Cisco WAAS Mobile Administration Guide (Software … · • Providing support for Cisco WAAS Mobile end users Document Outline ... • Cisco WAAS Mobile User Guide—A guide for the

Americas HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706USAhttp://www.cisco.comTel: 408 526-4000

800 553-NETS (6387)Fax: 408 527-0883

Text Part Number: OL-15416-05

Cisco WAAS Mobile Administration GuideSoftware Version 3.5April 2011

http://www.cisco.com

Foreword

Cisco WAAS Mobile Administration Guide. The contents of this document are protected under the copyright laws of the United States and by international treaties. All rights in these materials are reserved. No part of this paper may be copied, photocopied, reproduced, transmitted, translated or reduced to any electronic medium or machine readable form, in whole or in part, without the prior written consent of the author. Copyright © 2011 by Cisco Systems, Inc. All rights reserved. Duplication in whole or in part is not permitted without express written permission. Cisco Systems, Inc. utilizes third party software from various sources. Portions of this software are copyrighted by their respective owners as indicated in the copyright notices below. The following lists the copyright notices for: Jquery

Copyright (c) 2008 John Resig THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

LibJpg2 This work is based in part on the work of the Independent JPEG Group.

MD5

RSA Data Security, Inc. MD5 Message-Digest Algorithm Copyright (c) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind.

WebClient, WebServer, netcfgapi.cpp, miniport.c Microsoft Public License (Ms-PL) This license governs use of the accompanying software. If you use the software, you accept this license. If you do not accept the license, do not use the software. 1. Definitions The terms "reproduce," "reproduction," "derivative works," and "distribution" have the same meaning here as under U.S. copyright law. A "contribution" is the original software, or any additions or changes to the software. A "contributor" is any person that distributes its contribution under this license. "Licensed patents" are a contributor's patent claims that read directly on its contribution. 2. Grant of Rights (A) Copyright Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free copyright license to reproduce its contribution, prepare derivative works of its contribution, and distribute its contribution or any derivative works that you create. (B) Patent Grant- Subject to the terms of this license, including the license conditions and limitations in section

Cisco WAAS Mobile Administration Guide i

3, each contributor grants you a non-exclusive, worldwide, royalty-free license under its licensed patents to make, have made, use, sell, offer for sale, import, and/or otherwise dispose of its contribution in the software or derivative works of the contribution in the software. 3. Conditions and Limitations (A) No Trademark License- This license does not grant you rights to use any contributors' name, logo, or trademarks. (B) If you bring a patent claim against any contributor over patents that you claim are infringed by the software, your patent license from such contributor to the software ends automatically. (C) If you distribute any portion of the software, you must retain all copyright, patent, trademark, and attribution notices that are present in the software. (D) If you distribute any portion of the software in source code form, you may do so only under this license by including a complete copy of this license with your distribution. If you distribute any portion of the software in compiled or object code form, you may only do so under a license that complies with this license. (E) The software is licensed "as-is." You bear the risk of using it. The contributors give no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this license cannot change. To the extent permitted under your local laws, the contributors exclude the implied warranties of merchantability, fitness for a particular purpose and non-infringement.

WinPcap

Copyright (c) 1999 - 2005 NetGroup, Politecnico di Torino (Italy). Copyright (c) 2005 - 2009 CACE Technologies, Davis (California). All rights reserved. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

ii Cisco WAAS Mobile Administration Guide

Contents

Foreword ................................................................................................................................................... i Contents ..................................................................................................................................................iii List of Tables .......................................................................................................................................... v List of Figures ........................................................................................................................................ vi About this Document .......................................................................................................................... vii

Intended Audience .......................................................................................................................... vii Document Outline............................................................................................................................ vii Related Documents ......................................................................................................................... viii

CHAPTER 1. Overview ..................................................................................................................... 1 Product Overview .............................................................................................................................. 1

CHAPTER 2. Hardware and Software System Requirements .................................................. 2 Server Hardware and Software Requirements .............................................................................. 2 Client Hardware and Software Requirements ............................................................................... 3 Software Compatibility ..................................................................................................................... 4

CHAPTER 3. Cisco WAAS Mobile System Installation ............................................................. 8 Pre-Installation System Check .......................................................................................................... 8 WAAS Mobile Server Installation .................................................................................................. 10 WAAS Mobile Client Installation .................................................................................................. 14

CHAPTER 4. Getting Started With The Cisco WAAS Mobile Manager ............................... 16 Manager Functionality .................................................................................................................... 16 Applying Configuration Settings ................................................................................................... 17

CHAPTER 5. Configuring the Cisco WAAS Mobile Manager ............................................... 19 Establishing the Management Authority ...................................................................................... 19 Defining the Servers to be Managed ............................................................................................. 19 Pooled Client Licensing .................................................................................................................. 20 Changing the Manager Password .................................................................................................. 22 Changing Manager Properties ....................................................................................................... 22

CHAPTER 6. Configuring Cisco WAAS Mobile Servers ......................................................... 23 Configuring Server Profiles ............................................................................................................ 23 Configuring Server Acceleration ................................................................................................... 24 Configuring Server Networking .................................................................................................... 26 Configuring Server Diagnostics ..................................................................................................... 27 Configuring Server Capacity .......................................................................................................... 30 Configuring Client Access Control ................................................................................................ 30 WAAS Mobile Security ................................................................................................................... 31

CHAPTER 7. Configuring the Cisco WAAS Mobile Client .................................................... 33 Configuring Client Software .......................................................................................................... 33 Configuring Client Acceleration .................................................................................................... 35 Configuring Client Networking ..................................................................................................... 41

Cisco WAAS Mobile Administration Guide iii

Configuring Client Diagnostics Settings ....................................................................................... 46 Configuring the Client’s User Interface ........................................................................................ 47

CHAPTER 8. Managing Cisco WAAS Mobile ........................................................................... 49 Using the Cisco WAAS Mobile Dashboard .................................................................................. 50 Performance Management .............................................................................................................. 51 Monitoring System Resources and Usage .................................................................................... 52 Managing Servers ............................................................................................................................ 52 Managing Clients ............................................................................................................................. 53 Managing a Specific Client ............................................................................................................. 54 Managing Events ............................................................................................................................. 56 Managing System Reports .............................................................................................................. 56 Backing Up and Restoring the Manager ....................................................................................... 58 SNMP Support ................................................................................................................................. 58

CHAPTER 9. Tips for Optimizing Application Acceleration .................................................. 61 Outlook 2007 ..................................................................................................................................... 61 Firefox HTTPS acceleration ............................................................................................................ 61 Microsoft ISA Firewall Client ......................................................................................................... 62 Virtual Desktops .............................................................................................................................. 62 Citrix ICA .......................................................................................................................................... 64 Kaspersky Internet Security ........................................................................................................... 64 Symantec Data Loss Prevention (formerly Vontu) ...................................................................... 65 To interoperate with Symantec Data Loss Prevention, Symantec needs to be configured as follows: .............................................................................................................................................. 65 FTP over the Internet ....................................................................................................................... 65 Optimizing Acceleration over Satellite ......................................................................................... 66 Virus Scanning Best Practices ......................................................................................................... 66

CHAPTER 10. Diagnostics .......................................................................................................... 67 Server-Side Diagnostics ................................................................................................................... 67 Client-Side Diagnostics ................................................................................................................... 69

CHAPTER 11. Troubleshooting ................................................................................................. 73 Problem Isolation ............................................................................................................................. 78

CHAPTER 12. System Status Reports ....................................................................................... 98 Generating a System Report from a Client Computer ................................................................ 98 Generating a System Report from the WAAS Mobile Server .................................................... 98

Appendix A. Hardware and Software Configuration Guidelines ......................................... 99 Appendix B. List of Acronyms ....................................................................................................101

iv Cisco WAAS Mobile Administration Guide

List of Tables

Table 1 Server System Requirements ........................................................................................................ 2 Table 2 Server Software Requirements ..................................................................................................... 2 Table 3 Client Hardware System Requirements ..................................................................................... 3 Table 4 Client Software Requirements ..................................................................................................... 3 Table 5 Protocols and Applications Compatible with Cisco WAAS Mobile ....................................... 4 Table 6 Delta Cache Settings .................................................................................................................... 24 Table 7 HTTP Prefetching Settings ......................................................................................................... 25 Table 8 Configuring Client IP Aliasing .................................................................................................. 27 Table 9 Server Diagnostics Settings......................................................................................................... 28 Table 10 Access Control Settings ............................................................................................................. 30 Table 11 Client Distribution Configuration Settings ............................................................................ 33 Table 12 Accelerated Processes Settings ................................................................................................. 36 Table 13 HTTP Settings ............................................................................................................................. 38 Table 14 HTTPS Settings ........................................................................................................................... 38 Table 15 File Shares Settings .................................................................................................................... 40 Table 16 Delta Cache Settings .................................................................................................................. 40 Table 17 Connection Settings ................................................................................................................... 44 Table 18 Diagnostics Settings ................................................................................................................... 46 Table 19 Client User Interface Settings ................................................................................................... 48 Table 20 WAAS Mobile Server Issues and Isolation ............................................................................. 78 Table 21 WAAS Mobile Client Issues and Isolation ............................................................................. 79 Table 22 WAAS Mobile Client Event Messages .................................................................................... 82 Table 23 WAAS Mobile Server Event Messages ................................................................................... 94 Table 24 Server Hardware and Software Requirements ...................................................................... 99

Cisco WAAS Mobile Administration Guide v

List of Figures

Figure 1 Starting a 30-Day Evaluation .................................................................................................... 10 Figure 2 Starting Up WAAS Mobile in a Production Environment ................................................... 11 Figure 3 Enter License Information ......................................................................................................... 12 Figure 4 Applying System Settings ......................................................................................................... 18 Figure 5 Accelerated Processes Table ..................................................................................................... 36 Figure 6. The Cisco WAAS Mobile Dashboard ..................................................................................... 50 Figure 7 Traffic Summary Graph ............................................................................................................ 51 Figure 8 System Reports Download Page .............................................................................................. 56 Figure 9 Windows SNMP Service Configuration ................................................................................. 59 Figure 10 Acceleration Icon in System Tray .......................................................................................... 69 Figure 11 Client Manager Diagnostics – TCP Sessions Tab ................................................................. 70 Figure 12 WAAS Mobile System Tray Icon Menu ................................................................................ 98

vi Cisco WAAS Mobile Administration Guide

About this Document

Intended Audience

This guide is intended for administrators of the Cisco WAAS Mobile software. Administrators may be responsible for any or all of the following tasks:

• Installing, configuring, and monitoring the WAAS Mobile server • Creating, distributing, and installing the WAAS Mobile client on end user machines • Providing support for Cisco WAAS Mobile end users

Document Outline

• Overview—briefly describes the overall WAAS Mobile system. • Hardware and Software System Requirements—hardware and software requirements for

optimal operation of the WAAS Mobile system. • Cisco WAAS Mobile System Installation- describes installation and upgrade procedures for

the WAAS Mobile server and client software. • Getting Started with the Cisco WAAS Mobile Manager – provides an overview of the Cisco

WAAS Mobile Manager, which provides centralized management and monitoring of all Cisco WAAS Mobile servers and clients from a single GUI.

• Configuring the Cisco WAAS Mobile Manager – provides instructions for configuring which servers are managed by the Manager, licensing and system-wide parameters.

• Configuring Cisco WAAS Mobile Servers – provides instructions for configuring server profiles, which describe a set of acceleration, networking, and other policies for groups of servers.

• Configuring the Cisco WAAS Mobile Client—provides instructions for configuring and managing clients.

• Managing WAAS Mobile - provides instructions for centrally managing and monitoring all servers and clients within an enterprise.

• Tips for Optimizing Application Acceleration – provides guidance for configuring Cisco WAAS Mobile to optimally accelerate applications and for configuring applications for optimum acceleration by Cisco WAAS Mobile.

• Diagnostics—provides a high level summary of the various types of diagnostic information that are generated.

• Troubleshooting—provides guidance on how to troubleshoot and resolve WAAS Mobile client and server issues.

• System Status Reports—provides detailed instructions for creating and using system status reports used by support personnel to isolate and diagnose problems.

Cisco WAAS Mobile Administration Guide vii

viii Cisco WAAS Mobile Administration Guide

Related Documents

In addition to this Administration Guide, the following documents are also available: • Cisco WAAS Mobile User Guide—A guide for the WAAS Mobile end user. This

complements the on-line help system and provides a reference for offline study. • Cisco WAAS Mobile Release Notes—Release-specific information regarding features added,

changed, and removed as well as known and resolved issues.

CHAPTER 1. Overview

Product Overview

Cisco Wide Area Application Services (WAAS) Mobile extends Cisco WAAS software application acceleration benefits to teleworkers, small and home office workers, and mobile employees who travel outside the branch office. Compared to corporate WAN and branch-office optimization, acceleration of mobile VPN connections over the public Internet brings additional technical challenges:

• Quality of the network connection is lower than the corporate WAN: Rather than using dedicated branch-to-corporate WAN leased lines, mobile users are using public Internet connections such as DSL, Wi-Fi, satellite, dial-up, cable, and cellular. These connections have lower bandwidth, higher packet loss and latency, and additional challenges such as time-slicing delay in cellular environments;

• Small footprint for the PC/laptop: In contrast to branch-office users who can rely on a dedicated branch-office device for application acceleration, mobile users have to share laptop or PC computing resources and the TCP software stack with numerous other PC applications;

• Support cost and manageability concerns: The open environment of a Windows PC, in contrast to the controlled environment of an appliance, has a very different class of stability and interoperability requirements, with a variety of operating systems, browser versions, end point security applications, VPN client software and a wide range of business applications.

To address these challenges, Cisco WAAS Mobile provides the smallest PC footprint and the lowest Total Cost of Ownership (TCO) normally associated with mass-user deployment of PC software, plus it achieves industry-leading performance under the most challenging network connectivity conditions by extending Cisco WAAS acceleration technologies to include the following:

• Advanced data transfer compression: Cisco WAAS Mobile maintains a persistent and bi-directional history of data on both the mobile PC and the Cisco WAAS Mobile server. This history can be used in current and future transfers, across different VPN sessions and during temporary network disconnects, to minimize bandwidth consumption and improve performance.

• Application-specific acceleration for a broad range of application protocols including: o Microsoft Exchange: Microsoft Outlook Messaging API (MAPI) o Windows Common Internet File System (CIFS) o HTTP, supporting enterprise web-based intranet and Internet applications o HTTPS for secured intranet applications without compromising security

• Transport optimization: Cisco WAAS Mobile handles the network variations found in packet switched wireless networks, the significant bandwidth-latency problems of broadband satellite links, and noisy Wi-Fi and DSL connections. The result is significantly higher link resiliency.

Cisco WAAS Mobile Administration Guide 1

Hardware and Software System Requirements

CHAPTER 2. Hardware and Software System Requirements

Server Hardware and Software Requirements

Requirements for Deploying WAAS Mobile Server Software on Dedicated Servers

This section details hardware and software requirements for proper system performance.

Table 1 Server System Requirements

Minimum1 Recommended

CPU 1.8 GHz dual core See Appendix A

System Memory (RAM) 2 GB See Appendix A

Disk Space Available for Cache 5 GB See Appendix A

Table 2 Server Software Requirements

Operating Systems supported: o Windows Server 2008 R2 x64 Standard Edition o Windows Server 2008 x64 Standard Edition (optionally with SP2) o Windows Server 2003 R2 x64, Standard Edition (optionally with

SP2) o Windows Server 2003 x64, Standard Edition o Windows Server 2003 R2, Standard Edition (optionally with SP2)

(See Appendix A) o Windows Server 2003, Standard Edition (optionally with SP1) (See

Appendix A)

NOTE: IIS 6.0 or later must be installed.

IMPORTANT: WAAS Mobile will not run on a Windows server that is also a Domain Controller.

1 Minimum server configuration supports 5-10 users.

2

Requirements for Deploying WAAS Mobile Server Software on Virtual Machines

WAAS Mobile Server Software may also be deployed as a Virtual Appliance. Use the guidelines outlined in Appendix A to define the size of the virtual machine that is needed for your deployment. Expect that the throughput of the Virtual Appliance will be 80-90% of a native appliance, so plan the CPU allocation accordingly.

Client Hardware and Software Requirements

The minimum PC hardware and software requirements are provided in the tables below:

Table 3 Client Hardware System Requirements

Minimum Recommended

CPU 750 MHz 1.5 GHz

System Memory (RAM) 512 MB 1 GB

Disk Space Available for Cache 80 MB 1 GB

Table 4 Client Software Requirements

Minimum Recommended

Windows XP SP2 Windows XP SP3 Vista Windows 7


Software Compatibility

Cisco WAAS Mobile has been tested and is compatible with the following applications. Other software packages not listed may also be compatible.

Protocol and Application Compatibility

This table contains the list of enterprise software applications that Cisco WAAS Mobile accelerates, including web browsers, email clients and other web-enabled applications.

Table 5 Protocols and Applications Compatible with Cisco WAAS Mobile

Protocol Application1

HTTP Microsoft Internet Explorer

FireFox

Chrome

Netscape

Netscape Communicator

Opera

Mozilla

Windows Explorer

HTTPS Microsoft Internet Explorer

Firefox2

Chrome

FTP Microsoft Internet Explorer

Netscape

Opera

Mozilla

FireFox

Windows Explorer

WS-FTP PRO

FTP.exe

SMTP/POP3 (email) Microsoft Outlook

Eudora

Netscape Communicator

Email-enabled MS Office Apps

Outlook Express

2 See CHAPTER 9 for information on configuring Firefox HTTPS optimization.

4 Hardware and Software System Requirements


Protocol Application1

Thunderbird

CIFS SMB Windows Explorer and other applications that use the CIFS protocol. Signed and unsigned SMB supported.

MAPI Microsoft Outlook 2007 Online, Cached mode, Encryption disabled

Microsoft Outlook 2003 Online, Cached mode

Microsoft Outlook 2002 Online, Offline

Microsoft Outlook 2000 Online, Offline

IMAP4 (email) Microsoft Outlook

Outlook Express

Lotus Notes (email) Lotus Notes

Microsoft Office Microsoft Office 2007

Microsoft Office 2003

Microsoft Office XP

SharePoint 2003 and 2007

Oracle Jinitiator

Java Runtime Environment

Misc. Applications Citrix ICA/RDP (compression and encryption disabled)

Microsoft Remote Desktop (Terminal Services)

Misc test utilities (wget, urlclient, curl)

1 Applications that do not appear on this list may be added by the enterprise administrator. The listed applications have been certified for use with Cisco WAAS Mobile.

VoIP bandwidth preservation

Cisco WAAS Mobile may be used to dynamically preserve bandwidth for real-time UDP traffic. The following soft phone VoIP applications, are supported by default, and others may be supported by adding them to the Accelerated Processes List via the Configure > Clients > Acceleration page:

• Cisco IP Communicator • Avaya Onex Agent • Nortel Unified Communications and Nortel soft phone • Microsoft Office Communicator

Antivirus/Security Software Interoperability

WAAS Mobile Client software is interoperable with a wide range of anti-virus software, including the following: • McAfee Virus Scan Enterprise • McAfee Internet Security Suite • Norton Internet Security • Norton 360 • Norton Anti Virus • CA Antivirus • Trend Micro PC-Cillin • Trend Micro Internet Security • Microsoft Windows Firewall • Panda Antivirus • Kaspersky Internet Security

o See the Kaspersky Internet Security section of CHAPTER 9 for configuration guidance.

