
WHITE PAPER

05.28.2014

SteelHead SaaS Architecture Overview

(formerly SteelHead Cloud Accelerator)


SteelHead Software as a Service (SaaS) Overview

The SteelHead SaaS is an add-on service for the SteelHead that enables acceleration of SaaS applications.
The two SaaS applications that we support today are Office 365 and Salesforce.com.

SteelHead SaaS Architecture

SteelHead technology is a dual-ended optimization architecture. For acceleration, we require a SteelHead
appliance close to the client and a SteelHead appliance close to the server that is serving the data. In this
paper, we cover the overall architecture with a particular emphasis on resiliency and security.

Akamai Hosted Cloud SteelHead Appliances

In the case of SaaS applications, customers do not have the option to install a SteelHead appliance inside
the SaaS providers’ infrastructure. Riverbed therefore partnered with Akamai to host a software version of
the SteelHead appliance in their infrastructure at the doorstep of the SaaS providers. In this paper, the
Cloud SteelHead instances hosted in the Akamai points of presence (POPs) are called the Akamai hosted
Cloud SteelHead (ACSH).

Akamai has thousands of POPs across the Internet. These POPs are also sometimes called Edge Servers.
An edge server that allows access to a SaaS provider is called a SRIP Gateway. In terms of the physical
infrastructure, each edge server has racks of compute, networking and storage needed to run a service.

The system can automatically calculate the best location to host an ACSH based on proximity detection. It
can then spin up the required ACSH capacity on a SRIP Gateway.

Enterprise SteelHead Appliances

Riverbed SteelHead (formerly RiOS or Riverbed Optimization System) 8.0 and later support the SteelHead
SaaS service. This allows the SteelHead to intercept network traffic that’s destined to SaaS providers and
redirect that traffic to the ACSHs that are instantiated for that customer. The SteelHead that is deployed in
the customer environment (branch or datacenter) is called enterprise SteelHead (ESH).

When the enterprise SteelHead detects a connection destined for a SaaS provider, it intercepts the
connection. It then does a lookup for the nearest edge server. A SRIP edge is an edge server that serves
as the entry point into the Akamai network. It first authenticates the connection by means of a varying
checksum that’s embedded into the network header and then forwards the packet to the appropriate
destination via an optimized path.

© 2014 Riverbed Technology. All rights reserved.

Figure 1 - Riverbed SteelHead SaaS Architecture Diagram

The Sure Route IP (SRIP) Network

The Sure Route IP (SRIP) network is an Akamai overlay network that allows optimized network traffic across
the Internet. The network has the concept of regions; these are areas of the Internet that have one or more
edge servers that are close from a geographic or network topology perspective.

The network continuously maps the Internet to calculate not just the shortest path between any two regions
but also the best path from a quality perspective. In addition, traffic flowing across the SRIP network can
simultaneously be sent along two or more diverse paths.


Figure 2 - SRIP Network

Riverbed Cloud Portal

The Riverbed Cloud Portal is used to control the SteelHead SaaS service. This allows users to control
which SteelHead appliances are authorized to connect to the service, to control which SaaS applications
should be accelerated as well as access service information.

Resilience

The SteelHead SaaS service is designed with resilience in mind. Each component of the system is
redundant and the system automatically works around most system failures.

Each region close to a SaaS provider has multiple edge servers that can host ACSHs. The system can
detect the failure of one or more edge servers and automatically move the load to another edge server in the
region.

Each SRIP gateway has many blades that host one or more ACSHs. The system automatically detects if
additional capacity is needed for each customer and spins up additional ACSHs as needed. In addition,
the system detects if there is the failure of any individual blade and spins up needed ACSHs on a different
blade.

Each region close to client locations has multiple edge servers that can act as SRIP edges. The Enterprise
SteelHead (ESH) queries the nearest edge server at the start of every SteelHead SaaS connection. If
there is a failure of any one SRIP Edge, the SteelHead automatically queries for an alternative SRIP edge.
In the unlikely case where no SRIP edges can be discovered, it will put the connection in pass-through. As a
result, the connection may not be optimized but the user can continue to access the SaaS service.

