Have you set both Steelhead speeds to Auto? I've had the best luck with
this. Also, have you looked in the Riverbed support knowledgebase? Here's a
particularly relevant entry:
SMB signing FAQ
What is SMB signing?
-----------------------------
Server Message Block (SMB) signing is a Microsoft remote access
feature available in Windows Server 2000, 2003, and XP. SMB signing allows
any communication using the SMB protocol (including CIFS, the protocol used
for remote file access) to be digitally signed at the packet level. SMB
Signing is controlled through the Digitally Sign Communications options in
the domain controller policy. By default, domain controllers are configured
to require signing, while member servers and clients are not. Windows
2000sp3 and Windows XP typically do not use signing due to its associated
performance penalty.
How does it interact with the Steelhead appliance?
---------------------------------------------------------------------
Digitally signing SMB packets enables the recipient of the packets to
confirm their point of origin and authenticity (that is, verifying that the
packets came from the expected location and have not been modified during
transit). SMB Signing does not keep data confidential nor does it encrypt
any data. It merely prevents others from adding or altering data in the
connection.
Steelhead appliances do not alter the SMB payload data, but they do
perform actions on their own using transaction prediction: reading ahead in
a file, prefetching directory contents, and so forth. For these reasons,
Steelhead appliances sometimes need to act like the client or server on a
particular SMB connection. With SMB signing enabled, the Steelhead
appliances cannot perform transaction prediction.
When the Steelhead appliances detect that the client and server are
using SMB signing, the Steelhead appliances stop performing transaction
prediction. This is done without disturbing the client or the server. The
Steelhead appliances continue to use compression and data referencing on the
connection, such that bandwidth consumption is reduced. However, the
Steelhead appliances are not able to execute CIFS-specific latency
optimizations. Therefore, in networks with significant latency (over 20-30
ms round-trip times) you will not see nearly as much file access performance
improvement.
Why would someone want to digitally sign SMB traffic?
-------------------------------------------------------------------------
You might want to ensure that any files or data you retrieve from a
file server have not been altered in transit. Furthermore, Windows domains
use the SMB protocol to transfer some types of non-file data. For instance,
when a workstation logs on to a domain, the domain controller sends group
policy information to the workstation through the SMB protocol. SMB signing
ensures that the workstation receives the group policy from the actual
domain controller.
What are best practices?
----------------------------------
Generally, Riverbed recommends using the Microsoft default settings:
* Use Domain controllers just for domain services, keep signing set at
the default setting Required.
* Use Member Servers for file or print serving, keep signing at the
default setting None.
Why do Microsoft and Riverbed think you should not sign traffic when
it is possible to do so?
--------------------------------------------------------------------------------------------------
First, the value added is not great. Signing can only detect data
tampering; it does not encrypt or otherwise hide the data from exposure. It
does not prevent the data from being recorded or examined. Second, when SMB
signing is enabled, this feature costs in server performance, with or without
Steelhead appliance (which is why it is not enabled on member servers).
Microsoft states that SMB signing causes a 15% performance drop for all file
serving operations in their documentation. On the Wide Area Network (WAN)
with Steelhead appliances, SMB signing can limit optimization to 1-5 times
instead of 5-100 times for remote clients.
What if I serve files from a domain controller?
-------------------------------------------------------------
If possible, you should avoid serving files from a domain controller.
If you cannot, then you must decide between keeping the signatures enabled
versus the large performance gains with deployed Steelhead appliances.
How do I control signing?
-----------------------------------
Microsoft provides full online documentation for signing at:
http://www.microsoft.com/technet/community/columns/secmgmt/sm0905.mspx
If you would like to disable signing for all computers in your domain,
you can update their Local Policy.
To disable signing for all computers in your domain for Windows 2002:
1. Open Active Directory Users and Computers on the domain controller.
2. Right-click Domain Controllers and select Properties.
3. Click the Group Policy tab.
4. Click Default Domain Controllers Policy and select Edit.
5. Click Default Domain Controllers Policy/Computer
Configuration/Windows Settings/Security Settings/Local Policies/Security
Options.
6. Disable Digitally sign client communication (always) and Digitally
sign server communication (always).
7. Disable Digitally sign client communication (when possible) and
Digitally sign server communication (when possible).
8. Push out the updated policy to the relevant computers.
Alternatively, you can reboot them so that they download the new domain
policy.
To disable SMB signing on Win2K3 domain controllers, member servers,
and clients:
1. Open Active Directory Users and Computers on the domain controller.
2. Right-click Domain Controllers and select Properties.
3. Click the Group Policy tab.
4. Click Default Domain Controllers Policy and select Edit.
5. Click Default Domain Controllers Policy/Computer
Configuration/Windows Settings/Security Settings/Local Policies/Security
Options.
6. Disable Microsoft Network Server: digitally sign communications
(always) and Microsoft Network Server: digitally sign communications (if
client agrees).
7. Disable Microsoft Network Client: digitally sign client
communication (always) and Microsoft Network client: digitally sign server
communications (if server agrees).
8. Reboot all the domain controllers and member servers that you want
to optimize.
SMB signing was enabled on Windows 2000, Service Pack 3, Critical fix
Q329170.
wrote in message news:5417646@discussion.autodesk.com...
Spoke a little too soon. Upon further testing we have been unable to get
the Steelheads to work properly. One minute things are blazing fast, the
next it's as if they aren't even there. Riverbed is thinking duplex/speed
issues, but that doesn't seem to be the problem. Just can't figure it out.
Thinking of ditching the Steelheads because of all the troubleshooting time
that's being invested and just putting a server in the remote office and
syncing the necessary files between the two locations.
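Added example (not part of the original posts or the Riverbed FAQ): a simplified Python model of SMB1 packet signing, showing why a device in the path that does not hold the session's signing key cannot alter packets or issue requests of its own, which is what transaction prediction would require. The key material, payloads and function names are constructed for illustration; the 32-byte header layout and the MD5-over-key-plus-message scheme follow the SMB1 signing design.

```python
import hashlib
import hmac
import struct

SIG_OFFSET, SIG_LEN, HEADER_LEN = 14, 8, 32  # SecurityFeatures field in the SMB1 header

def build_message(command: int, mid: int, payload: bytes) -> bytes:
    """Minimal SMB1-style message: 32-byte header with a zeroed signature field."""
    header = struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, 0, 0x18,
                         0x0004,  # Flags2: security signature in use
                         0, b"\x00" * SIG_LEN, 0, 1, 1, 1, mid)
    return header + payload

def compute_signature(mac_key: bytes, message: bytes, seq: int) -> bytes:
    """First 8 bytes of MD5(key || message), with the sequence number
    placed in the signature field while hashing."""
    seq_field = struct.pack("<I", seq) + b"\x00" * 4
    staged = message[:SIG_OFFSET] + seq_field + message[SIG_OFFSET + SIG_LEN:]
    return hashlib.md5(mac_key + staged).digest()[:SIG_LEN]

def sign(mac_key: bytes, message: bytes, seq: int) -> bytes:
    sig = compute_signature(mac_key, message, seq)
    return message[:SIG_OFFSET] + sig + message[SIG_OFFSET + SIG_LEN:]

def verify(mac_key: bytes, message: bytes, seq: int) -> bool:
    """Receiver side: recompute with the expected sequence number and compare."""
    if len(message) < HEADER_LEN:
        return False
    received = message[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(received, compute_signature(mac_key, message, seq))

def demo() -> dict:
    # Constructed key material: session key || challenge response.
    mac_key = bytes(range(16)) + b"constructed-response"
    no_key = b"\x00" * len(mac_key)  # an in-path device has no access to mac_key
    genuine = sign(mac_key, build_message(0x2E, 7, b"read offset=0 len=4096"), seq=2)
    tampered = genuine[:-4] + b"9999"  # payload changed in transit
    injected = sign(no_key, build_message(0x2E, 8, b"read offset=4096 len=4096"), seq=4)
    return {
        "genuine": verify(mac_key, genuine, 2),
        "tampered": verify(mac_key, tampered, 2),
        "injected": verify(mac_key, injected, 4),   # e.g. a read-ahead request
        "replayed": verify(mac_key, genuine, 4),    # same packet, later sequence number
    }

if __name__ == "__main__":
    print(demo())
```

Only the packet signed with the session's own key at the expected sequence number verifies; the modified, injected and replayed packets are all rejected, which is the protection given up when signing is disabled.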