• AVG Anti-Virus • Bit Defender • F-Secure • Symantec Data Loss Prevention (formerly Vontu)

o See the Symantec Data Loss Prevention section of CHAPTER 9 for configuration

VPN Software Interoperability

WAAS Mobile Client software is interoperable with a wide range of IPsec and SSL VPNs, including the following:

• A broad range of IPsec VPNs, including

o Cisco VPN Client o Nortel Contivity VPN Client o Microsoft Intelligent Application Gateway (IAG) VPN Client o Checkpoint VPN Client

NOTE: When interoperating with the Microsoft IAG or CheckPoint IPsec VPN clients, the network monitoring feature on the client should not be enabled. Note that this feature is disabled by default.

• SSL VPNs o Cisco AnyConnect Premium and Essentials o Juniper Network Connect, Secure Application Manager, and

Clientless Core Web Access o Nortel Net Direct, Enhanced Clientless, and Clientless Web Access

6 Hardware and Software System Requirements


o Citrix Secure Access Client o F5 FirePass Network Access o Neoteris

Accelerator Incompatibilities

The software programs below are not interoperable with the Cisco WAAS Mobile client because these applications redirect traffic in direct conflict with Cisco WAAS Mobile’s traffic redirection.

• Blue Coat Proxy Client • Riverbed Steelhead Mobile Client • Venturi VClient. • Bytemobile optimization client

Other Software Interoperability Notes

Microsoft ISA Server When deploying WAAS Mobile with Microsoft ISA server, the Flood Mitigation feature, which is on by default in ISA server, should be disabled. Additionally, the WAAS Mobile server addresses should be added to the ISA server’s flood mitigation IP address exclusion list.

Applications Employing Source IP authentication or tracking Several applications, including those listed below, employ source IP authentication to provide an added level of application security. The WAAS Mobile servers that are accelerating these application servers should be configured to either use Client IP Preservation, which can be enabled via the Configure > Servers > Networking page, or to bypass these applications. Applications requiring Client IP preservation include:

• Infosys Finacle • Some Lexis/Nexus applications • TACACS server GUI • Applications using the MSDNWS SOAP user agent • Video streaming using the RTSP protocol • VoIP, when SIP authentication is enabled

Cisco WAAS Mobile System Installation

CHAPTER 3. Cisco WAAS Mobile System Installation

This chapter describes the procedures an administrator will need to use in order to install the Cisco WAAS Mobile software. This chapter contains the following sections:

• Pre-Installation System Check • WAAS Mobile Server Installation • WAAS Mobile Client Installation

Pre-Installation System Check

1. Verify that the computer on which you intend to install the server software meets the system requirements listed in CHAPTER 2.

2. Do not run other applications, including the client software, on the computer running the WAAS Mobile server. If anti-virus software is installed on the server, it must be configured to allow outgoing ports that the WAAS Mobile server may use (e.g., SMTP port 25).

NOTE: When virus scanning is run on WAAS Mobile server, it is recommended that the delta cache file and the delta cache index file be excluded from the scan. Specifically, exclude the following files from being scanned by the virus scanner:

On Windows Server 2003 and 2003 R2:

C:\Documents and Settings\All Users\Application Data\Cisco\WAASMobile\DeltaCache\BD_ServerPage.acc

C:\Documents and Settings\All Users\Application Data\Cisco\WAASMobile\DeltaCache\BD_ServerControl.acc


C:\ProgramData\Cisco\WAASMobile\DeltaCache\BD_ServerPage.acc

C:\ProgramData\Cisco\WAASMobile\DeltaCache\BD_ServerControl.acc

3. Verify network routability from the client computers that will run the WAAS Mobile client to the WAAS Mobile server.

4. Verify network routability from the WAAS Mobile server to the content and application servers that will be accelerated.

5. Verify that the firewall on the Windows Server is configured to allow TCP and UDP access over port 1182. Optimized data is transmitted over UDP port 1182 and session initiation and control uses TCP port 1182.

8

IMPORTANT: Windows Server 2008 blocks port 1182 by default. Before running WAAS Mobile, this port must be opened for TCP and UDP traffic.

6. Verify that any firewalls between the WAAS Mobile server and computers running the WAAS Mobile client are configured to allow TCP and UDP access over port 1182.

7. It is generally recommended that WAAS Mobile be installed on a 64-bit Windows Server OS.

NOTE: If WAAS Mobile is being installed on a 32-bit Windows Server OS and the server is configured with 4 GB or more RAM, configure server memory management to allocate additional memory to the user process. To do this, modify the “boot.ini” file to allocate 3 GB of RAM for user space for the WAAS Mobile server, by adding the /3GB option to the appropriate line, as follows:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /3GB

IMPORTANT: When deploying with a Windows 32-bit OS, memory management must be properly configured to achieve desired server performance.

8. Read the Release Notes.


WAAS Mobile Server Installation

Installation of the WAAS Mobile Server Software

1. To perform the procedures in this section, you must be logged into the server computer as a user with administrator privileges.

2. Install the WAAS Mobile server as follows: 3. Verify that IIS is running.

NOTE: WAAS Mobile installs on IIS port 80.

4. Download software from link provided by Cisco. 5. Install server software by double clicking on the ServerSetup.exe file.

NOTE: WAAS Mobile requires that the inetpub directory be configured on the C: disk partition.

NOTE: WAAS Mobile Manager cannot be installed on a Windows Domain Controller.

6. When the installation completes, a browser window will open and display the WAAS Mobile Manager Login page. If this page does not open automatically or if you receive an error, verify that IIS permissions are set correctly.

NOTE: It may take some time to load the page for the first time.

7. Before proceeding, read the Release Notes thoroughly.

Starting a 30-Day WAAS Mobile Evaluation

1. Login to the WAAS Mobile Manager using the following default credentials:

• Username: admin • Password: default

2. Select the IP address that the client PCs will use to connect to this server from the drop-down list of IP addresses that have been configured on this server.

3. Check the “Start 30 Day Evaluation” checkbox

Figure 1 Starting a 30-Day Evaluation

4. Click “Submit” to start the 30-day evaluation.

10 Cisco WAAS Mobile System Installation


• The server will be started automatically.

• A default client distribution will be generated automatically, and a link to that software will be posted at the top of the WAAS Mobile Manager window.

• Click on the hyperlink at the top of the page to download and install the client software on the test PCs.

Starting Up WAAS Mobile in a Production Environment

1. Login to the WAAS Mobile Manager using the following default credentials:

• Username: admin • Password: default

2. Verify that the “Start 30-Day Evaluation” checkbox is not checked.

Figure 2 Starting Up WAAS Mobile in a Production Environment

3. For each acceleration server that you wish to deploy, obtain license key(s) by going to

http://www.cisco.com/go/license and inputting the Product Authorization Key (PAK) and Media Access Control (MAC) of one of the NIC cards on the server. Cisco will then send you an email with a key that is affliated with the PAK, server MAC, and the number of client user licenses you have purchased.

IMPORTANT: If your server is running on a virtual machine, a change to the Media Access Control (MAC) address may cause your license key to fail.

License keys are affiliated with MAC addresses, so try to preserve it when moving the WAAS Mobile server to a different virtual host. In the case where this is not possible, a new key will be required to re-host the WAAS Mobile server. Please contact the Cisco Licensing team (http://www.cisco.com/go/license) with your new Virtual NICs MAC address to obtain new keys prior to re-hosting your application

IMPORTANT: The NIC hosting the designated MAC address must be active in order for the license to be recognized.

4. Enter the license key sent in the license.dat attachment on the Configure > Manager > Licenses page by selecting a server and then selecting “Edit License Key.”

Figure 3 Enter License Information

NOTE: Licenses that are issued for evaluation and test purposes have an expiration date.

5. Verify Delta Cache size and location by navigating to the Configure > Servers > Acceleration > Delta Cache page.

IMPORTANT: Before starting the server for the first time, verify the size and location of the delta cache.

• By default, the delta cache is placed on the same disk partition as the server. For many deployments, it may be preferable to place the cache in its own RAID 5 partition.

• By default, WAAS Mobile will attempt to configure a 50 GB cache. To support this, the server should be provisioned with at least 80 GB capacity and 2 GB RAM.

IMPORTANT: If the minimum disk space is not available, then delta caching will not be supported and acceleration performance will be limited to transport optimization and compression.

NOTE: The minimum server delta cache that may be configured by the administrator is 5 GB.

6. Configure Client Distributions as described in the section entitled WAAS Mobile Client Installation below.

7. Start the Server(s). Navigate to the Manage > Servers page, select the server(s) to be started, and click the Start button.

Uninstalling the WAAS Mobile Server Software

To uninstall the WAAS Mobile server software: 1. From the Control Panel,

• On Windows Server 2003, double-click Add or Remove Programs. • On Windows Server 2008, double-click Programs and Features

2. Select Cisco WAAS Mobile Server from the list, and click the Change button. 3. The server software will be removed from the system.


Upgrading the WAAS Mobile Server Software

To upgrade the WAAS Mobile server software: 1. Stop the Server(s). Navigate to the Manage > Servers page, select all servers, and click the

Stop button. 2. Install the new software version; the previous version will be automatically uninstalled and

your current configuration will be automatically saved and reloaded. 3. The client software will be upgraded automatically, as described in the “Automatically

Upgrading WAAS Mobile Client Software” section below.

IMPORTANT: All servers managed by the Manager must run the same release version, and must be upgraded at the same time.


WAAS Mobile Client Installation

Initial Installation of the WAAS Mobile Client Software

The first time the administrator logs into the WAAS Mobile Manager, it creates a “default” client distribution that may be distributed to end users. Links to the client distribution page (Configure > Clients > Software ) are available on the dashboard and for evaluations, a link is posted at the top of the Manager page.

NOTE: For best operation, do not install the client software on the WAAS Mobile server machine.

While this default configuration covers the most common use cases, it may be necessary or desirable to tune the configuration or create additional client distributions to meet the needs of different user groups, as described below.

Creating a Client Distribution Go to the Configure > Clients > Software page. Note that a default client distribution has been created. On this page, the following actions can be taken:

• Add. Creates a new client distribution. When a client distribution is added, the software package is created, and a link to this software is placed in the table.

• Remove. Removes the selected client distribution. • Edit. Modify the name or server IP associated with the client distribution. • Copy. Creates a new distribution by cloning the parameters associated with the selected

client distribution.

Configuring a Client Distribution Prior to distributing the client distribution file, the administrator may wish to modify the default configuration for specific user populations, applications, or networks, as discussed in CHAPTER 7. For many installations, the default settings provide the appropriate configuration, and additional configuration may not be necessary.

NOTE: Parameters associated with a Client Distribution can be modified by navigating to the other pages under Configure > Clients and selecting the distribution to be modified from the pull-down menu at the top.

NOTE: The administrator may modify the client distribution after users install it; clients will automatically update their configurations the next time they connect to the server.

Distributing and Installing a Client Distribution Client Distributions may be distributed to clients by

• Emailing the “Client Software” link located on the Distributions tab of the Configure > Clients > Software page to users for them to download and install the



software. This mode is typically used during evaluations to send the software to specific test users and requires that the users have administrative rights to their PC.

• Distributing and installing the software via enterprise software distribution tools (e.g., Microsoft SMS or Active Directory, IBM Tivoli, or Computer Associates Unicenter).

o Distribute the .msi that can be downloaded from the “Client Software” link, or

o To manage the assignment of client distributions to computers via Active Directory, go to the Active Directory tab

Distribute the Unconfigured Client Software Package (.msi) and Use the auto-generated Administrative Template (.adm) file to

specify Active Directory group policies that map sets of Client Distribution names and server IP/hostnames to Active Directory groups.

NOTE: Active Directory group polices should be defined for machines (HKLM) versus users (HKCU).

Automatically Upgrading WAAS Mobile Client Software

The automatic upgrade feature enables WAAS Mobile client software to be automatically upgraded when the server software is upgraded. When the WAAS Mobile client connects to the server, it will detect that a new software version is available and automatically download and install it. This feature is enabled by default. To disable automatic upgrades, navigate to the Configure > Clients > Software page, select the Upgrades tab, and un-check the Enable Automatic Upgrades checkbox.

Getting Started With The Cisco WAAS Mobile Manager

CHAPTER 4. Getting Started With The Cisco WAAS Mobile Manager

The Cisco WAAS Mobile Manager provides a central management and configuration facility for all Cisco WAAS Mobile servers and clients.

Manager Functionality

Via the Manage menu, administrators may monitor system, server, and client performance, control servers and individual users, and diagnose issues affecting any server or client, as follows:

• Dashboard. The dashboard provides a summary of system health and status, with hyperlinks to pages where any needed actions should be performed. The dashboard also provides a system-level summary of usage and bandwidth savings versus time.

• Performance. View acceleration performance and traffic characteristics at the system level, server farm level, or client level across the time range of interest.

• Monitoring. View server resource utilization statistics from across all servers and drill down to view how individual servers are performing.

• Servers. View the health of all servers and drill down to control individual servers. • Clients. View the performance and diagnose client issues of any accelerated client. • Events. View the aggregated server event logs from all servers, and drill down by

severity, timeframe, and server. • System Reports. View the aggregated system reports from all servers and clients. • Backup and Restore. Export or import system configurations or the statistics database or

restore factory settings. Via the Configure menu, administrators may:

• Apply Settings. View pending configuration changes and apply them to the system.

IMPORTANT: Unless otherwise noted, configuration changes do not take effect immediately. When an administrator changes a parameter including the addition or modification of a license, the new settings are not activated until they are applied.

• Configure the Manager o Select the Management Authority. Select the server that will assume the Manager

role.

IMPORTANT: Only one server should be nominated to assume the Manager role.

16

NOTE: Upon initial startup, the Manager is configured to manage a single, local server. The Management Authority page allows the administrator to select a remote Manager for this server. When managed by a remote Manager, the local management GUI becomes inactive.

o Add Servers and assign them to Server Farms, and configure Licenses and Passwords. • Configure the Server(s). Define server profiles, acceleration, networking, and diagnostics

policies, server capacities, and security configurations.

NOTE: Servers are not configured at a device level, but rather via group policies called server profiles. Configuration parameters are applied to server profiles, which in turn are mapped to individual servers.

IMPORTANT: On each server configuration page, before modifying server profile parameters, select the profile that is to be modified from the drop-down list at the top of the page.

• Configure the Clients. Define client distributions, acceleration, networking, and diagnostics policies, and the user interface configuration.

NOTE: Clients are also not configured individually, but via policies that are associated with client software distributions or Active Directory group policies. When client configuration changes are applied, the deployed clients are automatically updated the next time they connect to the server.

IMPORTANT: On each client configuration page, before modifying client distribution parameters, select the distribution that is to be modified from the drop-down list at the top of the page.

Applying Configuration Settings

WAAS Mobile configuration changes are not applied to servers and clients until the “Apply Configuration Changes” button is clicked on the Configure > Apply Settings page. All Server settings and Client settings are applied when “Apply Configuration Changes” is selected; settings for the Manager are applied as follows:

• Settings that are applied by “Apply Configuration Changes”: Settings on the Server farm page and the password.

• Settings that are applied via a control on the page where they are entered: Settings on the Management authority, licenses, properties pages.


When a new configuration is applied, both the server and client configurations are pushed to the servers. When a client starts an acceleration session, it checks with the server to see if there is a pending configuration change, and updates its configuration as needed. The Configure > Apply Settings page provides the administrator with the ability to analyze the pending configuration changes:

• Client distribution changes. Most changes do not require that the servers be restarted, so applying client distribution changes does not automatically restart the servers.

• Server profile changes. Applying changes will result in servers associated with the changed profile being automatically stopped and restarted.

NOTE: Servers will automatically be restarted when their server profiles are updated.

Server and client configurations are implemented via registry key settings. The change summary shows how these keys will be modified, as follows:

• “+”(Plus sign). Registry key and value will be added. • “-“ (Minus sign). Registry key and value will be deleted. • “>” (Greater-than sign). Old value. • “<” (Less-than sign). New value

Figure 4 Applying System Settings

18 Getting Started With The Cisco WAAS Mobile Manager

CHAPTER 5. Configuring the Cisco WAAS Mobile Manager

The Cisco WAAS Mobile Manager is configured by the Configure > Manager menu, which includes the following selections:

• Management Authority. Select whether the server is the Manager or will be managed remotely.

• Managed Servers. Identify the servers that will be managed. These servers are also referred to as worker servers.

• Licenses. Centrally manage licences. • Farms. Identify the servers to be managed and group servers into server farms. • Password. Change the Manager password. • Properties. Modify system update intervals, time-outs, etc.

Establishing the Management Authority

Any server may assume the role of the Manager. The server hosting the Manager may also provide acceleration server functionality, or for large deployments, a stand-alone Manager may be deployed. By default, the server starts up assuming the Manager role, which is appropriate for single-server deployments. When multiple servers are deployed, a single Manager must be identified.

IMPORTANT. When more than one server is being deployed, one of the servers must be configured as the central manager.

On every server except the server running the Manager, select “Manager is Remote” on the Configure > Manager > Management Authority page and enter the IP of the remote Manager. Once this selection has been made, the local menu on the server will be grayed out and the server may only be managed remotely from the central manager.

Defining the Servers to be Managed

The servers that are to managed by the Manager must be identified to the Manager via the Configure > Manager > Managed Servers page. To add a server, click on “Add Server” and enter:

• Public IP. The IP address that clients will use to reach the server

NOTE: Only acceleration servers should be entered in the server table. When configuring a stand-alone Manager (i.e., a server that runs as a Manager but does not also run as an acceleration server), remove it from this table.


Additionally, when configuring a stand-alone Manager, configure the server IP used by the client distributions (on the Distributions tab of the Configure > Clients > Software page) to be the IP address of an acceleration server.

NOTE: Only enter a server’s public IP once in the Managed Servers table.

• Management IP. The IP address that the Manager will use to reach the server. If this field is left blank, the Manager will use the Public IP.

o By setting a separate management IP address, administrators can isolate the management network from the clients.

• License key. The client license key may be entered on this page or on the Configure > Manager > Licenses page.

• Farm. Each server must be mapped to a server farm. Server farms are used to map acceleration servers to accelerated networks and to define failover and load balancing. Farms must first be defined on the Configure > Manager > Farms page. By default, the server will be mapped to DefaultFarm.

NOTE: When deploying a single server, it is not necessary to define server farms.

• Profile. Each server must be mapped to a server profile, which is a configuration policy. Server profiles must first be defined on the Configure > Servers > Profiles page.

Pooled Client Licensing

WAAS Mobile licenses are managed centrally as a pooled resource. A connected user consumes a single license, no matter how many servers with which it establishes acceleration sessions. When all licenses are in use, no new users sessions will be accepted, and those users will not be accelerated. License usage may be monitored via the Dashboard and via the Active Users graph on the Manage > Servers > Statistics page. One or more servers should be provisioned with client licenses. Before a client will accelerate traffic, it must be granted a license from one of these servers. Client licenses should be entered on the Configure > Manager > Licenses page. When “Submit” is clicked, the licenses will be immediately pushed to the servers.

NOTE: Once licenses have been applied, the servers are automatically restarted. Servers that are not granting servers may be started via the Manage > Servers page.

Clients obtain WAAS Mobile licenses from servers as follows: • The first time the client starts, it will attempt to get a license from the server specified in

the client distribution. • The next the client starts, the client will first attempt to get a license from the servers it

accessed most recently for acceleration.

Configuring the Cisco WAAS Mobile ManagerError! Reference source not found. 20

• If a client is unable to obtain a license from any of the servers it most recently used, it will proceed to search through the farms to find a license. The client will continue to do this until a license becomes available.

