Citrix Systems assumes no responsibility for errors in this document, and retains the
right to make changes at any time, without notice.
Introduction
Repeater Appliances optimize your WAN links, giving your users maximum responsiveness
and throughput at any distance, and providing that “locally connected” experience to
remote users. Obviously, cutting down on the time users spend waiting is the same thing
as increased productivity and user satisfaction.
These Appliances are easy to deploy because they work transparently. A twenty-
minute installation accelerates your WAN traffic with no other configuration required:
there is no need to touch your applications, servers, clients, or network infrastructure.
And this benefit continues after the installation, since changes in your datacenters or
remote sites can be made without regard to the Appliances, and your traffic will still
be accelerated. The Appliances need reconfiguration only when your WAN links
change.
Branch Repeater Family Installation and User’s Guide, rel. 5.5-5.7 1-1
1.1 Branch Repeater Product Line
Note: The name “Branch Repeater” applies both to the entire acceleration
product line and to the smaller, branch-office appliances.
The branch-office Appliances are further subdivided into a line of
stand-alone Appliances (“Branch Repeater”) and a line of
Windows-Server-based Appliances (“Branch Repeater with Windows Server.”)
This latter product line is not documented here. See the Branch Repeater
with Windows Server Installation and User’s Guide.
1.5 Terminology
Series. The “8500 Series” or “8500” refers to all models with a number of
8500-8599. This is also true of the 8800 Series, etc.
Acceleration Unit. A Repeater Appliance, Repeater Plug-in, Branch Repeater Appliance,
or Branch Repeater VPX virtual machine.
Flow. This term means “all connections passing between the same pair of Acceleration
units.” (This is different from the usual meaning of “flow” in networking.)
Accelerated. Any TCP connection which is undergoing TCP acceleration. It may also
be undergoing additional optimizations such as compression or CIFS acceleration.
1.6 Note About Screen Captures
2.1 Introduction
Appliance theory of operation is discussed in detail in Chapter 4. For the purposes of
this Chapter, the main point is that acceleration works on TCP/IP connections that
meet these criteria:
• All packets in the TCP connection must pass through a supported combination of
two acceleration units:
• Any combination of Repeater, Branch Repeater, and Branch Repeater VPX
Appliances.
• One Repeater Appliance and one Repeater Plug-in.
• One Branch Repeater VPX Appliance and one Repeater Plug-in.
• Traffic in both directions must pass through both Acceleration units.
Once these criteria are met, acceleration is automatic.
Deploying Appliances successfully is not difficult, but improper deployments can cause
trouble and will give inadequate acceleration. Follow the guidelines in this chapter for
best results.
Figure 2-1 Acceleration enhances performance when traffic passes through two Appliances.
2.2 Product Selection
Disk Size
The 8800 Series offer more disk capacity than the other Appliances (roughly 600 GB
vs. roughly 200 GB for the Repeater 8500, Branch Repeater, and Branch Repeater
with Windows Server). Branch Repeater VPX has a disk capacity of 100-500 GB. Disk
capacity is important for disk-based compression. Ideally, an Appliance will have disk
space equal to at least several days’ WAN traffic. (A 1 mbps link can transfer about 10
GB per day at full speed.)
Best Practices: Use an 8800-Series Appliance for link speeds above 45 mbps or when
the expected data lifetime with another Appliance would be less than three days.
Figure 2-3 Examples of disk data lifetime. [Chart: link speed (1 mbps, 10 mbps, 100 mbps) versus Appliance model.]
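The disk-lifetime rule above (a 1 mbps link moves about 10 GB per day at full speed; prefer the 8800 Series above 45 mbps or when another model would hold less than three days of traffic) can be turned into a small sizing calculator. The following is an added example, not code from the guide or from Citrix; the model disk sizes are the approximate figures quoted in the text, and the 10 GB/day/mbps constant is the guide's rule of thumb, not a measured value.

```python
"""Disk data-lifetime estimates for compression history (added example)."""

# Guide's rule of thumb: a 1 mbps link transfers roughly 10 GB per day at full speed.
GB_PER_DAY_PER_MBPS = 10.0

# Approximate usable disk per model, as quoted in the text (rounded figures).
DISK_GB = {
    "Repeater 8500": 200,
    "Branch Repeater": 200,
    "8800 Series": 600,
}

# Thresholds from the "Best Practices" paragraph.
HIGH_SPEED_LINK_MBPS = 45
MIN_LIFETIME_DAYS = 3


def lifetime_days(disk_gb: float, link_mbps: float) -> float:
    """Days of WAN traffic the disk can hold if the link runs flat out."""
    if link_mbps <= 0:
        raise ValueError("link speed must be positive")
    return disk_gb / (GB_PER_DAY_PER_MBPS * link_mbps)


def needs_8800(link_mbps: float, candidate_disk_gb: float) -> bool:
    """True when the guide's best practice points at an 8800-Series Appliance."""
    return (link_mbps > HIGH_SPEED_LINK_MBPS
            or lifetime_days(candidate_disk_gb, link_mbps) < MIN_LIFETIME_DAYS)


def lifetime_table(models=DISK_GB, speeds_mbps=(1, 10, 100)):
    """Rebuild the kind of table Figure 2-3 shows: model -> {speed: days}."""
    return {
        model: {speed: round(lifetime_days(gb, speed), 2) for speed in speeds_mbps}
        for model, gb in models.items()
    }


if __name__ == "__main__":
    for model, row in lifetime_table().items():
        cells = ", ".join(f"{s} mbps: {d} days" for s, d in row.items())
        print(f"{model:16s} {cells}")
    print("10 mbps link on a 200 GB model needs 8800:", needs_8800(10, 200))
```

At 10 mbps a 200 GB model holds only two days of traffic, so the calculator recommends the larger disk even though the link is well under the 45 mbps threshold.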
Redundancy
• The Repeater 8800 Series Appliances have dual power supplies.
• The Repeater 8800, 8500, and 8300 Series Appliances have redundant disk
drives.
• Appliances can be used in high-availability mode (two redundant Appliances with
automatic failover).
Best Practices: Your redundancy decision should be consistent with those used for
your WAN routers and network servers.
2.3 Selecting a Deployment Mode
Inline mode has the following advantages over the other deployment modes:
• It provides maximum performance.
• It can be installed by people who are not IT professionals.
• It requires no reconfiguration of your other network equipment.
Other modes (WCCP, virtual inline, redirector) are less convenient to set up, generally
requiring that you reconfigure your router, and have lower performance.
Note: The configurations for which we recommend WCCP mode can all use
virtual inline mode instead, but this requires an extra LAN port on the router
and (on Cisco routers) a newer version of Cisco IOS.
[Figure: deployment-mode diagrams, LAN/WAN placement of the Appliance in WCCP mode and with two accelerated bridges; diagram not recoverable.]
Config.  Mode                  Soft-Boost  Hard-Boost  Full BW  Partial BW  Group Mode  High Availability
D2.      Inline, Dual Bridges  Yes         No          Yes      No          No          Yes
E2.      Inline, Dual Bridges  Yes         No          Yes      No          No          Yes

Config.  Mode                  Soft-Boost  Hard-Boost  Full BW  Partial BW  Group Mode  High Availability
D2.      Inline, Dual Bridges  No          No          Yes      No          No          No
E2.      Inline, Dual Bridges  No          No          Yes      No          No          No
2.4 Forwarding Loop Prevention
• Full bandwidth mode. What you have when partial bandwidth mode is disabled.
[Figure: asymmetric routing between Sites C, D and E over the WAN; the first layout is marked WRONG, the second is marked OK.]
Some forwarding modes can deal with asymmetric routing (see also Figure 2-8):
• Multiple Bridges. An Appliance with two accelerated bridges or accelerated pairs
(for example, apA and apB), allows two independent links to be accelerated.
• WCCP mode allows a single Appliance to be shared between multiple WAN routers,
allowing it to see all the WAN traffic regardless of the link it arrived on.
• Virtual inline mode allows a single Appliance to be shared between multiple WAN
routers, allowing it to see all the WAN traffic regardless of the link it arrived on.
• Group mode allows two or more inline Appliances to share traffic with each other,
ensuring that traffic that arrives on the wrong link is handed off properly. Since
group mode requires multiple Appliances, it is an expensive solution that is best
suited to installations where the accelerated links have wide physical separation,
making the other alternatives difficult. For example, when the two WAN links are
on different offices in the same city (but the campuses are connected by a
LAN-speed link), then group mode may be the only choice.
Keep in mind that sites with only one WAN link do not participate in asymmetric routing
and are not a problem. This is shown in Figure 2-9.
2.5 Guidelines for Sites With Multiple WAN Routers
Figure 2-8 By covering all links with either group mode or virtual inline mode, asymmetric
routing ceases to be a problem.
[Diagram: Sites C and D use group mode, Site E uses virtual inline; marked OK.]
Figure 2-9 Links leading to sites with only one WAN link cannot create asymmetric routing
problems; only sites with multiple links can mis-route packets.
[Diagram: Sites G, H, I and J over the WAN; marked OK.]
Mix and Match. As shown in Figure 2-9, one end of the link can use virtual inline
mode while the other end uses group mode. This is true in general: the two ends of
a link do not have to use the same forwarding mode.
[Compatibility matrix; column headings are not recoverable from the page. Rows read left to right as printed.]
Repeater Plug-in   Y    Y    Y    Y    Y    Y    N
Virtual Inline     Y    Y    Y    Y    Y    N
WCCP-GRE           Y    Y    Y    Y    N
WCCP-L2            Y    Y    Y    N
Multiple Bridges   Y    Y    N
High Avail.        Y    Y

Repeater Plug-in   N    N    N    N    N    N    N
Virtual Inline     NR*  NR*  NR*  N    N    N
WCCP-GRE           Y    Y    N    N    N
WCCP-L2            Y    N    N    N
Multiple Bridges   N    N    N
High Avail.        N    N
be used unless the accelerated link fails. WCCP and policy-based routing with
health-checking both lend themselves to this. The main thing is to prevent the
accelerated link from participating in load-balancing and dynamic routing.
2.6 Deploying to Support VPNs
Figure 2-12 One option for accelerating “one-armed” VPNs. The Appliance is on the server
side of the VPN. All VPN traffic with a local destination will be accelerated. VPN traffic with a
remote destination will not be accelerated. Non-VPN traffic can also be accelerated.
[Diagram: servers, other users and the “one-armed” VPN.]
Figure 2-13 Alternate method of accelerating “one-armed” VPN traffic. Non-VPN traffic
bypasses the Appliance and will not be accelerated.
[Diagram: servers, firewall, router, Appliance, other users and the “one-armed” VPN.]
For acceleration to be effective, the VPN must preserve TCP header options. This is
true of most VPNs.
3. For each of these addresses, enable all protocols (TCP, UDP, ICMP) and enable
“Preserve TCP Options.”
4. Make sure that these same addresses are included under “User Groups: Default:
Network Policies” on the “Access Policy Manager” page.
2.7 Supporting Repeater Plug-in With “One-Armed” Redirector Mode (Not Recommended)
Figure 2-14 Basic cabling, redirector mode. This mode is supported but is not recommended.
Do not attempt to use this mode with Citrix Access Gateway products.
[Diagram: servers, firewall, router, Appliance, other users and the “one-armed” VPN.]
The procedures in this section will get your Appliance up and running.
• Expert users may prefer to use the Quick Installation Sheet.
• Branch Repeater VPX users should read Chapter 6 first.
• Repeater Plug-in Installation is covered in Chapter 5.
3.2 Pre-Installation
Before beginning the actual installation, perform the following steps to gather
appropriate resources and information, and to make basic decisions about the installation:
1. Required: Review Chapter 2 before installing the Appliance.
Recommended: Read this document through Chapter 4 before beginning.
2. Choose a mounting location for the 1U Appliance, which requires either 2U of
height (Repeater 8800 Series) or 1U (all others). Appliances are rack-mount
devices that can be installed into two-post relay racks and four-post EIA-310
server racks. Verify that the Appliance is compatible with your rack.
High-availability pairs require twice as much rack space. Optionally, the
Appliance can be mounted outside a rack; a set of rubber feet is provided for
this purpose.
3. Verify that adequate power is available. Branch Repeater has a 200 W power
supply (100-240 V, 50-60 Hz). The Repeater 8300 and 8500 Series have a
280W power supply (100-240 VAC, 50-60 Hz); the Repeater 8800 Series has
a 700W power supply. High-availability pairs require twice as much power.
4. Select your basic operating configuration based on the guidelines in
Chapter 2: inline, WCCP, or virtual inline.
a. Have already determined that softboost doesn’t give the speed you
require in your point-to-point network?
d. If you answered “Yes” to all these questions, you can try hardboost.
Note: Hardboost and softboost are mutually incompatible. The same Appliance
cannot use hardboost with some partners and softboost with others.
Sometimes it is necessary to dedicate an Appliance for hardboost over a
particularly difficult link, but use softboost for the rest.
6. Identify your cabling needs and acquire appropriate cables. Use the provided
cables if possible. See Section 7.2.
7. Allocate a management IP address to the Appliance. This address should be
on the same subnet as the WAN router port that the Appliance is connected
to. The management IP address (and signaling IP address, if used), should
be on the same subnet as other devices on the same LAN segment.
Management IP Address: ______________
This management address will be used to communicate with the
browser-based management pages. If you are using the Repeater Plug-in,
you must also assign a signaling IP address to the Appliance.
Signaling IP Address: ________________
The signaling address is used by Repeater Plug-in to communicate with the
Appliance. See Figure 3-1.
Tip: Ping these addresses first to make sure they are not already in use.
Figure 3-1 Assigning IP addresses
[Diagram: interface apA carries the Management IP and Signaling IP; the router port IP is on the same subnet (example: 172.16.0.1).]
Example:
Management IP: 172.16.0.102
Signaling IP: 172.16.0.202
8. (Virtual inline mode only) Identify an unused Ethernet port on your router,
and make sure that you understand how to configure policy-based routing
(see Section 4.10).
9. If you are installing two units as a high-availability pair, you will need rack
space, power, cables, and a management IP address: _______________ for
the second unit as well. You will also need a virtual IP address (VIP):
_____________ that is used to manage the two Appliances as a single unit.
All three addresses must be on the same subnet. (See Section 7.4.)
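Steps 7 and 9 above set several constraints on the addresses you allocate: the management and signaling addresses sit on the router port's subnet, an HA pair adds a second management address and a VIP, and all of them must share one subnet and not already be in use. The check below is an added example, not part of the guide or of the Appliance software; it uses the guide's Figure 3-1 example addresses plus hypothetical values for the HA partner and VIP, and takes the "already in use" list as an input (the result of the ping sweep the Tip recommends) rather than probing the network itself.

```python
"""Pre-installation address plan check (added example, not Citrix code)."""
import ipaddress

# Router port on the LAN segment the Appliance plugs into (guide's example value).
ROUTER_PORT = "172.16.0.1/24"

# Planned addresses. Management/signaling are the guide's Figure 3-1 example;
# the HA partner and VIP values are hypothetical placeholders.
PLAN = {
    "management": "172.16.0.102",
    "signaling": "172.16.0.202",
    "ha_partner_management": "172.16.0.103",
    "ha_virtual_ip": "172.16.0.100",
}


def check_address_plan(router_port_cidr, plan, in_use=()):
    """Return a list of problems with the plan; an empty list means it is consistent.

    in_use: addresses already answering on the segment (e.g. found by ping).
    """
    router_if = ipaddress.ip_interface(router_port_cidr)
    subnet = router_if.network
    in_use = {ipaddress.ip_address(a) for a in in_use}
    problems = []
    assigned = {}

    for role, addr in plan.items():
        ip = ipaddress.ip_address(addr)
        if ip not in subnet:
            problems.append(f"{role} {ip} is not in the router port subnet {subnet}")
            continue
        if ip == router_if.ip:
            problems.append(f"{role} {ip} collides with the router port address")
        if ip in (subnet.network_address, subnet.broadcast_address):
            problems.append(f"{role} {ip} is the network or broadcast address")
        if ip in in_use:
            problems.append(f"{role} {ip} is already in use on the segment")
        if ip in assigned:
            problems.append(f"{role} {ip} duplicates the {assigned[ip]} address")
        assigned[ip] = role

    # HA pairs: both management addresses and the VIP must be on one subnet,
    # which the per-address subnet test above already enforces.
    return problems


if __name__ == "__main__":
    for line in check_address_plan(ROUTER_PORT, PLAN) or ["address plan OK"]:
        print(line)
```

Feed the addresses that answered your ping sweep in via `in_use`; a planned address that appears there is reported before you ever power the unit up.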
3.3 Installation
3.3.1 Install the Appliance Into the Rack
10. Install the Appliance into the rack. Do not install the power cord. The unit will
start as soon as the cord is installed. We do not want to power up the unit
yet.
Figure 3-2 Appliance connectors.
[Diagram: Power; RS-232 Serial Port; Primary Ethernet Port; Aux1 Ethernet Port; Accelerated Pairs (bridged Ethernet ports with bypass feature), labeled Accelerated Pair A / apA. On units without the bypass feature, these ports become apA.]
[Cabling diagram, caption not recoverable: the Appliance sits between a switch or other device on the LAN side and a router or other device on the WAN/Internet side, using the existing cabling. Cable legend: straight-through = blue, cross-over = orange. Cases shown: switch and WAN router, internal router and switch, DSL or cable modem, and a directly connected server or client.]
11. Install the Ethernet cable(s) in the ports marked “Accelerated Pair A” in
Figure 3-2. The Appliance uses Gigabit Ethernet ports that auto-configure for
Gigabit, 100 Mbps, or 10 Mbps networks. These ports are on an add-in card,
and on newer units are labeled “Accelerated LAN/WAN Ports.”
Starting with release 4.1, units can be shipped with more than one pair of
accelerated LAN/WAN ports. See Section 4.5 for information on using multiple
accelerated bridges. When you have multiple pairs, you should assign the
Management IP address and the Redirector IP address to the subnet attached
to Accelerated Pair A.
Motherboard Ethernet ports are not accelerated, and are shipped with plugs
to prevent cables from being installed into them accidentally. Starting with
release 4.1, these ports can be used for other purposes. See Section 4.5.
a. You can use either port of an accelerated pair as the WAN-facing port.
The unit auto-detects which port is which.
c. If you are installing a high-availability pair, the two units are connected
in parallel, as shown in Figure 3-4.
[Figure 3-4 diagram: an HA pair of Appliances connected in parallel between the switch (LAN side) and the router (WAN side); cross-over cable shown in orange.]
12. (Inline units with bypass cards only) With the Appliance still powered down,
test the cabling by attempting to connect to a system on the far side of the
unit(s), using ping, ftp, or another convenient program. Units without bypass
cards will block traffic, so this step should be skipped.
13. Troubleshooting. Problems at this stage are caused by:
• Simple cabling errors (cables left disconnected or plugged into the wrong
port on one end or the other). Inspect your cabling. Note that many
Appliances have two unused Ethernet ports. Make sure you are using the
Accelerated Pair.
• (10/100 Ethernet) The use of a cross-over cable where a straight-through
cable is needed, or vice versa. Compare your cabling to the diagrams
above.
• (10/100 Ethernet) A cable plugged into the Uplink port of a switch when it
should use a regular port, or vice versa. Inspect your cabling.
• (10/100 Ethernet) If all else fails, replacing either of the cables with that
of the opposite type should work (that is, replace a straight-through cable
with a cross-over cable, or vice versa).
15. When the front-panel interface becomes active, set the IP address (from
Step 7), netmask, and gateway address through the front-panel interface as
shown (if you are setting up an HA pair, follow these steps for both units):
Figure 3-8 Front-panel configuration (Sheet 1 of 2)
This procedure also works when creating an HA pair by adding a second unit
to an existing installation.
a. On the main (System Status) page of the first Appliance, press the
“Disable” button. This will disable acceleration until the HA pair is
configured.
e. Follow the “Configure HA Virtual IP Address” link and assign the virtual
IP address you selected in Step 9. to the apA interface. This address
will be used later to control both units together.
g. Fill in the other unit’s SSL Common Name (from the other unit’s
“Configure: High Availability” page) in the “Partner SSL Common Name”
field.
i. Repeat steps c-h on the second Appliance. Remember that one Ethernet
cable was left disconnected on this Appliance, which may prevent
you from connecting to it with your browser. If so, plug it back in and
unplug the one on the first Appliance.
21. Click the “Bandwidth Management” link. This will show you the bandwidth
page.
b. For now, set the “Bandwidth Limit (Send)” and “Bandwidth Limit
(Receive)” to 90% of the link bandwidth in the sending and receiving
directions, and press the “Update” button.
Some links are asymmetrical, leading to different values for the two
bandwidth limits. Figure 3-10 shows the settings for a DSL link with
384 kbps in the sending direction and 6 mbps in the receiving direction.
The other choice, “Partial Bandwidth,” should be used only if the Appliance
is deployed in inline mode on a WAN router with a single LAN link
and a single WAN link. Full bandwidth should be used in all other cases.
d. Click on the “System Status” link at the side of the page. If the “Status”
row does not say “NORMAL,” click the “Enable” button.
Follow these steps if you will use the Appliance with the Repeater Plug-in.
23. Go to the Appliance’s “Configure Settings: Repeater Plug-in” page. (See
Figure 3-12.)
b. Leave the Signaling Port and Connection Mode at their default values.
These will be updated later.
c. Press “Update”
24. On the “Acceleration Rules” tab, create a list of subnets that are on the same
site as the Appliance. This will inform the Repeater Plug-in that it should send
traffic for the subnets to this Appliance.
25. On the “Configure Settings: Repeater Plug-in: Acceleration Rules” tab:
• Add an “Accelerated” rule for each local LAN subnet that can be reached by the
Appliance. That is, press the “ADD” button, specify “Accelerate,” and type in
the subnet IP/mask.
• Repeat for each subnet that is local to the Appliance.
• If you wish to exclude some portion of the included range, add an “Exclude” rule
and move it above the more general rule. For example, if 10.217.1.99 looks like a
local address but is really the local end of a VPN unit, create an “Exclude” rule for
it on a line above the “Accelerate” rule for 10.217.1.0/24.
• If you wish to use acceleration only for a single port (not recommended), such as
port 80 for HTTP, replace the wildcard in the “Ports” field with this value. To
support more than one port, add additional rules, one per port.
• In general, narrow rules (usually exceptions) should be listed first, then general
rules.
• Press the “Save” link. Changes will not be saved if you navigate away from this
page without saving.
• The default action is to not accelerate; only addresses/ports that match an
“Accelerated” rule (before matching an “Excluded” rule) are accelerated.
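The rule semantics described in steps 24 and 25 (first matching rule wins, narrow exceptions listed above general rules, a port wildcard or a single port, and a default of "do not accelerate") are worth checking before the list is saved, because an Exclude placed below a broader Accelerate is silently ignored. The evaluator and ordering check below are an added example of those semantics, not the Plug-in's own matching code or any Citrix API; the rule list is constructed from the 10.217.1.x example in the text plus a hypothetical port-80-only subnet.

```python
"""First-match acceleration rule evaluation and shadowing check (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "Accelerate" or "Exclude"
    subnet: str        # CIDR, e.g. "10.217.1.0/24" (a host is /32)
    port: str = "*"    # "*" wildcard or one TCP port number, as in the Ports field

    def network(self):
        return ipaddress.ip_network(self.subnet, strict=False)

    def matches(self, ip, port):
        return ip in self.network() and (self.port == "*" or int(self.port) == port)


# Constructed rule list mirroring the guide's example: the VPN endpoint
# 10.217.1.99 is excluded above the general 10.217.1.0/24 rule. The port-80
# rule for 10.217.2.0/24 is hypothetical and shows a single-port rule.
RULES = [
    Rule("Exclude", "10.217.1.99/32"),
    Rule("Accelerate", "10.217.1.0/24"),
    Rule("Accelerate", "10.217.2.0/24", "80"),
]


def should_accelerate(rules, dst_ip, dst_port):
    """Return True if the first matching rule is an Accelerate rule.

    No match at all means the guide's default: the connection is not accelerated.
    """
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(ip, dst_port):
            return rule.action == "Accelerate"
    return False


def find_shadowed(rules):
    """Indexes of rules that can never match because an earlier rule covers them.

    Rule j shadows rule i (j < i) when j's subnet contains i's subnet and j's
    port is a wildcard or equal to i's port. A shadowed Exclude is the
    misordering the text warns about.
    """
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later.network().subnet_of(earlier.network())
                    and (earlier.port == "*" or earlier.port == later.port)):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    for ip, port in [("10.217.1.99", 445), ("10.217.1.50", 445), ("10.217.2.5", 443)]:
        print(ip, port, "accelerate" if should_accelerate(RULES, ip, port) else "bypass")
    misordered = [RULES[1], RULES[0], RULES[2]]
    print("shadowed rule indexes in misordered list:", find_shadowed(misordered))
```

Run `find_shadowed` over the list you intend to enter; a non-empty result means a narrow rule sits below a broader one and will never take effect.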
Route outbound WAN traffic to the Appliance when it enters the router
on any LAN port other than the one used by the Appliance.
Figure 3-14 Using the Tuning page for virtual inline modes.
Releases 5.5-5.6: Delete the text in the “Password” field for the Admin
account and type in a new password: _____________. Click the
“Update” button. For more information about User Accounts, see
Section 8.6.2.
Release 5.7: Press the “Modify” button for the Admin account, check
the “Change” box, enter the new password: _____________ twice, and
press the “Update” button.
Send the file a second time. This should yield a compression ratio of at
least 100:1.
Compression ratios can be read from the “System Tools: View Logs”
page.
35. Check for CIFS acceleration:
3.5 Troubleshooting
3.5.1 Cabling and Duplexing Problems
Ethernet cabling errors and full-duplex/half-duplex issues are the most common
sources of installation problems. This is particularly true of 10/100 Mbps Ethernet
links. The two biggest sources of trouble are:
• The incorrect use of straight-through vs. cross-over cables, which causes a total
loss of connectivity on 10/100 Mbps links.
• Links where one side is forced to 100 Mbps full-duplex, and the other is set to
Auto-negotiate. A flaw in the Fast Ethernet standard results in the Auto side
choosing 100 Mbps HALF-duplex in this case. The link works, but at greatly
reduced performance. This can happen at the actual link to the Appliance, but
long-standing cases are often discovered elsewhere in existing networks, where
they have gone unnoticed because past performance expectations have been low.
See Section 7.2 for additional information. Start by verifying that you can connect to
the local Appliance at its management IP address (using pings or browsing to the
Management interface). In inline mode, verify that you can connect through the
Appliance to outside systems.
3.5.7 Contact Us
Need help? Contact Citrix Support. See Section 11.1.
3.6 Licensing
The Branch Repeater family now uses Citrix Licensing, replacing the previous
Repeater licensing method. Existing Appliances will need a new license that is valid
under the new system. This license will be available at MyCitrix.com.
Note: Until you install a license, your Appliance will not accelerate connections.
Note: New Appliances are now shipped from the factory unlicensed.
Note: Repeater Plug-ins get their licenses dynamically from the Appliances they
communicate with. This is automatic and nothing needs to be done on the Client.
• If you are upgrading an older release of the Appliance (4.x or below for Repeater/
Branch Repeater, 1.0.x for Branch Repeater with Windows Server), you must
return your existing license and reallocate and regenerate it at MyCitrix.com.
• If you have a new Appliance, you do not need to exchange a license.
• Licenses are obtained from http://www.MyCitrix.com. You will need a login and a
password. If you do not have a My Citrix account, contact your Citrix
representative.
• Select your product line and model number on two dropdown menus and press
“Submit”
Figure 3-17 The “Upgrade Eligible Products” tool.
• Follow the prompts to convert the desired number of licenses to release 5.0 or
later. This will generate a “license entitlement” on My Citrix. You will receive an
email containing a license code for this entitlement. When this email arrives, go to
the next procedure.
Obtaining a License
• This step uses the “Activation System/Manage Licenses” tool, which is reached
from the “My Tools: Activation System/Manage Licenses” dropdown.
• Select “Activate/Allocate” from the “Current Tool” dropdown.
• Enter the license code from the email into the “License Code” field.
• Branch Repeater VPX: You will be asked for the host ID of your license server. This
can be discovered by running lmhostid. Typically, this is done from the command line:
    cd \Program Files\Citrix\Licensing\LS
    lmhostid
• Repeater/Branch Repeater: You will be asked for the host ID of the Appliance.
This can be found on the “System Tools: Update License” page for pre-5.0
releases and the “System Tools: Manage Licenses” page on newer releases. Enter
the host ID (without dashes) in the appropriate box.
Figure 3-18 The host ID is called “Licensing Mac” on release 4.x and “License Host Id” on
release 5.x.
• Branch Repeater with Windows Server: You will also be asked for the Appli-
ance’s host ID. This can be found on the “System Tools: Update License” page for
pre-5.0 releases and the “System Tools: Manage Licenses” page on newer
releases. Your Appliance may show multiple host IDs, separated by spaces,
instead of one. If so, use the rightmost one only. The Host ID must start with
003048. Enter the host ID in the appropriate box.
Figure 3-19 The host ID is called the “License Host Id” on release 5.0.x. Only the leftmost
host ID should be used.
• At the end of this process, you will generate a license file. Download this file to
your computer. You will paste it into the Appliance in the next step.
• If your Appliance supports the Repeater Plug-in, repeat the procedure to convert
Client concurrent user entitlements into a concurrent user license for the Appliance.
You can allocate your Repeater Plug-in entitlements across your Appliances
as desired; however, each model has a maximum number of Plug-ins that it can
support, and allocating more than this will not be effective. The Branch Repeater
product line does not support the Repeater Plug-in.
• If you use high-availability pairs or Appliances at disaster recovery sites, you can
“return and reallocate” your Repeater Plug-in licenses from the first Appliance for
use on a second one without losing their functionality on the first Appliance. This
allows client licenses to be active in two places at once. Use the “Activation
System/Manage Licenses” tool on My Citrix to return and reallocate the licenses.
• Reallocation can be done a fixed number of times (determined by Citrix). Only one
copy of a license is allowed to be in use at any given time.
(If your Appliance is running release 4.x software (1.0.x for Branch Repeater with
Windows Server), you must install release 5.x/1.5.x first.)
• Repeater/Branch Repeater: To install the license, go to the “System Tools: Manage
Licenses” page and select the “License Configuration” tab. Add a new license by
pressing the “Add” button.
• Branch Repeater with Windows Server: To install the license, go to the
“Configuration: Manage Licenses” page. Add a new license by clicking the “Add License” link.
• Type a name into the “License Name” Field. This name can be anything, but it
cannot be blank.
• Upload the license you obtained from Citrix from the “Load from File” button.
(Previous releases used a cut-and-paste mechanism, but this has been changed to a
file upload).
• Press the “Install” (Repeater/Branch Repeater) or “Finish” (Branch Repeater with
Windows Server) button.
• After a delay, the license should install successfully.
• Repeater: Repeat for the Repeater Plug-in license file if you have one.
3.7
Theory of Operation
4.2 How Acceleration Works
4.2.2 Optimizations
Optimization techniques fall into these interrelated categories:
1. Lossless, transparent flow control.
2. Fair Queuing
3. QoS (Section 4.4)
4. WAN Optimizations
5. Compression (Section 4.13)
6. Windows Filesystem (CIFS) acceleration (Section 4.14)
[Figure: Network A and Network B, each with an Accelerator on its LAN link, joined by the WAN link; the acceleration between them is transparent and auto-optimized.]
One of the main benefits of Acceleration is flow control. A widely used rule of thumb
for WAN links is that, once link utilization reaches 40%, it’s time to add more bandwidth,
because performance and reliability will have degraded to the point where the
link is largely unusable. Interactive performance suffers, making it hard for people to
get work done, and connections frequently time out. Accelerated links don’t have this
problem; a link with 95% utilization is still perfectly usable.
Acceleration operates on any TCP connection passing between two Appliances (one at
the sending site and one at the receiving site), or a Repeater Appliance and a
Repeater Plug-in. Though the figure shows a network of two Appliances, any Appli-
ance can accelerate connections between any number of other Appliance-equipped
sites simultaneously. This allows a single Appliance to be used per site, rather than
two per link.
Like any gateway, the Appliance meters packets onto the link. Unlike ordinary gateways,
however, it imposes transparent, lossless flow control on each link segment:
1. the LAN segment between the sender and the sending Appliance,
2. the WAN segment between the sending and receiving Appliances,
3. and the LAN segment between the receiving Appliance and the receiver.
By splitting the link into three parts, flow control can be managed independently for
each of these three segments. By partly decoupling the segments, each can have its
speed controlled independently. This is important when a connection’s speed needs to
be ramped up or down quickly to its fair bandwidth share, and is also important as a
means of supporting enhanced WAN algorithms and compression, as we shall see.
The TCP protocol is greedy for bandwidth: every TCP connection continually attempts
to increase its bandwidth usage. However, the link bandwidth is limited. Flow control
keeps the TCP connections flowing at just the right speed. The link is never overrun,
which means that queuing latency and packet losses are minimized.
This bandwidth hunger of TCP connections means that long-running connections
(which have had time to seize all the bandwidth) tend to squeeze out short-running
connections. This ruins interactive responsiveness. Flow control keeps such greedy
bulk-transfer connections from getting out of hand.
Flow control is a standard feature on all Appliances.
[Figure: data streams feed per-connection queues that are drained by a scheduler, with DATA and ACK exchanges on each side.]
[Chart: one-way distance in miles (0.1 to 100,000) versus connection speed in Mb/s (0.01 to 10,000) for dialup, ADSL, T1, T3, 10 Mb/s, 100 Mb/s, OC-3, OC-12, 1 Gb/s, OC-48, OC-192 and 10 Gb/s links. Regions are labeled Cross-Campus, Cross-City, Cross-State, Cross-Country and Worldwide; long-haul paths are marked “Limited by TCP” and short-haul (MAN) paths “Limited by Line Speed”.]
Note: Some applications that run under UDP by default, such as older versions of
NFS, can also run in TCP mode.
4.3 Bandwidth Control
action, and this traffic (such as it is) can be doubled. In effect, transactional mode
provides forward error correction (FEC) on interactive traffic, and gives end-of-transaction
RTO protection to other traffic.
Note: Softboost and hardboost are mutually exclusive, which means that all the
Appliances that must communicate with each other must be set the same. If one
unit is set to hardboost and the other is set to softboost, no acceleration will take
place.
Note: Prior to release 4.1, softboost uses only the sending bandwidth limit. Start-
ing with release 4.1, both the sending and receiving limits are used. Interactive
performance is often greatly increased if both limits are set.
For variable-speed links, or when a single Appliance is handling the traffic from two or
more links, the bandwidth limit should be set to 90-95% of the maximum expected
speed.
Note: Hardboost is recommended for fixed-speed links only. If used with a vari-
able-speed link, the bandwidth limit must not exceed that of the guaranteed band-
width (committed information rate).
Example 1: On a 1.5 mbps point-to-point link with a bit rate of 1.54 mbps, set the
sending and receiving bandwidth limits to 90-95% of 1.54 mbps, or 1390-1463 kbps.
Either hardboost or softboost can be used.
Example 2: Suppose you have a simple hub-and-spoke deployment. Site 1 has two
T1 links, one terminating at Site 2 and one terminating at Site 3. If all three sites
have Appliances, then the hub Appliance would have its bandwidth limits set to
90%-95% of the aggregate bandwidth (twice the value in Example 1, or 2780-2926
kbps). The Appliances at the two spokes would set their bandwidth limits as in Exam-
ple 1 (1390-1463 kbps). Either hardboost or softboost can be used.
Note: Set the bandwidth limits of each Appliance to match the speed of its local
link, without regard to the speed at the other end of the WAN. This simplifies con-
figuration and allows each unit to be installed with knowledge of the local links only.
The only exception is when there is an intermediate bottleneck that is slower than
either endpoint link. This rare situation is dealt with by using the intermediate bottleneck speed on the affected Appliance, instead of the local speed.
40500-4275 kbps, while the branch-office Appliance should have its sending speed
set for 90-95% of 384 kbps (346-365 kbps) and its receiving speed set for 90-95% of
6 mbps (5400-5700 kbps). If the sum of all the branch-office Appliances does not
exceed 45 mbps in either direction, hardboost can be used. Otherwise, softboost
should be used.
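The limit arithmetic from Examples 1 and 2 and the hub/branch case above, written out as an added example (not Citrix code) so the same rule can be applied to any set of local links: limits come from the local links only, aggregated when one Appliance terminates several links, and hardboost is allowed only when the link speed is fixed and, on a hub, when the spokes cannot oversubscribe it. The `Link` type and the function names are this example's own; the text rounds 1386 to 1390.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    name: str
    send_kbps: float            # speed toward the WAN
    recv_kbps: float            # speed from the WAN
    fixed_speed: bool = True    # False for variable-speed links (then use the committed rate)

def limit_range_kbps(link_kbps, low=0.90, high=0.95):
    """Bandwidth-limit range, 90-95% of the link speed, in whole kbps."""
    return (round(link_kbps * low), round(link_kbps * high))

def plan_appliance(local_links):
    """Limits for one Appliance, derived from its LOCAL links only. When one
    Appliance handles several links the limit applies to their aggregate, since an
    Appliance has only one bandwidth limit. Hardboost is recommended only for
    fixed-speed links; anything else gets softboost."""
    send = sum(l.send_kbps for l in local_links)
    recv = sum(l.recv_kbps for l in local_links)
    fixed = all(l.fixed_speed for l in local_links)
    return {"send_limit_kbps": limit_range_kbps(send),
            "recv_limit_kbps": limit_range_kbps(recv),
            "modes": ("hardboost", "softboost") if fixed else ("softboost",)}

def hub_modes(hub_links, spoke_links):
    """Hub-and-spoke check: the hub may use hardboost only if its link is fixed-speed
    and the sum of the spokes does not exceed the hub link in either direction."""
    hub_send = sum(l.send_kbps for l in hub_links)
    hub_recv = sum(l.recv_kbps for l in hub_links)
    toward_hub = sum(s.send_kbps for s in spoke_links)      # lands on the hub's receive side
    toward_spokes = sum(s.recv_kbps for s in spoke_links)   # leaves from the hub's send side
    fixed = all(l.fixed_speed for l in hub_links)
    if fixed and toward_hub <= hub_recv and toward_spokes <= hub_send:
        return ("hardboost", "softboost")
    return ("softboost",)

if __name__ == "__main__":
    T1 = Link("T1", 1540, 1540)
    print("Example 1, one T1:", plan_appliance([T1]))
    print("Example 2, hub with two T1s:", plan_appliance([T1, T1]))
    branch = Link("branch", 384, 6000)              # 384 kbps up, 6 Mbps down, as in the text
    print("Branch-office Appliance:", plan_appliance([branch]))
    ds3 = Link("DS3", 45000, 45000)
    print("Hub with seven such branches:", hub_modes([ds3], [branch] * 7))
    print("Hub with eight such branches:", hub_modes([ds3], [branch] * 8))
```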
For example, if you have a 45 Mbps link and your Appliance is set for 30 Mbps, 15
Mbps is left over for non-accelerated traffic. Non-accelerated traffic behaves exactly
as if it were on a dedicated 15 Mbps link.
When an Appliance is idle, it uses no bandwidth, and non-accelerated connections can
use the full bandwidth of the link. When an Appliance uses only part of its bandwidth
(for example, when the application cannot handle data at full speed), non-accelerated
connections can use the leftover bandwidth.
In short, an Appliance splits the link into two virtual links: accelerated and non-accel-
erated. Each acts as if the other weren’t there. Accelerated traffic always behaves as
if the non-accelerated traffic didn’t exist, and takes its full allocated bandwidth
regardless of the amount of non-accelerated traffic. Non-accelerated traffic also
behaves as if it had the link to itself, but the apparent size of the link is variable,
depending on how much accelerated traffic there is.
4.4 QoS
QoS was introduced in release 4.1. It consists of three parts:
1. Dynamic, zero-config QoS that automatically gives precedence to interactive traf-
fic.
2. Policy-based QoS that allows the administrator to allocate bandwidth into different
categories.
3. A XenApp (ICA/Citrix Presentation Server) feature that optionally maps traffic of
different priority levels into the administrator-defined categories.
Of these, the dynamic, zero-config QoS is the most important, since for the majority
of installations it works so well that no additional configuration is necessary. The
remainder of the QoS system exists to adjust the Appliance when this default
behavior falls short in some way.
QoS is applied only to accelerated traffic, since its purpose is to adjust the bandwidth
priority of selected accelerated traffic classes. Non-accelerated traffic is not subject to
QoS.
QoS implements a simple, general method of separating traffic into five queues, each
of which is assigned a percentage of the link bandwidth (more precisely, the band-
width limit). These queues are initially named “A” through “E,” but can be renamed
according to their function. Fair queuing is performed within each queue, and
weighted fair queuing is performed between the queues. See Figure 4-4.
Figure 4-4 QoS in operation. QoS divides traffic into different queues, each of which has a
different bandwidth slice. Weighted fair queuing is performed within each queue and between
the queues.
[Figure 4-4 diagram: data connections feed a QoS scheduler through Queue A (80%) and Queue B (20%)]
While the queues each have a specified bandwidth percentage, each queue will lend
its leftover bandwidth to the other queues. This means that the bandwidth assign-
ments are minimum levels, not maximums.
This results in a QoS system embodying Repeater’s “accelerator” philosophy. Nothing
stands in the way of a connection using bandwidth that would otherwise be wasted.
The bandwidth assignments only come into play when there is competition for the
bandwidth; that is, when the link is saturated.
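The lending rule above, as an added example that is not part of the guide: weighted fair queuing between queues by progressive filling, where a queue's percentage is a floor that only binds when the link is saturated, plus max-min fair sharing among the connections inside one queue. The queue names, the 1000 kbps bandwidth limit and the demand figures are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Queue:
    name: str
    percent: float   # guaranteed share of the bandwidth limit (a minimum, not a maximum)
    demand: float    # kbps the connections in this queue would send if unconstrained

def allocate_queues(limit_kbps, queues):
    """Weighted fair queuing between queues with lending of leftover bandwidth.
    Each round, the queues that still want more split the remaining bandwidth in
    proportion to their percentages; a queue that needs less than its share takes
    only what it needs, and the surplus is lent to the others in the next round."""
    alloc = {q.name: 0.0 for q in queues}
    remaining = float(limit_kbps)
    unsatisfied = [q for q in queues if q.demand > 0]
    while unsatisfied and remaining > 1e-9:
        total = sum(q.percent for q in unsatisfied)
        budget = remaining
        next_round = []
        for q in unsatisfied:
            share = budget * q.percent / total
            need = q.demand - alloc[q.name]
            give = min(need, share)
            alloc[q.name] += give
            remaining -= give
            if need > share:              # still wants more: eligible for lent bandwidth
                next_round.append(q)
        unsatisfied = next_round
    return alloc

def max_min_fair(capacity_kbps, demands):
    """Fair queuing inside one queue: small (interactive) demands are served in
    full and the bulk senders split whatever is left evenly, so a long-running
    transfer cannot squeeze out a short one."""
    alloc = {}
    remaining = float(capacity_kbps)
    pending = sorted(demands, key=demands.get)
    while pending:
        share = remaining / len(pending)
        conn = pending.pop(0)
        give = min(demands[conn], share)
        alloc[conn] = give
        remaining -= give
    return alloc

if __name__ == "__main__":
    # The Figure 4-7 situation: an FTP queue at 10%, everything else at 90%.
    ftp = Queue("FTP", 10, 50_000)
    print("link saturated:", allocate_queues(1000, [ftp, Queue("Normal", 90, 50_000)]))
    print("normal traffic idle:", allocate_queues(1000, [ftp, Queue("Normal", 90, 0)]))
    print("normal traffic half busy:", allocate_queues(1000, [ftp, Queue("Normal", 90, 500)]))
    print("inside one queue:", max_min_fair(1000, {"bulk": 5000, "ssh1": 50, "ssh2": 50}))
```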
2. Altering the Service Class Policy queue assignments as shown in Figure 4-6.
Figure 4-6 Assigning the “FTP Data” service class to the “FTP” queue.
3. QoS configuration is complete. Figure 4-7 shows the results, where normal,
non-FTP traffic (light green) dominates the link at first, but then goes idle, allow-
ing FTP traffic (dark green) to use the full link bandwidth.
Figure 4-7 QoS example, showing FTP class (dark green) using either 10% of the link or the
unused link bandwidth, whichever is more.
This divides the bandwidth evenly, except for our FTP bandwidth, which we are keep-
ing at 10%, and the high-priority ICA bandwidth, which we are over-provisioning with
30%.
Another approach would be to combine the FTP and ICA Background traffic into the
same queue, since they are both low-priority bulk-transfer categories:
sending to the receiver at once. As with any other sender-side QoS system, this
leads to a loss of control over latency and queue ratios during the period of con-
tention.
• QoS operates only on accelerated traffic, since it is an extension of fair queuing.
Inline installations can also use the “Partial Bandwidth” feature to protect VoIP and
other latency-sensitive non-accelerated traffic.
• QoS (in softboost mode) is compatible with other QoS solutions. QoS will work in
tandem with your existing QoS solutions, if present. The only things you need to
keep in mind are:
• The Appliance should be on the “fast side” of the chain, that is, on the LAN side
of any QoS-enabled routers or Appliances. This will prevent the other devices
from defeating Compression by slowing down the uncompressed data stream
to WAN speeds.
• Hardboost should not be used. Hardboost is unresponsive to QoS techniques
such as congestion signals or increased queueing. Use softboost on networks
that have non-Repeater QoS.
4.5 Ethernet Ports
Note: Acceleration is supported only on Accelerated Pairs. The Primary and Aux1
ports are for UI and group-mode backchannel access.
• Inline mode works even if a bridge has no IP address; all other modes require that
an IP address be assigned to the port.
• Traffic is not routed between interfaces. For example, a connection on bridge apA
will not cross over to the Primary or Aux1 ports, but will remain on bridge apA.
The entire issue of routing is left to your routers.
To handle load-balanced links, the bridges use the following algorithm: when it is time
to send a packet for a given connection, it is sent out whichever bridge has received
the most recent input packet. Thus, the Appliance honors whatever link decision was
made by the router, and automatically tracks the load-balancing or main-link/
failover-link algorithm in real time. For non-load-balanced links, this same algorithm
also ensures that packets will always use the correct bridge.
Only One Bandwidth Limit. A system with two accelerated pairs still has only one
bandwidth limit. If the pairs are attached to different WAN links, there is no way of
specifying a per-link bandwidth limit. In the deployments shown above, this is not an
issue; both accelerated pairs service the same link. In cases where this is not the
case, softboost mode must be used, since hardboost mode cannot tolerate any ambi-
guity about link speed.
High Availability with Multiple Bridges. Two units with multiple bridges can be
used in a high-availability pair. Simply match up the bridges so that all links pass
through both Appliances. (See Section 7.4 for more about high availability mode.)
[Figure: two accelerated bridges at one site, one carrying traffic to Site X and one to Site Y; a second diagram shows two accelerated bridges on load-balanced WAN links; a third shows an HA pair with LAN and WAN ports on each bridge]
4.6 Autodiscovery and Autoconfiguration
[Figure: autodiscovery handshake between client, first Appliance, second Appliance and server: (1) SYN, (2) tagged SYN, (3) SYN, (4) SYN-ACK, (5) tagged SYN-ACK, (6) SYN-ACK, (7) accelerated connection]
1. The client opens a TCP connection to the server as usual by sending it a TCP SYN packet.
2. The first Appliance passes the SYN packet through after attaching a set of Appliance-spe-
cific TCP header options to it and adjusting its window size.
3. The second Appliance reads the TCP options, removes them from the packet, and forwards the packet to the server.
4. The server accepts the connection by responding as usual with a TCP SYN-ACK packet.
5. The second Appliance remembers that this connection is a candidate for acceleration and
attaches its own acceleration options to the SYN-ACK header.
6. The first Appliance reads the options added by the second Appliance, strips them from the
packet header, and forwards the packet to the client. The connection is now accelerated.
Both Appliances know this, and the necessary parameters have been exchanged through
the option values.
7. The remainder of the connection will be accelerated. The client, server, routers, and fire-
walls are all unaware of this; it happens transparently.
4.7 Forwarding Modes
Such firewalls need to be reconfigured to allow TCP options in the range of 24-31
(decimal). Examples for two common Cisco firewalls are given in Section 3.5.3.1. The
basic procedure will be similar for other firewalls.
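When acceleration does not start, the usual question is whether the SYN that reached the far side still carries options in the 24-31 range or whether a firewall stripped them. This added example (not Citrix code) parses the option list of a captured TCP header, reports any options in that range, and shows the header rewrite the second Appliance performs when it removes them. The option kind 24 with four placeholder bytes is constructed; the real option layout is not documented on this page.

```python
import struct

# Option kinds the text says the Appliances use and firewalls must pass: 24-31 decimal.
APPLIANCE_OPTION_KINDS = range(24, 32)

def encode_option(kind, data=b""):
    """TLV encoding of one TCP option (NOP, kind 1, carries no length byte)."""
    return bytes([kind]) if kind == 1 else bytes([kind, len(data) + 2]) + data

def parse_tcp_options(tcp_header):
    """Return (data_offset_bytes, [(kind, data), ...]) for a raw TCP header.
    Raises ValueError on a malformed option list instead of guessing."""
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts, parsed, i = tcp_header[20:data_offset], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation
            parsed.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("truncated or malformed option")
        length = opts[i + 1]
        parsed.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return data_offset, parsed

def appliance_options(tcp_header):
    """Options in the Appliance range. An empty list on a SYN that left the first
    Appliance tagged means something in the path is removing unknown options."""
    return [(k, d) for k, d in parse_tcp_options(tcp_header)[1]
            if k in APPLIANCE_OPTION_KINDS]

def strip_appliance_options(tcp_header):
    """Rebuild the header without options 24-31, as the second Appliance does before
    forwarding to the server. The checksum field is left as-is; a real forwarding
    device recomputes it after rewriting the header."""
    data_offset, opts = parse_tcp_options(tcp_header)
    kept = b"".join(encode_option(k, d) for k, d in opts if k not in APPLIANCE_OPTION_KINDS)
    kept += b"\x00" * (-len(kept) % 4)    # pad with EOL to a 32-bit boundary
    header = bytearray(tcp_header[:20])
    header[12] = (((20 + len(kept)) // 4) << 4) | (header[12] & 0x0F)
    return bytes(header) + kept + tcp_header[data_offset:]

def build_syn(src_port, dst_port, seq, window, options):
    """Construct a SYN segment header (no payload) carrying the given options."""
    opts = b"".join(encode_option(k, d) for k, d in options)
    opts += b"\x00" * (-len(opts) % 4)
    data_offset = (20 + len(opts)) // 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                       data_offset << 4, 0x02, window, 0, 0) + opts

# Constructed sample: MSS 1460, a NOP, and a hypothetical kind-24 option with four
# placeholder payload bytes.
SAMPLE_SYN = build_syn(40000, 443, 1, 65535,
                       [(2, struct.pack("!H", 1460)), (1, b""), (24, b"\x00\x01\x02\x03")])

if __name__ == "__main__":
    print("options on tagged SYN:", parse_tcp_options(SAMPLE_SYN)[1])
    print("appliance options:", appliance_options(SAMPLE_SYN))
    print("after stripping:", parse_tcp_options(strip_appliance_options(SAMPLE_SYN)))
```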
All modes can be active simultaneously. The mode used for a given packet is determined by
the Ethernet and IP headers.
[Figure: Network A and Network B joined by a WAN with an Appliance at each end; TCP/IP traffic passing through two appliances is accelerated]
Any TCP-based traffic passing through both units will be accelerated. No address
translation, proxying or per-site setup is required. Inline mode is auto-detecting and
auto-configuring.
In inline mode, traffic passes into one of the Appliance’s Ethernet ports and out of the
other. When two sites with inline Appliances communicate, every TCP connection
passing between them is accelerated. All other traffic is passed through transparently,
as if the Appliance were not there.
Management is minimized with inline mode. You do not need to keep track of which
remote systems have Appliances installed, since inline mode is auto-sensing and
auto-configuring. As soon as an Appliance is installed on a remote network, all your
connections that pass through it will be accelerated.
Ethernet Bypass. Most Appliance models include a “fail-to-wire” (Ethernet bypass)
feature for inline mode. This feature is standard. If power fails, a relay closes and the
input and output ports become electrically connected, allowing the Ethernet signal to
pass through from one port to the other as if the Appliance were not there. In
fail-to-wire mode, the Appliance looks like a cross-over cable connecting the two
ports.
A watchdog feature ensures that any failure of the Appliance hardware or software
will also close the relay. When the Appliance is restarted, the bypass relay remains
closed until the Appliance is fully initialized, maintaining network continuity at all
times. This feature is automatic and requires no user configuration.
4.8 Inline Mode
Link-Down Propagation. If carrier is lost on one of the bridge ports, the carrier will
be dropped briefly on the other bridge port to ensure that the carrier-down condition
is propagated to the device on the far side of the Appliance. Units that monitor link
state (such as routers) are thus notified of conditions on the far side of the bridge.
[Figure: Network A with a single Appliance on the WAN link; accelerated and non-accelerated traffic share the link]
At first glance, it might seem that this would not work, since the Appliance is not in a
position to throttle unaccelerated traffic to clear the way for accelerated connections.
However, the Appliance does not use bandwidth throttling.
Nevertheless, because it does not control all the traffic on the link, the full benefits of
transparent flow control and fair queuing will not be achieved. In practice, this means
that the accelerated applications will achieve the desired bandwidth, but latency con-
trol is up to the bottleneck gateway, and interactive responsiveness may suffer.
4.9 Redirector Mode
Figure 4-17 shows the packet flow and address mapping in redirector mode used by the
Repeater system. Redirector mode is a proxy mode that is transparent to applications
on the client:
• The client application thinks it is talking directly to the server. For this reason,
applications do not need to be reconfigured. (Redirector mode is thus an inter-
cepting proxy.)
• The Repeater Plug-in software redirects the packets to the Appliance.
• The Appliance once again redirects the packets to the server. Thus, from the
server’s point of view, the connection originates at the Appliance.
• The port numbers are not changed, so network monitoring applications can still
classify the traffic.
Unlike inline mode, redirector mode is an explicit, non-transparent proxy. The packets
are explicitly addressed to the Appliance, with the address of the endpoint server indi-
cated by TCP option fields. In addition, redirector mode is an asymmetric mode.
Repeater Plug-ins initiate redirector-mode connections to Appliances, but Appliances
do not initiate connections to Repeater Plug-ins.
Because of the explicit addressing, redirector mode never suffers from asymmetric
routing, which makes it simple to deploy.
[Figure: WCCP mode at two sites; at each site a switch connects to the LAN and a router connects to the WAN, with the Appliance attached to the switch]
WCCP mode was introduced in release 3.0 and was greatly expanded in release
4.2.17 and again in 4.3.
WCCP mode is an alternative to inline mode, and is the simplest way of dealing with
installations where inline operation is impractical. It is also useful where asymmetric
routing occurs: that is, when packets from the same connection arrive over different
WAN links. In WCCP mode, the routers use the WCCP 2.0 protocol to divert traffic
through the Appliance, either using a tunnel or, if the Appliance is on the same Ether-
net segment as the router, direct L2 forwarding. Such traffic is treated by the Appli-
ance as if it were received in inline mode.
A WCCP-mode Appliance requires only a single attached Ethernet port. It may be
deployed anywhere on the LAN, though ideally there would be no more than one
switch between the Appliance and the router, to minimize contention for LAN band-
width.
4.10 WCCP Mode
re-established. This heartbeat repeats every ten seconds. If the router sees thirty
seconds of failed “Here I Am/I See You” dialogs, it times out and stops using the
Appliance until contact is re-established.
When WCCP is used with high-availability mode, the primary Appliance contacts the
router using its own apA or apB management IP, not the virtual address of the HA
pair. On failover, the new primary Appliance contacts the router automatically, rees-
tablishing the WCCP channel. In most cases the WCCP timeout period and the HA
failover time will overlap, meaning that the network outage is less than the sum of
the two delays.
Only a single Appliance is allowed in a WCCP service group. This is enforced by the
Appliance. When a new Appliance attempts to contact the router, it will discover that
the other Appliance is handling the service group and cause an Alert. It will periodi-
cally check whether the service group is still active with the other Appliance, and will
handle the service group when the other Appliance becomes inactive.
4.10.2 Performance
WCCP-L2 is a high-performance mode and can be as fast as inline mode.
WCCP-GRE has somewhat lower performance than inline mode. The encapsulation/
decapsulation and checksum operations have some overhead, especially on the
router.
Usually, the router is the limiting factor in WCCP-GRE performance. With modern
routers, performance in excess of 155 mbps is readily achieved.
4.10.3 Limitations
• Inline and WCCP traffic should not be mixed on the same Appliance if this can be
avoided, due to the possibility of router loops. If this cannot be avoided, add the
following statement on the router interface connected to the Appliance:
ip wccp redirect exclude in
• On Appliances with more than one accelerated pair, all the traffic for a given WCCP
service group must arrive on the same accelerated pair.
If multiple routers are to use the same Appliance, then each is configured as shown
above.
Multicast operation. The routers and the Appliance are each given a multicast
address to use. Configuration is slightly different:
config term
ip wccp version 2
ip wccp 51 group-address 225.0.0.1
^Z
Router Forwarding
1. When “Auto” is selected, the preference is for Level-2 because it is more efficient
for both router and Appliance.
2. Routers in a unicast service group can negotiate different methods if
“Auto” is selected.
3. Routers in a multicast service group must all use the same method, whether
forced with “GRE” or “Level-2”, or, with “Auto,” as determined by the first router in
the service group to connect.
4. The incompatibility alert will announce that the router “has incompatible router
forwarding.”
Router Assignment
1. The default is Hash.
2. When “Auto” is selected the preference is for Hash, as it is the original and most
common method.
3. All routers in a service group must use the same assignment method.
4. For any service group, when this attribute is configured as “Auto”, then “Hash” or
“Mask” is selected when the first router is connected. “Hash” is chosen if the
router supports it, otherwise “Mask” is selected. Subsequent routers may be
incompatible with the auto-selected method. This can be minimized by manually
selecting a method common to all routers in the service group.
5. The incompatibility alert will announce that the router “has incompatible router
assignment method.”
6. With either method, the single appliance in the service group instructs all the routers in
the service group to direct all TCP packets to the appliance. Routers can modify
this with access lists or by selecting which interfaces to redirect to the service
group.
7. For the Mask method, the appliance negotiates the “source IP address” mask. We
do not provide any mechanism to select “destination IP address” or the ports for
either source or destination. The “source IP mask” does not identify any particular
IP address or range; the protocol provides no means to specify a specific IP address.
Router Status. On the router, the “show ip wccp” command will also show the status
of the WCCP link:
Router>enable
Password:
Router#show ip wccp
Global WCCP information:
Router information:
Router Identifier: 172.16.2.4
Protocol Version: 2.0
Service Identifier: 51
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 19951
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
4.11 Virtual Inline Mode
The Appliance can be deployed in a virtual inline mode where selected traffic is
redirected to the Appliance by a router using simple routing policies. This mode allows
zero rewiring and zero downtime.
In addition, virtual inline mode also provides an elegant solution for asymmetric rout-
ing issues faced when two or more WAN links are used.
Note that the fail-to-wire feature is effective only for inline mode. In virtual inline
mode, maintaining packet flow in the face of Appliance failure can be achieved with
high-availability pairs.
4.11.1.1 Example
Figure 4-21 shows a simple network where all traffic destined for the remote site is
sent to the gateway router.
Figure 4-21 Virtual inline example. Appliances are at 192.168.1.200 and 192.168.2.200.
[Figure 4-21 diagram: a router (port FE 1/0) and an Appliance at each site; Appliances at 192.168.1.200 and 192.168.2.200]
The router redirects WAN traffic to the Appliance so that it can be accelerated. This is
accomplished with policy-based routing (PBR) rules.
4.11.2 Configuration
The following are some configuration details for the example network:
• Endpoint systems have their gateways set to the local router (this is already true).
• Appliances have their default gateway set to the local router (using the
“Configure Settings->Management IP” field).
• Virtual Inline settings are on the “Configure Settings->Tuning” menu. (See Figure
4-22.)
• Routers are configured to redirect both incoming and outgoing WAN traffic to the
Appliance.
Figure 4-22 Virtual inline uses either “return to sender” or “forward to gateway” mode.
A typical method involves dedicating one of the router’s Ethernet ports to the Appli-
ance, then writing routing rules that are based on the Ethernet port on which packets
arrive. Packets that arrive on the interface connected to the Appliance are never for-
warded back to the Appliance; others can be.
The basic routing algorithm to be used is:
• Don’t forward packets from the Appliance back to the Appliance.
• If packet arrived from the WAN, forward to the Appliance.
• If packet is destined for the WAN, forward to the Appliance.
• LAN-to-LAN traffic should not be forwarded to the Appliance.
• If the “partial bandwidth” feature is used, all WAN traffic should be routed through
the Appliance.
• If the “full bandwidth” feature is used, only TCP-based WAN traffic need be routed
through the Appliance. However, there is no harm in routing all WAN traffic
through the Appliance.
Note: When considering routing options, keep in mind that returning data must
flow through the Appliance -- not just outgoing data. For example, placing the
Appliance on the local subnet and designating it as the default router for local sys-
tems will not work as a virtual inline deployment. Outgoing data will flow through
the Appliance, but incoming data will bypass it. To force data through the Appliance
without router reconfiguration, place the Appliance inline, along the only path
between the WAN and the systems to be accelerated.
A rule must be defined to test the availability of the unit, as shown in the example
below:
!-- Use a ping (ICMP echo) to see if the Appliance is connected
track 123 rtr 1 reachability
!
rtr 1
 type echo protocol ipIcmpEcho 192.168.1.200
rtr schedule 1 life forever start-time now
This rule pings the Appliance at 192.168.1.200 periodically. Routing rules can then test
track object 123 to see whether the unit is up.
Note that, for access lists, ordinary masks are not used. The masks are wildcard
masks; when reading a wildcard mask in binary, note that ‘1’ is considered a “don’t
care” bit.
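The basic routing algorithm above, the track-object test and the wildcard-mask note, combined into one added example that is not part of the guide: a model of the router's policy decision for the example network (local 10.10.10.0/24, remote 20.20.20.0/24, both from the text), with access-list matching done the way a wildcard mask works. The interface names fe0/0 and fe0/1, the packet fields and the `POLICY` layout are assumptions of this example.

```python
import ipaddress

def prefix_to_wildcard(prefix_len):
    """Cisco wildcard mask for a /prefix: the inverse of the subnet mask, so /24 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))

def wildcard_match(addr, network, wildcard):
    """Access-list match with a wildcard mask: a 1 bit in the mask is a 'don't care' bit."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)

def acl_line(number, proto, src_net, src_wc, dst_net, dst_wc):
    """Render an IOS extended access-list entry that uses wildcard masks."""
    return f"access-list {number} permit {proto} {src_net} {src_wc} {dst_net} {dst_wc}"

# Constructed policy for the example network (interface names assumed).
POLICY = {
    "local": ("10.10.10.0", prefix_to_wildcard(24)),
    "remote": ("20.20.20.0", prefix_to_wildcard(24)),
    "appliance_if": "fe0/0",     # router port dedicated to the Appliance
    "full_bandwidth": True,      # True: only TCP WAN traffic needs the Appliance
}

def pbr_next_hop(pkt, policy, appliance_up):
    """Decide whether the router hands `pkt` to the Appliance or forwards it normally,
    following the basic routing algorithm from the text. `appliance_up` stands for the
    state of track object 123 (the ICMP echo probe above).
    pkt: {"in_if": str, "src": str, "dst": str, "proto": "tcp" | "udp" | ...}"""
    if pkt["in_if"] == policy["appliance_if"]:
        return "normal"   # packets from the Appliance are never sent back to it
    if not appliance_up:
        return "normal"   # probe failed: route around the Appliance
    src_local = wildcard_match(pkt["src"], *policy["local"])
    dst_local = wildcard_match(pkt["dst"], *policy["local"])
    if src_local and dst_local:
        return "normal"   # LAN-to-LAN traffic stays off the Appliance
    from_wan = wildcard_match(pkt["src"], *policy["remote"])
    to_wan = wildcard_match(pkt["dst"], *policy["remote"])
    if not (from_wan or to_wan):
        return "normal"
    if policy["full_bandwidth"] and pkt["proto"] != "tcp":
        return "normal"   # only TCP benefits; partial-bandwidth mode would take everything
    return "appliance"

if __name__ == "__main__":
    outbound = {"in_if": "fe0/1", "src": "10.10.10.5", "dst": "20.20.20.7", "proto": "tcp"}
    print(acl_line(101, "tcp", "10.10.10.0", prefix_to_wildcard(24), "20.20.20.0", prefix_to_wildcard(24)))
    print("LAN -> WAN:", pbr_next_hop(outbound, POLICY, True))
    print("same packet coming back from the Appliance:",
          pbr_next_hop(dict(outbound, in_if="fe0/0"), POLICY, True))
    print("Appliance down:", pbr_next_hop(outbound, POLICY, False))
```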
[Figure 4-23 diagram: local network 10.10.10.0/24 with two routers (ports FE 0/0, FE 0/1, FE 1/0) and an Appliance at 192.168.1.200; remote network 20.20.20.0/24 with one router and an Appliance at 192.168.2.200]
Enterprises with multiple WAN links often have asymmetric routing policies, which can
require that an inline Appliance be in two places at once. Virtual inline mode solves
the asymmetric routing problem using the routers, which are configured to send all
WAN traffic through the Appliance, regardless of the WAN link used. A simple
multi-WAN link deployment example is shown in Figure 4-23.
The two local-side routers redirect traffic to the local Appliance. The fe0/0 ports for
both routers are on the same broadcast domain as the Appliance.
The Appliance can forward packets to its default router, or return packets to their
Ethernet origin (the router they came from). In this example, the latter option is pre-
ferred. In a more hierarchical network, one router might be preferred over the other,
and would be configured as the Appliance’s default router.
4.12 Group Mode
[Figure: local network 10.10.10.0/24 with two routers (ports FE 0/0, FE 0/1, FE 1/0) and two group-mode Appliances at 192.168.1.201 and 192.168.1.202; remote network 20.20.20.0/24 with one router]
Group mode was introduced in release 3.1. It allows two or more Appliances to be
grouped into a single virtual Appliance. Its main use is multi-link/multi-Appliance
installations where packets for a given connection will not always pass through the
same Appliance.
Group mode is one solution to the problem of “asymmetric routing,” which is defined
as any case where some packets in a given connection pass through a given Appli-
ance, but others do not. A limitation of the Appliance architecture is that acceleration
cannot take place unless all of the packets in a given connection pass through the
same two Appliances.
Group mode can be used with multiple or redundant links without reconfiguring your
routers.
Group mode applies only to the Appliances on one side of the WAN link; the local
Appliances neither know nor care whether the remote Appliances are using group
mode.
Figure 4-25 Group mode over redundant links
[Figure 4-25 diagram: group-mode Appliances on two redundant WAN links]
Figure 4-26 Group mode over non-redundant links with possible asymmetric routing
[Figure 4-26 diagram: group-mode Appliances on three WAN links]
[Figure: Campus A and Campus B, each running group mode, joined by a high-speed MAN link, with a WAN link from each campus to the rest of the network]
Two nearby sites can have Appliances that are part of the same group-mode group. This is used
when dynamic routing allows WAN packets to take the alternate route via the other nearby site,
bypassing the local Appliance. The high-speed link connects the group members. It needs to
have higher speed and lower latency than the WAN links.
Group mode uses a heartbeat mechanism to verify that other members of the group
are active. Packets are only forwarded to active group members.
Figure 4-28 Sending-side traffic flow in group mode. Traffic is returned to its original path for
delivery.
[Figure 4-28 diagram: “Group Mode (Sending Side) Does Not Disturb Original Routing Path”; steps 1-4 across two WAN links]
Legend
1. Traffic arrives at non-owning unit
2. Traffic is forwarded to owning unit
3. Owning unit accelerates traffic and returns it
4. Accelerated traffic is delivered
Figure 4-29 Receiving-side traffic flow in group mode. Traffic is returned to its original path
for delivery.
[Figure 4-29 diagram: “Group Mode (Receiving Side) Does Not Disturb Original Routing Path”; steps 1-4 across two WAN links]
Legend
1. Traffic arrives at non-owning unit.
2. Traffic is forwarded to owning unit
3. Owning unit accelerates traffic and returns it
4. Accelerated traffic is delivered
[Figure: group mode with a primary WAN link and a backup link; one member is set to send all traffic to its partner]
group member’s IP address in the “Member VIP” field. This is the IP address of the
port used by the other Appliance for group-mode communication.
3. Enter the other group member’s SSL common name in the “SSL common name”
column. (The SSL common name is listed on the other Appliance’s “Configure:
High Availability” page.)
If the group member is not part of a high-availability pair, the entry under “HA
Secondary SSL Common Name” will be blank.
b. The bottom button should read, “Disable Group Mode.” If it does not, enable
group mode by pressing the button.
7. Refresh the screen. The top of the page should list the group mode partners, but
complain about their status.
8. Repeat this procedure with the other members of the group. Within 20 seconds
after enabling the last member of the group, the “Group Mode Status” should go to
“NORMAL,” and the other group mode members should be listed with “Status:
On-Line” and “Configuration: OK.”
On a setup with a primary link and a backup link, the forwarding rules would send all
traffic to the Appliance on the primary link. If the primary link failed, but the primary
unit did not,
Figure 4-32 Forwarding rules
4.13 Compression
Repeater compression uses breakthrough technology to provide transparent
multi-level compression.
Repeater compression is true compression that acts on arbitrary byte streams. It is
not application-aware, is indifferent to connection boundaries, and can compress a
string optimally the second time it appears in the data. It supports compression at
any link speed.
Unlike most compression methods, the compression history is shared between con-
nections, meaning that data sent earlier by connection A can be referred to later by
connection B in lieu of retransmitting the data. This gives much higher performance
than can be achieved by conventional methods.
Large-history, multi-session compression technology erases the distinction between
“compressible” and “uncompressible” data. For example, a JPEG image is normally
considered “uncompressible,” but if it is sent twice by two different connections, the
second occurrence may be compressed by over 200:1. The entire image will be
replaced by a pointer referring to the data in the receiving Appliance’s compression
history.
Only payload data is compressed. However, headers are compressed indirectly. For
example, if a connection achieves 4:1 compression, only one full-sized output packet
will be emitted for every four full-sized input packets. Thus, the amount of header
data is also reduced by 4:1.
Compression makes good use of lossless flow control. A run of compressible data
might reduce 200 input packets to one output packet. This might be followed by data
that is not compressed successfully, and is sent as literal data. With flow control, the
TCP sender (the origin host) can be told to speed up or slow down by 200:1 almost
instantly. Ordinary TCP speeds up and slows down on a much coarser timescale,
making compression relatively useless. Neither the compressed connection nor any
other connection can speed up quickly enough to take advantage of the intermittently
reduced bandwidth load created by compression. Citrix flow control can and does.
Like most acceleration features, compression has virtually no configuration. It can be
enabled or disabled (on a global, per-port, or per-address basis), but there are no
actual compression parameters to configure. Compression self-adjusts to the current
traffic load.
Compression can use the Appliance’s disk as well as memory, providing up to 600 GB
of compression history.
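The following is an added toy model of the shared-history idea described above. It is example code written for this page, not Citrix code, and it is not the Appliance's actual algorithm: it stands in a content-addressed chunk cache (fixed 8 KB chunks identified by SHA-256, both of which are assumptions) for the real large-history matcher. It shows why a second copy of an "uncompressible" blob costs only a handful of pointer records, regardless of which connection carries it, and why a near-duplicate still pays for the chunk that changed.

```python
import hashlib
import os
import struct

CHUNK = 8192       # toy chunk size (assumption; the Appliance's real granularity is not documented here)
LITERAL = 0        # record tag: length + raw chunk bytes follow
REFERENCE = 1      # record tag: digest of a chunk already in the peer's history follows
DIGEST_LEN = 32    # SHA-256 digest length


class History:
    """Compression history of one acceleration unit: digest -> chunk bytes.
    One history per unit, NOT per connection: that is the whole point."""

    def __init__(self):
        self.chunks = {}

    def remember(self, chunk):
        digest = hashlib.sha256(chunk).digest()
        self.chunks[digest] = chunk
        return digest


class Sender:
    """Sending unit. Every connection it carries encodes against the same history."""

    def __init__(self):
        self.history = History()

    def encode(self, payload):
        wire = bytearray()
        for offset in range(0, len(payload), CHUNK):
            chunk = payload[offset:offset + CHUNK]
            digest = hashlib.sha256(chunk).digest()
            if digest in self.history.chunks:
                # Seen before on any connection: send a pointer instead of the bytes.
                wire += bytes([REFERENCE]) + digest
            else:
                self.history.remember(chunk)
                wire += bytes([LITERAL]) + struct.pack(">I", len(chunk)) + chunk
        return bytes(wire)


class Receiver:
    """Receiving unit. Mirrors the sender's history by remembering every literal it sees."""

    def __init__(self):
        self.history = History()

    def decode(self, wire):
        out = bytearray()
        pos = 0
        while pos < len(wire):
            tag = wire[pos]
            pos += 1
            if tag == LITERAL:
                (length,) = struct.unpack(">I", wire[pos:pos + 4])
                pos += 4
                chunk = wire[pos:pos + length]
                pos += length
                self.history.remember(chunk)
            elif tag == REFERENCE:
                digest = wire[pos:pos + DIGEST_LEN]
                pos += DIGEST_LEN
                chunk = self.history.chunks[digest]   # KeyError here means the histories diverged
            else:
                raise ValueError("corrupt record tag %d" % tag)
            out += chunk
        return bytes(out)


def ratio(payload, wire):
    """Compression ratio as the guide reports it: input bytes per output byte."""
    return len(payload) / len(wire)


def demo():
    """Send a constructed 64 KB 'image' over connection A, again over connection B,
    then a copy with one byte changed over connection C. Returns the three ratios."""
    sender, receiver = Sender(), Receiver()
    image = os.urandom(64 * 1024)   # constructed: random bytes, incompressible like a JPEG

    first = sender.encode(image)                       # connection A: all literals
    assert receiver.decode(first) == image
    second = sender.encode(image)                      # connection B: all references
    assert receiver.decode(second) == image

    edited = bytearray(image)
    edited[2 * CHUNK + 10] ^= 0xFF                     # one byte changed in the third chunk
    third = sender.encode(bytes(edited))               # connection C: 7 references + 1 literal
    assert receiver.decode(third) == bytes(edited)

    return ratio(image, first), ratio(image, second), ratio(edited, third)


if __name__ == "__main__":
    for label, r in zip(("first send", "second send", "edited copy"), demo()):
        print("%-12s %.1f:1" % (label, r))
```

With 8 KB chunks and 33-byte pointer records, the second send of the 64 KB blob is about 248:1, in line with the "over 200:1" figure above; the edited copy drops to under 8:1 because one whole chunk is sent as a literal again. Header overhead is not modelled here.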
HKLM\System\CurrentControlSet\Control\Citrix\WanScaler\EnableForSecureIca = 1
HKLM\System\CurrentControlSet\Control\Citrix\WanScaler\EnableWanScalerOptimization = 1
HKLM\System\CurrentControlSet\Control\Citrix\WanScaler\UchBehavior = 2
Branch Repeater Family Installation and User’s Guide, rel. 5.5-5.7 4-49
4.13 Compression
6. Verify acceleration. Start XenApp sessions over the accelerated link. On the
“Monitoring: Active Connections” page on the Appliances, accelerated ICA connections
should appear. A compression ratio of greater than 1:1 indicates that compression is
taking place.
XenApp compression dynamically switches between memory-based compression for
interactive tasks (mouse/keyboard/video, etc.) and disk-based compression for bulk
tasks (file transfer, printing, etc.). Compression ratios should increase as compression
history fills, increasing the amount of previously seen data that can be matched
against new data. XenApp compression provides several times as much data
reduction as unassisted XenApp, often exceeding 50:1 on repetitive bulk transfers,
such as printing or saving successive versions of the same document.
XenApp compression prevents users from interfering with each other, allowing high
link utilization without congestion.
The link generally runs at full capacity with compression enabled, provided that the
endpoint senders and receivers can keep up. On runs of compressed data, compression
ratios of 200:1 are not unusual. This gives a T1 link an effective speed of 300
Mbps for the duration of the compression “hit,” which may be megabytes in length.
This is higher than the sustainable I/O rate of many endpoint systems!
A compression-enabled Appliance can communicate with any number of other
Appliances simultaneously. These Acceleration Partners can support compression or
not in any combination.
Maximum compression performance will not be achieved until the disk storage of the
disk-based compression unit has filled, giving it a maximum amount of prior data to
match with new data.
The “Compression Status” page reports the system compression performance since
the system was started or the “Clear” button was used to reset the statistics.
Compression for individual connections is reported in the connection close messages
in the log:
4.14 CIFS (Windows Filesystem) Acceleration
(Table continued; the column headings are not present in this extract.)
Samba         Yes    No
Windows NT    Yes    No
*Windows Vista connections will be accelerated if Vista is used as the client or the server, but
not both. For example, a connection between a Vista desktop and a Windows 2003 server
will be accelerated, but a connection between a Vista desktop and a Vista server will not.
Note: Most third-party CIFS implementations emulate one of the servers or clients listed
above. To the extent that the emulation is successful, it will be accelerated or not, according
to the table above. If the emulation behaves differently from what the CIFS accelerator
expects, it will terminate CIFS acceleration for that connection.
CIFS acceleration supports the “NT LM 0.12” dialect, which is used by the vast majority of
CIFS implementations. Other dialects will not receive CIFS protocol acceleration, but will
still benefit from flow control and compression.
The behavior of CIFS acceleration with a given CIFS implementation cannot be known for
certain until it has been tested.
Small file reads and writes. Small-file enhancements center more around metadata
(directory) optimizations than data streaming. Native CIFS does not combine
metadata requests in an efficient way; CIFS acceleration does. As with large-file
acceleration, these optimizations are not performed unless they are safe; for
example, they will not be performed if the CIFS client was not granted an exclusive
lock on the directory.
Directory Browsing. Standard CIFS clients perform directory browsing in an
extremely inefficient way, requiring an enormous number of round-trips to open a
remote folder. CIFS acceleration reduces this to 2-3 round-trips.
By default, Windows file servers offer signing but do not require it, except for domain
servers, which require it by default.
To achieve CIFS acceleration with systems that require signing, you must change the
system security settings to disable this requirement. This is done from “Local Security
Settings.”
Windows 2003 Server (see Figure 4-35):
• Set “Microsoft network client: Digitally sign communications (always)” to
“Disabled”
• Set “Microsoft network server: Digitally sign communications (always)” to
“Disabled”
Windows 2000 Server (see Figure 4-36):
• Set “Digitally sign server communication (always)” to “Disabled”
• Set “Digitally sign client communication (always)” to “Disabled”
Another option, sealing, encrypts the data stream, which prevents CIFS acceleration.
Sealing is not enabled by default on Windows file servers.
If sealing has been enabled on your systems, it can be disabled by setting the options
on “Secure channel: Digitally encrypt secure channel data” options (on the same page
as the signing options) to “Disabled.”
In either case, the issue can be detected through the log file on the client-side
Acceleration unit:
CIFS Session from client <ip> to server <ip> cannot be accelerated for CIFS due to: server security settings.
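As an added example (written for this page, not part of the guide or the Appliance), here is a small Python routine that runs over client-side Acceleration unit log lines in the format quoted above and groups the servers whose sessions could not be accelerated by reason. The log lines it is fed are constructed for the example with RFC 1918 addresses; the reason text is captured generically, so any other reason the unit logs in the same sentence shape would be grouped the same way.

```python
import re
from collections import defaultdict

# The connection-close message shown above, as one log line. The reason is captured
# generically rather than hard-coding "server security settings".
CIFS_NOT_ACCELERATED = re.compile(
    r"CIFS Session from client (?P<client>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to server (?P<server>\d{1,3}(?:\.\d{1,3}){3}) "
    r"cannot be accelerated for CIFS due to: (?P<reason>.+?)\.?\s*$"
)


def summarize_cifs_failures(lines):
    """Return {server: {reason: sorted list of client IPs}} for every matching line.
    Lines that are not CIFS-acceleration failures are ignored."""
    report = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = CIFS_NOT_ACCELERATED.search(line)
        if m:
            report[m["server"]][m["reason"]].add(m["client"])
    return {server: {reason: sorted(clients) for reason, clients in reasons.items()}
            for server, reasons in report.items()}


# Constructed sample log lines (not captured from a real unit). The last line is a
# made-up unrelated entry, present only to show that non-matching lines are skipped.
SAMPLE_LOG = [
    "CIFS Session from client 10.1.2.30 to server 192.168.5.10 cannot be accelerated for CIFS due to: server security settings.",
    "CIFS Session from client 10.1.2.31 to server 192.168.5.10 cannot be accelerated for CIFS due to: server security settings.",
    "CIFS Session from client 10.1.2.30 to server 192.168.5.11 cannot be accelerated for CIFS due to: server security settings.",
    "some unrelated log line",
]

if __name__ == "__main__":
    for server, reasons in sorted(summarize_cifs_failures(SAMPLE_LOG).items()):
        for reason, clients in reasons.items():
            print(f"{server}: {reason} ({len(clients)} client(s): {', '.join(clients)})")
```

A server that appears here with reason “server security settings” is one whose signing or sealing policy still blocks CIFS acceleration, which is the first thing to check before touching the Appliance's own CIFS settings.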
Note: The CIFS status page is only meaningful on the Appliance closest to the
requesting system. The unit closest to the fileserver will show nothing on the CIFS
page. This is because the CIFS acceleration, as currently implemented, is performed
entirely by the unit closest to the requesting system. The other unit sees a stream
of CIFS traffic that is not easily distinguishable from ordinary traffic.
The top graph shows CIFS optimization, the ratio between the accelerated transfer
time and an estimate of the time the client’s original requests would have taken,
using the current bandwidth and RTT of the actual connection. A ratio of 100% shows
no CIFS acceleration, while 1000% shows a 10x speedup.
This graph only considers the boost that CIFS acceleration gives in addition to
ordinary Acceleration. (Since flow control gives a 2x-3x speedup over a typical link,
the “CIFS Optimization” graph may be under-reporting the benefit of installing
Appliances by a factor of 2-3.)
eration is enabled with the fileserver and client already up and running, no
acceleration will be seen for many minutes, until the pre-existing CIFS connections
are fully closed. CIFS connections are very persistent and last a long time before
closing themselves, even when idle. This is annoying during test, but has little
importance in normal deployment.
3. Dismounting and remounting a filesystem in Windows does not have the desired
effect, because Windows doesn’t really dismount the filesystem fully. Rebooting
the client or server will work. For a less invasive measure, use the “NET USE
devicename /DELETE” command from the Windows command line to fully dismount
the volume. In Linux, smbmount and umount will fully dismount the volume.
4. Disabling and then reenabling CIFS read and write optimizations in the Appliance
raises similar issues; existing connections will not become accelerated when CIFS
is enabled, and the number of “protocol errors detected” on the CIFS Status page
will increase briefly.
5. Only the Appliance furthest from the fileserver recognizes CIFS acceleration; the
other unit sees it as ordinary Acceleration. This is frequently confusing.
6. CIFS acceleration is not supported in proxy mode.
7. If CIFS acceleration does not take place with a Windows server, check its security
settings.
4.15.2 Configuration
Outlook acceleration is a zero-configuration feature that is enabled by default. (If
desired, it can be disabled by disabling acceleration on the MAPI service class on the
“Configure Settings: Service Class Policy” page.) Outlook acceleration will take place
automatically if the following conditions are met:
• There is an Appliance at the Exchange Server end of the WAN.
• There is an Appliance at the Outlook end of the WAN, OR the system running
Outlook is also running the Repeater Plug-in.
• All Outlook/Exchange traffic passes through the appliances.
• Either the Exchange Server or the Outlook are restarted (acceleration does not
begin until existing MAPI connections are closed).
• Encryption is disabled on Outlook.
and Microsoft Exchange. To disable encryption for multiple users via group policies,
4.16 SSL Compression (Release 5.7 Only)
Note: SSL Compression decrypts the encrypted data stream and, unless the User
Data Encryption option is used, it leaves a persistent cleartext record of the
decrypted data in the compression histories of both acceleration units. Verify that
your deployment and settings are consistent with your organization’s security
policies.
Note: When you enable SSL compression, the Appliance will stop attempting
compression with units for which SSL compression is not enabled, and with
non-authenticated units (whether Repeater, Branch Repeater, or Repeater Plugin).
This feature is thus best-suited for networks where all units are configured for SSL
compression.
Note: When you enable SSL compression, you must manually type in the Key
Store password each time the Appliance is restarted.
Note: This is not the same thing as encrypting all link traffic. Traffic that was
originally encrypted will remain encrypted, but non-encrypted traffic will not always
be encrypted. The Appliances do not attempt to encrypt non-accelerated traffic.
Since there is no absolute guarantee that any given connection will be accelerated
(various failures will prevent this), there is no guarantee that a given
non-encrypted connection will be encrypted by the Appliances.
[Figure (diagram): SSL split proxy mode; labels “Servers’ Credential” and “SSL
Signaling Connection”.]
SSL split proxy mode will be used in most instances, since it supports Temp RSA and
Diffie-Hellman, which are required by many applications. In SSL split proxy mode, the
server-side Appliance masquerades as a server to the client, and as a client to the
server. You install server credentials (a certificate/key pair) on the server-side
Appliance to allow it to act on the server’s behalf. You can also install optional client
credentials, which are used when the application requires client authentication.
To support multiple servers, multiple private key/cert pairs can be installed on the
Appliance, one per SSL profile. Special SSL rules in the service class definitions match
up servers to SSL profiles, and thus SSL profiles to credentials.
Due to the nature of a split proxy, the key/cert pairs and CA certificates do not
actually have to match those of the servers. They can be any credentials that the
client application will accept (valid credentials issued by a trusted authority). Note
that, in the case of HTTPS connections, Web browsers will issue a warning if the
common name does not match the domain name in the URL. In general, using copies
of the server’s credentials is the more trouble-free option.
[Figure (diagram): SSL transparent proxy mode; labels “Server’s Private Keys” and
“SSL Signaling Connection”.]
SSL transparent proxy mode (not to be confused with transparent mode on the
Repeater Plug-in) uses the server-side Appliance to masquerade as the server. The
server’s credentials (certificate/key pair) are installed on the server-side Appliance so
it can act on the server’s behalf. The server-side Appliance then configures the
client-side Appliance to handle its end of the connection. The server’s credentials are
not installed on the client-side Appliance.
True client authentication is supported in this mode, but Temp RSA and
Diffie-Hellman are not. SSL transparent proxy mode is suited for applications that
require client authentication if the following features are not required: Diffie-Hellman,
Temp RSA, TLS session tickets, SSL version 2. Also, session renegotiation must not
be attempted, or the connection will terminate.
To support multiple servers, multiple private keys can be installed on the Appliance,
one per SSL profile. Special SSL rules in the service class definitions match up servers
to SSL profiles, and thus SSL profiles to private keys.
Note: The “Acceleration: SSL” page has an unusual structure. It is divided into five
tabs, but instead of having tab icons at the top, it has buttons at the bottom. The
five tabs are: “Profiles,” “Manage CAs,” “Manage Keys,” “Import SSL,” and “Export
SSL.”
1. Hide the “Configure SSL Connection Guide.” These online instructions are less
comprehensive than the ones you are reading now and should be ignored. Press
the “Hide Guide” link at the upper right-hand corner of the online help block.
2. Install a crypto license. Without a crypto license, SSL Compression and User
Data Encryption are not available, and you will see a yellow warning message to
this effect on the “Acceleration Settings: SSL” page (see Figure 4-43).
a. Download a crypto license from MyCitrix (see Section 3.3.6)
b. Install the license via the “System Settings: License Management” page (see
Section 8.5.3).
c. Verify successful installation on the “Licensed Features” tab of the “System
Settings: License Management” page. The “Crypto License” heading should
appear in the Licensed Features table and the crypto license expiration date
should be in the future.
Figure 4-43 The SSL page before the crypto license is installed
3. Set a key store password, then open the key store. On the “Acceleration
Settings: Encryption” page, open the key store and assign a password to it. (You will
have to re-enter this password after every restart, so don’t forget it.) See
Figure 4-45.
4. (Recommended, but optional) Encrypt disk data by pressing the “Enable
Encryption” button. This will prevent disk-based compression history from being read
in case the unit is stolen or returned to the factory. The security of this feature
relies on the key store password not being compromised.
Note: If you use User Data Encryption, you will have to re-enter the key store
password after every restart, even if SSL compression is disabled.
Figure 4-45 The key store is open but encryption is not yet enabled.
6. Install credentials for the SSL signaling connection. The Appliances will use
these credentials to authenticate each other, and to encrypt communications
between each other. On each Appliance, acquire a CA certificate and certificate/
key pair for the SSL signaling connection. See the examples of certificate and key
generation in Section 4.16.3. When using self-signed certificates, the same
certificate can be used for the certificate and the CA certificate. When using proper
certificates, these two would be different, and their use would be the same as in your
other secure devices.
a. Install the CA Certificate. On the “Acceleration Settings: SSL” page, click the
“Manage CAs” button at the bottom of the page, then press the “Add” button.
Create a name for your CA certificate in the “Name” field. Use the “Input
Method” field to select whether you would like to upload the CA certificate as a
file or paste it into a text box, then install your CA certificate. Finally, press the
“Add” button again. See Figure 4-46. (See also Section 8.3.22.)
b. Install the Cert/Key Pair. This process is nearly identical to inserting the CA
Certificate. Press the “Manage Keys” button at the bottom of the page, then
press the “Add” button. Cert/key pairs are sometimes generated as a single
file and sometimes as two files. This page supports both formats. Choose the
one that fits your cert/key pair, add the cert/key pair, and press the “Add”
button again.
Figure 4-46 Adding security credentials.
7. Set up the SSL signaling connection on the Appliance. See Figure 4-47.
a. Enable Peer Connections. Select “Enabled” under “Peer State.”
b. Select Cert/key and CA for Signaling Connection. On the “Acceleration
Settings: Peers” page, specify the certificate/key pair and CA certificate store
you installed in the previous step.
c. Select Peer Authentication Method. Under “Certificate Validation,” select how
authorized peers are identified. “Signature/Expiration” is the default: that is,
the credentials are examined for authenticity based on their signature and
expiration date. Other options include “Signature/Expiration/Common Name
White List,” where the common name on the certificate must be present in a
whitelist (which appears below the radio button when this option is selected);
d. SSL Cipher Specification. This uses the OpenSSL syntax for specifying
acceptable ciphers for the signaling connection. The signaling connection carries key
information and should use a cipher specification suitable for this task, according
to the standards used by your organization. You can create a new specification
by clicking the link to the right of the text box.
e. Auto-Discovery. Peers are selected either by auto-discovery or through the
optional list of known peer IP addresses on the “Connect To” list. Select one
method or the other.
f. Publish Network Address Translation Addresses to Peers. If your network uses
NAT and your Appliance cannot be reached at its signaling address, enter the
address/port combination at which it can actually be reached here.
g. Listen On: This list specifies the addresses and ports on which the Appliance
will listen for signaling connections. If already defined, the Repeater Plug-in
signaling connection is the default. Otherwise, specify the address/port
combination here. The address needs to be on the same subnet as the accelerated
bridge, but different from the management IP on that subnet. Port 443 and
2312 are preferred.
h. Connect To: A list of IP:port pairs of remote hosts. This can be used in addition
to or instead of auto-discovery for identifying peers.
i. Press “Save.” This should allow the Appliances to open secure SSL signaling
connections with each other. (In fact, only one connection is needed, and it
does not matter which Appliance succeeds in opening this connection. But
configure both directions anyway.) This should happen after the next accelerated
connection alerts the Appliance that a remote Appliance is available for an SSL
signaling connection. At this point, the remote Appliance should appear on the
“Monitoring: Peer Status” page. If accelerated connections are being
established but the SSL signaling connection is not, check your settings.
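Step d above takes an OpenSSL-syntax cipher specification for the signaling connection, and the page gives no way to see what a given string actually selects before saving it. The following added example (written for this page, not Citrix code, and not run by the Appliance) expands a specification with Python's ssl module, which links the same OpenSSL cipher-string parser, and flags any selected suite whose name contains a token from a forbidden list. The forbidden tokens are this example's own choice, not a setting from the guide.

```python
import ssl


def expand_cipher_spec(spec):
    """Return the cipher suite names an OpenSSL cipher specification selects.
    Raises ValueError when the string selects nothing (OpenSSL: "No cipher can be selected")."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError as exc:
        raise ValueError(f"cipher spec {spec!r} selects no cipher: {exc}") from None
    # get_ciphers() also lists TLS 1.3 suites (names starting with "TLS_"), which OpenSSL
    # governs separately from the cipher string.
    return [c["name"] for c in ctx.get_ciphers()]


def check_cipher_spec(spec, forbidden=("NULL", "RC4", "MD5", "DES", "EXP")):
    """Expand spec and return (all selected names, names containing a forbidden token).
    The forbidden list is this example's choice, not a setting from the guide."""
    names = expand_cipher_spec(spec)
    flagged = [n for n in names if any(token in n for token in forbidden)]
    return names, flagged


if __name__ == "__main__":
    for spec in ("ECDHE+AESGCM:!aNULL:!MD5", "ALL"):
        names, flagged = check_cipher_spec(spec)
        print(f"{spec}: {len(names)} suite(s), {len(flagged)} flagged")
        for name in flagged:
            print("   flagged:", name)
```

The selected list depends on the OpenSSL build the Appliance uses, so treat the output of this check as a guide to the syntax rather than as the unit's exact result; the unit's own “Monitoring: Peer Status” page remains the place to confirm that the signaling connection was established with the specification you saved.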
8. Install credentials from your SSL server. Acquire copies of your server’s
certificate/private key pair and CA certificate and install them on the server-side
Appliance, using the “Cert/Key pairs” and “CA Certificates” tabs on the
“Acceleration Settings: SSL” page. The procedure is the same as adding cert/key
pairs and CA certificates for the signaling connection.
9. Set up a split-proxy SSL Profile for your SSL server. See Figure 4-48. (See
the next step for transparent proxy.)
a. On the server-side Appliance only, go to the “Acceleration Settings: SSL
Settings” page.
b. Click the “Add” button to add a new profile.
c. Profile Name. Type a profile name, usually the name of the server.
d. Profile Enabled. Check the “Profile Enabled” box.
e. Proxy Type. Select “Split.”
f. Virtual Host Name. If your SSL server uses more than one virtual hostname,
type the virtual hostname that matches the server credentials you supplied in
the “Virtual Host Name” field. Otherwise, you can leave it blank. (To support
multiple virtual hosts, you will create one SSL profile per hostname.) This
option is only effective with TLS.
g. CA Certificate Store, Certificate/Private Key. Select the credentials you
installed in the previous step for the “CA Certificate Store” and “Certificate/
Private Key” fields.
h. Build Certificate Chain. Causes the SSL certificate chain to be built by the
server-side Appliance. Enabled by default.
i. Certificate Verification. This option is the same as for peer verification. For
example, if “Signature/Expiration” is chosen, the CA certificate store and key/
cert pair you installed must have a valid signature and be unexpired, or this
profile will not be used.
j. Server-Side Proxy Configuration. Selects the protocols that are allowed when
talking to the server and specifies the ciphers.
k. Authentication required. If checked, the server’s credentials must match the
credentials used in this profile.
l. Renegotiation type. Allows SSL session renegotiation if checked. Disabled by
default because of the possibility of renegotiation exploits.
m. Client-Side Proxy Configuration. Selects the protocols, ciphers, and renegotia-
tion settings that are allowed when talking to the client-side unit.
10. (Optional) Create an SSL Transparent Proxy for your SSL server. SSL
transparent proxy is less commonly used because its strict requirements are matched
by fewer applications under their default configurations. However, Appliance
configuration is simple. On the server-side Appliance only, go to the “Profiles” tab of
the “Acceleration Settings: SSL Settings” page and create a profile:
a. Click the “Add” button to add a new profile.
b. Profile Name. Select a profile name for the “Profile Name” field.
c. Profile Enabled. Check the “Profile Enabled” box.
d. Proxy Type. Select “Transparent.”
e. Virtual Host Name (optional). If your SSL server uses more than one virtual
hostname, type the virtual hostname that matches the server credentials you
supplied in the “Virtual Host Name” field. Otherwise, you can leave it blank.
This option is effective only for TLS. To support multiple virtual host names,
create multiple SSL Profiles.
f. SSL Server’s Private Key. Select your server’s private key that you installed in
step 8 for “Private Key” field.
g. Press the “Add” button.
11. Create an SSL service class. On the server-side Appliance, go to the “Accelera-
tion Settings: Service Class” page and create a new service class with appropriate
SSL rules. We will take the example of an HTTPS server at 172.16.0.1:
Figure 4-49 SSL service class rules.
a. Create the Service Class. On the “Service Class” page, press the “Insert New
Service Class Rule” button. Type in a name for the new service class (for
example, “HTTPS (SSL)”) and press the “Create” button. The new service class
will appear at the top of the service class list.
b. Create a Rule. Click on the service class’s name and press the “New SSL Rule”
button. Specify the server’s IP address in the “SSL Server IP/Mask” field (in
this case, “172.16.0.1” or, equivalently, “172.16.0.1/32”). In the “SSL Server
Port Range” fields, specify a destination IP address of 172.16.0.1 and a port
address of 443 in the first field of the “Port Range” section.
c. Attach the Rule to an SSL Profile. Each SSL rule is attached to one or more SSL
profiles. Press the “Add” button and select the profile you created for this
server, then press the “Add” button.
The Repeater Plug-in supports both SSL split proxy and SSL transparent proxy. The
Plug-in ships without certificate/key pairs for the SSL signaling connection. If desired,
the same credentials can be used by all Plug-ins, or each Plug-in can have its own
credentials.
The Plug-in will not attempt SSL compression unless credentials have been installed.
A service class is a named group of IP addresses, port numbers, or both. For example,
a service class called “HTTP” might be defined as any connection with port 80 as the
destination port.
Acceleration features can be enabled or disabled on a service-class basis. Selectable
features currently include “flow control” (generally called “acceleration” in this
document), and compression.
4.17 Service Classes
Service class rules are evaluated on both Acceleration units. Only the features
common to both sets of rules are enabled. For example, if one unit specifies “Flow
control + compression,” and the other specifies only “Flow control,” then flow control
is enabled and compression is disabled.
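To make the two-unit rule concrete, here is an added example written for this page (not the Appliance's code). It models a service class as an ordered list of destination-network/port-range rules plus a feature set, classifies a connection on each unit, and enables only the features both units' matching classes have in common. The rule shape, first-match ordering, the absence of a catch-all default class, and the sample configurations (which reuse the 172.16.0.1:443 HTTPS example from the SSL service class procedure) are all assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One service-class rule: a destination network plus an inclusive destination port range."""
    network: ipaddress.IPv4Network
    port_lo: int
    port_hi: int

    def matches(self, dst_ip, dst_port):
        return (ipaddress.IPv4Address(dst_ip) in self.network
                and self.port_lo <= dst_port <= self.port_hi)


@dataclass(frozen=True)
class ServiceClass:
    name: str
    rules: tuple          # tuple of Rule; a connection matches the class if any rule matches
    features: frozenset   # subset of {"flow_control", "compression"}


def classify(service_classes, dst_ip, dst_port):
    """First service class (in configured order) with a matching rule, else None.
    First-match ordering and 'no default class' are assumptions of this toy model."""
    for sc in service_classes:
        if any(rule.matches(dst_ip, dst_port) for rule in sc.rules):
            return sc
    return None


def negotiated_features(local_classes, remote_classes, dst_ip, dst_port):
    """Features enabled for a connection: only those BOTH units' matching classes allow."""
    local = classify(local_classes, dst_ip, dst_port)
    remote = classify(remote_classes, dst_ip, dst_port)
    if local is None or remote is None:
        return frozenset()
    return local.features & remote.features


def rule(cidr, port_lo, port_hi):
    return Rule(ipaddress.IPv4Network(cidr), port_lo, port_hi)


ALL = frozenset({"flow_control", "compression"})

# Constructed configurations for the two units. They agree on HTTP, but the remote
# unit's HTTPS class allows flow control only.
LOCAL_UNIT = (
    ServiceClass("HTTPS (SSL)", (rule("172.16.0.1/32", 443, 443),), ALL),
    ServiceClass("HTTP", (rule("0.0.0.0/0", 80, 80),), ALL),
)
REMOTE_UNIT = (
    ServiceClass("HTTPS (SSL)", (rule("172.16.0.1/32", 443, 443),), frozenset({"flow_control"})),
    ServiceClass("HTTP", (rule("0.0.0.0/0", 80, 80),), ALL),
)

if __name__ == "__main__":
    for ip, port in (("172.16.0.1", 443), ("10.0.0.5", 80), ("172.16.0.2", 443)):
        enabled = sorted(negotiated_features(LOCAL_UNIT, REMOTE_UNIT, ip, port))
        print(f"{ip}:{port} -> {enabled or 'no matching class on both units'}")
```

The HTTPS connection ends up with flow control only, exactly the “Flow control + compression” versus “Flow control” case described above; a connection that neither unit classifies gets nothing in this model.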
In addition, statistics are gathered independently for each service class, making
monitoring and management easier. Service class statistics are reported twice: once
for the accumulated statistics since the unit was last restarted, and again for the
statistics since the last time the user reset the statistics. These statistics can be
reset at any time for convenience in testing.
Service classes have three top-level pages in the user interface: “Monitoring: Service
Class Statistics” (Section 8.2.5), “Configure Settings: Service Class” (Section 8.3.11),
and “Configure Settings: Service Class Policy” (Section 8.3.12).
4.19 Proxy Mode (Legacy Feature)
Proxy mode allows the Appliance to accelerate connections when it is not in line with
the data traffic. This makes acceleration independent of network topology. For
compatibility with other sites, proxying can also be used by inline Appliances.
4.19.0.1 Overview
For a connection to be accelerated, its data must pass through an Appliance at each
end. This happens automatically in inline mode, since the Appliances are between the
WAN and the target systems, and all data passing between these two systems must
pass through the two Appliances.
When the Appliance is not inline with the path between the two systems, packets
must be addressed to it explicitly. The mechanism for this is to assign a virtual IP
address (or VIP) to the Appliance. Applications use the virtual IP address instead of
the real IP address of the target system. For example, “ftp Alpha-proxy” is used
instead of “ftp Alpha.” The local Appliance responds to the virtual IP address and
forwards packets to the remote Appliance, which in turn forwards them to system
“Alpha.”
[Figure (diagram, proxy mode): Network A and Network B; labels Appliance-A,
Appliance-B, VIP "Beta-Proxy", VIP "Beta-Proxy-A", System "Alpha", System "Beta".]
Only traffic sent through two Appliances is accelerated. This configuration allows systems on
Network A to open accelerated connections with system Beta.
The user must remember to use a virtual IP address rather than the actual IP address of the
target system. For example, when initiating a connection from site Alpha:
ftp Beta          # Not accelerated (does not go through the Appliances)
ftp Beta-Proxy    # Accelerated (goes through the Appliances)
A proxy-mode Appliance can be anywhere; it does not have to be between the WAN
and the systems to be accelerated. Proxy mode makes it easier to reserve an
Appliance for specific, mission-critical uses, rather than using it for all traffic
(important or otherwise) passing between two Repeater-equipped systems. Only those
commands addressed to virtual IP addresses will be accelerated.
Figure 4-51 shows how proxy mode accelerates connections between two networks.
Any connection addressed to VIP address “Beta-Proxy” will create an accelerated
connection with system “Beta.”
Once the connection is opened, data flowing in the reverse direction is also
accelerated. That is, an “ftp Beta-Proxy” session will accelerate both get and put
commands. However, the proxy in Figure 4-51 does not allow systems on Network B to
open new accelerated connections with systems on Network A, since we have not yet
defined a VIP address that will serve as a proxy for a system on Network A.
Figure 4-52 shows a reverse connection that allows systems to open accelerated
connections with “Alpha” by addressing VIP “Alpha-proxy.”
A single Appliance can have any number of virtual IP addresses, limited only by the
number of unused IP addresses on its subnet.
[Figure 4-53 (table and diagram, partially recovered): diagram labels “Server”;
table columns “Case”, “Mode”, “VIP Points To”, “Mode”, “VIP Points To”; only the
first row survives in this extract: 1, Inline, -, Inline, -.]
Proxy mode is shown in Figure 4-53. In proxy mode, there are only two parameters to
configure: a VIP address and a server address. The server can be either a local server
or a remote server. This section explains how full proxies work. See Section 8.3.2 for
a description of the “proxies” page in the management interface.
A proxy connection can be used with the units either inline or out-of-line. In fact, one
end of the connection can be in inline mode and the other in proxy mode. The inline
unit requires no configuration at all.
This allows the simplicity of inline operation at remote offices, while allowing proxy
mode (with its greater control) in central offices.
All four cases of inline vs. out-of-line units are supported by proxy mode, as shown
in Figure 4-53.
• Case 1 is inline mode. The server’s actual IP address is used by the client. This
requires no configuration and no proxies. All traffic that can be accelerated will be
accelerated. The lack of configuration makes Case 1 desirable whenever the
network topology favors it and the desire is to accelerate all traffic between
Appliance-equipped sites.
• Case 2 shows the client operating in proxy mode, while the server uses inline
mode. No configuration is required on the server network. On the client side, the
proxy configuration defines a VIP on the local network whose target is the server
on the remote network. Applications use the local VIP instead of the server’s real
address. To the application on the client network, the server appears to be on the
local network. This mode provides targeted acceleration on the client network,
since only commands using a VIP will be accelerated. It also allows the client-side
Appliance to be placed anywhere, not just inline with the clients. The server
network accelerates all traffic that can be accelerated.
• Case 3 shows the client running in inline mode, while the server uses proxy mode.
On the server side, a VIP is defined that points to the server. Applications use this
VIP instead of the server’s real address. To the application on the client network,
the server still appears to be on the remote network, but at its virtual address, not
its real one. This configuration is especially useful for remote offices, because of
the lack of configuration at the client site, while the proxy configuration is
restricted to the home office, where there are presumably more IT resources.
Proxy mode becomes necessary if an important server cannot be placed inline
with an Appliance, for whatever reason. With proxy mode, the server can be
anywhere.
• Case 4 shows both units operating in proxy mode. The server side is identical to
case 3. On the client side, a VIP is defined that points to the server-side VIP (not
to the server itself). This VIP-to-VIP proxy ensures that the packets will pass
through both Appliances. To the application, the server appears to be on the local
network. This configuration combines the advantages and disadvantages of prox-
ies on the client and server sides. Any connections addressed to the client-side
VIP, from any source, will receive acceleration. The client doesn’t have to be on
the same network as the client-side Appliance; it can be anywhere. Similarly, the
server doesn’t have to be on the same network as the server-side Appliance.
4.19 Proxy Mode (Legacy Feature)
In Case 4, the VIP used by the application got the data into the client-side Appliance.
Now it must be forwarded to the server-side unit. This can be done using the
server-side VIP that we used in Case 3. Thus, a VIP-to-VIP proxy provides a handoff
between two non-inlined units. This is shown in Figure 4-54.
Figure 4-54 Proxy mode, showing VIP-to-VIP proxying.
[Figure: Network A and Network B joined by the WAN; VIP “A-Beta-Proxy” on Network A, VIP “B-Beta-Proxy” on Network B, hosts “Alpha” and “Beta”]
[Figure (chapter 5 opening, caption not recovered): labels Servers, VPN, Firewall, Repeater, Internet, Plug-in, Ordinary PCs]
5.1 About the Repeater Plug-in
• On the server side, the Appliance is a rack-mount unit that accelerates the traffic
from any number of servers. The Repeater 8500 Series, 8800 Series, and Branch
Repeater VPX currently support Repeater Plug-in deployments.
• The Plug-in is supported by Citrix Receiver 1.2 and up, and can be distributed and
managed by Citrix Receiver.
In transparent mode, the packets for accelerated connections must pass through the
target Appliance, much as they do in Appliance-to-Appliance acceleration.
5. The Appliance tags the SYN-ACK packet with a TCP header option that shows that acceleration will take place.
6. The Repeater Plug-in receives the SYN-ACK packet. The options in the packet headers indicate that the connection is accelerated. The Plug-in strips the options and passes the SYN-ACK packet to the application. The connection is now fully open and accelerated.
[Figure: transparent-mode connection labelled Src: 10.200.0.201, Dst: 10.0.0.50; labels Servers, VPN, Firewall, Repeater, Internet, Plug-in, Ordinary PCs]
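The tagging and stripping of steps 5 and 6, as an added example (not Citrix code and not the Plug-in's actual implementation): the Appliance appends a TCP header option to the SYN-ACK, and the Plug-in recognises the option, removes it, and repairs the data offset and checksum before the application sees the packet. The option kind (253, an RFC 4727 experimental value), its payload and all function names are assumptions; the two addresses are the ones in the figure.

```python
"""Added example (not Citrix code): tag a SYN-ACK with a TCP header option
(Appliance, step 5) and detect and strip it again (Plug-in, step 6).
Option kind 253 and its 2-byte payload are placeholders; the guide does not
say which option Citrix uses."""
import socket
import struct
from typing import List, Tuple

ACCEL_OPTION_KIND = 253            # placeholder, see module docstring
SERVER_IP, PLUGIN_IP = "10.0.0.50", "10.200.0.201"  # addresses from the figure
HDR = struct.Struct("!HHIIBBHHH")  # ports, seq, ack, offset, flags, win, csum, urg


def parse_options(raw: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TCP options area into (kind, data) pairs. EOL ends the list,
    NOP has no length byte, everything else is kind, length, data."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def build_options(opts: List[Tuple[int, bytes]]) -> bytes:
    """Serialise options and pad with EOL bytes to a 32-bit boundary."""
    out = bytearray()
    for kind, data in opts:
        out += b"\x01" if kind == 1 else bytes([kind, 2 + len(data)]) + data
    out += b"\x00" * (-len(out) % 4)
    return bytes(out)


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """One's-complement checksum over the IPv4 pseudo-header and the segment.
    A segment whose checksum field is already correct sums to 0."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    data = pseudo + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)) + segment
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def split_segment(segment: bytes):
    """Return (header fields, raw options, payload) using the data offset."""
    fields = list(HDR.unpack(segment[:HDR.size]))
    hlen = (fields[4] >> 4) * 4
    if hlen < HDR.size or hlen > len(segment):
        raise ValueError("bad TCP data offset")
    return fields, segment[HDR.size:hlen], segment[hlen:]


def build_segment(fields, options: bytes, payload: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Rebuild the segment with a data offset matching the new option length
    and a fresh checksum (the old one is invalid once options change)."""
    fields = list(fields)
    fields[4] = ((HDR.size + len(options)) // 4) << 4
    fields[7] = 0
    fields[7] = tcp_checksum(src_ip, dst_ip, HDR.pack(*fields) + options + payload)
    return HDR.pack(*fields) + options + payload


def tag_synack(segment: bytes, tag: bytes = b"\x00\x01") -> bytes:
    """Appliance side (step 5): append the acceleration option to a SYN-ACK."""
    fields, raw_opts, payload = split_segment(segment)
    opts = parse_options(raw_opts) + [(ACCEL_OPTION_KIND, tag)]
    return build_segment(fields, build_options(opts), payload, SERVER_IP, PLUGIN_IP)


def is_accelerated_synack(segment: bytes) -> bool:
    """Plug-in side (step 6): SYN and ACK set and the acceleration option present."""
    fields, raw_opts, _ = split_segment(segment)
    if fields[5] & 0x12 != 0x12:
        return False
    return any(kind == ACCEL_OPTION_KIND for kind, _ in parse_options(raw_opts))


def strip_accel_option(segment: bytes) -> bytes:
    """Plug-in side (step 6): drop the option so the application sees a normal SYN-ACK."""
    fields, raw_opts, payload = split_segment(segment)
    kept = [o for o in parse_options(raw_opts) if o[0] != ACCEL_OPTION_KIND]
    return build_segment(fields, build_options(kept), payload, SERVER_IP, PLUGIN_IP)


def sample_synack() -> bytes:
    """Constructed SYN-ACK from the server (port 445) to the Plug-in PC with the
    usual MSS, NOP, NOP, SACK-permitted options (8 bytes, no padding needed)."""
    fields = [445, 51515, 1000, 2001, 0, 0x12, 65535, 0, 0]
    opts = build_options([(2, struct.pack("!H", 1460)), (1, b""), (1, b""), (4, b"")])
    return build_segment(fields, opts, b"", SERVER_IP, PLUGIN_IP)
```

Stripping the tagged 32-byte header gives back the original 28-byte SYN-ACK byte for byte, checksum included.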
Figure 5-4 shows the packet flow and address mapping in redirector mode. Redirector
mode works differently from transparent mode:
• The Repeater Plug-in software redirects the packets by addressing them explicitly
to the Appliance. This means that, unlike transparent mode, the redirector-mode
Appliance does not have to transparently intercept all of the WAN link traffic.
Because accelerated connections are addressed to it directly, it can be placed any-
where, so long as it can be reached by both the Plug-in and the server.
• The Appliance performs its optimizations, then redirects the output packets to the
server, giving itself as the source of the packets. Thus, from the server’s point of
view, the connection originates at the Appliance.
• Return traffic from the server is addressed to the Appliance, which performs opti-
mizations in the return direction and forwards the output packets to the Plug-in.
• The destination port numbers are not changed, so network monitoring applica-
tions can still classify the traffic.
Note: Lists containing multiple Appliances are not recommended. The typi-
cal use case for the Repeater Plug-in is as a VPN accelerator, and the recom-
mended deployment for a VPN accelerator is to place a Repeater Appliance
inline with the VPN unit. This is the only Appliance that the Repeater Plug-in
should attempt to communicate with.
The Appliances each have a list of “acceleration rules” that are a list of target
addresses or ports that the Appliance is willing to accelerate. The Plug-in downloads
these rules from the Appliances and matches the destination address and port of each
connection with each Appliance’s rule set. If only one Appliance offers to accelerate a
given connection, then the selection is easy. If more than one Appliance offers to
accelerate the connection, then the Plug-in must choose one of these Appliances.
5.2 Deploying Appliances for Use With Plug-ins
However, Appliances can use any of the deployment modes described in Chapter 2,
with the exception of group mode. These modes are suitable for both Appli-
ance-to-Appliance and client-to-Appliance acceleration, and can be used for either
redirector or transparent mode.
tion is to put the Appliance in the same datacenter as the endpoint servers, to
ensure that no bottleneck link can exist between the Appliance and the servers.
Setting Acceleration Rules. This task is performed on the Appliance via the “Configure Settings: Repeater Plug-in: Acceleration Rules” tab.
Rules are evaluated in order, and the action (“Accelerate” or “Exclude”) from the first
matching rule is taken. For a connection to be accelerated, it must match an “Acceler-
ate” rule. Otherwise, the connection is made directly with the target server.
Figure 5-6 Setting Plug-in rules on the Appliance
5.2.6.1 Procedure
• On the “Configure Settings: Repeater Plug-in: Acceleration Rules” tab:
• Add an “Accelerated” rule for each local LAN subnet that can be reached by the
Appliance. That is, press the “ADD” button, specify “Accelerate,” and type in
the subnet IP/mask.
• Repeat for each subnet that is local to the Appliance.
• If you need to exclude some portion of the included range, add an “Exclude” rule and move it above the more general rule. For example, if 10.217.1.99 looks like a local address but is really the local endpoint of a VPN unit, create an “Exclude” rule for it on a line above the “Accelerate” rule for 10.217.1.0/24.
• If you wish to use acceleration only for a single port (not recommended), such as
port 80 for HTTP, replace the wildcard in the “Ports” field with this value. To sup-
port more than one port, add additional rules, one per port.
• In general, narrow rules (usually exceptions) should be listed first, then general
rules.
• Press the “Save” link. Changes will not be saved if you navigate away from this
page without saving.
• The default action is to not accelerate; only addresses/ports that match an “Accel-
erated” rule (before matching an “Excluded” rule) are accelerated.
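The first-match evaluation of these rules, as an added example (not Citrix code): it applies the guide's 10.217.1.99 / 10.217.1.0/24 example, flags an “Exclude” rule that is shadowed by an earlier, more general rule, and picks the leftmost Appliance with an established signaling connection whose rules offer acceleration (the ordered list of Sections 5.1 and 5.6). The Rule and Appliance classes, the function names and that tie-break reading are assumptions.

```python
"""Added example (not Citrix code): first-match evaluation of Repeater Plug-in
acceleration rules (Section 5.2) and selection among an ordered Appliance list
(Sections 5.1 and 5.6). Classes, function names and the tie-break are assumed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "Accelerate" or "Exclude"
    subnet: str                 # IP/mask as typed into the rule; a host is a /32
    port: Optional[int] = None  # None stands for the wildcard in the "Ports" field

    def network(self):
        return ipaddress.ip_network(self.subnet, strict=False)

    def matches(self, ip: str, port: int) -> bool:
        in_subnet = ipaddress.ip_address(ip) in self.network()
        return in_subnet and (self.port is None or self.port == port)


def evaluate_rules(rules: List[Rule], ip: str, port: int) -> bool:
    """Rules are checked in order and the action of the first match is taken.
    No match means the default action: do not accelerate."""
    for rule in rules:
        if rule.matches(ip, port):
            return rule.action == "Accelerate"
    return False


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule already
    covers their whole subnet and port. This is the ordering mistake the guide
    warns about: a narrow "Exclude" placed below the general "Accelerate"."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covers_net = later.network().subnet_of(earlier.network())
            covers_port = earlier.port is None or earlier.port == later.port
            if covers_net and covers_port:
                shadowed.append(i)
                break
    return shadowed


@dataclass
class Appliance:
    name: str
    rules: List[Rule] = field(default_factory=list)
    signaling_up: bool = True   # rules are only known once signaling is established


def choose_appliance(appliances: List[Appliance], ip: str, port: int) -> Optional[str]:
    """The Appliance list is ordered, leftmost first. Assumption: among the
    Appliances with a signaling connection, the leftmost whose rules accelerate
    the destination wins; None means the connection goes directly to the server."""
    for appliance in appliances:
        if appliance.signaling_up and evaluate_rules(appliance.rules, ip, port):
            return appliance.name
    return None


# Constructed rule set using the guide's own example: 10.217.1.99 is the VPN
# unit's local endpoint and must be excluded from the 10.217.1.0/24 rule.
RULES = [
    Rule("Exclude", "10.217.1.99/32"),
    Rule("Accelerate", "10.217.1.0/24"),
    Rule("Accelerate", "10.217.2.0/24", port=80),   # single-port rule (not recommended)
]
MISORDERED = [RULES[1], RULES[0]]   # general rule first: the exclusion never fires

if __name__ == "__main__":
    print(evaluate_rules(RULES, "10.217.1.99", 445))   # False: exclusion wins
    print(evaluate_rules(RULES, "10.217.1.10", 445))   # True
    print(evaluate_rules(RULES, "10.217.2.10", 443))   # False: only port 80 listed
    print(shadowed_rules(MISORDERED))                  # [1]
```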
There is very little Plug-in configuration. The Plug-in software is distributed as an executable file in .MSI (Microsoft Installer) format, which is downloaded or otherwise
copied onto the Plug-in PC as with any other software. Executing this file walks the
user through the installation process. A reboot is required before the Plug-in becomes
active.
The only configuration needed by the Plug-in is the list of Appliance addresses. This is a comma-separated list of IP addresses or DNS names; the two forms can be mixed.
You can customize the distribution file so that this points to your Appliances by
default. If you do this, the user does not need to enter any configuration information
at all. Otherwise, the user must enter the IP address of the Appliances.
If you define a DNS address that returns multiple IP addresses (which is a standard
practice), then you can define a single DNS address that will return the addresses of
all your Plug-in-capable Appliances. This allows you to add, remove, or move Appli-
ances without reconfiguring the Plug-ins.
Once installed, operation is transparent. Traffic to accelerated subnets is sent through
an appropriate Appliance; all other traffic is sent directly to the server. The user appli-
cation is unaware that any of this has happened.
5.3 Deploying Plug-ins
Note: The altered parameters in your edited .MSI file are only used on new instal-
lations. When existing Plug-in users update to a new release, their existing settings
are retained. Thus, after changing the parameters, you should advise your users to
uninstall the old version before installing the new one.
Best Practices: Create a DNS entry that resolves to the nearest Plug-in-enabled
Appliance. For example, define “Repeater.mycompany.com” and have it resolve to
your Appliance (if you have only one Appliance) or one of your five Appliances (if
you have five Appliances), based on the location of the DNS server. Build this
address into your Plug-in binary with Orca. When you add, move, or remove Appli-
ances, changing this single DNS definition on your DNS server will update the
Appliance list on your Plug-ins automatically.
You can also have the DNS entry resolve to multiple Appliances, but this is undesir-
able unless all Appliances are configured identically, because the Plug-in takes
some of its characteristics from the leftmost appliance in the list (especially, in
Release 5.7, SSL compression characteristics). This can lead to undesirable and
confusing results, especially if the DNS server rotates the order of IPs on each
request.
Installing Orca. There are many MSI editors. We will use Microsoft’s Orca MSI editor, which is part of Microsoft’s free “Platform SDK,” which can be downloaded from:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0baf2b35-c656-4969-ace8-e4c0c0716adb&DisplayLang=en
Download the PSDK-x86.exe version of the SDK and execute it. Follow the installa-
tion instructions.
Once the SDK is installed, the Orca editor must be installed. It will be under “Microsoft
Platform SDK\Bin\Orca.Msi”. Launch Orca.msi to install the actual Orca editor
(orca.exe).
Running Orca. The Orca documentation can be read at http://support.microsoft.com/kb/255905. We will discuss only the steps needed to edit the most important Plug-in parameters.
Launch Orca with “Start -> All Programs -> Orca”. This will give you a blank Orca win-
dow. Open the Repeater Plug-in MSI file with “File -> Open..”, as shown in Figure 5-7.
On the “Tables” menu, click “Property.” This page will list all the editable properties of the .MSI file. We are only interested in the two parameters shown in Figure 5-8.
To edit a parameter, double-click on its value, type the new value, and press Enter, as
shown in Figure 5-9.
When done, use the “File -> Save As..” command to save your edited file with a new
filename; for example, “test.msi”.
Note: Some users have seen a bug in Orca that causes it to truncate files to 1 MB. Check the size of the saved file. If it has been truncated, make a copy of the original file and use the “Save” command to overwrite the original.
5.3.3 Installation
Figure 5-10 Initial installation screen.
8. The Repeater*.msi file is an installation file. Close all applications and open windows, then launch the installer in the usual way (double-click on it in a file window, or use the “Run” command).
9. The installation program will ask you where to install the software. This direc-
tory will be used for both the client software and the disk-based compression
history. Together, they require a minimum of 350 MB of disk space.
10. Once the installer finishes, it may ask you to restart the system. After restarting, the Repeater Plug-in will start automatically.
Figure 5-11 Final installation screen.
notepad oem13.inf
Delete everything except the three lines at the top that start with semi-
colons. Save the file.
Other installation problems. If you have any difficulty with the installation step,
the problem is usually that existing networking, firewall, or antivirus software is inter-
fering with the installation. Usually, once the installation is complete, there are no fur-
ther problems.
If the installation fails, try these steps:
Make sure the Plug-in installation file has been copied to your local system.
13. The Repeater accelerator is now running. All future connections to accelerated subnets will be accelerated.
5.6 Repeater Plug-in Command Reference
The “Configuration” page contains the user-settable commands. These consist of:
• Accelerator Appliances (Must be set): The “Signaling Addresses” field speci-
fies the IP address of each Appliance that will be used by the Plug-in. If you have
more than one Appliance, this can be a comma-separated list (though this is not
the recommended configuration). This is an ordered list, with the leftmost Appli-
ances having precedence over the others. Acceleration will be attempted with the
leftmost Appliance for which a signaling connection can be established. Both DNS
addresses and IP addresses can be used.
The Diagnostics page reports the number of connections in different categories, and
other useful information.
• Accelerated Connections: The number of open connections between the
Repeater Plug-in and Appliances. This includes one signaling connection per Appli-
ance but does not include accelerated CIFS connections. Pressing “More” will pop
up a window with a brief summary of each connection. The fields are: Plug-in IP
and port, server IP and port, and amount of data transferred. (All of the “More”
buttons allow you to copy the information in the window to the clipboard, if you
want to share it with Support.)
• Accelerated CIFS Connections: The number of open, accelerated connections
with CIFS (Windows filesystem) servers. This is usually the same as the number of
mounted network filesystems. Pressing “More” gives the same information as with
accelerated connections, plus a status field that reports “Active” if the CIFS con-
nection is running with our special CIFS optimizations.
• Unaccelerated Connections: Open connections that are not being accelerated.
If you press the “More” button, you will see a brief description of why this connec-
tion was not accelerated. Typically, this is because no Appliance accelerates the
destination address, which is reported as “Service policy rule.”
• Opening/Closing Connections: Connections that are not fully open, but are in
the process of opening or closing (TCP “half-open” or “half-closed” connections).
The “More” button will provide more (but cryptic) details.
• Alerts: The number of current active Plug-in alert messages. Alerts are significant
error or warning messages. These can be listed by pressing the “More..” button or
cleared with the “Erase..” button.
• Memory Dumps. On certain errors, the Plug-in will exit and leave a core dump
behind. The “Perform Full Dumps” option allows core dumps to be long or short.
Full dumps are preferred by Support.
• Plug-in Name: The name of this Plug-in system as seen by the Appliances. Usu-
ally the same as the Windows hostname of the client system.
• Start Tracing/Stop Tracing. Your Citrix representative may ask you to make a
connection trace to help pinpoint problems. This button starts and stops the trace.
When you stop tracing, a window pops up showing the trace files. These should be
sent to your Citrix representative by the means they recommend.
• Clear Compression History. This feature should not be used.
• Clear Statistics. Pressing this button will clear the statistics on the Performance
tab.
• Console. A scrollable window with recent status messages, mostly connection
open/connection close messages, but also error and miscellaneous status mes-
sages.
• Open in Notepad. Allows you to view the status messages in a larger window, or,
if necessary, send them to Support.
Note: This tab is hidden until the “Show SSL Configuration” checkbox is
checked on the “Configuration” tab.
This tab is hidden by default. To enable it, you must first configure the Plug-in to con-
nect to an Appliance with SSL compression enabled. Once the signaling connection is
active, the “Show SSL Configuration” checkbox on the “Configuration” tab becomes
accessible. Check this box and press “Save.”
Figure 5-18 Enabling the “Certificates” tab (left). The “Certificates” tab (right).
Once the “Certificates” tab becomes visible, you can upload CA certificates and certif-
icate/key pairs (called “client certificates” on the tab).
To upload the CA certificate and certificate/key pair:
1. Click the “CA Certificate Management” radio button.
2. Press the “Import” button.
3. Upload a CA certificate. The certificate file must use one of the supported file types (.pem, .crt, .cer, or .spc; the examples given in Section 4.16.3 are in PEM format). A dialog box may ask you to “Select the certificate store you want to use,” presenting you with a list of keywords. Select the first keyword on the list.
4. Click the “Client Certificate Management” radio button.
6.1 About Branch Repeater VPX
The virtual environment allows you to add whatever functionality you like to the
server unit, with your choice of operating system and features. Whatever you
install, Branch Repeater VPX will accelerate its WAN traffic — network filesystem
access, Web traffic, backups, remote applications, database queries, and so on.
More than that, it will accelerate all the WAN traffic from every system in the
branch office. You can even deploy multiple virtual servers on the same machine,
consolidating your branch-office rack down to a single unit running multiple virtual
machines.
Figure 6-2 VPX use case #2: Accelerated branch-office server
[Figure: XenServer running Branch Repeater VPX and a branch-office server, connected over the WAN; branch-office users]
[Figure (caption not recovered): labels XenServers, WAN, and three instances of Branch Repeater VPX with a Datacenter Server]
4. VPN accelerator. By installing the VPN of your choice with Repeater VPX, you
have an accelerated VPN. (Note that, unlike the other configurations, the VPN vir-
tual machine is on the WAN side and Branch Repeater VPX is on the LAN side,
because Branch Repeater VPX needs to see the decrypted VPN traffic to achieve
compression and application acceleration).
Figure 6-4 VPX use case #4: VPN accelerator
[Figure: XenServer with a VPN virtual machine and Branch Repeater VPX, between the Internet and the datacenter servers]
6. WCCP deployment. The previous examples all used inline mode. “Single-ended”
modes can also be used. Traffic is sent to Branch Repeater VPX by the WAN router.
WCCP is the recommended mode for single-ended deployments.
Figure 6-6 VPX use case #6: WCCP deployment
[Figure: XenServer with Branch Repeater VPX and a server, connected to the Internet]
6.3 System Requirements and Provisioning
Minimal, default configuration. Not for production networks: 1 GB, 60 GB, 2 mbps, 1,000, 50 (table row; column headings not recovered)
CPU
• Performance does not scale linearly with additional CPUs. Two virtual CPUs are the
maximum recommended number. In most installations, performance is most sen-
sitive to the speed of a single CPU core.
Network
• Two virtual network interfaces are required. These will be bridged and used for
both acceleration and the browser-based user interface. These interfaces must be
attached to different virtual networks in XenCenter. Note that, for single-ended
operation, the second interface can be a stub, attached only to Branch Repeater
VPX.
• If a third virtual network interface is added, it provides an independent interface
to Branch Repeater VPX, and is the equivalent to the Primary port. It can be used
for the browser-based interface, but not for acceleration.
6.4 Virtual Ethernet Ports
Routing. XenServer virtual network routing can be used to connect other virtual
machines on the server to Branch Repeater VPX, but the simplest method of connect-
ing such virtual machines is to attach them to the server’s LAN-side Ethernet port.
WAN-bound packets will then pass through the Branch Repeater VPX’s bridge and be
accelerated automatically.
Figure 6-9 An inline deployment that accelerates both external traffic and traffic from local VMs.
[Figure: XenServer hosting Branch Repeater VPX and other VMs]
Branch Repeater VPX uses network licenses that are served remotely by the Citrix
License Server. You can use your existing license server or install a new one. The
Citrix License Server runs on Windows 2003 Server and Windows 2008 Server, and
requires a Web server (IIS or Apache) for the License Manager Console. Citrix License
Server is a free download, available at:
http://www.citrix.com/english/ss/downloads/details.asp?downloadId=1688507&productId=186
Note: The License Manager Console is not installed by default, but you will need it.
You should select it as part of the installation process.
You will receive a license file from your Citrix representative. Install this on your
license server in the usual way. For more information, see:
http://support.citrix.com/article/CTX114695
6.6 Initial Installation
4. Attach virtual network interfaces “interface 0” and “interface 1” to the two different virtual adapters (called “Networks” on this page). These two interfaces will be
used as Branch Repeater VPX’s accelerated bridge. Do not assign both virtual
adapters to the same network, or forwarding loops will be created and network
outages may be caused. In addition, do not attach the two physical Ethernet
ports associated with Branch Repeater VPX to the same Ethernet switch.
See Figure 6-13.
7. The newly created virtual machine will appear under the server. Select the icon for
the Branch Repeater VPX virtual machine. Go to the “Storage” tab and select
“Properties.” Adjust the disk allocation to the desired level. See Figure 6-15.
Note: If you change the disk allocation on the Branch Repeater VPX virtual
machine, the compression history will be resized and reinitialized. Its prior contents
will be lost.
Note: Do not attempt to change resource allocation while VPX is running. Stop VPX
first.
Note: Do not use the “Force Shutdown” or “Force Reboot” commands, as they may
not work and can cause problems. Use the “Shutdown” and “Reboot” commands
instead.
8. Right-click the “Branch Repeater VPX” icon and select “Properties.” Under “CPU
and Memory,” select 1-2 VCPUs and an amount of memory corresponding to a supported configuration. Use the table in Figure 6-7 as a guide.
9. Click on “Startup Options,” check the “Auto-start on server boot” checkbox. (The
OS Boot Parameters are not used).
10. After the virtual machine starts, go to the virtual machine console and log into the
command-line interpreter and set the IP parameters for the accelerated bridge,
using the following example as a guide:
Login: admin
Password: password
admin> set adapter apa -ip 172.16.0.213 -netmask 255.255.255.0 -gateway 172.16.0.1
admin> restart
Note: The default admin password has changed for release 5.6, and is now “password”.
11. After Branch Repeater VPX has restarted, log into the browser-based UI (login:
admin, password: password) using the IP address you assigned to apA, for exam-
ple:
https://172.16.0.213
12. On the “Configure Settings: IP Address” page, set the DNS address and hostname
and press “Update.” Wait for VPX to restart.
13. On the “Monitoring: System Status” page, enable bridging with the “Enable Bridg-
ing” button. This will pop up a warning dialog box to remind you that if the two
accelerated bridge ports are both connected to the same virtual or physical Ether-
net segment, network loops will be created which may bring down your entire net-
work. Check the network assignments in XenCenter, and if the two network
devices are connected to different Networks, press “OK.” Otherwise, shut down
the Branch Repeater VPX virtual machine and fix the network assignments first.
Figure 6-19 Double-checking network assignments in XenCenter
14. (When using local licenses: Branch Repeater VPX Express only) License the Branch
Repeater VPX by going to the “Local Licenses” tab on the “System Tools: Manage
Licenses” page and uploading the license file.
15. (When licensing via a central license server) License the Branch Repeater VPX by
going to the “System Tools: Manage Licenses” page and setting the following
parameters (See Figure 6-18):
• License Server Location: Remote.
• Remote License Server Address: Enter the IP address of your license server.
• Remote License Server Port: The default will work unless you chose a non-standard port for your license server.
• Model: Match the selection to the BW limit in your license; that is, “Citrix Branch Repeater V10” refers to a 10 mbps license.
• Press the “Apply” button and wait for the clock icon to count down to zero.
• Verify your license parameters on the “License Information” tab. (See
Figure 6-21.)
16. Complete the configuration as you would with any Branch Repeater installation.
Figure 6-20 License parameters on the Branch Repeater VPX
6.7 Additional Configuration
7.2 Ethernet Issues
Both Ethernet ports on the Appliance are wired as computer ports. Therefore:
• When an Appliance port is plugged into a switch, use a straight-through cable.
• When an Appliance port is plugged into a computer or router, use a cross-over
cable.
The uplink port on a switch can be thought of as having a built-in cross-over cable.
[Figure: cabling diagrams. Appliance port to a switch: straight-through (blue) cable; Appliance port to a router, DSL or cable modem, server or client: cross-over (orange) cable; existing cabling is kept on the switch/router and WAN/Internet sides. HA pair: blue straight-through cables to the LAN switch and the WAN switch.]
7.4 High-Availability Mode
When the Appliance comes back online, existing connections will continue as
non-accelerated connections. New connections will be accelerated in the usual way.
The spanning-tree protocol is not supported, and must be turned off on router ports
connected to the Appliances.
Figure 7-3 High-availability pairs can be deployed with inline (top), WCCP, or virtual inline (bottom) topologies.
[Figure: top, HA pair between the LAN switch and the WAN switch with blue straight-through cables; bottom, HA pair connected to a switch (to LAN) and a router (to WAN) with blue straight-through cables]
7.4.1 Requirements
To use HA, the two Appliances must meet the following criteria:
• They must use identical hardware, as given on the “System Hardware” entry on
the “Monitoring: System Status” page.
• They must both run the exact same software release.
• They must both be equipped with appropriate fail-to-wire (FTW) cards. To deter-
mine what is installed in your units, see the “Monitoring: System Status” page.
Units that do not support HA or which do not have an appropriate license will show a
warning on the “Configure Settings: High Availability” page.
Primary/secondary assignment. If both units are restarted, the first one to fully initial-
ize itself will become the primary. That is, the units have no assigned roles, and the
first one to become available takes over as the primary. The IP address is used as a
tie-breaker if both become available at the same time.
Connection termination during fail-over. TCP connections are terminated as a side
effect of fail-over. This includes both accelerated and non-accelerated sessions.
Non-TCP sessions are not affected, other than the delay caused by the brief period
(several seconds) between the failure of the primary unit and the fail-over to the sec-
ondary unit. To the users, the symptoms of failover will be the closing of open con-
nections, but their attempts to start new connections will succeed.
Configuration synchronization. The two units synchronize their settings to ensure that
the secondary is ready to take over for the primary. If the configuration of the pair is
changed through the browser-based interface, the primary unit updates the second-
ary unit immediately.
Both units must be running the same software release, or HA cannot be enabled.
HA in WCCP mode. When WCCP is used with an HA pair, the primary Appliance estab-
lishes communication with the router. The Appliance uses its management IP address
on apA or apB for this, not its virtual IP address. On failover, the new primary Appli-
ance will establish WCCP communication with the router.
The management pages for the secondary unit become unavailable once it is part of a high-availability pair.
Note: Pressing the “Update” button will terminate all open TCP connections.
Configuration Reference
This chapter describes the browser-based user interface of the Citrix Appliances.
Different Citrix acceleration products have different user interfaces:
• Repeater Appliances and Branch Repeater Appliances use the same browser-based interface, documented in this chapter.
• Branch Repeater with Windows Server has its own MMC (Microsoft Management
Console) user interface, described in the Branch Repeater With Windows Server
Installation and User’s Guide.
• The Repeater Plug-in has its own simplified user interface, which is covered in
Section 5.6.
• Release 5.7 substantially rearranges the left-hand menu bar. This document gen-
erally uses the menu structure in releases 5.5 and 5.6. See Section 8.1 for the
mapping between Release 5.7 and 5.5-5.6.
Note: Branch Repeater and Repeater Appliances have the same user interface.
Screen images from the two product lines are used interchangeably in this chapter,
and thus some images may say “Repeater” and others “Branch Repeater.”
8.1 Altered Menu Structure for Release 5.7
Figure 8-1 Comparison between rel. 5.7 and rel. 5.5 menu structures (Continued)
Release 5.7 menu | Release 5.5 menu | Section
Monitoring: QoS Statistics | Monitoring: QoS Statistics | 8.2.7
Deployment Settings: WCCP | Configure Settings: WCCP | 8.3.17
8.2 “Monitoring” Pages
The “Status” row identifies the product type (“Repeater 8500” in the example above)
and shows whether acceleration is NORMAL (enabled) or DISABLED. The “Enable” or
“Disable” button allows you to change this state. The user interfaces remain active
when acceleration is disabled.
Disabling acceleration will reset all open accelerated connections. New connections
will not be accelerated. New proxy-mode connections will not be accepted when accel-
eration is disabled.
Re-enabling acceleration has no effect on existing connections, but new connections
will be accelerated.
The “Throughput” row reports the current maximum bandwidth setting and the
licensed bandwidth limit. The “Adjust Using BW Scheduler” link takes you to the
Bandwidth Scheduler page, where the current setting can be changed (see Section
8.3.1). The licensed limit is changed with a new license key from Citrix (see Section
8.5.3).
This row reports throughput limits, not the throughput of currently open connections.
Second-by-second throughput is given on the Main page (see Section 8.2).
If separate send/receive rates have been enabled, both values will be shown here.
The “Up Time” row gives the elapsed time since the last restart.
The “Bandwidth Mode” shows the acceleration mode: Hardboost or Softboost, Full
Bandwidth or Partial Bandwidth.
The “Active Connections” row lists both accelerated and unaccelerated TCP connec-
tions. Non-TCP traffic is not listed.
An “Active” connection is one that has seen traffic in the last second.
The “Repeater Plug-in” row lists how many Repeater Plug-ins are using the Appliance,
and the maximum number of simultaneously active Plug-ins allowed by the license.
The “Software Version” row lists the release number, build number, and compilation
date of the software.
The “System Personality” row reports the model number of the Appliance.
The “Bypass Card Type” row gives the version number of the Ethernet bypass
(fail-to-wire) card in the system.
Tabs at the top of the page allow you to select a timescale to display: the last minute, hour,
day, week or month.
Accelerated Line Usage (light blue): Total accelerated line usage, including headers, ACK
packets, and retransmitted packets.
Accelerated Goodput (dark blue): Payload data, excluding retransmissions and headers.
Non-Accelerated (red): Non-accelerated traffic of all kinds (including data and overhead).
Compression is taking place during periods when the LAN traffic is higher than the
(compressed) WAN traffic. In the diagram above, periods of high compression are creating
data spikes of 2.5 Mbps in a WAN stream of about 400 kbps.
The “Monitoring: Usage Graph” page shows real-time throughput graphs for the WAN
and LAN sides of the Appliance. The graph defaults to a static display, but an
auto-refresh mode can be selected by clicking the “Toggle” link. Clicking the
left-arrow icon next to the graph shows information for one period further back in
time; clicking the right arrow, if present, moves the display one period forward in
time. See Figure 8-4.
The amount of time covered by the display varies from one minute to one month. The
shorter timescales are useful when setting parameters such as bandwidth limits or
service class rules; the longer timescales are useful for general monitoring.
Restarting the Appliance will cause all the graph data to be lost.
• Dark blue indicates accelerated “goodput,” or payload data.
• Light blue indicates the overhead of accelerated connections: packet headers,
acknowledgement packets (ACKs), and retransmissions.
• Red indicates non-accelerated traffic.
• The graphs are stacked, so the topmost point on the graph shows total acceler-
ated traffic (LAN-side graph) or total line usage (WAN-side graph).
The “Graph Settings” link takes you to the “Configure Settings: UI” page, which
allows you to change the graphing features, including the frequency of update and
whether separate graphs are shown for the sending and receiving directions. See Sec-
tion 8.3.9.
Clicking “Popup Graph” will create a new window containing a similar auto-refreshing
throughput graph. See Figure 8-4.
Figure 8-4 Popup performance graph
This page consists of a list of accelerated connections and a filter specification. The
list of accelerated connections identifies the IP and port numbers for the two endpoint
systems, gives information about the duration and data transferred in the connection
so far, and identifies the other Appliance (or Repeater Plug-in) in the connection.
Clicking on the IP address of an Acceleration Partner Appliance takes you to the man-
agement interface of that Appliance.
WAN/LAN graphs. These show only the traffic for the selected connection. Otherwise,
they are the same as the usual throughput graph.
Figure 8-8 Connection Details page. Top portion: graphs.
Detailed Connection Information table. See Figure 8-9. This table reports:
• Creation Time: the date and time when the connection was opened.
• Uncompressed Bytes Transmitted: the amount of data transferred in the connec-
tion so far (in both directions, before compression)
• Compressed Bytes Transmitted: the amount of data transferred in the connection
so far (in both directions, after compression)
• Effective Compression Ratio: the number of uncompressed bytes divided by the
number of compressed bytes. The value in parentheses is 1/(compression ratio).
• Duration: the elapsed time since the connection was opened.
• Idle Time: the elapsed time since the last data transfer.
• Status: The state of the TCP connection (Open, Closing, Closed, etc.). The code
after this state is for use by Support and is not documented here.
• Acceleration Partner: The IP address of the partner Appliance, as reported by the
Acceleration Partner itself.
Detailed Per-Endpoint Information table. See Figure 8-10. This table is primarily
for the use of Support and is not fully documented here. Some of the reported values
are not always accurate. In particular, the RTT value uses a counter-intuitive smooth-
ing algorithm and may give unexpected results.
The table reports values for both the local and remote sides of the flow, labeled “LAN
Endpoint” and “WAN Endpoint,” respectively.
Some of the more interesting values include:
• Send Rate Setting. The bandwidth limit in the sending direction.
• Send Rate Setting Constrained: The bandwidth limit as constrained by the Accel-
eration Partner, which may have a lower bandwidth limit or may be dividing its
bandwidth between multiple partners.
• Receive Rate Setting/Receive Rate Setting Constrained: As above, but in the
receiving direction.
• Smoothed Round-Trip Time: Do not use this value. This uses the standard TCP
RTT calculation, which behaves differently from what one would expect.
• Largest Receive Window: The largest advertised window used so far in the con-
nection. This is typically much larger on the WAN side than the LAN side, since the
long RTT of a WAN link requires a larger amount of in-flight data. This value tends
to grow as needed. (The default maximum is 8 MB on the WAN side and 64 KB on
the LAN side.)
• Total Wire Bytes Transmitted/Transmitted Good: The amount of data send, with
headers, payload, and retransmissions all counted equally. The loss rate can be
calculated from the difference between “transmitted” and “transmitted good.”
• Total Wire Bytes Received/Received Good: As above, but in the opposite direction.
(Note: Do not calculate loss rates by subtracting data received from data sent,
since that does not account for data still in flight.)
• Total Payload Bytes: As above, but with headers and retransmissions removed
from the calculation.
Figure 8-10 Connection Details page, “Detailed Per-Endpoint Information” table.
Note: In releases prior to release 3.3, the CIFS status pages are only meaningful
on the Appliance closest to the requesting system. The unit closest to the
fileserver will show nothing on these pages. This is because the CIFS acceler-
ation, as currently implemented, is performed entirely by the unit closest to the
client system. The other unit sees a stream of CIFS traffic that is not easily distin-
guishable from ordinary traffic.
In newer releases, the read and write traffic graphs are correct but the other infor-
mation is shown as zeroes on both graphs and tables.
The page has an auto-refresh toggle. The auto-refresh rate uses the same refresh
period as the main Usage Graph.
Connections. Clicking the “Connections” tab at the top of the page will cause a table
of CIFS connections to be displayed. These are divided into accelerated and
non-accelerated connections. Clicking the icon in the “Details” column will give
detailed information about this CIFS connection. See Figure 8-13. Clicking the
“Graphs” tab at the top of the page will return you to throughput graph mode.
Note: The term “non-accelerated” is used improperly on this page. In reality, all
connections listed on this page are benefiting from Acceleration. The connections
listed as “non-accelerated” are benefiting from normal Acceleration but not from
CIFS-specific optimizations. The ones listed as “accelerated” are benefiting from
CIFS-specific optimizations in addition to normal Acceleration.
“File Details” and Read/Write counters. When the Appliance is on the server side of
the link, the “File Details” entry always reads “Not Available” and the read and write
counters always read zero. Information about the connection can be obtained from
the client-side Appliance.
The “Reason” column. For so-called “non-accelerated” connections, a “Reason”
column gives a code specifying why CIFS optimizations were not used. The reason is
one of these:
1. The connection uses the Vista SMB 2.0 format, which is not supported.
2. CIFS optimizations are disabled on the Appliance.
3. Security settings on the connection prevent optimization.
binary data) and 10:1 or even more (where there is significant internal redun-
dancy, which often occurs in source code, Microsoft Office documents, etc.)
• Second-pass data generally gives compression ratios in excess of 10:1 and often
in excess of 100:1.
• If enough data has gone by, the first-pass copy will no longer be in compression
history when the object is sent again, and second-pass compression ratios will not
be seen.
• If the Appliance is communicating with many different Acceleration Partners, this
limits the amount of compression history that any one unit can have.
The compression status tab shows cumulative compression statistics rather than
second-by-second results. (Starting with release 4.1, this portion is on a separate tab
rather than at the bottom of the same page as the time chart.) The statistics can be
cleared at any time by pressing the “Clear” button. Statistics are reported separately
for the sending and receiving direction.
Figure 8-20 Compression status tab.
The compression ratios have their usual meaning (uncompressed bytes / compressed
bytes).
The “Effective Bandwidth” is the negotiated bandwidth limit (in the sending direction)
multiplied by the compression ratio in the sending direction. If factors other than link
speed (such as application speed) are the limiting factors in throughput, the “effective
bandwidth” will have little resemblance to actual throughput.
The “Bandwidth Reduction” values are a different way of expressing the same infor-
mation as the compression ratio. For example, a connection with 10:1 compression
has a bandwidth reduction of 90%.
Note: In some releases, the percentage bandwidth reduction values are displayed
incorrectly. They display (100 - percent_reduction) rather than the true value.
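The arithmetic behind these figures, as an added example that is not code from the guide or the appliance: the effective compression ratio and its inverse from the Connection Details table, the bandwidth reduction derived from that ratio (with a check for the inverted percentage some releases display), the loss rate taken from one endpoint’s “transmitted” and “transmitted good” counters rather than from sent-minus-received, and the effective bandwidth as negotiated send limit times send-direction ratio. The field and function names are this example’s own, and SAMPLE is a constructed set of counters.

```python
"""Arithmetic behind the Connection Details and Compression Status figures.

Added example; not the appliance's own code.  Function and field names are
this example's own, and SAMPLE is a constructed set of counters, not values
captured from a real appliance.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionStats:
    uncompressed_bytes: int     # both directions, before compression
    compressed_bytes: int       # both directions, after compression
    wire_bytes_tx: int          # headers + payload + retransmissions, one endpoint
    wire_bytes_tx_good: int     # the same counter minus retransmitted bytes


def compression_ratio(stats):
    """Effective compression ratio: uncompressed bytes / compressed bytes.

    Before any data has moved the ratio is undefined; report 1.0 (no
    reduction) instead of dividing by zero.
    """
    if stats.compressed_bytes == 0:
        return 1.0
    return stats.uncompressed_bytes / stats.compressed_bytes


def inverse_ratio(stats):
    """The value shown in parentheses on the page: 1 / (compression ratio)."""
    return 1.0 / compression_ratio(stats)


def bandwidth_reduction_pct(stats):
    """Bandwidth reduction as a percentage; 10:1 compression is a 90% reduction."""
    return 100.0 * (1.0 - inverse_ratio(stats))


def displayed_pct_is_inverted(displayed_pct, stats):
    """True when a displayed reduction equals (100 - true reduction), the
    inverted form some releases show, and differs from the true value."""
    true_pct = bandwidth_reduction_pct(stats)
    inverted = abs(displayed_pct - (100.0 - true_pct)) < 0.5
    correct = abs(displayed_pct - true_pct) < 0.5
    return inverted and not correct


def loss_rate(stats):
    """Fraction of wire bytes that were retransmissions, from one endpoint's
    transmitted / transmitted-good pair.  Do not derive loss by subtracting
    bytes received from bytes sent: data still in flight would count as lost.
    """
    if stats.wire_bytes_tx == 0:
        return 0.0
    return (stats.wire_bytes_tx - stats.wire_bytes_tx_good) / stats.wire_bytes_tx


def effective_bandwidth_kbps(negotiated_send_limit_kbps, stats):
    """Negotiated send limit times the send-direction compression ratio.
    Meaningful only when the link, not the application, is the bottleneck."""
    return negotiated_send_limit_kbps * compression_ratio(stats)


# Constructed sample: 50 MB of payload compressed to 5 MB, 1% of wire bytes
# retransmitted.
SAMPLE = ConnectionStats(
    uncompressed_bytes=50_000_000,
    compressed_bytes=5_000_000,
    wire_bytes_tx=5_250_000,
    wire_bytes_tx_good=5_197_500,
)

if __name__ == "__main__":
    print(f"ratio {compression_ratio(SAMPLE):.1f}:1 "
          f"(inverse {inverse_ratio(SAMPLE):.2f}), "
          f"reduction {bandwidth_reduction_pct(SAMPLE):.0f}%, "
          f"loss {100 * loss_rate(SAMPLE):.2f}%, "
          f"effective {effective_bandwidth_kbps(2000, SAMPLE):.0f} kbps "
          f"at a 2,000 kbps negotiated limit")
```

The check in displayed_pct_is_inverted is only a sanity test for the display bug noted above; when the true reduction is near 50% the inverted and correct values coincide and the check cannot tell them apart.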
The QoS graph shows the interaction between the different QoS queues in real time.
The tabs at the top of the page allow you to choose views covering the last minute,
hour, and day. The legend above the graph shows the five queue names and assigns
a color to each queue.
The graph is useful for monitoring the interaction between the different QoS queues,
and also for monitoring whether enough traffic is being offered to fill the link.
Only TCP traffic is shown on this graph.
Status: Meaning
Undefined interface: The interface defined for the service group does not exist.
Bad configuration: The service group configuration does not make sense.
Disable interface: The accelerated interface defined for the service group has been disabled.
Service Group is disabled: The service group has been manually disabled on the WCCP Configuration page.
Acceleration is disabled: The service group does not operate when acceleration is disabled.
Connecting to router: At least one packet has been received from the router, and WCCP protocol negotiations are underway.
Connected to router: Negotiation is complete and the WCCP interface is fully active.
Disconnecting from router: The Appliance is terminating its connection to the router, probably due to a user-initiated configuration change.
No response from router: The router has been completely unresponsive for at least five minutes.
Router’s forward or return capability mismatch: Cannot communicate with the router because the specified mode is not available. This usually means that the Appliance is configured for WCCP-L2 but the router does not support this mode.
Multicast failed to discover: No multicast group partners were found in the last five minutes.
Router’s view has other cache: Another WCCP device, such as another Appliance, is using the same service group. This is not allowed.
Router is off-net and appliance’s gateway is invalid: Packet forwarding cannot take place because the Appliance’s gateway is invalid (not on the same subnet as the Appliance).
Service group had socket send error: Internal software error. Please report this event to Support.
This page reports on the Repeater Plug-ins currently connected to the Appliance. The
list is similar to the Active Connections list and can be filtered and sorted in similar
ways. Pressing the “Details” link shows client connection details similar to those in
Figure 8-26.
These graphs will look different on the two Appliances, and from the main usage
graphs, since they show movement into and out of the MAPI engine, not actual traffic
on the WAN. The differences are caused by buffering.
This page allows you to monitor total ICA traffic (in the sending direction only) and
the list of ICA connections. The ICA connection list is similar to the Active Connection
list and can be filtered or sorted in the same way.
This page reports the SSL signaling connection status of peer Appliances or Repeater
Plug-ins that have been detected since the last restart. By default, only currently
connected peers are displayed, but this can be changed with the “Connection Status”
pull-down in the “Filter” table.
In the Peer table, each peer is listed by name and its IP address (not the signaling
address used by its SSL tunnel, which is not reported). Its connection status, length
of connection, and time since last contact are also reported. These all refer to the
secure signaling connection, which the units use to exchange security information,
not data connections. Click on the “Details” column for more information about a
given peer’s signaling connection.
Note: The “true/false” status in the “Secure” column means that a secure signaling
connection has been established and that new accelerated connections will be
encrypted. It does not mean that all traffic passing through the unit is encrypted,
because non-accelerated traffic is never encrypted by the Appliance.
Softboost and hardboost are two different bandwidth-control modes (see Section
4.3.1). Hardboost gives ideal performance over fixed-speed links. However, if the
hardboost bandwidth limit exceeds the link speed, it will send faster than the link
speed and produce high packet-loss rates and poor performance. This makes it
unsuitable for variable-speed links. Hardboost is also unresponsive to third-party QoS
systems.
Softboost is more responsive to packet loss and is forgiving of situations where the
bandwidth limit is higher than the link speed. In a congested environment, it will back
off in the face of competing traffic. This makes softboost more flexible in shared, con-
gested, and variable bandwidth environments, but also less aggressive in seizing
bandwidth.
These values set how much line bandwidth is used by accelerated connections.
8.3 The “Configure Settings” Pages
The sending bandwidth limit sets an upper limit to how fast the Appliance will send
accelerated data on the WAN. For example, if the limit is 5,500 kbps, the Appliance
will never send accelerated data faster than 5,500 kbps. This reduces congestion on
the WAN by not overrunning it.
The receive bandwidth limit is used indirectly. It is sent to acceleration partners,
which use it to adjust their sending rate. In essence, an appliance’s sending rate is
limited by its own sending limit or its partner’s receiving limit, whichever is smaller.
This is useful in hub-and-spoke and mesh topologies where each partner may have a
different link bandwidth. (See Section 4.3.2 for more about bandwidth allocation.)
The Full Bandwidth mode means that the Appliance will attempt to send accelerated
data at the bandwidth limit you set. Other traffic is forwarded immediately to the
output port, but is ignored for the purposes of bandwidth calculations. If the band-
width limit is set to the effective data rate of the link, non-accelerated traffic will com-
pete with accelerated transfers.
With softboost, this competition acts like any other TCP traffic. Hardboost, however, is
very aggressive and will suppress competing traffic unless room is made for it.
If the bandwidth limit is set lower than the link speed, the difference between the
bandwidth limit and the link speed is reserved for non-accelerated transfers. (See
Section 4.3.4.2.)
Note: Partial bandwidth should only be used on point-to-point links where the local
WAN router has a single LAN link and a single WAN link. More complex topologies
will confuse the partial bandwidth algorithm, causing it to back off unnecessarily,
reducing performance (possibly to zero).
Partial bandwidth is especially useful for hardboost links, because hardboost will
ignore any indications from your router-based QoS system that it should slow down.
Without partial bandwidth, hardboost might interfere with sensitive traffic like VoIP.
It is also useful for softboost links if you are not using router-based QoS to protect
your VoIP connections. If you are using router-based QoS, partial bandwidth is unnec-
essary.
How It Works
When partial bandwidth is enabled, non-accelerated traffic has priority. All packets for
non-accelerated connections are transferred immediately from the input port to the
output port. In addition, the non-accelerated traffic counts towards the bandwidth
limit, meaning that accelerated traffic backs off in the face of non-accelerated traffic.
This combination of immediate forwarding and backing off means that non-acceler-
ated traffic moves through the network as quickly as it would on an idle link.
With partial bandwidth, the bandwidth limit should be set to the effective data rate of
the link. 90%-95% of the nominal link speed usually works well. Non-accelerated
traffic can monopolize the link during peak periods; accelerated traffic will monopolize
the link when it is otherwise idle.
The effect of partial bandwidth is to make the presence of accelerated connections
invisible to non-accelerated traffic, while allowing accelerated traffic to use bandwidth
that would otherwise be wasted. This eliminates the need for bandwidth schedules,
which are normally used to back off the accelerated bandwidth limit during peak
usage hours.
Partial bandwidth considers only the traffic that passes through the Appliance. This
implies that the Appliance should be placed as close to the LAN/WAN boundary as
possible. Partial bandwidth is used only on the sending Appliance.
When used with the partial bandwidth option, this specifies a rate below which accel-
erated traffic will not back off. It defaults to zero, meaning that accelerated connec-
tions can be shut down entirely by non-accelerated traffic.
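The two rules described above, as an added example that models the documented behaviour rather than reproducing the appliance’s scheduler: an appliance’s effective send limit is the smaller of its own send limit and its partner’s receive limit, and under partial bandwidth the accelerated connections get whatever the non-accelerated traffic leaves of that limit, never less than the “do not back off below” rate. The function names and the per-second traffic samples are this example’s own constructions.

```python
"""Per-second bandwidth allowance for accelerated traffic.

Added example modelling the rules described above (send/receive limit
negotiation and partial bandwidth mode); it is not the appliance's scheduler.
The per-second traffic samples are constructed.
"""


def negotiated_send_limit_kbps(own_send_limit_kbps, partner_receive_limit_kbps):
    """An appliance sends no faster than its own send limit or its partner's
    advertised receive limit, whichever is smaller."""
    return min(own_send_limit_kbps, partner_receive_limit_kbps)


def accelerated_allowance_kbps(limit_kbps, non_accelerated_kbps, floor_kbps=0):
    """Rate accelerated connections may use this second under partial bandwidth.

    Non-accelerated packets are forwarded immediately and counted against the
    limit, so accelerated traffic gets whatever is left, but never less than
    floor_kbps (the rate below which accelerated traffic will not back off;
    its default of 0 lets non-accelerated traffic shut acceleration off
    entirely) and never more than the limit itself.
    """
    if limit_kbps <= 0:
        raise ValueError("bandwidth limit must be positive")
    if not 0 <= floor_kbps <= limit_kbps:
        raise ValueError("floor must lie between 0 and the bandwidth limit")
    remaining = max(0, limit_kbps - non_accelerated_kbps)
    return max(floor_kbps, remaining)


def simulate(limit_kbps, non_accelerated_samples, floor_kbps=0):
    """Allowance for each second of a series of non-accelerated rates."""
    return [accelerated_allowance_kbps(limit_kbps, n, floor_kbps)
            for n in non_accelerated_samples]


# Constructed: a 1,000 kbps local send limit against a partner that can
# receive 5,000 kbps, and seven seconds of non-accelerated traffic including
# a burst that exceeds the limit.
LIMIT_KBPS = negotiated_send_limit_kbps(1000, 5000)
NON_ACCELERATED = [0, 200, 600, 1000, 1200, 300, 0]

if __name__ == "__main__":
    print("floor 0:  ", simulate(LIMIT_KBPS, NON_ACCELERATED))
    print("floor 150:", simulate(LIMIT_KBPS, NON_ACCELERATED, floor_kbps=150))
```

With the floor left at its default of 0, seconds four and five of the sample show accelerated traffic driven to nothing by the non-accelerated burst; a floor of 150 kbps keeps it alive at that rate, at the cost of the link being briefly oversubscribed.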
The bottom table shows the schedules. The Appliance will use the first schedule that
matches both the time of day and the day of the week. See Figure 8-35.
Schedules are allowed to wrap around past midnight. For example, a schedule of
22:00-4:00 is valid. However, because the bandwidth scheduler performs a simple
AND of the day and time, weekday schedules are truncated at 23:59 on Friday, and
weekend schedules are truncated at 23:59 on Sunday.
Schedules are allowed to overlap. The first schedule in the list to match the current
day and time will be applied.
When making changes to a schedule, remember to press the “Update” button. If you
navigate away from a schedule without pressing “Update,” your changes will be lost.
These schedules have all the parameters of a system bandwidth schedule, and add
an entry for the management address of a remote Appliance. When talking to this
unit, the bandwidth value in the “Appliance to Appliance” table takes precedence over
that in the general table. This allows more bandwidth to be made available to favored
sites, or less to disfavored ones.
As with regular schedules, the bandwidth limit will be the default bandwidth or the
Appliance-to-Appliance bandwidth, whichever is less.
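The schedule-selection rules above (first match in list order, day and time ANDed independently so that a window wrapping past midnight is cut off at 23:59 on the last listed day, and the Appliance-to-Appliance value applied as the lesser of the two limits), as an added example that models them; it is not the appliance’s code. It assumes, where the guide does not say, that a window is inclusive of both ends at one-minute resolution and that the configured base limit applies when no schedule matches. The schedules, the partner address and the timestamps are constructed.

```python
"""Bandwidth-schedule selection as described for the Bandwidth Scheduler page.

Added example modelling the documented rules; it is not the appliance's code.
Assumptions the guide does not state: a window is inclusive of its start and
end at one-minute resolution, and when no schedule matches the configured
base bandwidth limit applies.  The schedules and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time

WEEKDAYS = frozenset(range(5))       # Monday=0 .. Friday=4
WEEKEND = frozenset({5, 6})          # Saturday, Sunday


@dataclass(frozen=True)
class Schedule:
    days: frozenset                  # weekday numbers the schedule applies on
    start: time                      # HH:MM
    end: time                        # HH:MM; earlier than start means the window wraps
    kbps: int                        # bandwidth limit while the schedule is in force

    def matches(self, when):
        # Day and time are ANDed independently, as the guide describes.  A
        # 22:00-04:00 weekday window therefore still covers Monday 02:00 but
        # stops at 23:59 on Friday, because Saturday is not a listed day.
        if when.weekday() not in self.days:
            return False
        now = when.time().replace(second=0, microsecond=0)
        if self.start <= self.end:
            return self.start <= now <= self.end
        return now >= self.start or now <= self.end     # wraps past midnight


def scheduled_limit(schedules, when, default=None):
    """First schedule in list order that matches wins; overlaps are allowed."""
    for schedule in schedules:
        if schedule.matches(when):
            return schedule.kbps
    return default


def effective_limit(system_schedules, partner_schedules, when, base_kbps):
    """Limit for traffic to one partner: the system schedule result, reduced
    to a matching Appliance-to-Appliance value when that is smaller."""
    system = scheduled_limit(system_schedules, when, base_kbps)
    partner = scheduled_limit(partner_schedules, when)
    return system if partner is None else min(system, partner)


def at(stamp):
    """Parse a constructed 'YYYY-MM-DD HH:MM' timestamp."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


# Constructed schedules: office hours capped, weeknights opened up, and one
# partner (identified on the real page by its management address) held lower.
BASE_KBPS = 5000
SYSTEM = [
    Schedule(WEEKDAYS, time(8, 0), time(18, 0), 2000),
    Schedule(WEEKDAYS, time(12, 0), time(14, 0), 500),     # shadowed by the entry above
    Schedule(WEEKDAYS, time(22, 0), time(4, 0), 10000),    # wraps past midnight
]
PARTNER_172_16_0_200 = [Schedule(WEEKDAYS, time(8, 0), time(18, 0), 1000)]

if __name__ == "__main__":
    for stamp in ("2024-01-10 10:00", "2024-01-12 23:30",
                  "2024-01-13 02:00", "2024-01-08 02:00"):
        when = at(stamp)
        print(stamp, when.strftime("%a"),
              "system", scheduled_limit(SYSTEM, when, BASE_KBPS),
              "to partner", effective_limit(SYSTEM, PARTNER_172_16_0_200, when, BASE_KBPS))
```

Note that Saturday 02:00 falls back to the base limit even though the weeknight window nominally runs until 04:00, which is the truncation described above; if the night rate is wanted on Saturday morning, a separate weekend schedule starting at 00:00 is needed.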
In proxy mode, the Appliance masquerades locally as the remote system. Traffic for
the remote system is then forwarded to a remote Appliance and then to the remote
system itself.
Proxying involves address translation. The addresses are entered in the Proxy Config-
uration page.
With a proxy connection, one end of the connection may be left in inline mode. When
this is done, the inlined Appliance requires no configuration.
When you enter a new proxy definition, the Appliance pings the target address when
you press the “Add” button. If the ping is unsuccessful, a warning icon is displayed
and the target address is shown in red. However, the proxy entry is still active. On
paths where pings are blocked but TCP traffic is not, the proxy definition will work in
spite of the warning icon. See Figure 8-37.
Figure 8-37 The warning symbol means that the target does not respond to pings, but the
proxy entry is still active. If pings are being blocked, this warning means nothing.
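Because the page only pings the target, a red entry says nothing about whether the server port the proxy will forward to is reachable. The following added example (not part of the guide or the appliance) probes each proxy target with a TCP connect instead, which is the check that actually matters on paths where ICMP is filtered. The listener it starts is a constructed stand-in for a real server, and the VIP addresses are those used in the figures below.

```python
"""Probing a proxy target over TCP instead of ICMP.

Added example, not part of the guide.  The Proxy Configuration page only
pings the target, so a red entry may still work where ICMP is filtered; this
probe confirms the TCP port the proxy entry will actually forward to.  The
listener started by demo() is a constructed stand-in for a real server, and
the VIP addresses are the ones from the figures.
"""
import socket
import threading


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                 # refused, unreachable, or timed out
        return False


def check_proxy_entries(entries, timeout=2.0):
    """entries: (vip, server_ip, server_port) triples -> {vip: reachable}."""
    return {vip: tcp_reachable(server, port, timeout) for vip, server, port in entries}


def stub_server():
    """Constructed stand-in target on an ephemeral loopback port; accepts and
    immediately closes each connection, which is enough for the handshake."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:         # listener closed: stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def unused_loopback_port():
    """A loopback port nothing is listening on, to show a failed probe."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def demo():
    """Probe one live and one dead target; returns {vip: reachable}."""
    srv = stub_server()
    live_port = srv.getsockname()[1]
    entries = [
        ("10.0.0.152", "127.0.0.1", live_port),               # "Alpha-Proxy" -> stub server
        ("10.0.0.153", "127.0.0.1", unused_loopback_port()),  # "Anvil-Proxy" -> nothing listening
    ]
    try:
        return check_proxy_entries(entries, timeout=1.0)
    finally:
        srv.close()


if __name__ == "__main__":
    for vip, ok in demo().items():
        print(f"{vip}: {'TCP reachable' if ok else 'NOT reachable over TCP'}")
```

In a real deployment the second element of each entry is the server address from the proxy table and the port is the service the users will actually connect to, run from a host on the same side of the WAN as the proxying Appliance.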
A proxy entry requires two IP addresses: the IP address of the server and the local
VIP address that you assign to the server.
Figure 8-38 Proxy configuration, allowing Network B to access Alpha and Anvil.
Figure 8-38 diagram: Appliance-B (Mgmt Addr 172.16.0.200) on one side of the WAN with System "Beta" (172.16.0.1) on Network B; Appliance-A (Mgmt Addr 10.0.0.150) on the other side, with VIP Addr "Alpha-Proxy" 10.0.0.152 and VIP Addr "Anvil-Proxy" 10.0.0.153 standing in for System "Alpha" (10.0.0.51) and System "Anvil" (10.0.0.60) on Network A.
Figure 8-38 shows a configuration that allows users of Network B to access two serv-
ers on Network A: Alpha and Anvil. This corresponds to Case 2 in Section 4.19.0.2.
This takes care of connections initiated by the inline site. But the reverse connection,
“ftp Beta”, requires its own configuration, since the packets will not flow through
Appliance-A unless they are sent to it via a virtual IP address. Another virtual IP entry
must be configured, this time pointing to the server on the remote network. This is
shown in Figure 8-39 and corresponds to Case 3 in Section 4.19.0.2. It illustrates a
general point about proxies: the target system does not have to be on the same
network as the Appliance. See Figure 4-51.
The final example, in Figure 8-40, shows a proxy configuration where neither unit is
inlined. This corresponds to Case 4 in Section 4.19.0.2.
Figure 8-39 diagram: Appliance-B (Mgmt Addr 172.16.0.200; VIP Addr "Beta-Proxy" 172.16.0.201); Appliance-A (Mgmt Addr 10.0.0.150; VIP Addr "Beta-Proxy-A" 10.0.0.154); System "Beta" 172.16.0.1; System "Alpha" 10.0.0.51 and System "Anvil" 10.0.0.60.
Figure 8-40 diagram: Appliance-B (Mgmt Addr 172.16.0.200; VIP Addrs "Beta-Proxy" 172.16.0.201, "Alpha-Proxy-B" 172.16.0.202, "Anvil-Proxy-B" 172.16.0.203); Appliance-A (Mgmt Addr 10.0.0.150; VIP Addrs "Alpha-Proxy" 10.0.0.152, "Anvil-Proxy" 10.0.0.153, "Beta-Proxy-A" 10.0.0.154); System "Beta" 172.16.0.1; System "Alpha" 10.0.0.51 and System "Anvil" 10.0.0.60.
Figure 8-41 Appliance-A configuration. The third entry is the first part of a VIP-to-VIP proxy
between Appliance-A and Appliance-B.
Figure 8-42 Appliance-B configuration. Additional VIP addresses have been defined for Alpha
and Anvil.
Each Ethernet interface used by the Appliance is listed here, along with its speed (10,
100, or 1000 Mbps), its duplex setting (full or half), and its auto-negotiation state
(auto or forced to a specific mode).
Note: Auto-negotiation failures on Fast Ethernet (100 Mbps) networks are the most
common cause of performance problems with Appliances. These are caused by a
flaw in the Fast Ethernet Specification. See Section 7.2.2.2 for more information.
A pull-down menu allows you to reset the modes of the individual Ethernet ports.
Changes do not take effect until you click the “Update Adapter Configuration” button.
Clicking on the individual adapter links (such as eth1) will open the Detailed Informa-
tion page for the adapter, which is shown in Figure 8-44.
The table offers “More Info” links for bridged adapters (that is, the two adapters used
in inline mode) and individual flows. (A flow is the set of all accelerated connections
between a given pair of Appliances.) The statistics for bridged adapters and individual
flows are similar to those for individual adapters, with summary tables and sec-
ond-by-second graphs.
Figure 8-44 Ethernet adapter detailed information page, top half.
This page contains a number of TCP-oriented settings, including which ports are
accelerated, TCP window scaling limits, connection timeouts, etc. The individual set-
tings are listed below.
Note: Unlike the other pages, the buttons on the Tuning page are greyed out until
you change a parameter.
There are two tuning settings: the WAN scale limit and the LAN scale limit. These set
the TCP window scaling option between the two Appliances (see RFC 1323). The default
LAN scale limit is 16, corresponding to a 64 KB (2^16 bytes) advertised window. The
default WAN scale limit is 23, corresponding to an 8 MB (2^23 bytes) advertised window.
These values rarely need to be changed from their defaults, though in WANs with a
very high bandwidth-delay product the WAN scale limit may need to be increased,
while on a WAN with a very low bandwidth-delay product it may need to be
decreased. The rule of thumb is to choose a WAN scale limit whose window is at least
2-3 times the bandwidth-delay product.
For example, a 200 Mbps link with a 500 ms RTT has a bandwidth-delay product of
100,000,000 bits. Doubling this gives 200,000,000 bits, or 25,000,000 bytes. This is
larger than the default 8 MB window. Increasing the WAN scale limit to 25 (2^25 bytes,
or 32 MB) would accommodate it; 24 (16 MB) would not.
Increasing these limits under other circumstances will not increase performance and
will only waste memory.
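The calculation above, generalized to any link, as an added example rather than the appliance’s own logic: it computes the bandwidth-delay product in bytes, applies the 2-3x rule of thumb, and returns the smallest scale limit whose window (2^N bytes, in the guide’s convention) is large enough, together with whether that means raising or lowering the default. The flooring of the result at the LAN default is this example’s choice, and the links other than the guide’s 200 Mbps/500 ms case are constructed.

```python
"""Choosing the WAN scale limit from the bandwidth-delay product.

Added example; it applies the guide's rule of thumb (a window of 2-3 times
the bandwidth-delay product) using the guide's convention that a scale limit
of N means a 2**N-byte advertised window.  It is not the appliance's code,
and the entries in LINKS other than the 200 Mbps / 500 ms case are constructed.
"""
import math

DEFAULT_LAN_SCALE = 16      # 64 KB window
DEFAULT_WAN_SCALE = 23      # 8 MB window
MULTIPLE = 2.0              # lower end of the 2-3x rule of thumb


def bdp_bytes(link_mbps, rtt_ms):
    """Bandwidth-delay product in bytes: bits sent during one RTT, over eight."""
    if link_mbps <= 0 or rtt_ms <= 0:
        raise ValueError("link speed and RTT must be positive")
    return link_mbps * 1_000_000 * (rtt_ms / 1000.0) / 8.0


def window_bytes(scale_limit):
    """Advertised window for a scale limit, in the guide's convention."""
    return 1 << scale_limit


def required_wan_scale(link_mbps, rtt_ms, multiple=MULTIPLE):
    """Smallest scale limit whose window holds `multiple` times the BDP.

    Flooring the answer at the LAN default is this example's choice, not a
    rule from the guide: a WAN window smaller than the LAN one is pointless.
    """
    target = multiple * bdp_bytes(link_mbps, rtt_ms)
    return max(DEFAULT_LAN_SCALE, math.ceil(math.log2(target)))


def recommendation(link_mbps, rtt_ms, multiple=MULTIPLE):
    """(required scale, action) relative to the default WAN scale limit."""
    needed = required_wan_scale(link_mbps, rtt_ms, multiple)
    if needed > DEFAULT_WAN_SCALE:
        return needed, "increase"
    if needed < DEFAULT_WAN_SCALE:
        return needed, "may decrease (the default only wastes memory here)"
    return needed, "keep default"


# The guide's example (200 Mbps, 500 ms) plus two constructed links.
LINKS = [(200, 500), (45, 80), (2, 100)]

if __name__ == "__main__":
    for mbps, rtt in LINKS:
        scale, action = recommendation(mbps, rtt)
        print(f"{mbps} Mbps @ {rtt} ms: BDP {bdp_bytes(mbps, rtt):,.0f} B, "
              f"need scale {scale} ({window_bytes(scale) // 2**20} MB): {action}")
```

Using the upper end of the rule of thumb (multiple=3.0) for the 200 Mbps / 500 ms link gives 37.5 MB, which needs a scale limit of 26 (64 MB); the memory cost of each step up is a doubling of the per-connection window, which is why the guide advises against raising it without a matching BDP.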
Idle accelerated connections should time out eventually, as they consume system
resources. This entry gives the idle time that must elapse before the Appliance closes
a connection. If the application sends keep-alive packets, these will reset the idle
timer. Such connections will never be closed by the connection timeout mechanism.
Some links see thousands of half-closed connections that never become fully closed.
These may eventually overflow the Appliance’s connection table. The Active Connec-
tions page can identify half-closed connections. If the problem cannot be fixed at its
source, shortening the idle timeout can eliminate the problem.
When using address translation with the FTP or rshell (rsh/rcp/rexec) protocols, the
agent performing the address translation must be protocol-aware. FTP control ports
and rshell control ports define which ports are used with these two protocol groups. If
you use nonstandard ports for these protocols, adding the port numbers to the special
ports list will allow them to work in proxy mode.
Virtual inline mode allows a router to send packets to the Appliance and receive pack-
ets back from it.
There are two slight variations of this forwarding. The first is to forward packets to the
default gateway. The second is to forward them to the Ethernet address they came
from. Both have the potential to create routing loops. Policy-based routing is required
to prevent router loops. See Section 4.8.
8.3.4.5 Daisy-Chain
Acceleration takes place between two Appliances. If three or more Appliances are
used in series, the link will not be accelerated end-to-end. Instead, the link between
Appliances 1 and 2 will be accelerated, but not between Appliances 2 and 3.
Appliances with the “Enable Daisy-Chained Units” option set will detect when they are
in the middle of a chain, and pretend that such connections are non-accelerated. This
guarantees that the two endpoint Appliances will both see an accelerated connection.
Daisy-chaining is not recommended for hardboost links.
Peculiarities of Daisy-Chaining
• Daisy-chaining does not need to be enabled except on the middle units.
• The bandwidth graph of the middle unit will display daisy-chained connections as
non-accelerated.
• If a middle Appliance has its acceleration disabled or restarts, the daisy-chained
connections will be reset, just like the ordinary accelerated connections.
• The behavior of the middle link depends on the “Full Bandwidth/Partial Bandwidth”
switch on the Bandwidth Management page. Normally, daisy-chained units should
be set to softboost, full bandwidth. If Full Bandwidth is selected on a hardboost
link, competition between ordinary and daisy-chained bandwidth will cause the
link to become overcommitted. If Partial Bandwidth is selected, the daisy-chained
unit will give daisy-chained bandwidth precedence over ordinary accelerated
bandwidth.
The MSS (maximum segment size) setting specifies the maximum size of the TCP
portion of a packet. This defaults to 1380 bytes. If you have a VPN that encapsulates
packets inside another header (as PPTP and IPSec VPNs do), you may need to reduce
this to prevent packet fragmentation. Reducing the MSS to 1340 will usually
accomplish this.
Both the “Default MSS” and “Maximum MSS” fields should always be set to the same
value.
8.3.4.7 SCPS
SCPS is a TCP variant used in satellite communication and similar applications. The
Appliance can accelerate SCPS connections if this option is selected.
The main practical difference between SCPS and the default Appliance behavior is that
SCPS-style “selective negative acknowledgements” (SNACKs) are used instead of
standard “selective acknowledgements” (SACKs). These two methods of enhancing
data retransmissions are mutually exclusive, so if the Appliance on one end of the
connection has SCPS enabled and one does not, retransmission performance will suf-
fer. This condition will cause an “SCPS Mode Mismatch” alert.
We recommend that, if you must mix SCPS-enabled Appliances with non-SCPS-
enabled Appliances, you deploy them in such a way that mismatches do not occur.
This can be done with IP-based service class rules or by always deploying the
Appliances so that accelerated paths contain matched pairs rather than odd numbers
of units.
The “Forwarding Loop Prevention” option allows the same packet to traverse Appli-
ances twice without causing trouble. In most deployments, this does not happen, but
sometimes it is unavoidable. Passing the same packet through the same Appliance
multiple times, or through more than one Appliance in the same group, can cause
problems.
This allows any internal Appliance parameter to be set to an arbitrary value. This is
generally done only at the request of Support.
For example, the bandwidth limit can be set to 1,000 kbps by putting “SlowSendRate”
in the “Setting” field and “1000 K/S” in the “Value” field.
You can also query the current setting of a parameter by filling in the “Setting” field
but leaving the “Value” field blank.
Note: The internal Appliance values are not documented and setting them
in this way is not recommended, unless you are advised to do so by Sup-
port.
This page sets up SNMP monitoring of the Appliance. SNMP operation is disabled by
default, but is enabled by the button at the top of the page. SNMP v1 and v2c are
supported.
Fields on this page have their conventional meanings.
The date and time are set on this page. You can set the date and time manually by
updating the time fields with the current time. The Zone field allows you to choose a
time zone.
If an NTP server is available, type its IP address or DNS host name in the “NTP
Server” field. If no NTP server is available, leave this field blank.
To use GMT, select “UTC” from the bottom of the list.
Changes do not take effect until the “Update” button is pressed.
These options set the kind of information that is stored in the log:
• Log System Records. This gives general statistics about connections every 60 sec-
onds. Most users will want to disable this option.
• Log Adapter Records. This reports the status of each Ethernet port every 60 sec-
onds. Most users will want to disable this option.
• Log Flow Records. This summarizes the status of the communication between this
unit and each active Acceleration Partner every 60 seconds. Most users will want
to disable this option.
• Log Connection Records. This summarizes the state of each active accelerated
connection every 60 seconds. Most users will want to disable this option.
• Log Open/Close Records. Adds a log entry whenever an accelerated connection is
opened or closed. These records contain performance statistics in addition to iden-
tifying the endpoints and the connection duration. Leave this option enabled.
• Log Text Records. Shows kernel and other OS messages. Leave this option
enabled.
• Log Alert Records. Repeats the information from the Alerts page in the log. Leave
this option enabled.
• Other Settings. The Log Max Size, Lines Displayed, and Max Export Count fields
are self-explanatory and rarely need to be changed.
To export log files, select a range of entries by number or by date/time, and press the
“Export” button. Your browser will show an “Open/Save” dialog that allows you to
open the log file with a default application or save it to a file. Log files are exported as
ordinary ASCII text files with a .txt extension or as XML files. Line ending style is
selectable for convenience when importing to systems with different newline conven-
tions (such as Windows CR/LF vs. UNIX LF).
You can erase the log files by pressing the “Remove” button.
This page allows you to select which events will cause the alert link to appear at the
top of every UI page. It also controls which alertable conditions are logged. Some
installations will have normal conditions that would be considered errors elsewhere,
such as high packet-loss rates. These can be configured for a higher threshold before
an alert is triggered.
• Network Unreachable
• DNS Lookup Failed
• Appliance in the Middle Intercepting Options
• Major Internal Errors
• Minor Internal Errors
• Internal Warning
• WCCP Detected Major Error
• WCCP Detected Minor Error
• WCCP Warning
• Network Driver Hang Detected
• Signaling Channel Establishment Error
• SCPS Mode Mismatch Detected
• Repeater Plug-in count is nearing its limit
• SSL Communication Error
The Alerts page lets you select the reporting for different types of error.
Clicking on the link displays information about the outstanding alerts, as shown in
Figure 8-54.
Alerts will clear themselves if the problem goes away for long enough (by default, for
one hour).
Web Access Protocol. Selects between HTTP (the default) and secure HTTP
(HTTPS). HTTPS is the default.
HTTP/HTTPS Port. Sets the port used for each protocol. The non-selected protocol is
greyed out. To access it, select the protocol, press “Update,” and then change the
port number. Setting the port numbers to zero will disable browser-based access
(re-enabling browser-based access will require the use of the serial interface or the
command-line interface).
HTTP Forwarding to HTTPS. If HTTPS is the selected protocol, attempts to reach the
interface via HTTP will result in a redirect to the correct protocol and port.
SSL Certificate, SSL Private Key. These boxes allow you to paste in your own certifi-
cate and private key for SSL security, which is used by HTTPS. The Appliance is deliv-
ered with a default SSL key and certificate, which is not particularly secure. To replace
it with your own key and certificate, generate these using your organization’s stan-
dard procedure, then paste them into the boxes on the UI page and press the
“Update” button.
Display WAN Side Graph/Display LAN Side Graph. The data flow is not identical on the
LAN side of the Appliance and the WAN side. The differences between the two flows
can provide useful information. For example, the difference between accelerated line
usage and goodput should be very low on the LAN side, which is supposed to have low
losses. But if there is a problem with the local LAN (a failing switch, for example, or a
port accidentally configured to half-duplex), losses may be high. By default, both
graphs are shown.
Combine Send/Recv Graphs. By default, send and receive traffic are added together,
but they can be displayed separately. This is useful on busy systems with traffic
moving in both directions.
Autoscale Graphs. By default, bandwidth graphs are scaled automatically, but they
can be scaled to user-specified limits.
Graph Refresh Rate. The data displayed on the graphs covers 60 seconds of activity
and is collected at one-second intervals. The default refresh rate is ten seconds. Sen-
sible values for the refresh interval are between 1 and 60 seconds.
Autorefresh Graph. Unchecking this box means that the “reload” browser button must
be pressed to see an up-to-date graph.
Lock Changes via LCD. Checking this box prevents system settings from being
updated via the front-panel interface. By default, the front-panel is not locked.
Max Connections Shown on Connection Page. A busy system may have thousands of
open connections. The default is to show the first 200. This may be set to any value
desired.
User Session Timeout. If the interface is idle for more than this time (in minutes), you
will have to log in again. Setting the value to zero will disable session timeouts.
This page enables or disables CIFS acceleration features and allows acceleration to be
enabled/disabled on a per-IP or per-subnet basis.
CIFS Include/Exclude by Server IP allows individual hosts or networks to be
included or excluded from CIFS acceleration. Networks are specified by base IP and
the number of bits in the network portion of the netmask, as in “10.0.0.0/8”.
Three buttons allow these IP addresses to be ignored (“Accelerate All Traffic”), to
specify the addresses to be accelerated (“Only Traffic with a Server IP Listed Above”),
or excluded (“Never Accelerate Traffic With a Server IP Listed Above.”)
Note that only server addresses can be specified with this mechanism. Plug-in
addresses can’t be specified.
Service classes are defined as lists or ranges of port numbers or IP addresses. They
are used for statistics gathering. In addition, acceleration features are enabled or dis-
abled on a per-service-class basis.
This page shows the list of defined service classes. Clicking on the link holding a ser-
vice class’s name takes you to the definition page. This displays the individual “rules”
or IP/port ranges. These can be modified or deleted, or new rules added, by using the
buttons on the page.
The arrow icons on the right-hand edge of the list bring up buttons that allow you to
rename or delete the selected service class.
Note: Service classes are evaluated in order. Ordering the classes correctly is vital
to proper operation. However, the order cannot be arranged on this page. Instead,
it must be rearranged on the “Service Class Policy” page.
The only exception is when inserting a new service class. This class is inserted
above the highlighted class on the service-class list. This is the last service class
you clicked on, or, if you haven’t clicked on any, it will be at the top of the service
class list.
Click on the “Insert New Service Class” button at the top of the page. Give it a name
and assign it to a QoS traffic class (usually Queue A). Press the “Create” button. This
creates a service class with no rules.
Figure 8-61 Service class definition page
Source and Destination IP Addresses refer to the client system’s source or desti-
nation address. To specify a subnet value, use the standard “/xx” suffix. For example,
“10.0.0.0/8” specifies that the first 8 bits of the address are the network portion,
equivalent to a netmask of “255.0.0.0”.
Bidirectional checkbox. Select the “bidirectional” checkbox if the rule should also
match when the source and destination addresses are reversed. For example, a rule
that specifies a source address of “10.0.0.0/8” would also match a destination
address of “10.0.0.0/8” if the “bidirectional” box is checked.
Port Ranges. When adding new rules, multiple ports can be listed, separated by
commas, and ranges can be used. For example, the entries “80,81,8000,8001” and
“80-81,8000-8001” are equivalent.
SSL compression will not take place unless a connection matches an SSL rule. These
rules are created with the “New SSL Rule” button. The fields are similar to those for
ordinary rules, except that you are not allowed to leave the dest IP field blank (the
address must resolve to a subnet or individual IP), and at least one SSL profile must
be specified. See Section 4.16 for more information on SSL compression.
This page sets the evaluation order of service classes and the acceleration, compres-
sion, and queueing options used by each service class:
Flow Control. The “Flow Control” checkbox enables or disables acceleration. If this box
is not checked, the “Compression” and “QoS Queue” settings have no effect.
Compression. The compression option allows you to choose between no compression,
memory compression, and disk compression. The compression setting is not effective
unless flow control is also selected.
QoS Queue. This determines which of the five queues the service class is assigned to.
Dynamic QoS for ICA: ICA (XenApp/Presentation Server) traffic is divided into four
“Priority Classes” (real-time, interactive, bulk-transfer, background). Each class can
be mapped to a QoS queue.
8.3.12.3 Recommendations
• Enable flow control for all service classes except possibly “HTTP (Internet)” and
“HTTPS (Internet)” (See below). “Unclassified TCP” should be disabled for a while
after the initial installation, then enabled after the installation is running smoothly.
• Disable compression (select “None”) for the following services:
• The FTP control channel (should not be compressed because compression
interferes with network address translation, which must snoop the control
channel).
• Encrypted traffic (SSH, HTTPS, etc.). Encrypted traffic is not compressible.
• Enable disk-based compression for ICA (XenApp/Presentation Server), FTP, NFS,
and CIFS.
• Enable disk-based compression for any service that has average transfer sizes of
more than a few megabytes.
• For all other services, use memory-based compression.
Accelerating or compressing only “important” traffic can be done, but this generally
gives inferior results to compressing all traffic (except FTP Control) that is known to
be unencrypted. When in doubt, compress.
This page allows you to divide the link bandwidth between the different QoS queues,
as described in Section 4.4. The bandwidth assignments must add up to 100%.
QoS was introduced in release 4.1.
This page allows you to configure the IP address, netmask, gateway, HA virtual
address, and VLAN of each interface, as well as enabling or disabling the interface.
For complete information on port usage, see Section 4.5. What follows below is a
summary.
Note: When the VLAN is enabled, the management interface only responds to
browser traffic from the specified VLAN. Thus, accidentally specifying the wrong
VLAN will make the browser-based interface inaccessible. To disable VLAN support,
use the “VLANDISABLE” command on the serial interface.
VLAN support can also be enabled from the serial interface with the “VLANENABLE x”
command, where x is a decimal number in the range of 0-4095.
This page allows you to set up Appliances as high-availability pairs, so that if one unit
fails, the other will take over.
Note: pressing the “Update” button will terminate all open TCP connections.
SSL Common Name: Also called the serial number, it uniquely identifies this Appli-
ance. You type this string into the “Partner SSL Common Name” field on your HA
partner Appliance.
Virtual VIP Configuration: The virtual IP address used to manage the pair as a unit is
not set here, but on the “Configure Settings: UI” page. A link is provided here.
VRRP VRID: This identifies the HA pair according to the VRRP (Virtual Router Redun-
dancy Protocol) as defined in RFC 2338. The default value of 0 is not a valid VRRP
VRID, which must be in the range of 1-255. If there are no other VRRP devices on the
subnet containing the Appliance, the choice of a VRRP ID is arbitrary.
Note that, while the Appliance uses a VRRP ID (which is designed primarily for rout-
ers), the Appliance is not a router.
Partner SSL Common Name: Copy this from the Acceleration Partner’s “SSL Common
Name” field.
Enabled: Turns high-availability functionality on or off. You will be warned that
enabling or disabling high availability will terminate all open connections.
• Id. This is the service group number, which is also used by the router. Must not
conflict with other WCCP devices on the local network. The default value of 51 is
usually adequate.
• Enabled. This allows individual service groups to be enabled or disabled, in addi-
tion to the master enable/disable button at the top of the page.
• Priority. This is the WCCP protocol priority. This should be left at the default value
of 0.
• Router Assignment. Can be Hash, Mask, or Auto. The default is Hash, which is
used by most routers. Some programmable switches support only the Mask
method.
• Router Forwarding/Router Packet Return. Can be GRE, Level-2, or Auto. The
default is Auto, which means that the Appliance uses GRE if it must and L2 (which
is faster) if it can. This capability is negotiated with the router in each direction.
The only reason not to use Auto is if a bug in your router prevents negotiation
from succeeding.
• Router Communication. Multicast or Unicast. The default is Multicast, which
requires that you set up a multicast address in your routers and at the Appliance.
With Unicast, the Appliance must be given the router’s address, but the router
does not need to know the Appliance’s address. Although Multicast is the default,
Unicast is the more flexible mode and requires less configuration, so it is recom-
mended.
• Multicast Address. If Multicast is selected, this gives the multicast address used by
your routers and Appliances for this purpose.
• Time To Live [1-15]. The TTL value for packets sent by multicast. Some routers
insist that this be set to 1, meaning that the packet cannot be forwarded beyond
the current subnet. This makes multicast operation more restrictive than unicast
operation.
• Router Addressing. One or more addresses for your routers. If you specify more
than one router’s IP address, the Appliance will work with multiple routers within
the same service group. Alternatively, you can assign different routers to different
service groups. The results are functionally equivalent.
• Create. Don’t forget to press the “Create” button before leaving the page.
Signaling Channel Source Filtering. (Not available in release 5.5.) Allows you to define
(optional) rules about which source IP addresses are acceptable for Plug-in accelera-
tion. Usually it’s best to attempt acceleration only on data connections arriving via the
local VPN. Most other traffic is not accelerable anyway, and since each Plug-in with an
active signaling connection consumes a license, such non-functional signaling connec-
tions can deny service to other users who can actually benefit from acceleration. Set
the rules to accept the IP range used by your local VPN and to exclude everything
else.
Connection Mode. Choices are transparent mode (in which connections are inter-
cepted and accelerated transparently, as with Appliance-to-Appliance communication)
and redirector mode (in which the Plug-in addresses accelerated connections to the
signaling IP directly). Transparent mode is recommended when convenient, though
when asymmetric routing problems or other path-based problems are encountered,
redirector mode will eliminate these.
Enable Plug-in-Appliance RTT Detection. This feature prevents acceleration when the
Plug-in and Appliance are on the same LAN. Such “local acceleration” is undesirable
because the Appliance’s bandwidth limit will be applied to local connections, which will
greatly reduce the speed of LAN-to-LAN traffic. This feature is effective on release 5.0
Plug-ins and up.
Min Plug-in-Appliance RTT for Acceleration. This value should be larger than any RTT
(ping time) seen on the local LAN, but smaller than that seen by any remote user. The
default value of 20 ms is adequate for most networks.
Refresh/Cancel/Apply. Depending on context, some subset of these buttons will
appear.
Note: Changes to the connection status will not be updated in real time. Press the
“Refresh” button to see the actual status.
This tab defines which Plug-in connections will be accelerated. The rules are based on
the destination address of the connection’s SYN packet (that is, the IP address of the
server). Rules can either include or exclude addresses or port ranges. The first match-
ing entry determines whether Plug-in acceleration is allowed or disallowed.
Note: If the rules on this page specify that acceleration is allowed, acceler-
ation will be enabled even if it is forbidden on the service-class policies
page.
This tab enables various housekeeping and diagnostic features related to the
Repeater Plug-in. The operation of most features is TBD.
Note: This feature is not present in release 5.7. We recommend the use of
Citrix Receiver to distribute updates.
Note: The software checks the Appliance’s version vs. that of the user’s
Plug-in, not the user’s Plug-in vs. the one pointed to by the URL. This means
that, every time you update the Appliance, the users will be prompted to
download an outdated version of the Plug-in if you forget to update the .MSI
file on your Web server at the same time.
This page’s title means, “Certificates and Private Keys for High Availability and Group
Modes.” When an Appliance is a member of a high-availability pair or group-mode
group, these are used to authenticate each other.
Private keys and certificates are factory-installed, but can be replaced, if desired.
Press the “Edit” button, and paste the new certificates and key in the boxes provided,
replacing the old ones, then press “Update.”
This page has the main password and enable/disable toggles for SSL compression.
• Key Store. For greater security, keys are password-protected. SSL compression
will not take place unless the key store is opened with the password. For security
reasons, SSL compression is disabled after each restart, until this password is
entered. If user data encryption is used, disk-based compression is also disabled
until this password is entered. See Section
• User Data Store. User data, consisting mostly of disk-based compression history,
can optionally be encrypted. Changing the encryption state causes disk-based
compression history to be lost. Encrypting the user data protects the contents of
the disk-based compression history from being examined if the unit is stolen or
removed from service.
• SSL Compression. The master enable/disable switch for the SSL compression
feature.
This page is used to set up the SSL signaling connection used by SSL compression. Its
fields and use are described in Section 4.16.4, Step 7.
8.4 The “Reporting” Pages
This page was introduced in release 4.1. It allows you to create a system status
report for time periods varying between the last minute and the last month. This
report is created in PDF format and displayed in your browser window, where it can be
viewed, printed, or saved.
The information used to create the report is saved in memory, not on disk, so
restarting the Appliance will cause the information from before the restart to be lost.
8.5 The “System Tools” Pages
Once a patch is installed, a new screen will ask if the unit can be restarted. The patch
will not be applied until the unit is restarted. If the user chooses not to restart the
system immediately, a reminder will be placed at the top of each page.
The unit may require several minutes longer than usual to restart when it is applying
a patch.
Figure 8-82 Display on a successful patch upload.
A license file must be installed before your Appliance will accelerate connections.
License files are generally obtained on MyCitrix. See the release notes for more infor-
mation.
Note: Release 5.0 introduced a new licensing system. Licenses from older
releases are no longer valid. When upgrading an Appliance to 5.0, a new
license must be installed, using the procedure below. See the release notes
for more information.
The format of the License Information tab is different if no license has been installed.
The “Required Action” field will report that only a legacy license is installed. A link is
provided to go to the Citrix Web page and obtain another.
Note: The procedure for obtaining your license is covered in the release
notes, not in this User’s Guide.
Figure 8-86 License Configuration tab on the System Tools: Manage Licenses page (rel. 5.5).
This tab specifies whether licenses will be obtained locally or remotely. If local
licenses are used, they are installed using the “Local Licenses” tab. With remote
licensing, the license file is installed on a Citrix License Server running on the machine
of your choice. Remote licenses were introduced in release 5.6.
If remote licenses are used, the “Remote License Server” address must be supplied,
plus the “Remote License Server Port” (the default value will almost always be cor-
rect). Also, the type of license must be specified in the “Model” pull-down menu. This
specifies the maximum supported bandwidth and needs to match one of the licenses
installed on the remote server.
The logging page shows system activity, including configuration changes and boot
progress messages. See Figure 8-90.
Status reports are logged every minute, including system status, adapter status, con-
nection status, and flow status. Events, including the opening or closing of an acceler-
ated connection, are also logged. Unaccelerated connections are not logged.
Additional detail is available by clicking the link in the left column of the entry. For
example, if you click on the “System Status” entry in Figure 8-90, you get a System
Status report that gives a second-by-second throughput graph and a table of other
status data for the same minute.
Status reports for the system, flows, connections, and adapters are all similar, with
performance graphs at the top and tables of related system objects and their status
below. Arrows to the left and right of the graphs will give a report for one minute pre-
viously or one minute later, respectively.
8.6 The “Security” Pages
This page contains SSL certificates and private keys used by the Appliance. They
should not be changed unless you are instructed to do so by Support.
These user accounts are maintained locally by the Appliance. There are two types of
accounts: Admin and Viewer.
Admin accounts allow the user to view all pages and modify all settings.
Viewer accounts allow the user to see only the Main page and pop-up performance
graphs.
You can create as many accounts as you like.
The menu page is self-explanatory. Changes take effect as soon as the “Update”,
“Delete”, or “Add” buttons are pressed.
Note: If you forget the passwords for all the Admin users, the only way to regain
admin access is to use the RESETTOFACTORY command over the RS-232 serial
port.
8.6.2.2 Authentication
Figure 8-93 RADIUS Authentication Tab
RADIUS and TACACS+ authentication are also supported. The user interface for the
two are similar. Enter the IP address of the authentication server, verify the port
number (the default is usually correct), enter the shared secret and press the
“Update” button.
Notes on RADIUS authentication. RADIUS authentication succeeds if the
RADIUS server returns an “Access-Accept” packet with an appropriate “Service-Type”
attribute. If “Service-Type” is “Login,” then the user is granted viewer access. If it is
“Administrative,” then the user is granted admin access. Otherwise, access is denied.
Note: For accounts that exist locally on the Appliance, the locally defined password
continues to work after RADIUS or TACACS+ authentication is enabled; the remote
server is queried only if the password fails to match the locally stored value.
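The decision rule above (local password first, then the RADIUS reply, with “Service-Type” deciding between viewer and admin access and anything else denied) is shown below as an added example; it is not the Appliance’s own code. It builds and checks RFC 2865 packets directly: the Response Authenticator is recomputed with the shared secret before the Service-Type attribute is trusted, so a reply from a host that does not hold the secret, or a reply altered in transit, is treated as a denial. The “fake server”, its user directory, the local account table and the shared secret are constructed for the example; a real deployment would send the Access-Request over UDP to the server address and port configured on the Authentication tab.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute numbers from RFC 2865.
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_SERVICE_TYPE = 6
SERVICE_TYPE_LOGIN = 1           # "Login" -> viewer access
SERVICE_TYPE_ADMINISTRATIVE = 6  # "Administrative" -> admin access


def service_type_attr(value):
    """Encode a Service-Type attribute: type 6, length 6, 4-byte integer value."""
    return struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, value)


def build_reply(code, identifier, request_authenticator, attributes, secret):
    """Build a RADIUS reply as a server does. The Response Authenticator is
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret), which lets the
    client check that the reply came from a holder of the shared secret."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting malformed TLVs."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def role_from_reply(packet, identifier, request_authenticator, secret):
    """Map a RADIUS reply to 'admin', 'viewer' or None (denied). The Response
    Authenticator is verified first so a forged or mis-keyed reply grants nothing."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != identifier:
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    if code != ACCESS_ACCEPT:
        return None
    for t, value in parse_attributes(attrs):
        if t == ATTR_SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
            if service_type == SERVICE_TYPE_ADMINISTRATIVE:
                return "admin"
            if service_type == SERVICE_TYPE_LOGIN:
                return "viewer"
            return None
    return None  # Access-Accept without a usable Service-Type: denied


def make_fake_radius_server(secret, directory):
    """Constructed stand-in for the remote server: directory maps username ->
    (password, Service-Type value or None). Returns a query(user, pw) function."""
    def query(username, password):
        identifier = 1
        request_authenticator = os.urandom(16)  # fresh per request, as a client would
        entry = directory.get(username)
        if entry is None or entry[0] != password:
            reply = build_reply(ACCESS_REJECT, identifier, request_authenticator, [], secret)
        else:
            attrs = [] if entry[1] is None else [service_type_attr(entry[1])]
            reply = build_reply(ACCESS_ACCEPT, identifier, request_authenticator, attrs, secret)
        return role_from_reply(reply, identifier, request_authenticator, secret)
    return query


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def authenticate(username, password, local_accounts, radius_query):
    """Order from the note above: a locally defined password keeps working, and
    the remote server is asked only when the local comparison fails."""
    local = local_accounts.get(username)
    if local and hmac.compare_digest(local["sha256"], sha256_hex(password)):
        return local["role"]
    return radius_query(username, password)
```

`authenticate` returns `"admin"`, `"viewer"` or `None`; a user who exists locally but types the wrong local password still falls through to the RADIUS query, exactly as the note describes.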
Two methods of accessing the unit are enabled by default, but can be disabled if
desired. One is SSH access, which must be running for the CLI feature to work (see
Chapter 9). It also allows Support access to the Appliance if necessary. The other is
“Web Access,” access to the browser-based user interface.
The two functions have “Disable/Enable” buttons. However, if you disable web access,
you will of course not be able to access the button to re-enable it. To re-enable the
browser-based user interface, use the RS-232 or CLI interface.
Clicking this link will end your session. To continue using the browser-based interface,
you must log in again. You will be presented with a login pop-up if you click on any
link.
8.7 The “Diagnostics” Pages
The fail-to-wire (Ethernet bypass) functionality of the Ethernet interface can be tested
for a user-selected period with this feature. Enter the number of seconds for the unit
to fail-to-wire (bypassing all Appliance functionality and causing the unit to act as if it
had a cross-over cable between the two ports) and press the “Submit Query” button.
The bypass relay will close for the specified number of seconds. Afterwards, normal
operation will resume.
If the Appliance software has exited abnormally, core files will have been left behind.
The unit will restart automatically after an abnormal exit, except in cases of persistent
crashes, where it will disable acceleration while leaving the management interface
active.
1. Select one or more core files to send to Support. Choose core files based on date
and time. That is, a core file that was generated at a time when the unit was fail-
ing or behaving strangely is better than one from a period where no one noticed
anything wrong. When in doubt, send them all.
2. In the “Core Retrieval” table, select the check boxes in the left-hand column of the
desired core files. Leave the checkboxes for “Retrieve Core,” “Trace,” and “Log”
checked and the “Timespan” at 20 minutes. (The “Timespan” field tells the system
how far back before the corefile was generated to collect log data and similar
information.)
3. Press the “Get Core Files” button. The selected files will be gathered into a .zip
archive (this may take several minutes), and a new screen will be shown.
4. Click on the “Click here” link. A dialog box will ask you what you want to do with
the file. Select “Save File to Disk.” A “Save As...” dialog box will open. Choose an
appropriate directory and save the file.
The “Line Test: SERVER” function starts an iperf server on the Appliance, running in
TCP mode. iperf is a free TCP/UDP performance testing tool, available for Windows
and UNIX systems from:
http://dast.nlanr.net/Projects/Iperf
The documentation for iperf is also on this site. iperf is preinstalled on Appliances as a
convenience.
To run iperf tests, one system (an Appliance or other host) must run iperf as a server,
and another must connect to it as a client. The defaults on the Diagnostics Tools page
are the usual defaults for iperf. Press the “Start Server” button to start an iperf server
on the Appliance. The server accepts a connection from any host that can reach its
listening port and performs no authentication, so run it only for the duration of the test.
The “Line Test: CLIENT” function starts an iperf client on the unit, running in TCP
mode. You specify the iperf server to connect to, the port number, the interface, and
the length of the test. For the latter two parameters, the defaults are usually ade-
quate. When the test is complete, the connection speed will be reported.
The “Get System Info” link takes you to a page that lists all parameters that are not
set to their defaults. This information is read-only. It is used by Support when some
kind of misconfiguration is suspected. When you report a problem, you may be asked
to check one or more values on this page.
The information is intended for use by Support, and is not documented.
(admin)>
On Windows systems, you might need to install the PuTTY package and use “putty”
instead of “ssh.”
Note that you first log in as the user “cli,” which has no password; you are then
immediately prompted for proper Appliance credentials, that is, any username and
password that would work on the Appliance’s browser-based UI.
Once authenticated, all the CLI commands are available to you.
9.3 Command Description
9.3.1.1 exit
Syntax: exit
Exits from the CLI. Same as "quit."
9.3.1.2 quit
Syntax: quit
Exits from the CLI. Same as "exit."
9.3.1.3 help
Syntax: help "command"
When used in the form of "help command", displays the help topic for the specified
command.
Hint: When in doubt, type "show config-script." This will display the Appliance's
current configuration, which will provide useful examples of the commands and their
syntax.
Example: help save settings
9.3.1.4 show
Syntax: show "parameter"
Displays the current settings of the specified parameter.
Example: show bandwidth
Example Output:
Status: Softboost
Bandwidth: Full
Bandwidth Limit (Send): 325 Kbps
9.3.2.4 restart
Syntax: restart
Reboots the Appliance.
CAUTION: This command takes effect immediately, without an "are you sure?"
verification.
9.3.2.5 what
Syntax: what
Reserved for use by Command Center.
The following example exercises some of the more commonly used commands of the
serial interface:
Citrix v.Release 2.2.11.1927 Built on Mon Feb 23 17:46:11 2006
============================================================================
                                  COMMANDS
============================================================================
ADDRESS your_ip - Sets the IP address
NETMASK your_net_mask - Sets the netmask
GATEWAY your_gateway - Sets the gateway
DNS your_dns - Sets the dns server address
HOSTNAME your_hostname - Sets the hostname
ADMINPORT protocol:port_number - Sets the port the web admin runs on
(default http:80)
.
.
.
DISPLAY - Displays all network settings
STATUS - Displays FilterStatus.txt file
RESTART - Restart. Must be executed after making changes.
dns 10.0.0.60
Dns set to: 10.0.0.60
hostname Appliance-A
Hostname set to: Appliance-A
adminport http:80
Adminport set to: http:80
display
restart
Restarting...
Figure 10-1 Serial interface command set (Continued)
primaryenable, primarydisable, primaryaddress, primarynetmask, primarygateway,
primaryvlanenable, primaryvlandisable - Set parameters for the Primary Ethernet
port, which is disabled by default. See the commands of the same name (but
lacking the “primary” prefix) for syntax and usage.
* Resettofactory does the following: bandwidth schedules and proxy tables are
cleared, acceleration is enabled, the bandwidth limit is set to 100 Mbps, other
variables visible in the browser-based interface are set to their default values, and the
browser-based interface port is set to http:80. Note that this last step returns the
management interface to unencrypted HTTP on port 80; if you had changed the
protocol or port with the ADMINPORT command, re-apply that setting after the reset.
Exceptions: IP parameters (address, netmask, gateway, DNS server, and hostname)
are retained, as are license files.
Note: Despite the command’s name, the unit is not returned to the exact state it was
in when it left the factory.
11.1 Contact Us
To contact Citrix Support, call 1-800-4CITRIX or use the “My Support” section on
MyCitrix at http://www.citrix.com.
You will be asked for your hardware serial number as part of the support process.
Detailed instructions for contacting support can be found at:
http://citrix.com/site/resources/dynamic/sup2nd/Citrix_HWS_SerialNO.pdf
The power cord set supplied with this product is for use with this product only.
The power cord set may not be used with any other product or for any other purpose.
Use the supplied power cord set with the product itself; do not use the power cord set
from another product.
Please note in advance that this document is positioned as an addendum to, or a
separate volume of, the instruction manual.
883-00002-00