The Riverbed Cloud Portal is needed to authorize new SteelHeads for the service or to create new proxy
certificates. It is hosted on Amazon Web Service infrastructure with a redundant design.

Once authorized for the acceleration service, a SteelHead will attempt to periodically contact the Riverbed
Cloud Portal to get updated information on the SaaS providers. For those SteelHead devices that are
already authorized, the service will continue to accelerate new connections even if the Riverbed Cloud
Portal cannot be contacted.

Security

The underlying acceleration technology is the proven SteelHead technology. Riverbed has been securely
accelerating SSL-based applications for a number of years. Akamai has been building a secure scalable
cloud platform for over a decade. Both of us combined to build a secure acceleration service.

Next, we walk through the process of turning on the service, including the authentication and
authorization steps that are required at every step.

Riverbed Cloud Portal Account

When a customer orders the SteelHead SaaS service, an account is created for an authorized user. The
user is sent a link that enables them to log into the Riverbed Cloud Portal for the first time. They are
required to set a password at this time.

Enterprise SteelHead (ESH)

The user is then required to generate an authorization token for any SteelHead that wants to register for the
service.

Any SteelHead presenting this token shows up in the customer’s Riverbed Cloud Portal account. The user
has to authorize these SteelHeads. During this step, the user can inspect the SSL certificate (called the
peering certificate) that uniquely identifies each SteelHead. The SteelHead, in turn, then downloads and
authorizes the Riverbed Cloud Portal's credentials. Once authorized, the SSL certificates are used for all
further mutual authentication. This authorization for the service can also be revoked from the Riverbed
Cloud Portal.

Proxy Certificates

The administrator then has to create proxy SSL certificates for the SaaS services that need to be
accelerated. The user has a choice of using a Certificate Authority (CA) hosted by the customer or a
certificate authority that is created in the Akamai Key Management Infrastructure for the customer. If the
customer chooses to use their own Certificate Authority, Certificate Signing Requests (CSRs) are created for
proxy certificates. The customer’s Certificate Authority must sign these CSRs. If the customer chooses to
use a Cloud Hosted Certificate Authority, a unique certificate authority is created for each customer. The
SteelHead SaaS user guide describes the process in detail.

Akamai Hosted Cloud SteelHead

As the SteelHead SaaS solutions running in Akamai boot up, they request proxy certificates from Akamai’s
secure key management infrastructure (KMI). The process of requesting a certificate includes a check that
the software or hardware has not been tampered with before the certificates are issued. The hardware, in
turn, is hosted in a locked cabinet with biometric controls and tamper detection. In the case where either
software or hardware tampering is detected, the hosts are “scorched.” This process involves a secure
erase of any data that is hosted in that infrastructure.

SRIP Network

The SRIP edge servers control access to the SRIP network. Each SteelHead sending traffic to the SRIP
network must include authentication information to enable access to the network and have their packets
routed to the Cloud SteelHead. In addition, Akamai has a number of audited processes in place to ensure
the security of their infrastructure.

Conclusion

The SteelHead SaaS is built to be a dynamic, scalable and secure acceleration service for SaaS
applications. The underlying platform uses proven technology to provide scalability, redundancy and
security needed for the largest customers in the world.

###

Riverbed Technology, Inc.
680 Folsom Street
San Francisco, CA 94107
Tel: (415) 247-8800
www.riverbed.com

Riverbed Technology Ltd.
Farley Hall, London Road, Level 2
Binfield, Bracknell
Berks RG42 4EU
Tel: +44 1344 401900

Riverbed Technology Pte. Ltd.
391A Orchard Road #22-06/10
Ngee Ann City Tower A
Singapore 238873
Tel: +65 6508-7400

Riverbed Technology K.K.
Shiba-Koen Plaza Building 9F
3-6-9, Shiba, Minato-ku
Tokyo, Japan 105-0014
Tel: +81 3 5419 1990