A server will not grant a client license if

• The server is unavailable. • The server has exceeded its license capacity. • The server has exceeded its session capacity. See the Configuring Server Capacity section

of this document for more information. In the event that a license granting server fails

• All users that have license-granting sessions to that server will attempt to get a license from another server to which they are also connected, so that acceleration can continue without the user being disconnected.

• If that fails, the client session will be temporarily disconnected while the client searches for a new license from other servers.

• In the event that a client is unable to obtain a license, its traffic will not be accelerated.

Configuring Server Farms

A Server Farm is a group of servers that: • Accelerates the same set of subnets. • Load balances client connections and automatically fails over these connections to

another server in the farm in the event of a failure.

Defining Server Farms All servers need to be assigned to server farms. When a single server is deployed, it is automatically mapped to DefaultFarm, so a manual assignment is not required.

1. Before a server may be mapped to a farm, the farm name must be defined on the Configure > Manager > Farms page by clicking on “Add Farm” and entering a farm name.

2. To then map the server to a farm, drag and drop the server IP onto the farm.

NOTE: Servers placed in the same farm should be geographically co-located and will accelerate the same set of destination subnets.

High Availability To configure high availability within a server farm, administrators may employ load balancing or hot/standby server configurations.

• For load balancing, place all load balanced servers into the same farm. No additional configurations are required.

• For hot/standby servers, place the hot servers and standby servers in separate farms, and create pairs of rules that map all subnets and hosts to both farms. The first rule encountered will select the hot server farm. If that farm is not available, the next rule will select the standby server farm.


Load Balancing Methods The following load balancing methods may be configured for each farm via the Farm Options tab on the Configure > Manager > Farms page: Client-based Load Balancing. Recommended for best performance.

• Load balancing and failover are performed by client-side logic as follows: The first time a client forms an accelerated connection to a farm, it randomly selects a server. On subsequent accesses, it will first attempt to connect to that server in order to reap the benefits of Persistent Sessions and/or Delta Caching. If the server cannot accept the connection either because it has reached its capacity limit or is unavailable, the client will attempt to connect to another server. The client will make up to three attempts to reach a server in the farm and then failover to a backup farm.

Layer 7 switch load balancing.

• The clients address the farm via the Virtual IP (VIP), and the Layer 7 switch selects a server.

NOTE: Select the farm from the drop-down menu before configuring the load balancing option.

Internet Gateway Identification To enable the client to auto-detect the best Internet gateway to use the administrator should specify which Server Farms that are hosted at locations that also provide Internet Gateways by navigating to the Farm Options tab of the Configure > Manager > Farms page, selecting the farm from the drop-down menu, and checking the “This Farm has an Internet gateway” checkbox.

Changing the Manager Password

The Manager password may be modified via the Configure > Manager > Password page. “Apply Settings” to have password changes take effect.

NOTE: Changes to the Manager password affect the Manager and all servers managed by the Manager.

Changing Manager Properties

The administrator may modify the following Manager properties via the Configure > Manager > Properties page:

• Server Monitor Interval. By default, the Manager polls the servers for status every 15 seconds.

• Client Monitor Interval. By default, the Manager updates client data every 5 minutes. • Form timeout. By default, the Manager GUI times out after 10 minutes of inactivity.


CHAPTER 6. Configuring Cisco WAAS Mobile Servers

Servers are configured via group policies called server profiles which are defined and configured via the Configure > Servers menu, which includes the following selections:

• Profiles. Define server profiles and map them to servers. • Acceleration. Configure HTTP optimization and delta cache parameters • Networking. Specify addressing option to be used by the server when accessing

destination servers. • Diagnostics. Configure server diagnostic features and email alerts. • Capacity. Configure session and storage capacity limits. • Security. Specify user access control list.

All servers are initially mapped to a “Standard” server profile which may be modified to meet requirements. A single profile may suffice in many cases. Multiple profiles will be needed for the following scenarios:

• There is a mix of server capacities, where servers are provisioned with different RAM, CPU, and/or disk capacitities. Separate profiles should be created for each server configuration.

• Client IP aliasing is configured. Each farm must be aliased to different IP ranges, so separate sets of profiles must be generated for each farm.

• Client IP preservation is configured. Each server will require a separate profile. • There is a need to manage the configuration of server parameters in one farm differently

than in other farms.

Configuring Server Profiles

Server profiles are defined and mapped to servers on the Configure > Servers > Profiles page.

NOTE: Before a server profile can be applied to a server, the server needs to be defined in the Manager. This may be done by entering the Server IP address via the Configure > Manager > Managed Servers page.

Create server profiles using the “Server Profiles” table, via the following commands: • Add. Creates a new server profile. Once a server profile has been added, servers may be

mapped to it. • Remove. Deletes the selected server profile. • Edit. Modifies the name of the selected server’s profile. • Copy. Creates a new server profile by cloning the parameters associated with the selected

profile. Servers may then be mapped to server profiles in the “Map Servers to Server Profiles” section by dragging and dropping the server IP onto the appropriate profile.


Configuring Server Acceleration

The following paragraphs describe the configuration options available on the Configure > Servers > Acceleration page.

NOTE: Before configuring server profile acceleration parameters, select the desired profile from the drop-down menu at the top of the page.

Configuring the Server Delta Cache

The server delta cache may be configured via the settings on the Delta Cache tab on the Configure > Servers > Acceleration page, as described in the table below.

Table 6 Delta Cache Settings

Delta Cache Size in GB Enter the desired server delta cache size. The default delta cache size is 50 GB. See Appendix A for minimum delta cache sizing guidelines.

Delta Cache Location Enter the desired server delta cache location. The default pre-set setting for software installations is to place the delta cache in the All Users area.

Enable HTTPS Caching Enables caching of data received via HTTPS. This feature should be enabled when HTTPS acceleration is enabled. This feature is enabled by default.

Enable Cache Encryption Enables encryption of the server delta cache. Delta cache encryption is disabled by default. Encryption pre-requisites are as follows: In a domain environment, Group Policy must be set up with a Data Recovery Agent and valid X.509 certificate, and the policy(ies) must be configured to allow users to encrypt files using EFS. For additional information, on configuring a Data Recovery Agent, see HTTP://technet.microsoft.com/en-us/library/cc778448.aspx

Configuring HTTP Optimization Settings

Most HTTP optimization settings are configured as part of the client distribution, with the exception of HTTP pre-fetching settings, which are configured via the HTTP tab of the Configure > Servers > Acceleration page. HTTP prefetching is a server-side acceleration technique that models browser-to-web server behavior to predict and actively pre-fetch web objects prior to being requested.


http://technet.microsoft.com/en-us/library/cc778448.aspx


Table 7 HTTP Prefetching Settings

Enable Prefetching HTTP prefetching is enabled by default. Check the checkbox to disable it.

Files with the following extensions will not be prefetched

Provide a semicolon-separated list to prevent prefetching specific file types from all hosts. By default, the following file types are not prefetched: php, php3, php4, cgi, pl, asp, cfm, jsp, exe, dll, swe, aspx.

Files from the following hosts will not be prefetched

Provide a comma-separated list to prevent prefetching from specific host names. Do not leave any spaces between hostname entries.

Configuring HTTPS

In SSL communication, the secure server provides its certificate to the client; the client decides if the certificate represents the server and is trusted. When accelerating HTTPS with WAAS Mobile, the secure server’s certificate is reissued by the WAAS Mobile server, and it is the reissued certificate that the client compares with expectations. The WAAS Mobile server acts as a certificate authority (CA) to perform the reissuing function. There are two main scenarios:

• The WAAS Mobile server CA is a root authority (i.e., it is self-signed). • The WAAS Mobile server CA is a subordinate authority (i.e., its certificate is issued by

another CA). In production deployments, it is recommended that the WAAS Mobile server be configured as a subordinate CA, as follows:

• In the server profile of each server that will be supporting HTTPS acceleration, enable the use of a Subordinate CA via the HTTPS tab on the Configure > Servers > Acceleration page.

• Apply the updated server profile to the servers via the Apply Settings page; the servers will automatically be restarted.

• The server will generate a certificate request file named “<hostname>.req” and place it in the C:\WINDOWS\system32 folder.

• Submit the .req file to your Enterprise Certificate Authority (Enterprise CA) to get a subordinate CA certificate file.

• Import the certificate into the local machine (not user) store on the WAAS Mobile server machine.

• Restart the WAAS Mobile server. • Repeat this procedure for each server.

NOTE: The Root Authority for the Enterprise CA must be in each user’s trusted store on each client machine.


Configuring Server Networking

IP Addressing Options

TCP connections between clients and servers consist of three segments: • Client application to WAAS Mobile client connection (local) • WAAS Mobile client to WAAS Mobile server connection (WAN) • WAAS Mobile server to application server connection (LAN)

The Configure > Servers > Networking page allows the administrator to control how the WAAS Mobile servers assigned to each profile will address upstream application servers. Three addressing modes are provided:

• Use Server’s IP. TCP connections from the WAAS Mobile server to the application servers use the IP address of the WAAS Mobile server as the Source IP address. (The WAAS Mobile server checks the Windows Operating System’s routing table to determine the NIC through which data will be sent.) This is the default addressing mode.

• Use Client IP preservation. TCP connections from the WAAS Mobile server to the application servers use the IP address of the WAAS Mobile client as the Source IP address. When using this mode, traffic from the application servers will be addressed to the client Source IP and must be redirected to the WAAS Mobile server via an external Layer 4 switch.

NOTE: The layer 4 switch must be configured to return traffic upstream via MAC address. Depending on the switch vendor, this feature may be referred to as MAC stickiness, return-to-sender, nPath, or direct server return.

NOTE: A separate NIC should be used for IP preservation. Verify that the NIC supporting IP preservation on the WAAS Mobile server has been configured with Receive Side Scaling disabled and with TCP Checksum Offload disabled. These options are configured as part of the NIC Advanced Options.

To utilize the IP preservation feature:

1. Install the IP preservation driver on each WAAS Mobile server for which IP preservation is to be employed.

a. Stop the server(s). b. Run the IP driver installer msi file, which is located in

i. Windows Server 2003: C:\Program Files\Cisco Systems\WAASMobileServer\IP Preservation Driver\

ii. Windows Server 2008: C:\Program Data\Cisco Systems\WAASMobileServer\IP Preservation Driver\

c. Start the server(s) 2. Configure IP preservation via the Manager

a. Enter the IP address of the network interface that is facing the LAN.


NOTE: A separate profile should be created for each server for which IP preservation is enabled, as the server IP address configured for IP preservation will reference a single server.

• Use Client IP aliasing. A pool of aliased IP addresses are created on the WAAS Mobile server, each of which have a static 1:1 mapping to a client Source IP address. TCP connections from the WAAS Mobile server to the application server use the aliased server address as the Source IP address. In this mode, each client Source IP address is presented as a unique aliased address to the upstream application servers.

Client IP aliasing is configured as follows:

Table 8 Configuring Client IP Aliasing

Public Network Interface Name

Name of the network interface that the server is using for aliasing. (e.g., Local Area Network)

Client Source IPs For each address range, enter the <ClientIP addresslowaddress1> and the <ClientIPaddresshighaddress1>

Server Source IPs and Subnet Masks

For each address range, enter the <ServerIP addresslowaddress1> and the <ServerIPaddresshighaddress1> and the mask that will be applied to the network interface.

NOTE: The number of client addresses, when summed across all ranges must equal the number of server addresses.

Server Source IP for Unmapped Client IP addressess

In the event a client accesses the server with a source address that does not fall within the specified Client Source IP, it will be mapped to this address.

Configuring Server Diagnostics

Cisco WAAS Mobile has a sophisticated diagnostic system which sends detailed system reports— from either or both the client and the server—when requested by the end user or administrator or when abnormal behavior is detected in the acceleration system.

Contents of a System Report A System Report is a .cab archive several files, including the following:

• Description.txt: This file contains the problem description entered by the end user when the system report was generated. Administrators should encourage users to enter a comprehensive and detailed description of the actions that led up to the issue that was observed.


• Blackbox.txt: This file contains a wealth of information about the machine from which the report was sent including other software running, networking configuration, as well as the WAAS Mobile software configuration. This information is often very useful for troubleshooting configuration or connectivity issues.

• CustomInfo.xml: This contains information about the user sending the report, including the User Name with which they logged onto the system.

• Instrument.dat: This file contains instrumentation data about what happened on the machine in the time leading up to the triggering of the report.

NOTE: System reports may only be analyzed by the Cisco Technical Assistance Center (TAC). Cisco technicians use these reports to validate configuration settings, inspect performance, and perform advanced troubleshooting and diagnostics.

Triggering System Reports When system reports are generated for clients, a set of reports is generated – one from the client plus one from each server to which the client is connected. These system report sets may be generated as follows:

• Administrator-generated reports are generated via the Manage > Clients page. • End-user generated reports are generated by right-clicking the desktop icon and selecting

System Report. This capability is enabled by default but may be disabled via the Configure > Clients > User Interface page.

System reports for specific servers may also be generated via the Manage > Servers page.

Server Diagnostics Settings Before configuring server diagnostics parameters, select the desired profile from the drop-down menu at the top of the Configure > Servers > Diagnostics page.

Table 9 Server Diagnostics Settings

System Reports URL Identifies the WAAS Mobile worker server where the server system reports are sent and stored. When the value is “default,” system reports generated by the worker server are stored on that worker server. To post system reports to another server, enter: HTTP://<server-ip>/SystemReportsReceiver/ReportReceiver.ashx?

• <server-ip> is the address of the WAAS Mobile server that is going to receive the system reports

• The “?” is required at the end of this path The Manager provides an integrated view of all system reports from all servers, which may be viewed via the Manage > System Reports page.


NOTE: System reports are posted to one of the following locations on the specified WAAS Mobile server, depending on the type of system report that is genererated.


C:\Documents and Settings\All Users\Application Data \Cisco\WAASMobile\Inbox, or to

C:\Documents and Settings\All Users\Application Data \Cisco\WAASMobile\Exceptions


C:\ProgramData\Cisco\WAASMobile\Inbox, or to C:\ProgramData\Cisco\WAASMobile\Exceptions

NOTE: System reports are transmitted from the client to the worker servers over port 80.

NOTE: The server that receives the system reports must be defined as a server on the Configure > Managed Servers page.

System Reports Directory

Identify the directory for the system reports inbox if a location other than the default is desired. The amount of storage allocated for server system reports may be configured via the Configure > Servers > Capacity page. The default location is:

On Windows Server 2003 and 2003 R2: C:\Documents and Settings\All Users\Application Data\Cisco\WAASMobile\Inbox.

On Windows Server 2008 and 2008 R2: C:\ProgramData\Cisco\WAASMobile\Inbox.

Enable E-mail Alert Enables e-mail alerts when system reports are created.

From Name of sender.

To Name(s) of recipients.

Subject Email subject

Frequency in minutes

How often e-mail alerts are sent.

Outgoing mail server (SMTP)

Name of SMTP server used to deliver alerts.


Port Port to use for outgoing mail.

Enable SSL Enables SSL security.

User Name SMTP server user name credentials.

Password SMTP server password credentials.

Enable Network Monitoring

If checked, enables packet captures to be included in system reports.

Accessing System Reports System Reports may be downloaded from the WAAS Mobile Manager by navigating to Manage > System Reports.

Configuring Server Capacity

Before configuring server capacity settings, select the desired profile from the drop-down menu at the top of the Configure > Servers > Capacity page.

Session Capacity Enter the maximum number of accelerated client sessions that the server will support.

System Reports Storage Limit 2000 MB, default allocation. When the storage limit is reached, old reports are deleted to make room for new reports.

Configuring Client Access Control

Client Access Control lists may be used to allow or deny acceleration to users based on their source IP addresses. This function may be configured via the Configure > Servers > Security page. Before configuring ACLs, select the desired profile from the drop-down menu at the top of the page. Access Control Settings support the deployment of WAAS Mobile in conjunction with WAAS branch office appliances. This feature should be used to support users who access applications and content via a combination of remote connections and fixed branch offices (e.g., laptop users). Access Control settings allow administrators to disable WAAS Mobile acceleration for subnets on which WAAS or other acceleration appliances have been deployed by including them in the “Deny List” so that they are not accelerated by WAAS Mobile.

Table 10 Access Control Settings


Access Control List Type

When the Access Control List is enabled, administrators may specify which client IP sub-networks should be accelerated or denied.

Allow List/Deny List If Allow List is selected, then any client connecting with an IP in any of the sub-networks added to the allow list will be accelerated. If the client is connecting from an IP not in one of the ranges, then the software will disable itself and the user will not experience acceleration and all traffic will bypass WAAS Mobile completely. In deployments where WAAS Mobile is provisioned for VPN users and WAAS appliances are provisioned for the branch workers, the Allow List may be configured with the VPN IP range to ensure that WAAS Mobile is only used when users connect remotely. Alternatively, as described below, a deny list may be used instead. If Deny List is selected, the list of sub-networks serves as a “blacklist”, indicating the client IP addresses that will NOT be accelerated. Enter all subnets accelerated by Cisco WAAS appliances here.

WAAS Mobile Security

Control Channel Encryption

WAAS Mobile encrypts the initial TCP exchange on port 1182 between the client and the server using a public/private key exchange.

Data Channel Encryption

By default, the data traffic between the WAAS Mobile client and WAAS Mobile server is not encrypted. In most deployments, the client-server traffic is encapsulated in a VPN, so an additional level of encryption is not required. However, if strong encryption is required for your deployment, please contact Cisco Technical Assistance Center (TAC) who will confirm that you meet US export requirements and then provide you with an additional license key (a Security License Key) for enabling strong link encryption, following the process described below:

1. Once export approval has been granted, obtain the following identification information from the server and provide it to the Cisco Technical Assistance Center (TAC):

a. MAC address b. Unique ID. The Unique ID is obtained by running the following in a command

window: C:\Program Files\Cisco Systems\WAASMobileServer\GetWinInstId.exe The program will print a string that looks something like S-1-5-21-2073471693-1124288435-3808008820, which is the unique ID for this server.

2. The Cisco Technical Assistance Center (TAC) will then send you a file called license1.dat.


32 erence source not found. Configuring the Cisco WAAS Mobile ManagerError! Ref

3. Install license1.dat in the following folder: For Windows Server 2003 and 2003 R2:

C:\Documents and Settings\All Users\Application Data\Cisco\WAASMobile. For Windows Server 2008 and 2008 R2:

C:\ProgramData\Cisco\WAASMobile 4. Stop and restart the WAAS Mobile server(s).

Delta cache encryption

The delta cache on both the client and server may be encrypted (see the Delta Cache tabs on the Configure > Servers > Acceleration and Configure > Clients > Acceleration pages). When encryption is enabled, the Windows Encrypted File System (EFS) is used to provide AES-256 encryption by default. When Windows is configured for FIPS 140-2 mode, encryption is 3DES on Windows XP and AES-256 on Windows Vista and Windows 7.

Manager-client isolation

In larger deployments, it may be desirable to host the Manager on a dedicated server with a firewall between the users and the Manager to prevent any user from having access to the server. Since the Manager does not communicate directly with clients, but routes all communications through a server, the central management platform can be completely isolated from the users.

Server management isolation

Server management may be configured on a separate IP that is only accessible via a management LAN. Additionally, the server may be placed behind a NAT device, with Manager access over private IPs and client access over public IPs.

Network monitoring

Network monitoring is enabled by default on the servers to support advanced troubleshooting, and may be disabled via the Configure > Servers > Diagnostics page. When network monitoring is enabled, network packet captures are included in the system report.

Access Control Lists

Client Access Control Lists may be used to allow or deny acceleration to specific IPs or subnets of users.

CHAPTER 7. Configuring the Cisco WAAS Mobile Client

The Cisco WAAS Mobile client configurations are managed through the Configure > Client menu, which includes the following selections:

• Software. Manage client software distributions/policies. • Acceleration. Configure Accelerated Processes list, HTTP/HTTPS acceleration, file share

acceleration, and delta cache parameters. • Networking

o Map subnets to be accelerated to acceleration server farms and identify subnets to be bypassed.

o Configure high speed bypass and persistent connections. o Define ports whose traffic should be bypassed.

• Diagnostics. Configure diagnostic features for the client. • User Interface. Configure client interface preferences.

Configuring Client Software

Client Distribution Management

The Distributions tab on the Configure > Clients > Software page allows administrators to add, copy, delete, and change properties for client distribution files. On this page, the following actions may be taken:

• Add. Creates a new client distribution. When a client distribution is added, the software package is created, and a link to this software is placed in the table.

• Remove. Deletes the selected client distribution. • Edit. Modifies the name or server IP associated with the selected client distribution. • Copy. Creates a new distribution by cloning the parameters associated with the selected

client distribution. The fields in the Client Distribution table are described below:

Table 11 Client Distribution Configuration Settings

Name The name assigned to the distribution by the administrator. A default distribution is provided. It is recommended that changes be made to a copy of this distribution.


Client Software This URL links to the Windows Installer (.msi) package associated with this software distribution.

NOTE: This link will display the IP address via which the server is currently being accessed. If the Manager is being accessed via localhost, the URL will contain “localhost..” Before distributing the link to this software, make sure that a routable IP address is inserted in the URL.

Server IP The address of the server to which the client will connect after the software has been installed. After this initial connection, the client will connect to acceleration servers based on information specified in the Accelerated Networks tab on the Configure > Clients > Networking page.

Created and Last Modified

Time the client distribution was created and last modified.

Software Upgrade Management

Automatic upgrades, which are enabled by default, automatically upgrades the installed clients when the server software is upgraded. Software upgrades typically require the end user to reboot the computer to complete the installation and the Cisco WAAS Mobile client will be inactive until the reboot is performed. This setting may be modified on the Upgrades tab on the Configure > Clients > Software page.

Active Directory Management of Client Configurations

Instead of distributing different software distributions to different user groups, enterprises may alternatively distribute a common software distribution to everyone and use Active Directory group policies to assign users to “distributions.” (In this case, the term “distribution” refers to a set of policies for a group of users instead of actual distributions.) The files needed to support Active Directory management are posted on the Active Directory tab of the Configure > Clients > Software page. When using Active Directory management, distribute the .msi file to end users via standard enterprise software distribution tools and then use the .adm file to configure the following policies:

• Autostart. The “unconfigured” .msi file does not start when Windows starts, enabling administrators to distribute it broadly to end users and then selectively turn on the software for select user groups.

• Client Policy. Maps groups of end users to a specific client policy/distribution. • Server Name. The name and address of the server to which the client will connect when

the software runs for the first time. After this initial connection, the client will connect to acceleration servers based on information specified in the Accelerated Networks tab on the Configure > Clients > Networking page.

Tips for adding the WAAS Mobile Group Policies on the Windows Domain Controller:

34 Configuring the Cisco WAAS Mobile Client

• Save the .adm file in the %SystemRoot%\inf directory (e.g., c:\Windows\inf). • Open AD, select Properties, select the Group Policy Tab, and Open. • Right-click on the OU (Organizational Unit) that corresponds to the template that is to be

applied and click Edit. • Right-click on Administrative Templates, select Add/Remove Templates, click Add, and

Open the WAAS Mobile adm file, then Close the Add/Remove Templates window. • In the GPO Editor window, select View > Filtering and clear the checkbox next to Only

show policy settings that can be fully managed, and then click OK. • Double click on the WAAS Mobile settings to bring up the Properties window. Verify

the properties settings are enabled.

Configuring Client Acceleration

The Configure > Clients > Acceleration pages provides configuration settings for selecting which applications will be accelerated, for configuring protocol optimization settings for HTTP, HTTPS, and file shares, and for configuring the client delta cache as described below.

NOTE: Before configuring client acceleration parameters, select the desired client distribution from the drop-down menu at the top of the page.

Configuring the Accelerated Processes List

The Accelerated Processes tab on the Configure > Clients > Acceleration page defines a white list of application processes that will be accelerated by the client. On this page, the following actions may be taken:

• Add. Add a new process to the white list. • Remove. Remove selected process from the white list. • Edit. Modify the selected process’ acceleration parameters. • Export. Export the Accelerated Process table to a .csv file. • Import. Import the Accelerated Process table from a .csv file

NOTE. When exporting and re-importing this table, confirm that all entries remain text. For example, verify that the command line entries such as “-k LocalService” have not been inadvertently modified.


Figure 5 Accelerated Processes Table

Configuring the Cisco WAAS Mobile Client

Table 12 Accelerated Processes Settings

Process Name Name of the process to be proxied.

Application Name Common name for this application.

Min/Max Versions Minimum and maximum version of the process that will be accelerated. By default, all versions of the process will be accelerated.

Command line Use this field to specify command line options that are applicable to the specified process. For example, to enable acceleration of Microsoft SharePoint Explorer View’s WebDAV protocol, the svchost.exe process with the “-k LocalService” command option must be specified.

36

Acceleration Type Select one of the following from the drop-down menu: • Normal Acceleration • Generic Acceleration • VoIP (RTP) Monitoring Only • Generic Acceleration with VoIP (RTP) Monitoring

Normal Acceleration includes application protocol optimizations, differencing and compression, and transport optimizations.

Generic Acceleration includes differencing and compression and transport optimizations.

VoIP Modes VoIP modes enable soft phones to interoperate with WAAS Mobile by reserving bandwidth for voice calls. This function works as follows:

• Link bandwidth is continuously measured. • When voice/video traffic associated with the identified

process is present, bandwidth is reserved. • If the link bandwidth is:

o less than 142 kbps, 85% of the bandwidth is reserved.

o between 142 and 800 kbps, 120 kbps is reserved.

o greater than 800 kbps, 20% of the link is reserved.

NOTE: The bandwidth and percentile thresholds may be modified via registry key settings. Contact the Cisco Technical Assistance Center (TAC) for assistance in changing these settings.

• When the voice/video traffic stops, the bandwidth reservation ends.

• VoIP (RTP) Monitoring Only provides bandwidth reservation for the UDP traffic of the accelerated process.

• Generic Acceleration with VoIP (RTP) Monitoring will provide generic acceleration for all TCP connections from the process while providing bandwidth reservation for the UDP traffic.

NOTE: VoIP UDP traffic is not placed into the accelerated connection and is not destined for the WAAS Mobile server.


Auto Reset Connection Acceleration of certain applications does not begin immediately if Cisco WAAS Mobile starts after the application has established TCP connections. If the Auto Reset Connection is enabled for a given process, then when WAAS Mobile starts, it will terminate the TCP connection(s) for that process so that when the process reconnects, it is accelerated. Auto Reset Connection is typically enabled when optimizing dynamic web applications (e.g., SharePoint).

Configuring HTTP Optimization

HTTP optimizations are configured via the HTTP tab on the Configure > Clients > Acceleration page.

Table 13 HTTP Settings

Additional HTTP Ports By default, HTTP traffic on ports 80 and 8080 are accelerated. To accelerate HTTP traffic on other ports, add them to this list. Port numbers should be separated by commas with no spaces.

Configuring HTTPS Optimization

HTTPS optimizations are configured via the HTTPS tab on the Configure > Clients > Acceleration page.

Table 14 HTTPS Settings

Enable HTTPS Acceleration

By default, HTTPS traffic is not accelerated. When HTTPS acceleration is enabled, the default configuration uses a self-signed certificate to provide acceleration for web traffic that uses Microsoft Internet Explorer or that uses the Microsoft certificate store API (e.g., Google Chrome) or that uses the Oracle certificate store. In production deployments, it is recommended that the Cisco WAAS Mobile server be configured as a Subordinate CA. (See “Configuring HTTPS”.) This will not only ensure that trusted enterprise certificates are used, but will enable Cisco WAAS Mobile to accelerate HTTPS from browsers that don’t use the Microsoft certificate store (e.g., Firefox) and from other applications.

IMPORTANT: When enabling HTTPS acceleration, it is recommended that HTTPS delta caching be enabled on the server (go to the Delta Cache tab on the Configure > Servers > Acceleration page.

NOTE: When enabling HTTPS acceleration, it may be desirable to encrypt the delta cache on the server and client.


To encrypt the server delta cache, go to the Delta Cache tab of the Configure > Servers > Acceleration page. To encrypt the client delta caches, go to the Delta Cache tab of the Configure > Clients > Acceleration page.

NOTE: The traffic between the client PC and the acceleration server is unencrypted by default for export control purposes. To enable link encryption and provide an additional layer of security above what is provided by your users’ VPN, contact your Cisco sales representative to obtain a Security License Key. Follow the instructions in the WAAS Mobile Security section of CHAPTER 6 to install the key.

Accelerate All HTTPS Sites

All HTTPS traffic will be accelerated if this radio button is selected.

Accelerate Inclusion List

HTTPS acceleration can be restricted to accelerate intranet sites only by selecting the Accelerate Inclusion List and adding the IP addresses of select HTTPS servers to the list. Only hosts listed in the Host Inclusion List will be accelerated by the HTTPS optimizer.

• Use Add, Remove, and Edit to create the list.

NOTE: Although host name and IP address fields are provided, only the IP address is used; the host name is for descriptive purposes only.

For more information on HTTPS Optimization, see the Cisco WAAS Mobile Integration Guide.

HTTPS Port Inclusion List

By default, only HTTPS traffic on port 443 is accelerated. To accelerate HTTPS traffic on other ports, add them to this list. Port numbers should be separated by commas with no spaces.

HTTPS Process Acceleration List

When HTTPS acceleration is enabled, only traffic associated with selected processes from the Accelerated Process list are accelerated. The default HTTPS Process Acceleration List accelerates Internet Explorer and processes used by Microsoft SharePoint. To accelerate other applications that communicate via HTTPS, first verify that the processes have been added to the Accelerated Processes table on the Configure > Clients > Acceleration page. Then, enable these processes for HTTPS acceleration navigating to the HTTPS tab, clicking the Add button in the HTTPS Process Acceleration List table and then selecting a Process name.

NOTE: Before adding new processes to this list, verify that either a) Subordinate CAs are enabled and certificates have been installed or b) the process uses the Microsoft certificate store API.


Configuring File Shares Optimization

File share acceleration optimizations are configured via the File Shares tab on the Configure > Clients > Acceleration page.

Table 15 File Shares Settings

Enable Transparent SMB Acceleration

This checkbox enables acceleration of CIFS file share traffic.

SMB over TCP (port 445)

Enable SMB over TCP to accelerate most file shares.

SMB over NetBIOS (port 139)

To accelerate older Windows file shares and Novell file shares, SMB over NetBIOS acceleration will need to be enabled. This feature is disabled by default.

NOTE: To accelerate NETBIOS traffic over port 139 on PCs running Vista and Windows 7, in addition to enabling SMB over NETBIOS, Port 9025 must be opened for TCP traffic on the end user’s PC firewall. The PC will not accept connections on this port; this port is required for an internal loopback connection.

Configuring the Client Delta Cache

File share acceleration optimizations are configured via the Delta Cache tab on the Configure > Clients > Acceleration page.

Table 16 Delta Cache Settings

Desired Delta Cache Size Enter the desired client delta cache size. The default is 1024 MB. The client delta cache size must be smaller than the server delta cache.

Maximum Delta Cache Size If the Advanced Settings tab has been enabled in the client configuration (via the Manager’s Configure > Clients > User Interface page), users can change the size of their delta cache. Administrators can use this setting to control the maximum size of the user’s delta cache. The default maximum client delta cache size is 10240 MB.

Enable Reduced Size If there is insufficient disk space and the client is unable to create the desired delta cache size, it will, if this option is checked, attempt to create a reduced size delta cache.

Reduced Delta Cache Size The fallback delta cache size is 256 MB by default, and may be


modified by the administrator.

Delta Cache Location Used to specify the delta cache location, if other than the default. By default, the delta cache is placed in the All Users area.

Enable HTTPS Caching Enables caching of data received via HTTPS. This feature should be enabled when HTTPS acceleration is enabled. To enable HTTPS acceleration, navigate to the HTTPS tab on this page. This feature is enabled by default.

NOTE: After modifying the HTTPS Caching configuration, the WAAS Mobile worker servers should be restarted.

Enable Cache Encryption Enables encryption of cached data on the clients’ PCs. Cache encryption is disabled by default. Encryption pre-requisites are as follows: In a domain environment, Group Policy must be set up with a Data Recovery Agent and valid X.509 certificate, and the policy(ies) must be configured to allow users to encrypt files using EFS. For additional information, on configuring a Data Recovery Agent, see HTTP://technet.microsoft.com/en-us/library/cc778448.aspx

NOTE: Delta cache encryption leverages Windows EFS, which is only available for Windows XP Professional, Windows Vista Business and Ultimate, and Windows 7 Professional, Enterprise, and Ultimate editions. (Not supported for XP Home, or Vista or Windows 7 Starter, Home Basic, and Home Premium editions).

This capability is only supported when the delta cache is built on NTFS.

Supports FIPS-140 evaluated cryptographic providers, and default encryption for XP SP2 and later is AES-256.

Configuring Client Networking

The Configure > Clients > Networking pages provides configuration settings for selecting which networks will be accelerated, configuring connection bypass settings, and for exluding specific ports from acceleration, as described below.

NOTE: Before configuring client networking parameters, select the desired client distribution from the drop-down menu at the top of the page.




Defining Networks to be Accelerated

The Accelerated Networks tab on the Configure > Clients > Networking page defines which destination networks should be accelerated and by which server farm.

NOTE: In the case of a single-server deployment, the server is identified as the “Default” server farm.

The Accelerated Networks table consists of a set of rules that are sequentially processed by the client, with the rule at the top of the list checked first. The first rule that matches is executed. In order for a rule to fire, the destination address must match and the client must be able to establish an accelerated connection to a server in the farm selected in the “Server Farm” field. Each entry in the table consists of a

• Network. Variable length subnet mask (e.g., 10.10.10.1/24). • Server farm. Select the server farm that should accelerate the network from a

drop-down menu as follows: o Closest Farm. Server farm that has the lowest latency to the client will

be selected. o Closest Farm with Gateway. Server farm that has the lowest latency to

the client and is an Internet gatway will be selected. The default rule, 0.0.0.0/0 is configured to select the Closest Farm with Gateway, which routes Internet traffic through those farms.

NOTE: The association of server farms and Internet gateways is configured via the Farm Options tab on the Configure > Manager > Farms page.

o Do Not Accelerate.

NOTE: The default rule (0.0.0.0/0) accelerates all traffic. If the desired default behavior is to not accelerate all other traffic, change the rule behavior to “Do Not Accelerate.”

o <farm name> or DefaultFarm

NOTE: It is recommended that enterprise application server subnets (e.g., Microsoft Exchange, file servers) be explicitly mapped to farms to ensure consistent access by end users.

On this page, the following actions may be taken:

• Add. Add a new rule. • Remove. Remove a rule. • Edit. Edit a rule. • Move Up. Move the rule higher in the list. • Move Down. Move the rule lower in the list


NOTE: Rules are matched in the order that they appear in the list. The default rule (0.0.0.0/0) should always be placed at the bottom of the list as it matches all traffic.

• Export. Export the Accelerated Networks table to a .csv file. • Import. Import the Accelerated Networks table from a .csv file.

Configuring High Availability with Accelerated Network rules In the event a client is unable to reach the preferred server farm, the rules in the Accelerated Networks table will be used to select an alternate acceleration server farm. Some examples of how these rules can be used to define high availability behavior are below:

• Example: Active-active data center failover. o All traffic goes to the closest available data center and each data

center has an Internet gateway. o No configuration required. The default rule (0.0.0.0/0 to Closest

Farm with Gateway) will route traffic appropriately. • Example: Applications are hosted redundantly, but in different data centers. For

example, email is hosted via one set of active-active data centers and the ERP system is hosted in another.

o Use separate rules to map each data center network to an acceleration server farm (e.g., 10.0.0.0/16 to Farm1, 10.1.0.0/16 to Farm2, etc.).

NOTE: Since the Manager only communicates with servers, a high degree of scalability and fault tolerance is achieved. Failure of the Manager does not cause a loss of acceleration functionality.

Configuring Client Connection Settings

Client connection settings may be modified via the Connection Settings tab on the Configure > Clients > Networking page.


Table 17 Connection Settings

Enable Latency-Based Bypass

Latency-Based Bypass is used to accelerate individual TCP connections if the latency of the network between the client machine and the destination content server exceeds the threshold value. Use this setting for mobile workers that access a combination of local and remote servers. By default, latency-based bypass is enabled. When Latency-Based Bypass is enabled, once the client connects to a content server, the bypass decision for the IP and port associated with that TCP connection is cached and the client will not perform another latency check until the client is restarted or the network connection changes.

NOTE: The client will still connect to the WAAS Mobile server when this feature is enabled. Once WAAS Mobile has performed a latency check to a specific content server, it will either bypass or accelerate that connection for the remainder of the session.

Enable High Speed Bypass

High Speed Bypass disables acceleration when a low latency connection to the WAAS Mobile server is detected, as defined by the Round-Trip Time Threshold. Use this setting when the user and all WAAS Mobile servers to which the user will connect are on the same LAN. By default, high speed bypass is disabled.

NOTE: When High Speed Bypass is enabled, the WAAS Mobile client will not connect to, or request a license from, the WAAS Mobile server for which the latency threshold is not met and a license will not be consumed.


Enable Persistent Connections

Persistent connections are disabled by default, and should be enabled for highly mobile workers. Persistent Connections insulates the end-user from problems with RF coverage in wireless networks as well as from problems in poor quality dial-up access. It allows the acceleration system to support advanced wireless network features such as automated Wi-Fi/cellular switchover or hand-offs when roaming through different cellular networks. In some deployments, clients may not have the same IP when they reconnect or when they roam to a different network. The WAAS Mobile server will recognize the client even if the IP presented to the server has changed. When persistent connections are enabled and communications are disrupted, the WAAS Mobile client will maintain an active session with the application process on the client. Similarly, the WAAS Mobile server will maintain an active session with the application server, keeping the TCP connections alive.

NOTE: The persistent connections feature is not currently supported for SMB CIFS traffic.

When a client cannot connect to any server, it will enter a persistent connection mode; it will exit this mode when it can connect to at least one acceleration server. Many web browsers, email clients, and application servers will terminate a session if they detect an inactive connection. During the time that the client-proxy link is unusable, WAAS Mobile keeps the TCP connections to the client and server applications open for a predetermined period of time. It also sends application layer messages for HTTP and email that prevent shutdown of the application session before service is restored. The accelerated application(s) whose connections are being kept alive by persistent mode will time out according to their tolerated interval of inactivity. With Persistent Connections, the server always assumes that the most recent session from a client is still active. The server closes a session when one of 3 events occurs:

• The server receives a restart message from the client. • A request for a new session is received from a client who has

an existing session. • A session remains inactive for an interval longer than a

threshold defined in the registry (currently set to 1 hour). The client closes a session when one of 3 events occurs:

• The client receives a restart message from the server. • A session remains inactive for an interval longer than a

threshold defined in the registry (currently set to 1 hour). • When a network connection is present but the client has not

received any data from the server after a pre-defined time period (20 minutes, by default).


Port Exclusions Tab

TCP connections whose destination port is on the exclusion list will not be proxied or accelerated. By default, ports 554 (RTSP) and 1627 (Cisco MeetingPlace) are excluded.

Configuring Multiple Traffic Flows to the Same Acceleration Server

In some cases, it may be desirable to create multiple traffic flows between the WAAS Mobile client and the WAAS Mobile server, which could then be separately managed over the network using destination IP address-based QoS rules. For example, an organization may want to place all corporate application traffic in one traffic flow and all Internet traffic in another, so that different QoS rules may be applied. The Servers table on the Configure > Manager > Managed Servers may be used to define multiple endpoints on a single server. To configure these endpoints, enter a pair of management/public IP addresses for each flow, using the same management IP address in each pairing. (Each of these IPs needs to be defined on the NIC as well.) When entering the IP address pairings, map each pairing to a separate farm. Then, on the Accelerated Networks tab on the Configure > Clients > Networking page, map each farm to separate subnets.

Configuring Client Diagnostics Settings

The Configure > Clients > Diagnostics pages provides configuration settings for logging, system reports, and network monitoring, as described below.

NOTE: Before configuring client diagnostics parameters, select the desired client distribution from the drop-down menu at the top of the page.

Table 18 Diagnostics Settings

Enable Large Client System Reports

Use this feature to create a system report that captures a longer time period of events than is captured by default. By default, client system reports are 4.5 MB. When large system reports are enabled, 40 MB is allocated. Since the system report buffers reside in RAM, selecting large system reports will increase the RAM utilized by the client.

Enable Network Monitoring

When network monitoring is enabled, network packet traces are included in the system report. By default client network monitoring is disabled. See CHAPTER 12 for more information on system reports.

System Report URL Identifies the WAAS Mobile worker server where the client system reports are sent and stored. When the value is “default,” system reports generated by the client are pushed to the worker server from which it received a license grant. To post client system reports to another server, enter: HTTP://<server-


ip>/SystemReportsReceiver/ReportReceiver.ashx? • <server-ip> is the address of the controller WAAS Mobile

server • The “?” is required at the end of this path

The Manager provides an integrated view of all system reports from all servers, which may be viewed via the Manage > System Reports page.

NOTE: System reports are posted to one of the following locations on the specified WAAS Mobile server, depending on the type of system report that is genererated.


C:\Documents and Settings\All Users\Application Data \Cisco\WAASMobile\Inbox, or to

C:\Documents and Settings\All Users\Application Data \Cisco\WAASMobile\Exceptions


C:\ProgramData\Cisco\WAASMobile\Inbox or to C:\ProgramData\Cisco\WAASMobile\Exceptions

NOTE: System reports are transmitted from the client to the worker servers over port 80.

Enable Client Logging Client logging is enabled by default. When client logging is enabled, administrators may select the number of logs and the maximum size of the log. When a log is full, logging rotates to the next log.

Configuring the Client’s User Interface

The administrator may configure the functionality that is displayed to the end user via the Configure > Clients > User Interface page.

NOTE: Before configuring client user interface parameters, select the desired client distribution from the drop-down menu at the top of the page.



Table 19 Client User Interface Settings

Use a Simplified User Interface

If this checkbox is checked, the client user interface is simplified to just a tray icon with an Exit option. The Client Manager is not displayed and the user may not generate system reports.

NOTE: The first time the user interface starts, the full client GUI is enabled. When it then connects to the Manager, it will be configured with the Simplified User Interface.

Enable Advanced Options

Enables the Advanced Settings tab in the Client GUI, which provides the user with the ability to control select configuration settings. By default, the Advanced Settings tab is not displayed.

Enable User Diagnostics Enables the user to generate system reports. This is enabled by default.

Enable Client Registration

By default, users will be identified in the Manager by their computer name. This enables administrators to correlate session monitoring data with users, which is helpful when troubleshooting user problems. When Client Registration is enabled, users will instead be prompted to enter a name and email address the first time they start WAAS Mobile. The email address will be used in place of the computer name to identify the end user in the Manager.

NOTE: Client Registration information is only used for internal system management and is not used to register the software with Cisco Systems, Inc. or any other third party.

Enable Client Messages By default, the administrator may send the end user messages or the system may inform the user of a configuration update or software update via balloon messages. Unchecking this checkbox disables balloon messages from being sent by the system, though administrators may still send messages to users.

CHAPTER 8. Managing Cisco WAAS Mobile

Via the Manage menu, administrators may monitor and manage all Cisco WAAS Mobile servers and accelerated client s from a single interface. The Manage menu includes the following:

• Dashboard. The dashboard provides a summary of system health and status, with hyperlinks to pages where any needed actions should be performed. The dashboard also provides a system-level summary of usage and bandwidth savings versus time.

• Performance. View acceleration performance versus time and protocol at the system level, server farm level, client subnet, or individual client level across the time range of interest.

• Monitoring. o Resource Monitoring. View server CPU, memory, and delta cache resource

utilization statistics from across all servers and drill down to view how individual servers are performing.

o Connection Monitoring. View number of users who are connected, number of accelerated sessions at a system level, farm level or individual server levels. Monitor TCP connection failures, licenses exceeded failures, etc. centrally.

• Servers. View the health and status of all servers via a summary table. Click on any server to drill down to view detailed server status, start/stop it, generate system reports, or clear its delta cache.

• Clients. o Manage all the clients in the enterprise from this page. Filter to view users that

received licenses from specific farms or servers, view user groups by subnet, PC operating system, and/or client distribution, or look for a single user by username or computer name.

o For any user or group of users, generate detailed diagnostics (system reports), disconnect them or send them administrative messages.

o Drill down to individual users by clicking on the user, to view detailed status and configuration information, performance, TCP connections, accelerated sessions, and event logs.

• Events. View all events; filter by server farm, specific server, or type of event. • System Reports. View system reports that have been generated. • Backup and Restore. Fully backup and restore all configuration settings and the back end

database.


Using the Cisco WAAS Mobile Dashboard

The dashboard provides a thumbnail summary for system health and performance, and provides links to the pages that the administrator should use to gather further information or take action to fix the issue.

Figure 6. The Cisco WAAS Mobile Dashboard

50 Managing Cisco WAAS Mobile

Performance Management

The Manage > Performance page allows the administrator to view: • Performance of select server farm • Performance of a select server • Performance during the last hour, day, week, month or over a specified data

range • Performance of one or more users, as defined by a variable length subnet (e.g.,

10.10.10.5/32) • Performance by protocol • Traffic either in both directions, download only, or upload only

The Traffic Summary tab graphs the aggregate traffic before optimization versus traffic after optimization for each application protocol. The table below the graph provides a summary of this data, along with the compression ratio for each application protocol. The Traffic Timeline tab graphs the traffic before optimization versus traffic after optimization as a function of time for each server and provides totals across all servers.

Figure 7 Traffic Summary Graph


Monitoring System Resources and Usage

The Manage > Monitoring page provides graphs of resource utilization versus time. From this page, administrators may view:

• Resource utilization statistics of all servers, overlaid on a single graph. • Resource utilization of all servers in a specified farm, overlaid on a single graph. • Resource utilization of a single server. • The timelime may be adjusted to show the last hour, day, week, month or utilization

over a specified data range. The following server statistics may be viewed via this page:

• CPU utilization • Disk utilization • Memory Utilization • Delta Cache Utilization • Delta Cache Depth • Active Sessions • Active Users • DNS Lookup Failures • TCP Connection Failures • License Exceeded Login Failures • Login Failures

Managing Servers

Monitoring and Controlling Servers

The status of all Cisco WAAS Mobile servers are summarized on the Manage > Servers page. For each server, the following information is displayed:

• Farm. Farm to which the server belongs. • Server. This is the IP address that the Manager uses to manage the server. • Status. Server status. • Profile. Server profile that was applied to the server • Last Config Update. Last time the server configuration was updated • Session capacity. This is the maximum number of users that can be simultaneously be

accelerated by the server.

NOTE: The session capacity of the server must always be at least as large as the number of licenses provisioned for that server.

NOTE: A single user may form acceleration sessions with multiple Cisco WAAS Mobile servers simultaneously, while consuming only a single license.


• Current sessions. Number of user sessions currently active on the server • TCP connections. Number of TCP connectons currently active on the server • Licenses provisioned. Number of licenses that have been provisioned for the server • Licenses in use. Number of licenses that are currently in use on the server

For more detailed server information, click on a server in the Server Status and Control table. Included in the server details is the following information:

• Hardware information: CPU type, speed, and number of cores; RAM, disk space • Software Information: Windows Server version • Server delta cache utilization:

o Size o Percent used

NOTE: Once the cache fills up, this value will remain at 100%.

o Depth, in days. Depth is a measure of the amount of traffic history that is being retained in the delta cache. When the delta cache fills up, it makes room for new byte sequences by deleting old traffic, based on a least recently used algorithm.

• Other status information (health, configuration, connection, licenses) The Manage > Servers page may also be used to control servers as follows:

• Start or Stop. Starts or stops one or more servers. • Request system report. The system reports generated through this request are posted

on the Manage > System Reports page. • Clear cache. This button will stop the server, clear its delta cache, and then restart the

server.

NOTE: Clearing the delta cache deletes both the cache index file and the cache file. When the server restarts, these files are recreated.

Managing Clients

The Manage > Clients page lets administrators manage all clients centrally, and drill down to specific users or user communities. The filters at the top of the page allow the administrator to select:

• All clients (default) • All clients who get their license from a particular farm • All clients who get their license from a particular server • Clients using a specific computer, by computer name • A specific user, identified by domain name (e.g., domain\username)

NOTE: If client registration is enabled, this filter will use the email address that was entered by the client during the registration process.


• A specific user or group of users by variable length subnet • Connected users (default) or all users to date • Users that are working with a particular client distribution • Users that are running a particular Operating System

The Manage > Clients page may also be used to control clients as follows:

• Send Message. The message will be sent to the selected clients and will appear as a pop-up balloon message over the Cisco WAAS Mobile desktop icon.

• Disconnect User. The WAAS Mobile client running on the end user’s PC will be forced to exit.

• Request System Report. System reports will be generated for the WAAS Mobile client running on the end user’s PC and on all servers to which that user is connected, thereby capturing a full client/server diagnostic snapshot. For more information on System Reports, please see CHAPTER 10.

Managing a Specific Client

For more information about a particular user, click on a user in the table on the Manage > Clients page to view Detailed Client Information. For each connected user, the following information is provided on this multi-tab page:

• Status tab o User information

User name. By default, the username is <domain>\<username>. If client registration is enabled, the username is the email address the end user entered.

IP address. This is the IP of the client as presented to the server. If the client IP is NATed, then this is the NATed IP.

Alias IP. The aliased IP presented by the server for this client. If Alias IPs are not being used, the field contains 0.0.0.0.

o Accelerated session information Status. Status of the accelerated session to the server. Session Duration. Elapsed time since the accelerated server session

started. Licensor. IP address of the server that granted the client a license.

o User PC information Operating System. Version of Windows that the client is running. CPU. Describes the CPU on the client’s PC. Total Disk Space. Size of the disk on the client’s PC. Disk Space Available. Free disk space on the client’s PC. RAM. Size of the RAM on the client’s PC. Number of CPUs. Number of processor cores on the client’s PC.

o WAAS Mobile software information Software version. WAAS Mobile software version, formatted as Major

Release.Minor Release.Maintenance Release.Build Number.


Distribution Name. Name of the client distribution that the client is running.

o Delta cache statistics Delta Cache Size. Size in MB of the client’s delta cache. Delta Cache % used. The cache fills until it reaches 100%. From that point,

the % used remains at 100%. Delta Cache Depth (Days). Cache depth is a measure of the amount of

traffic history that is being retained in the delta cache. When the delta cache fills up, it makes room for new byte sequences by deleting old traffic, based on a Least Recently Used algorithm.

• Performance tab. Graphs and tables showing traffic breakdown and compression by protocol.

• TCP Connections tab. For each client TCP connection, the following information is provided: o Application name. Identifies the process that is being accelerated. o Acceleration server. The IP address of server that is accelerating this TCP

connection. o Destination IP. The destination IP address of the client’s TCP connection. o Status. Acceleration status for the TCP connection. If the TCP connection is not

being accelerated by WAAS Mobile, the status field provides an explanation as to why not.

o Performance for each TCP connection, including: Data reduction. Percent data reduction achieved for this TCP connection. Before Optimization. Bytes before the TCP connection was optimized. After optimization. Bytes after the TCP connection was optimized.

NOTE: TCP session view is available for PCs running Windows XP SP2 and later OSs.

• Acceleration Server Sessions tab. For each acceleration session between the client and WAAS Mobile server, the following information is provided: o Start time. Time when the client formed an acceleration session with a server. o State. State of the acceleration session. o Performance statistics for each acceleration server connection, including:

Bandwidth Down (bps) Bandwidth Up (bps) Latency (ms) Packet Loss (%) Data Reduction (%) Before Optimization (Bytes) After Optimization (Bytes)

• Event log tab. Events logged by the client are displayed on this page.


Managing Events

Server alert messages may be viewed on the Manage > Events page. Using the filters at the top of this page, the administrator may view:

• All events • Events associated with a particular server farm or server • Events by severity (error, warning, or informational) • Events in the last hour, day, week, month or in a specified date range

Managing System Reports

Links to system reports generated by all clients and servers are posted on the Manage > System Reports page.

Figure 8 System Reports Download Page

Reports listed on the System Reports page use the following naming convention: • SysRepID_C or S_datetime_ IPaddress.cab:

where:

• SysRepID is a unique identifier for each set of client and server system reports that are generated. When a system report is requested by a client, a report is simultaneously generated on the client and on all servers to which that client is connected. If a crash occurs on the WAAS Mobile server, only the server report will be generated. If a crash occurs in the WAAS Mobile client, report will be generated for the client (if client system reports are enabled) and for all servers to which the client is connected.

NOTE: When providing system reports to Cisco support, send all reports associated with a given SysRepID.

• C or S identifies the system report as being from either a client or a server. • datetime is the timestamp when the system report was generated. Datetime is

expressed in GMT (Greenwich Mean Time), and is formatted as yyyy-mm-ddThhmmss.

• IPaddress is the address of the machine that created the system report.


NOTE: When deleting system reports, use the WAAS Mobile manager GUI to select and remove the system reports that are to be deleted. Do not manually delete the files from the system folders.


Backing Up and Restoring the Manager

Via the Manage > Backup and Restore page, administrators may: • Backup and restore configurations as follows:

o Restore all configurations to factory defaults. This will completely wipe out any modifications that have been made to any configuration.

o Import a previously saved configuration. o Export the current running configuration.

NOTE: Backup and Restore will export the current running configuration but not any pending changes.

NOTE: When configuring a backup Manager, use the Backup and Restore functionality. If configurations are manually cloned, the client will perceive them as different configurations and download configuration updates to all clients when the client connects.

IMPORTANT: It is highly recommended that the operating state of the WAAS Mobile Manager be backed up to facilitate rapid restoration of service in the event of a hardware device failure.

• Manage the performance monitoring and statistics database as follows: o Clear all statistics. o Import a previously exported database.

Export the current database.

SNMP Support

This section describes WAAS Mobile’s support for native Windows SNMP alarm generation and access to SNMP counters. In addition, these same values are accessible via Windows NT Events and Windows performance counters respectively.

MIB

The WAAS Mobile server MIB is installed in the WAAS Mobile server software folder. The file name is WAAS MOBILE-SERVER-MIBv1_3.5.TXT. The syntax of the MIB file has been checked using the online MIB checker at HTTP://www.muonics.com/Tools/smicheck.php. This MIB is also used to document the available Windows Performance Counters and NT Events, which use the same names as the SNMP values.


http://www.muonics.com/Tools/smicheck.php

SNMP Deployment Pre-requisites

• The IP address of the servers must be accessible to the network monitoring station or OAM if SNMP monitoring is desired.

• The firewall must allow TCP and UDP access to port 161 from the network monitoring station (OAM) if it will be querying for SNMP counters.

Configuring the SNMP Service

Ensure the SNMP service is installed and running on the servers. Note that SNMP is not installed on Windows by default. To manage the SNMP service,

• For Windows Server 2003 o Navigate to Control Panel > Add or Remove Programs > Add/Remove

Windows Components o In Components, click Management And Monitoring Tools, but do not select or

clear its check o Click Details o Select the Simple Network Management Protocol checkbox, and click OK o Click Next. The SNMP service starts automatically after installation.

• For Windows Server 2008, install the SNMP service in Windows Server 2008, using the Server Manager snap-in to add the SNMP Service feature.

Configure the SNMP service on the Traps tab so that it sends SNMP packets to the management station. The example below shows the OAM management station running at 192.168.1.160.

Figure 9 Windows SNMP Service Configuration

Ensure the SNMP service accepts the community name you are planning to use to access the performance variables, for example, traps. Read-only access is adequate.

Preparing the SNMP Management Station


To monitor the traps sent by the WAAS Mobile service and to request and display counter information requires an application that can send and receive SNMP data over the network, interpret it according to the WAAS Mobile MIB and display it. Such an application is part of SNMP management station software, which is usually remote from the WAAS Mobile server (in a test environment, it might run on the server machine). There are many such applications available, and they are all managed in a similar fashion. The main configuration aspects, common to all SNMP management station software and relevant to testing traps from WAAS Mobile, are:

• Ensure any needed software is available. For example, on Windows the management station software might rely on the service called “Windows Trap Service” to receive traps (service this is not required by WAAS Mobile – it only provides for receiving traps).

• Import (compile) the WAAS Mobile MIB. This provides the management station with information to interpret the OIDs in the trap data.

• Tell the management station to listen to the WAAS Mobile server. This means to tell it the IP address of that machine and the port it is using to send SNMP traps (via UDP). The port is determined by the SNMP service on the server machine and is usually left at the default (162). You may need to specify the trap community name as well, consistent with the setting used by the Windows SNMP service.

• Tell the management station which “community” to listen to for traps. The default for Windows SNMP traps is “trap”, which is set on the Traps tab of the SNMP service. The community is a primitive security mechanism. If you don’t listen for the right community, you will not see the trap.

• Tell the management station which community to use for requesting performance counters. Because all WAAS Mobile performance counters are read-only, it is reasonable to use the community public.

• Tell the management station whether to use SNMPv1 or SNMPv2. • When setting up SNMP, it may be useful to have NetMon or a similar packet capture

application available to capture the SNMP packets that the WAAS Mobile server will send to the management station.


CHAPTER 9. Tips for Optimizing Application Acceleration

Outlook 2007

Outlook 2007 encrypts email, by default. For optimum acceleration, Outlook 2007 encryption should be turned off. The Outlook encryption feature may be disabled using Office Group Policies (see instructions at HTTP://support.microsoft.com/kb/924617/en-us) or by manually changing the feature on the client by opening Outlook 2007, selecting Account Settings from the Tools menu, selecting Change account, clicking More Settings, clicking the Security tab, and then unchecking the Encrypt data between Microsoft Office Outlook and Microsoft Exchange checkbox.

Firefox HTTPS acceleration

When WAAS Mobile HTTPS acceleration is enabled, a self-signed certificate that is placed in the Microsoft certificate store is used by default. Firefox uses a different certificate store, so Firefox HTTPS traffic is not accelerated with the default configuration.

• If the WAAS Mobile Server is configured as a subordinate certificate authority (CA), and

Firefox is already configured to trust the enterprise CA, the Manager must be configured to recognize and accelerate Firefox as described below.

• If the WAAS Mobile Server is configured as a subordinate CA, and Firefox is not configured to trust the enterprise CA, install the root CA for your enterprise in the Firefox trusted certificate store. In addition the WAAS Mobile Manager must be configured to recognize and accelerate Firefox as described below.

• If the WAAS Mobile Server is configured as a self-signed (root) CA the WAAS Mobile Manager must be configured to recognize and accelerate Firefox and the user must also install the WAAS Mobile Server CA in the Firefox trusted certificate store as described below.

Firefox setup - WAAS Mobile Manager steps On the HTTPS tab on the Configure > Clients > Acceleration page of the WAAS Mobile Manager:

• Enable HTTPS Acceleration • Add hosts to be accelerated to the Host Inclusion List or accelerate all HTTPS sites • Add firefox.exe to the HTTPS Process Acceleration List • Apply the new configuration


http://support.microsoft.com/kb/924617/en-us

62 Tips for Optimizing Application Acceleration

Additional Firefox setup steps when WAAS Mobile is using the default self-signed certificate It is generally not recommended that the self-signed certificate be used in production deployments with Firefox. However, for lab testing it may be desirable to configure Firefox HTTPS acceleration without having to setup the WAAS Mobile server as a subordinate CA by manually installing the self-signed certificate into the Firefox certificate store as follows:

a. Exit and restart WAAS Mobile after the above Manager changes are completed. b. After WAAS Mobile reconnects, open Firefox and click Tools > Options. c. Select the Content tab and then click the Certificates button. d. In the Certificates dialog, select the Trusted Root Certification Authorities tab. e. Scroll down until you can see the certificate(s) issued by Cisco and click on the one with

the latest expiration date. Click Export, and then click Next. f. Leave the "Select the format you want to use..." at the default and click Next. g. Click the Browse button and browse to a convenient location to save the certificate file. h. Enter a meaningful name into the File Name field, such as "Cisco Cert," and then click

Save. i. Click Next, and finally Finish. Close the remaining windows by clicking OK. j. Open the Firefox browser and click Tools > Options. k. Click the Advanced button in the upper right of the dialog, and then select the

Encryption tab. l. Click the "Select One Automatically" radio button, and then click View Certificates. m. In the Certificate Manager, select the Authorities tab. n. Click Import, and then navigate to and double-click the certificate file you saved in step

h; follow the prompts to import. o. Check the "Trust this CA to identify websites" checkbox and click OK. p. Click OK to close all open windows.

Microsoft ISA Firewall Client

The Microsoft ISA Firewall Client intercepts traffic in the Winsock stack and redirects it to an ISA server. It does this redirection at a level above where Cisco WAAS Mobile intercepts traffic, so traffic that is redirected by MFC will be accelerated between the client and the ISA server. For optimum acceleration, the ISA server should be located near the destination applications.

Virtual Desktops

Configuring VMWare VDI over Microsoft RDP

To optimize VMware VDI traffic, the encryption and compression employed by the underlying Microsoft RDP protocol should be disabled. Microsoft RDP is one of the underlying protocols supported by VMware VDM and is currently the predominant protocol used by the various VMware VDI implementations.

To disable encryption on RDP, the settings on the virtual desktop must be changed. The changes can be made either by group policy settings or by changes to the registry. Both methods can also be distributed to large groups of virtual desktops using Microsoft Active Directory. To disable compression, the settings on the VMware VDM client must be modified. These can be configured by group policy and thus can easily be deployed to large groups of clients using Microsoft Active Directory. Disabling Compression via the RDP File To disable compression via the RDP configuration file, follow these steps:

• Step 1. Open the RDP connection (.rdp) file in Notepad. • Step 2. Change the line compression:i:1 to compression:i:0. • Step 3. Save the file.

After the change is made, any new connection using the changed file will not use RDP compression. Configuring VMware VDM to Use Uncompressed RDP Sessions To configure VMware VDM to use uncompressed RDP sessions, follow these steps:

Step 1. Copy the c:\ Program Files\VMware\VMware VDM\Server\ADM\vdm_client.adm file from the connection broker server to the VMware VDI client PC. Step 2. Import this file to the group policy object (GPO). Step 3. In the GPO, choose User Configuration > VMware VDI Client and disable the Enable Compression policy.

Disabling Encryption Changing the following registry keys disables encryption on Windows virtual desktops:

• Set HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MinEncryptionLevel to 1.

• Create HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer as a DWORD value and set it to 0.

• After changing the above keys the server running VMWare VDM must be rebooted. Large deployments should use Microsoft Active Directory to push these changes to the virtual desktops.

NOTE: On Windows XP 32 bit Virtual Desktop Machines, a hot-fix from Microsoft is required to add the capability to disable RDP protocol encryption. (See HTTP://support.microsoft.com/KB/956072.) This hot-fix is not required to disable RDP protocol encryption on Windows Vista and Windows 7 desktops.


http://support.microsoft.com/KB/956072

Citrix ICA

WAAS Mobile accelerates Citrix ICA traffic with its default settings. Additional performance improvement can be gained by configuring the Citrix server for login encryption only (no session encryption) and no compression. WAAS Mobile data reduction algorithms provide far better compression levels than can be realized with native Citrix compression. Additionally, when users request previously viewed screen content, WAAS Mobile eliminates redundant data transmissions and only sends deltas. Also, WAAS Mobile optimizes the packet flows, eliminating ICA’s high level of unnecessary 64-byte acknowledgement packets, and improving throughput efficiency over the WAN. To enable low encryption (authentication only) on the Citrix Management Console for Metaframe XP:

• Right-click (serverfarm) Policies, and select "Create a new policy". • Double-click the policy to edit, select "Required Encryption Level". • In the policy window right pane select "Rule enabled" and set the encryption level to

"RC5 (128bit) logon only", then click "Apply" and "OK". To enable low encryption (authentication only) on the Citrix Connection Configuration console:

• Double-click the ica-tcp connection. • In the “edit connection” dialog window, select "Advanced". • Under security, verify that required encryption is set to "RC5 (128bit) logon only" and

click “OK”. To disable compression in the Citrix Program Neighborhood console:

• Select the server farm to modify, right-click select "Properties", then select the "Default Options" tab.

• Uncheck the checkbox next to "Use data compression". Click "Apply" and "OK". To configure the client ICA file, edit the client ICA template file as follows:

• If a line exists that begins with "Compress=", change the line to show "Compress=Off". Otherwise, add a line that says "Compress=Off".

• If a line exists that begins with "EncryptionLevelSession=", change the line to show "EncryptionLevelSession=EncRC5-0". Otherwise, add a line that says "EncryptionLevelSession=EncRC5-0".

Kaspersky Internet Security

To interoperate with Kaspersky Internet Security, WAAS Mobile must be configured as follows: • Verify that the AVP.exe process is listed in the Accelerated Processes table on the

Configure > Clients > Acceleration page; this is the default configuration.


This is required because Kaspersky intercepts traffic before WAAS Mobile, and all traffic destined for WAAS Mobile will come from the AVP.exe process. Since the AVP.exe process selects the traffic that will go through WAAS Mobile, the other processes listed in the table are ignored. Accordingly, to constrain which traffic should be accelerated when using Kaspersky Internet Security, use the Accelerated Networks table on the Configure > Clients > Networking page to limit acceleration to specific hosts and applications.

• Disable Latency-based bypass. This control is located on the Connection Settings tab of the Configure > Clients > Networking page. No traffic will flow if latency-based bypass is enabled.

To interoperate with Kaspersky Internet Security, Kaspersky must be configured as follows:

• On the main page of Kaspersky, go to settings (upper right corner) -> Options -> Threats and exclusions -> exclusions settings - > Trusted Applications (2nd tab).

• Click “Add” and then browse to the WAAS Mobile application and open it. • On the next dialog screen, check “Do not scan network traffic,” hit “OK,” and then apply. • Reboot the PC.

Symantec Data Loss Prevention (formerly Vontu)

To interoperate with Symantec Data Loss Prevention, Symantec needs to be configured as follows:

• Add the application fingerprint for WAAS Mobile to the “Do Not Monitor These Activities” list and select Network, Print/Fax, and Clipboard. Binary name is waasmobileproxy.exe.

• On the “Agent Monitoring” tab, add a folder called “Cisco WAAS Mobile” to the Local Drive Ignore list. The folder path is c:\programfiles$\Cisco Systems\WAASMobile\*.

• Then add a monitoring filter to ignore all files in folder c:\programfiles$\Cisco Systems\WAASMobile\*.

FTP over the Internet

When the FTP server being accelerated is not near the WAAS Mobile server, there are scenarios where FTP transfers may fail. Failures may occur when the user is accessing an FTP server at another enterprise (a business partner), or across the Internet. This is due to the behavior of the data exchange in an accelerated environment versus the native behavior of the FTP “handshakes” and is dependent on the configured time-out value of the FTP client software. When FTP is accelerated, the transfer between the WAAS Mobile client and the WAAS Mobile server occurs very quickly, but the transfer between the WAAS Mobile server and the FTP server may be slow, causing the FTP session on the user’s PC to time out. To address this behavior, the FTP client’s connect and session time-outs should be increased; an initial value of 300 seconds is recommended, though this may need to be adjusted depending on network conditions and file sizes.



Optimizing Acceleration over Satellite

Many satellite modems employ TCP performance enhancing proxies. By default, WAAS Mobile employs a latency measurement to determine if traffic should be accelerated or bypassed. When there is a satellite modem with a TCP proxy in the path, there is almost no latency between the WAAS Mobile client and the modem, so the traffic is bypassed. To interoperate with these modems, disable latency-based bypass via the Connection Settings tab on the Configure > Clients > Networking page. Additionally, to mitigate round trip latency associated with DNS lookups, when optimizing Internet traffic, deploy a web proxy cache on the LAN-side of the WAAS Mobile server and configure users’ browsers to point to this cache. (With Internet Explorer, this may be done via Active Directory group policies or manually via the Tools > Internet Options > Connections tab > LAN settings button.)

Virus Scanning Best Practices

In order to ensure that all servers remain free of viruses, many organizations require that virus scanning software be run periodically on all computers and servers. When virus scanning is run on WAAS Mobile servers, it is recommended that the delta cache file and the delta cache index file be excluded from the scan.

NOTE: When virus scanning is run on WAAS Mobile server, it is recommended that the delta cache file and the delta cache index file be excluded from the scan. Specifically, exclude the following files from being scanned by the virus scanner:


C:\Documents and Settings\All Users\Application Data\Cisco\WAASMobile\DeltaCache\BD_ServerPage.acc

C:\Documents and Settings\All Users\Application Data\Cisco\WAASMobile\DeltaCache\BD_ServerControl.acc


C:\ProgramData\Cisco\WAASMobile\DeltaCache\BD_ServerPage.acc

C:\ProgramData\Cisco\WAASMobile\DeltaCache\BD_ServerControl.acc

NOTE: The administrator may change the location of these files via the WAAS Mobile Manager. If the file location has been modified, the administrator‐specified URNs should be used instead.

IMPORTANT: Failure to exclude these files may result in a significant loss of acceleration.

CHAPTER 10. Diagnostics

WAAS Mobile includes a comprehensive set of diagnostics tools that provide detailed information on system health and performance. This chapter describes the various types of information that are available and how to access and use the diagnostic tools. Diagnostics include:

• Server-side diagnostics o Client monitoring, including visibility into client’s TCP connections and

acceleration sessions. o System monitoring, including server resource utilization statistics. o System events, which are displayed in the GUI but are also available as NT

events or via SNMP o System reports, which capture additional server-side information that can be

used by the Cisco Technical Assistance Center (TAC) to assist in troubleshooting. o Logs, including installation logs.

• Client-side diagnostics o TCP connection monitor, which provides real-time information regarding the

acceleration of each active TCP session. o Accelerated session monitor, which provides real time information regarding the

acceleration sessions between the client and each server to which it is connected. o Event log, which is a persistent log of client events. o System reports, which capture additional client-side information that can be used

by the Cisco Technical Assistance Center (TAC) to assist in troubleshooting

Server-Side Diagnostics

Client monitoring

Client monitoring enables the administrator to monitor each user’s acceleration performance, link capacity, delta cache capacity, software version, and configuration. From the Manager, the administrator can view the TCP connections and acceleration sessions active on any end user’s PC, to diagnose application acceleration or networking issues.

System monitoring

System monitoring enables the administrator to monitor overall acceleration performance, system performance and server status. The data that is displayed in these graphs is obtained from Windows Performance Monitor (PerfMon) counters. These PerfMon counters may be monitored directly using standard tools. Additionally, the same data that is available via the PerfMon counters is also available via the MIB, and may be displayed via any standard network management tool.


System events

The most recent events are displayed on the Manage > Dashboard page. Internally, these events are generated as NT events and, as such may be monitored by Microsoft System Manager or, using any number of 3rd party utilities, may be pushed to a syslog. In addition, for each NT event, an SNMP trap is also set, enabling standard network management tools to monitor WAAS Mobile system events. The WAAS Mobile server MIB is installed with the server software in the C:\Program Files\Cisco\WAASMobileServer folder.

System reports

See CHAPTER 6 for a complete description of system reports. System reports are not human-readable, and are sent to Cisco for advanced troubleshooting support. To ensure that all necessary troubleshooting information is captured:

• Enable Network Monitoring (prior to generating the system report) by navigating to the Configure > Clients > Diagnostics menu. This feature is disabled by default, as there may be interoperability issues with certain IPsec VPNs (e.g., CheckPoint).

• Ensure that both the WAAS Mobile client and server are running. If the user Disables the client, the troubleshooting information is preserved, but if he/she Exits the client, all debug information is lost.

• Generate the system report shortly after an event occurs since, by default, the system report only covers a short traffic interval. To enable the capture of more history, enable Large Client System Reports by navigating to the Configure > Clients > Diagnostics menu, but still ensure that the system report is generated as soon after the event occurs as possible.

• Enter a concise description of the issue in the system report description field, including the sequence of steps that led up to the occurrence of the issue. This will guide the Cisco engineers who examine the report.

• Capture both a client and server system report. The GUID (which is the prefix in the system report title) and the time of day (which is also included in the system report title) facilitate matching the server and client system reports associated with the same event.

Logs

There are multiple types of logs that may be generated, including: • Installation log.

NOTE: Installation logs are only created by PCs running Windows Installer 4.5 or later. To check the version level of the Windows installer on a PC, open a command prompt window and type “msiexec /?”.

• Event logs. Event logs are displayed on the Manage > Events page.

68 Diagnostics

Client-Side Diagnostics

Icon Colors

While running, an “acceleration icon” will be displayed in the Windows system tray to indicate the WAAS Mobile software status.

Figure 10 Acceleration Icon in System Tray

The icon states and corresponding descriptions are as follows:

Cisco WAAS Mobile is accelerating traffic.

Cisco WAAS Mobile is not accelerating traffic.

Client Diagnostics

When the user double-clicks the tray icon or selects Client Manager from the tray icon menu, the Cisco WAAS Mobile GUI is launched in a browser. From this page, select the Diagnostics tab which consists of the following tabbed pages:

• TCP Connections. Real time information regarding the acceleration of each active TCP connection, including: o Application process name. o Acceleration server that is accelerating this TCP connection. o Destination IP of the TCP connection. o Acceleration status. If the TCP connection is not being accelerated by WAAS Mobile,

the status field provides an explanation as to why not. o Performance for each TCP connection, including data reduction, data before

optimization, and data after optimization.

NOTE: TCP session view is available for PCs running Windows XP SP2 and later OSs.

• Acceleration Server Connections. Real time information regarding the acceleration sessions between the client and each server to which it is connected, including o Start time.


o Connection state. o Performance of each acceleration server connection, including bandwidth up and

down, latency, packet loss, data reduction, data before optimization, and data after optimization.

• Event Log. Persistent log of client events. See CHAPTER 11 for a listing of the client messages and recommended diagnostic actions.

Figure 11 Client Manager Diagnostics – TCP Sessions Tab

TCP Session Status Each TCP session will have one of the following acceleration status indicators:

• Accelerated. The TCP session is being accelerated via the designated acceleration server. • Bypassed : Acceleration Server Unavailable. The client has successfully established an

acceleration connection with a license granting server, but the acceleration server that has been designated to handle this connection by the Accelerated Network rules is unavailable.

• Bypassed : Per Accelerated Networks Rules. The Accelerated Network rules specify that TCP connections to this address should be bypassed.

• Bypassed : Low Latency. The latency between the client and the application server is less than the latency threshold, which is 10 ms by default. This threshold may be modified on the Connection Settings tab on the Configure > Clients > Networking page.

• Bypassed: Client is Not Connected. The client cannot connect to the server because either a. Client has been disabled b. Client is close to the server and is in High-Speed Bypass c. Client is unable to obtain a license d. Client is unable to connect to a license granting server. See CHAPTER 11 for

troubleshooting tips. • Bypassed: Not on Accelerated Processes List. The process name associated with this TCP

connection is not on the Accelerated Processes white list. Processes may be added to this list via the Accelerated Processes tab on the Configure > Clients > Acceleration page.

70 Diagnostics

• Bypassed: Pre-existing Connection. When WAAS Mobile is started after other applications, the existing TCP connections associated with those applications will not be reset unless the “Auto Reset Connection” property has been selected for the process in the Accelerated Processes table, and hence, these pre-existing connections will be bypassed.

• Bypassed: Inderterminate routing rule. When multiple WAAS Mobile server farms are deployed, the Exchange servers must be explicitly mapped to the server farms that will accelerate them via the Accelerated Networks tab on the Configure > Clients > Acceleration page.

• Bypassed: Pre-existing or Low Latency. See above. • Bypassed : Reason Unknown. This message will occur when an attempt to reset a TCP

connection associated with an application that has been configured to have these connections be automatically reset (via the Accelerated Processes table on the Configure > Clients > Acceleration page) fails.

NOTE: The TCP session status table displays established TCP connections to applications; it does not display TCP connections that are in the listening, time_wait, or close_wait states and it does not display TCP connections to localhost or connections associated with the Cisco WAAS Mobile client proxy process.

Acceleration Server Connections Accelerated traffic will be sent to one or more acceleration servers over an Acceleration Server Connection. For each acceleration session between the client and WAAS Mobile server, the following information is provided:

• Start time • Connection state • Performance of each acceleration server connection, including bandwidth up and down,

latency, packet loss, data reduction, data before optimization, and data after optimization At start-up, the client forms acceleration connections to up to 3 servers. One of these connections will be the license-granting session. If the client needs to establish additional connections to other acceleration servers, these sessions will be set up on-demand as traffic arrives. Each Acceleration Server Connection will be in one of the following states:

• Not connected. The client has a license and is connected to at least one acceleration server, but traffic has not yet flowed over an accelerated connection.

• Connecting. The client is in the process of connecting to the acceleration server. • Persistent. Networking has been interrupted, and the connection is being persisted

through the outage. • Active. The connection is being used to accelerate traffic. • Blank. If connection state is blank, then the client has not yet connected to any

acceleration server. • Dormant. There has been no activity on a connection to an acceleration server during the

last hour, and the client no longer has an accelerated connection to that server. Dormant connections reduce the initial connection times for TCP sessions destined to the acceleration server.


System Reports

CHAPTER 6 provides a complete description of how to generate a system report. Note that system reports must be generated while the WAAS Mobile client is running and shortly after the issue has occurred. When the client generates a system report, information is captured on the WAAS Mobile client and all servers to which the client is connected. The client system report is automatically uploaded to the WAAS Mobile server from which it obtained a license. When a server generates a system report, it is stored on that server. The Manager’s Manage > System Reports page provides an integrated view of all of the system reports on all of the servers, and provides links to these reports.

72 Diagnostics

CHAPTER 11. Troubleshooting

This chapter is divided into two sections: the first is intended to guide administrators in determining exactly what type of issue the user is having, and the second can then be used to help troubleshoot and resolve the issue. If necessary or if the support issue is beyond the scope of this document, escalate the issue to the Cisco Technical Assistance Center (TAC) for assistance.

Installation & Integration Troubleshooting

• General installation issues o Please confirm that the client or server in question meets the minimum hardware

requirements and that the server meets all software requirements as noted in CHAPTER 2.

• For server issues, see Table 20 in this chapter. • For client issues, see Table 21 in this chapter. • Networking issue relating to server integration.

o Refer to Table 20 in this chapter; in general, the server should be setup in similar fashion to other application servers co-located with it.

NOTE: The Cisco WAAS Mobile system is not in the critical path, which means when properly configured it will never restrict access to resources. If the server or client crashes the client machine will simply lose acceleration to network resources, not access.

Troubleshooting Client Connection Issues

• Client unable to connect to WAAS Mobile server. o This could be a problem on the client machine, server machine or the network so,

while a common problem, it is also complex in nature. Check the Event Log tab of the Diagnostics page of the Client Manager and then refer to Table 22.

• Server not running. o Was the server stopped? Check the Manage > Servers page and attempt to start

the server. o Is a valid license key being used? Check that licenses are properly provisioned on

the Configure > Manager > Licenses page. o Check the Manage > Events page for related messages. o Refer to Table 20 for additional guidance.

• Client unable to connect to network resource when connected to the WAAS Mobile server.

o Does the problem occur when WAAS Mobile is not running? o Does the WAAS Mobile server have access to the resource?

Can the WAAS Mobile server ping the resource? If not, can the WAAS Mobile run the application that the client is trying

to run? If it can’t perform the action, it can’t proxy the application on the client’s behalf.


Troubleshooting Performance Issues

If acceleration is not occurring • Verify that the desktop icon is green, indicating that the client has formed an acceleration

session with at least one acceleration server. • If green, then

o Check the TCP Sessions tab of the Diagnostics page of the Client Manager and verify that the TCP sessions associated with the application are being accelerated.

o Check the Acceleration Server Sessions tab of the Diagnostics page of the Client Manager to verify connectivity and that the sent/received statistics are incrementing.

• If gray, then o See Troubleshooting Client Connection Issues above.

Refer to Table 21 for further troubleshooting techniques.

Troubleshoooting HTTPS

Verify that HTTPS is properly configured • Start WAAS Mobile client. • Open a browser. • Visit a secure site. It should open without any problems (i.e., no pop-up dialog boxes). • Double-click the padlock icon. A certificate will be displayed. (This is for Internet

Explorer. Other browsers also display padlocks but displaying the certificate may require a different action).

• The issuer name that is displayed should end with a GUID. The GUID should be the same as the registry value Options\HTTPS\HostId on the WAAS Mobile server.

HTTPS Troubleshooting Steps • Verify that HTTPS acceleration has been enabled and that the destination server is on the

HTTPS inclusion list. • When using the WAAS Mobile self-signed CA:

o After the client has been run and the certificate popup accepted, check that the WAAS Mobile server CA certificate is in the user’s trusted certificate store. If not, send a System Report to the Cisco Technical Assistance Center (TAC) for analysis.

• When WAAS Mobile server is configured as a subordinate CA: o Check the messages relating to the SSL Proxy in the WAAS Mobile server log on

startup. If the message following, “The result of the attempt is” is not “certificate request created” or “success,” send a System Report to the Cisco Technical Assistance Center (TAC) for analysis.

o Check that the WAAS Mobile server CA certificate is present in the personal machine store on the WAAS Mobile server machine. If not, it must be obtained and installed.

74 Troubleshooting


o Check that the WAAS Mobile server CA certificate is trusted on the WAAS Mobile server. If not, the certificate chain for the Enterprise CA used to issue the WAAS Mobile server CA certificate must be imported into the personal machine store, and the root of the chain must be imported into the trusted machine store.

o Run the WAAS Mobile client on a client machine. After it connects successfully, check that the WAAS Mobile server CA certificate is in the user’s personal certificate store on the client machine after the WAAS Mobile client has been run. If not, send a System Report to the Cisco Technical Assistance Center (TAC) for analysis.

o Check that the WAAS Mobile server CA certificate in the user’s personal certificate store on the client machine is trusted. If not, send a System Report to the Cisco Technical Assistance Center (TAC) for analysis.

Popup (or other alert) On Client On occasion you may visit a secure web site and the browser will present you with a popup dialog box. The dialog box presents information about the reissued web server certificate that has been created by the WAAS Mobile server from the original web server certificate. There are usually three things to look at:

• Is the reissued certificate trusted? • Is the reissued certificate within its date range? • Is the name on the reissued certificate correct?

If the reissued certificate is not trusted, it means the original certificate was not trusted on the WAAS Mobile server. The usual cause of this is that the root of the certificate chain for the web server certificate is not in the trusted machine store on the WAAS Mobile server machine. Web server certificates are almost always issued by a globally recognized CA that is pre-installed on all major operating systems. Lack of trust for a certificate from a public web server strongly suggests that the original certificate should be viewed with suspicion. The situation is entirely different when the web server is inside your own enterprise. In that case the likely cause for this error is that the root of the web server certificate has not been imported into the trusted machine store on the WAAS Mobile server machine. This will almost certainly be the case in three common scenarios:

• The web server certificate is self-signed. In this case, import the web server certificate itself into the trusted machine store on the WAAS Mobile server machine.

• The web server certificate is signed by an enterprise CA that is self-signed. In this case, import the CA certificate into the trusted machine store on the WAAS Mobile server machine.

• The web server certificate is issued using a two-level enterprise CA, in which the root certificate is self-signed. In this case, import the root CA certificate into the trusted machine store on the WAAS Mobile server machine.

On Windows operating systems, use the certificates MMC snap-in to import, export and view certificates. Another cause of lack of trust is date range problems. The WAAS Mobile server issues an untrusted certificate in this case. If everything else is OK and the date range is wrong, it is common practice to accept the certificate.

Troubleshooting Delta Cache Encryption

If Delta cache encryption is not working or is not allowed on a domain computer.

• Verify that the Group Policy for the domain is setup with a Data Recovery Agent; additional information can be found at HTTP://technet.microsoft.com/en-us/library/cc778448.aspx.

• Check if the Group Policy is setup with a Data Recovery Agent but its certificate is invalid or expired. Additional information on renewing certificates can be found at HTTP://support.microsoft.com/default.aspx/kb/937536.

• Verify that the Group Policy is configured to allow File Encryption. This requires a checkbox to be checked in the Encrypting File System Properties window.

• For more information on Windows EFS, see HTTP://technet.microsoft.com/en-us/library/bb457116.aspx.

Troubleshooting SNMP

Troubleshooting SNMP Notifications (“Traps”) 1. Is the WAAS Mobile Server process running? If not, start it and make its start

automatic.

2. Are NT Events enabled on the WAAS Mobile server? If not, enable them.

3. Is the SNMP Service running? If not, start it and make its start automatic.

4. Is AccelSnmpXa.dll loaded? If not, check if it is installed and registered properly as described above. If it is correctly installed and registered but not loaded, the DLL is corrupt and the WAAS Mobile server software should be reinstalled.

5. Check SNMP Service Properties Traps tab. Is the community name what you expected? Is the monitoring station address in the list of trap destinations? If either of these conditions is not met, make the appropriate changes.

6. Are traps from the WAAS Mobile server reaching their destination? To troubleshoot, trace the packet trail as follows:

a. Using NetMon on the WAAS Mobile server, capture SNMP packets generated when the server process is restarted, monitoring on the interface on which they are sent. If none are captured, return to step 1 of this troubleshooting guide.

b. If the packets are being sent, inspect their content to see if they are being sent to the expected host and port.

c. On the monitoring station, capture packets on the interface on which they should arrive. If none arrive when they are known to be generated on the server, check the local firewall (if any), network connections and the IP routing arrangements of your network.

7. Check that the server machine IP address corresponds to one of the entities to which the management station is listening, and that the entity is set to use SNMPv1 or SNMPv2.

After all these steps are successfully completed the traps will be displayed.

Troubleshooting SNMP Statistics

76 Troubleshooting



http://support.microsoft.com/default.aspx/kb/937536

http://technet.microsoft.com/en-us/library/bb457116.aspx

http://technet.microsoft.com/en-us/library/bb457116.aspx


1. Is the WAAS Mobile Server process running? If not, start it and make its start automatic.

2. Are NT performance counters enabled on the computer hosting the WAAS Mobile server? If not, enable them.

3. Is the SNMP Service running on the computer hosting the WAAS Mobile server? If not, start it and make its start automatic.

4. Is AccelSnmpXa.dll loaded? If not, check it is installed and registered. If it is correctly installed and registered but not loaded, the DLL is corrupt and the WAAS Mobile server software should be reinstalled.

5. Check SNMP Service Properties Security tab. Is the community name what you expect (e.g., public)? Is the monitoring station address in the list of trap destinations? If either of these conditions is not met, make the appropriate changes.

6. Requests for counters originate on the monitoring station. To troubleshoot, follow the packet trail using NetMon.

7. Using NetMon on the monitoring station, capture SNMP packets generated when the management station tries to access the performance variables, monitoring on the interface on which the packets are sent. If none are captured, check that the management station is sending to the correct host.

8. If the packets are being sent, inspect their content to see if they are being sent to the expected host and port.

9. On the WAAS Mobile server, capture packets on the interface on which they should arrive. If none arrive when they are known to be generated on the server, check the local firewall (if any), network connections and the IP routing arrangements of your network.

10. If the packets are arriving, check if any packets are being sent back. It is common for the SNMP service to notify of problems in a response packet. If the returned packets contain “authentication failure” indications, check the Accepted Community Names on the Security tab of the SNMP Service, and check the security name associated with the Context that is being used in by the management station.

After all these steps are successfully completed, the counters will be displayed.

Problem Isolation

WAAS Mobile Server Issues and Isolation

Table 20 WAAS Mobile Server Issues and Isolation

Activity Symptom Possible Causes Resolution

Installation License key issues No license key has been input, or invalid license key input

Input a valid license key on the Configure > Manager > Licenses page. Make sure that there are no space characters either before or after the license string.

General installation issues

Missing operating system components (for example, IIS)

Verify server software and hardware requirements found in CHAPTER 2.

Networking Network or Specific Resource is Inaccessible

General Networking Issue on Server During Setup

Use the command line tool ipconfig.exe along with Windows Network Connections module to verify the WAAS Mobile server has the proper network settings.

Starting WAAS Mobile Manager

An “Under Construction” page is presented when opening the WAAS Mobile Manager

Incorrect URL or Firewall issues

Verify the URL is in the form of HTTP://ServerName/ControllerWeb/manSummary.aspx. Verify network path to the server and that the Manager will open using the browser on the server.

Accessing System Reports

The following error message is displayed “Security Alert… Your current security settings do not allow this file to be downloaded.”

Manager is being accessed from localhost, and the system report, which uses the server’s IP, is not trusted.

In the browser settings, add the host IP to the local intranet zone list. For Internet Explorer, go to Tools > Internet Options > Security to configure this.

78 Troubleshooting

WAAS Mobile Client Issues and Isolation

Table 21 WAAS Mobile Client Issues and Isolation


Client Installation

Client Fails to Install. The client installation components may be inaccessible if hosted on a network share.

Restart the client computer and retry the installation. If that does not succeed, redownload the installation file to the PC and reinstall. If a Windows error message is provided during the installation, search online for that error message for further information.

Client Installation

Client Fails to Install. In the rare case where an install fails after multiple attempts a machine may have a bad OS configuration.

Contact Cisco support for assistance.

Client Connection

Icon in system tray shows not connected. If this is happening for all users, the server(s) may not be running. If this is happening for a single user, then client may be disabled or may not be able to reach the server.

First, go to the Manage > Dashboard page to verify that the server(s) is (are) running. Then, on the client PC, open the Client Manager, click on the Diagnostics tab, view the Event Log, and refer to Table 22.

Client User Interface

The user is unable to launch the Client Manager.

The browser is configured to use an upstream proxy server.

Enable “Bypass proxy server for local addresses.” For Internet Explorer 8, do this via the Tools > Internet Options > Connections > LAN Settings menu.



Client Operations

WAAS Mobile is connected but HTTP traffic is not being accelerated.

Proxy settings can cause protocol specific errors.

Check the user’s browser settings for an incorrect proxy address. Also check the user’s TCP sessions tab, which can be accessed in either the client GUI or the Manager GUI.

Client Operations

Unable to access site or network share. The WAAS Mobile server may not have access to the site.

Confirm this issue occurs when WAAS Mobile is not running. Once WAAS Mobile is running, all accelerated traffic is routed through the WAAS Mobile server; confirm that the server’s DNS server is properly resolving the names of the servers to be accelerated and that there is a routable path from the WAAS Mobile server to this resource. Confirm that the same application can be run on the WAAS Mobile server; after doing this, uninstall the application from the WAAS Mobile server if it had to be installed for this test.

80 Troubleshooting



Client Operations

Application is not being accelerated. Configuration issue can result in traffic bypassing WAAS Mobile.

Determine if the traffic is passing through WAAS Mobile by viewing the client TCP Session statistics. If it is not being accelerated, the reason the traffic is being bypassed is displayed in this table. Review the settings on the server, making certain that there is no rule that causes the traffic of interest to not receive acceleration. If the reason for the lack of acceleration can not be determined, trigger a system report and contact Cisco Technical Assistance Center (TAC).

Client Operations

HTTPS traffic is not being accelerated. WAAS Mobile is bypassing a network resource.

Check the TCP Sessions view to determine if the traffic is being bypassed because the latency to the server is below the threshold. If latency bypass is not causing the problem, verify HTTPS settings and certificates as described in CHAPTER 6.

Client Event Messages

The table below summarizes the client event log messages. These messages may be displayed on the client PC by navigating to the Event Log tab of the Diagnostics tab of the Client Monitor. Alternatively, these messages may be viewed on the Manager by navigating to the Manage > Clients page, clicking on the client for you would like to view Detailed Client Status, and then selecting the Event Log tab.

Table 22 WAAS Mobile Client Event Messages

Event Text Cause Resolution Unable to connect to server <IP or hostname>. UDP port <port number> is blocked.

Port 1182 has not been opened Check to see if a firewall on the user’s machine or anywhere between the client and the server is blocking port 1182 UDP

Session connected: Server <IP or hostname>. Downlink bandwidth is xx kbps, Uplink bandwidth is yy kbps, round trip time is zz msec

Client has successfully connect to the server None required. Informational only.

Session status: Connected to server <IP or hostname>

Informational only. None required.

Session status: Persisting to server <IP or hostname>

Client has disconnected from the server Persistent sessions is enabled and the server is maintaining the session.

None required if this is the desired behavior. If you do not want the disconnected session to be maintained, disable the persistent sessions feature on the server.

Session status: High speed bypass of server <IP or hostname>

Client traffic is bypassing the WAAS Mobile server because there is a low latency connection between the client and the server.

If this is not the desired behavior disable the High Speed bypass feature on the server.

Session status: Client unable to connect to server <ip or hostname>: Inconsistent configuration detected. Farm name could not be matched.

Farm or server configuration on client's accelerated networks table has not been configured in the farm list.

Verify accelerated networks table and server farm settings in the Manager match for the appropriate client distribution.

Session status: Client unable to connect to server <ip or hostname>: Client failed to create TCP connection to the server.

This is typically related to a network configuration or a connectivity issue.

Verify that client path to server is functional and the firewall allows access over TCP port 1182.

Session status: Client unable to connect to server <ip or hostname>: Server not reachable

This is typically related to a network configuration or a connectivity issue.

Verify that client path to server is functional and that the appropriate ports are open on the firewall.

Session status: Client unable to connect to server <ip or hostname>: Authorization Timeout

Client was unsuccessful trying to obtain login credentials from external source

Verify server configuration for RADIUS authentication and verify connectivity to RADIUS server from WAAS MobileServer.

82 Troubleshooting


Event Text Cause Resolution Session status: Client unable to connect to server <ip or hostname>: Server licenses exceeded

Server license limit has been reached. If multiple servers are configured, the client will attempt to connect to a different server.

Verify license parameters and either reduce the number of users or provision additional licenses

Session status: Client unable to connect to server <ip or hostname>: Server is busy

Server is experiencing high load. If multiple servers are configured, the client will attempt to connect to a different server.

Wait a few minutes and instruct user to try again. If problem persists check server memory and CPU parameters for the user load via the Manage > Monitoring page.

Session status: Client unable to connect to server <ip or hostname>: Unknown connection problem

Client is unable to interpret reason for inability to connect.

Have user try again. If problem persists trigger a system report and contact Cisco Technical Assistance Center (TAC).

Session status: Client unable to connect to server <ip or hostname>: Login problem

Client was unable to successfully complete the login process with the WAAS Mobile server. If multiple servers are configured, the client will attempt to connect to a different server.

Have user try again. If problem persists trigger a system report and contact Cisco Technical Assistance Center (TAC).

Session status: Disconnected from server <IP or hostname>: Network problem

Connection to the WAAS Mobile server was unexpectedly terminated

Verify network health. Connection should be automatically restored once connectivity is available. If the physical network is not the problem, trigger a system report on client and server then contact Cisco Technical Assistance Center (TAC).

Session status: Disconnected from server <IP or hostname>: Session problem

Client needed to reset the connection to the server.

Connection should automatically be reestablished. This will automatically trigger a client system report at the time of the problem. If the problem persists, contact Cisco Technical Assistance Center (TAC) and provide the system report.

Session status: Disconnected from server <IP or hostname>: Server disconnected

The server has restarted due to a problem or the administrator action.

If this is a server restart, check the Manager’s system report page for presence of a server-triggered system report and contact Cisco Technical Assistance Center (TAC).

Event Text Cause Resolution Session status: Disconnected from server <IP or hostname>: Client disconnected

Typically this is an informational message only.

Verify the client has disconnected intentionally. If that is not the case verify the issue is reproducible and provide system report to Cisco Technical Assistance Center (TAC).

Session status: Disconnected from server <IP or hostname>: Server problem

The server needed to restart the connection to the client

Check the Manager’s system report page for presence of a server-triggered system report and contact Cisco Technical Assistance Center (TAC).

Session status: Client unable to connect to server <ip or hostname>: Login timed out

During the login process excessive delays were encountered.

Request user try again. If problem persists. Trigger a system report on the client and contact Cisco Technical Assistance Center (TAC).

Session status: Client unable to connect to server <ip or hostname>: ACL bypass

Informational only. Server is being bypassed due to ACL configuration.

None required.

Persistent session to server <IP or hostname> is terminated. This session was inactive for too long.

Informational only. Client has been disconnected from server for longer than configured persistent session timeout value.

None required.

Persistent session to server <IP or hostname> is terminated. This session does not exist on the server anymore.

informational only. Client has been disconnected from the server for longer than the configured persistent session timeout value, so the session has been terminated. A new session should be established when the client tries to connect.

None required.

On-demand connection to <IP or hostname> completed


On-demand connection to farm '<farm_name>' started -- application traffic to <IP or hostname>


Session to <IP or hostname> timed out due to inactivity


84 Troubleshooting


Event Text Cause Resolution License status: Granted from server <IP or hostname>


License status: Denied from: server <IP or hostname>

Occurs when a server runs out of licenses. If client was unable to obtain a license from any server, verify that a sufficient number of licenses have been provisioned.

Configuration status: Update received from: server <IP or hostname>


Configuration status: Successfully applied Informational only. None required.Configuration status: Failed to apply Client configuration change was unsuccessful. Exit and restart the client. If problem is not

resolved, reboot client PC. If problem is still not resolved, obtain a system report and contact Cisco Technical Assistance Center (TAC).

Software upgrade: Upgrade received from: server <IP or hostname>


Software upgrade: Successfully applied. Informational only. None required.Software upgrade: Failed to apply. Client software upgrade was unsuccessful. Reboot client PC. If problem is still not

resolved, delete the client via Add/Remove Programs on the Control Panel and reinstall. If still unsuccessful, obtain a system report and contact Cisco Technical Assistance Center (TAC).

Failed to initialize the client GUI shared state. Error code x, x.

Attempted to start client while a client process was still running.

The client will continue trying to startup for 15 seconds. After that time, the user will receive the following pop-up message, “The WAAS Mobile Client GUI failed to initialize. Please try starting the WAAS Mobile Client again.”

Configuration warning: Insufficient disk space on client. The client delta cache file is located at <delta_cache_directory>. Delta caching disabled.

Insufficient disk space on the PC. The PC disk must have sufficient capacity to support at least the fallback delta cache size, which is 256 MB, by default, and which can be modified via the Manager.

Event Text Cause Resolution Configuration warning: Insufficient disk space on server <server_addr>. Please contact your administrator. Delta caching disabled.

Server is improperly configured and does not have sufficient space available to create a delta cache file.

Free up appropriate disk space on the server or change the server delta cache size via the Manager.

Failed to contact server <IP or hostname> while initiating server system report

Client was trying to tell the server to generate a system report and was unable to do so.

May be a result of a network connectivity issue or a server problem. If all users are experiencing this issue, verify permission settings on the server. Verify network connectivity and that the reports were generated on both the client and server and then contact Cisco Technical Assistance Center (TAC).

Failed to send data to <IP or hostname> while initiating server system report

Client was trying to upload a system report and was unable to do so.

Verify network connectivity and server status. If all users are experiencing this issue, verify permission settings on the server. Contact Cisco Technical Assistance Center (TAC) if problem persists.

Initiated server system report to server <IP or hostname>

Client has generated a system report and triggered the matching report on listed server.

Contact Cisco Technical Assistance Center (TAC) if appropriate.

Initiated server system report to primary server <IP or hostname>

Client or another server in the server farm has triggered a system report.

If the report was generated by a server check for log messages related to that server and contact Cisco Technical Assistance Center (TAC) if appropriate.

User Action: Client Restarted. Informational only. None required.User Action: Restored default settings. Informational only. None required.User Action: Changed delta cache size. Informational only. None required.User Action: Cleared delta cache. Informational only. None required.User Action: Cleared Client Manager statistics. Informational only. None required.User Action: Enabled Start when Windows starts checkbox.


User Action: Disabled Start when Windows starts checkbox.


User Action: Acceleration disabled. Informational only. None required.

86 Troubleshooting


Event Text Cause Resolution User Action: Acceleration enabled. Informational only. None required.User Action: Created System Report. Informational only. None required.User Action: Client Started Informational only. None required.User Action: Client Exited Informational only. None required.Log rotation: <timestamp>. This should be the first message in the new log file upon completion of a rotation event. The old log file is archived at <archived_filename>.


Creating <Process Name> System Report. Informational only. None required.<Process Name> System Report is temporarily written to <File path for Temporary Dat File>


The System Report will be sent to <Url> Informational only. None required.Compiled System Report Archive at <File path for Cab File> with <Number of Files Archived> files


Send System Report using Connection Type <Connection Type>


System Report failure: Unable to send System Report data to the System Report receiver.

A system report was generated by a client. The attempt to send it to a server failed. The user will be prompted to save the system report locally on the PC.

Ensure connectivity to server and verify system report exists on client.

Sending System Report succeeded. Informational only. Verify the creation of the system report and contact Cisco Technical Assistance Center (TAC).

No connection attempts to the System Report Receiver succeeded. Please inform your Administrator.

This event usually occurs in conjunction with the event about WAAS Mobile client System Report process (BlackBoxThrow.exe) being unable to open a TCP connection to the System Report Receiver.

Check that the machine can connect to the System Report Receiver correctly. The Receiver's machine may not be running currently or there may be a firewall blocking access. By default all clients will upload their System Reports to the server they received a license from. This can be seen in the client Event Log.

Event Text Cause Resolution System Report failure: Unable to access a local network device.

A network configuration problem occurred on the local client machine.

Please check the network configuration settings on the client that reported the problem.

System Report failure: Unable to access System Report data.

The System Report was not created correctly. Check that the location of the System Report exists. If it does not exist, make sure that WAAS Mobile process has permissions to write to the local user's temporary directory (WAAS Mobile runs as the local user). The location appears in a previous log message. If it does, enable System Report logging and send a BlackBox.log file to the Cisco Technical Assistance Center (TAC). To enable this log on the client side create the following registry key: HKLM\Software\ICT\Blackbox\EnableLogging (DWORD) set it to 1 and restart the client.

System Report failure: Invalid System Report URL <Url>.

The system report receiver site set in the client's configuration is invalid.

Have a System Administrator review and modify the client's configuration system report receiver URL under Configure > Clients > Diagnostics.

System Report failure: System Report receiver site <Url> must use HTTP or HTTPS.

The system report receiver site set in the client's configuration is not using HTTP or HTTPS.

Have a System Administrator review and modify the client's configuration system report receiver URL under Configure > Clients > Diagnostics.

System Report failure: Unable to create a TCP connection using Connection Type <Connection Type>.

WAAS Mobile client System Report process (BlackBoxThrow.exe) is unable to connect to the System Report receiver site.

The user should check his or her network connection to the server.

System Report failure: Unable to create a TCP connection to System Report receiver site <Url>.

WAAS Mobile client System Report process (BlackBoxThrow.exe) is unable to connect to the System Report receiver site.

The user should check his or her network connection to the server.

88 Troubleshooting


Event Text Cause Resolution System Report failure: Cannot create request to send System Report.

WAAS Mobile client System Report process (BlackBoxThrow.exe) was able to create a TCP connection to the System Report Receiver but was unable to create an HTTP request to send to the Receiver.

This indicates that there is a problem with BlackBoxThrow.exe. In this case, enable System Report logging and send a copy of BlackBox.log to the Cisco Technical Assistance Center (TAC). To enable this log on the client side create the following registry key: HKLM\Software\ICT\Blackbox\EnableLogging (DWORD) set it to 1 and restart the client.

System Report failure: Unable to send System Report due to a proxy authentication failure with account <username>.

This problem can only occur if WAAS Mobile client System Report process (BlackBoxThrow.exe) needs to send a System Report through a proxy server before it reaches the System Report Receiver. The proxy server needs authentication and the proxy authentication account set in the client's configuration is incorrect.

Check where the server is located in the network map. All machines that use WAAS Mobile must be able to connect to it directly. By default all clients will upload their System Reports to the server they received a license from. This can be seen in the client Event Log.

System Report failure: Unable to complete sending the System Report due to a proxy authentication failure with account <username>



System Report failure: Unable to send System Report using proxy authentication with account <username>



Event Text Cause Resolution System Report failure: Unable to set the System Report size in the request.

WAAS Mobile client System Report process (BlackBoxThrow.exe) is unable to set the content length header in the HTTP request that is sent to the System Report Receiver.

Save the System Report locally and send it to the Cisco Technical Assistance Center (TAC). If the problem continues, enable System Report logging and send a copy of BlackBox.log to the Cisco Technical Assistance Center (TAC). To enable this log on the client side create the following registry key: HKLM\Software\ICT\Blackbox\EnableLogging (DWORD) set it to 1 and restart the client.

System Report failure: Unable to send the request to the System Report receiver site <Url>.

A failure occurred while sending an HTTP Get request to the System Report Receiver. The content length of the request is invalid or the application is in offline mode.

Check that the machine's network device is active and connected. If that is true, save the System Report locally and send it to the Cisco Technical Assistance Center (TAC).

System Report failure: Unable to read the response from the System Report receiver site <Url>.

Unable to read the HTTP status code header value from the System Report receiver's response.

This usually means there is a problem with the System Report Receiver service on the WAAS Mobile server. Send a server system report to the Cisco Technical Assistance Center (TAC) to report the issue.

System Report failure: Unable to read the content type from the System Report receiver's response.

Unable to read the content type header value from the System Report receiver's response.


System Report failure: There is not enough space on the local machine to read the System Report receiver's response.

Resource constraints on the local machine causes if WAAS Mobile client System Report process (BlackBoxThrow.exe) to be unable to read the System Report receiver's response.

Close applications to free up memory or increase virtual memory page size.

System Report failure: A problem occurred while reading the System Report receiver's response.

This problem occurs if WAAS Mobile client System Report process (BlackBoxThrow.exe) cannot read the HTTP content-type header from the System Report receiver response.


90 Troubleshooting


Event Text Cause Resolution System Report failure: Failed to download data from the System Report receiver site <Url>.

A failure occurred while WAAS Mobile client System Report process (BlackBoxThrow.exe) read a portion of the response data from the connection to the System Report receiver.

This can indicate that the network connection was unexpectedly terminated in the middle of a System Report transfer. Check that the machine's network status is functional before attempting to send a new System Report.

System Report failure: Failed to upload the System Report data to the System Report receiver.

A failure occurred while WAAS Mobile client System Report process (BlackBoxThrow.exe) was sending a block of the System Report data to the System Report receiver.


System Report failure: Did not upload all of the System Report data to the System Report receiver.

The WAAS Mobile client System Report process (BlackBoxThrow.exe) sends blocks of System Report data. It must send each entire block of data to avoid corruption of the System Report. If the entire block of data is not sent, this error occurs.


System Report failure: HTTP error response received from System Report Receiver: Internal Error 500 - Please check that the acceleration server's Web Server is functioning properly.

The System Report Receiver was unable to process the System Report and sent back an error response.

This usually means there is a problem with the System Report Receiver service on the WAAS Mobile server. Try restarting the Controller Service on the server. If there are still issues send a server system report to the Cisco Technical Assistance Center (TAC) to report the issue.

System Report failure: HTTP error response received from System Report Receiver: Bad Gateway 502 - Please check that the acceleration server's Web Server is functioning properly.


This usually means there is a problem with the System Report Receiver service on the WAAS Mobile server. Try restarting the Controller Service on the server. If there are still issues send a server system report to the Cisco Technical Assistance Center (TAC) to report the issue.

Event Text Cause Resolution System Report failure: HTTP error response received from System Report Receiver: Unauthorized 401 - Please supply username and password information when sending System Reports.

The System Report Receiver requires that all connections must be authenticated. The client or server configuration does not include a username and password to send with System Report requests or the username and password is invalid.

The System Report Receiver should not require authentication. In IIS Manager on the Central Controller server, check that authentication is disabled for the System Report Receiver's virtual directory. Also confirm that “Everyone” has read\write\modify access to the following IIS folder: \SystemReportsReceiver\Data

System Report failure: HTTP error response received from System Report Receiver: Request Timeout 408 - The acceleration server's Web Server timed out while waiting for the System Report to upload.

The connection between the System Report Receiver and the WAAS Mobile client System Report process (BlackBoxThrow.exe) was terminated because it took too long to send the System Report. This is a common problem with connections over very slow network speeds.

Send a server system report to the Cisco Technical Assistance Center (TAC) to report the issue. Also indicate how long it took to send the system report before the problem occurred.

System Report failure: HTTP error response received from System Report Receiver: Proxy Authentication Required 407 - Please supply proxy server username and password information when sending System Reports.

This problem can only occur if the WAAS Mobile client System Report process (BlackBoxThrow.exe) needs to send a System Report through a proxy server before it reaches the System Report Receiver. The proxy server needs authentication and the proxy authentication account set in the client's configuration is incorrect.


System Report failure: HTTP error response received from System Report Receiver: Forbidden 403 - Please check that the acceleration server's Web Server is functioning properly.


This usually means there is a problem with the System Report Receiver service on the Acceleration server. Try restarting the Controller Service on the server and check the IIS settings. If there are still issues send a server system report to the Cisco Technical Assistance Center (TAC) to report the issue.

92 Troubleshooting


Event Text Cause Resolution System Report failure: HTTP error response received from System Report Receiver: HTTP status code <status code>

The System Report Receiver was unable to process the System Report and sent back an unknown error response.

This usually means there is a problem with the System Report Receiver service on the Acceleration server. Try restarting the Controller Service on the server and check the IIS settings. If there are still issues send a server system report to the Cisco Technical Assistance Center (TAC) to report the issue.

Server Event Messages

The table below includes commonly seen messages displayed on the Manage > Events and/or the Manage > Dashboard pages.

Table 23 WAAS Mobile Server Event Messages

Event Text Cause Resolution

The server encountered an error during license validation. The license key was not found.

The license key was not found. Make sure your license is valid, reapply it and restart the server.

The server encountered an error during license validation. The license key appears to be invalid.

The license key appears to be invalid or missing.

Make sure your license is valid, reapply it and restart the server.

The server encountered an error during license validation. The license key was not valid.

The license key was not valid. Make sure your license is valid, reapply it and restart the server.

The server encountered an error during license validation. Unable to create network info object.

Unable to create network info object. Make sure your license is valid, reapply it and restart the server.

The server encountered an error during license validation. The license key did not match required parameters.

The license key did not match required parameters, i.e. something is different on the machine from when the license was created.


The server failed to initialize. Server Health Check failed at startup.

Server health check failed at startup. Verify that the delta cache was created properly by navigating to the Manage > Servers page and clicking on the server to view Detailed Server Status. Check that the delta cache size is as expected and verify that the machine is not running low on disk space.

94 Troubleshooting



Server failed to initialize. Failed to run the proxy system manager.

Failed to run the proxy system manager. This is a general error in response to a more specific one. Make note of any error events prior to this in the Windows Event Viewer. View server log (if enabled) for more information.

Server failed to initialize. Failed to run the server link manager.

Failed to run the server link manager. This is a general error in response to a more specific one. Make note of any error events prior to this in the Windows Event Viewer. View server log (if enabled) for more information.

Event logging was initialized. Informational only. None required.

The server license check succeeded. Informational only. None required.

Starting WAAS Mobile Server. Informational only. None required.

Shutting down WAAS Mobile Server. Informational only. None required.

Generating a black box, request received from usersession.


Transport Thread Health Check Failed. The transport thread was hung for at least 60 seconds. The server will now restart.

None required.

3-GB switch enabled. Informational only. None required.

3-GB switch disabled. Informational only. None required.

The server internet connection check failed. The server internet connection appears to be broken.

Fix the server’s internet connection.

Server failed to initialize. Failed to initialize the SSL proxy.

Failed to initialize the SSL proxy. This is a general error in response to a more specific one. Make note of any error events prior to this in the Windows Event Viewer. View server log (if enabled) for more information.


Server failed to initialize. Failed to initialize the persistent delta.

Failed to initialize the persistent delta. Verify that the delta cache was created properly by navigating to the Manage > Servers page and clicking on the server to view Detailed Server Status. Check that the delta cache size is as expected and verify that the machine is not running low on disk space.

Server failed to initialize. Server Health Check failed at startup.

Server health check failed at startup. Verify that the delta cache was created properly by navigating to the Manage > Servers page and clicking on the server to view Detailed Server Status. Check that the delta cache size is as expected and verify that the machine is not running low on disk space.

Server failed to initialize. Failed to run the proxy system manager.

Failed to run the proxy system manager. This is a general error in response to a more specific one. Make note of any error events prior to this in Windows Event Viewer. View server log (if enabled) for more information.

Server failed to initialize. Failed to run the server link manager.

Failed to run the server link manager. This is a general error in response to a more specific one. Make note of any error events prior to this in Windows Event Viewer. View server log (if enabled) to see if there is any more information.

The server encountered an error during license validation. The license key was not found.

The license key was not found. Make sure your license is valid, reapply it and restart the server.

The server encountered an error during license validation. The license key appears to be invalid.

The license key appears to be invalid or missing.


96 Troubleshooting



The server encountered an error during license validation. The license key was not valid.

The license key was not valid. Make sure your license is valid, reapply it and restart the server.

The server encountered an error during license validation. Unable to create network info object.

Unable to create network info object. A memory error occurred while trying to verify the license key. Verify that the server has sufficient memory available, and restart.

The server encountered an error during license validation. Maximum number of total users in license terms exceeded in user database.

Maximum number of total users in license terms exceeded in user database.

Decrease number of users or buy more licenses.

The server encountered an error during license validation. The license key did not match required parameters.

The license key did not match required parameters, i.e. something is different on the machine from when the license was created.

On the Configure > Manager > Licenses page, verify the key displayed exactly matches the key that was issued.

The Manager encountered a run error. Failed to initialize the FIF Config.

A memory error occurred while trying to initialize the configuration subsystem.

Verify that the server has sufficient memory available, and restart.

98 System Status Reports

CHAPTER 12. System Status Reports

System status reports are used by Cisco support technicians and software engineers when in-depth system analysis is required for problem isolation. These reports include system state as well as a brief history up to the point in time when the system report was generated. In the unlikely event the WAAS Mobile client crashes, it will trigger a report automatically. System reports may also be triggered manually from the server or any of the client computers. This is often helpful when system anomalies are observed. Reports generated from a client computer will also generate matching reports on the server(s) to which the client is connected.

Generating a System Report from a Client Computer

1. Click the acceleration icon in the system tray and select System Report.

Figure 12 WAAS Mobile System Tray Icon Menu

When the Cisco WAAS Mobile: Description and Additional Information window appears:

• Enter any information that could be helpful in diagnosing the situation you have encountered, including a description of the problem and what you were doing when the problem occurred. If the issue involves the transmission of a particular file, select Add File to attach the file to the System Report (multiple files may be attached).

• When finished, click Send Report and the system report will be sent to the server where it can be downloaded along with the matching server-side report. All system reports can be retrieved from the Manage > System Reports page. By default, system reports can also be found in the following directory:

o On Windows Server 2003 and 2003 R2: C:\Documents and Settings\All Users\Application Data\Cisco\Inbox.

o On Windows Server 2008 and 2008 R2: C:\ProgramData\Cisco\Inbox

Generating a System Report from the WAAS Mobile Server

There are two options for generating system reports from the WAAS Mobile server: • From the Manage > Servers page, select the servers and click Request System Report to

generate server status reports. • From the Manage > Clients page, select one or more users and click Request System

Report to generate reports for the selected clients and the servers to which they are connected.

If system reports cannot be sent to the WAAS Mobile server, they may be saved locally on the client’s PC by choosing Save Report on the Product Description and Additional Info window.


Appendix A. Hardware and Software Configuration Guidelines

When configuring WAAS Mobile servers, the following hardware and software guidelines are provided:

o Windows Server x64 Standard Edition (2003 or 2008) is required to support 500 or more concurrent users.

o Delta cache storage should be provisioned to provide the desired history depth. The desired history depth may vary, but 1-2 weeks of traffic history typically suffices. When the cache is full, the least recently used data is overwritten. Server cache depth in days may be viewed on the Manage > Monitoring page.

o For best performance, the sum of the server delta cache capacities across all servers should be at least 1/3 to 1/2 the sum of the provisioned client delta cache capacities across all clients.

The table below provides specific guidance for configuring WAAS Mobile servers to meet a range of capacity requirements for typical use cases. The administrator should configure the size of the server delta cache for each server profile per the guidelines on this table via the Manager, by navigating to Configure > Servers > Acceleration > Delta Cache.

Table 24 Server Hardware and Software Requirements

Storage Allocation Software Hardware

Number of Concurrent Users

Delta Cache*

OS and WAAS Mobile files

Minimum Windows Server Edition

Min. CPU Min. RAM

Min. # Hard Disks

Min. Disk Speed

Recom‐mended Disk Config.

Min. Raw Capacity per Disk

Less than 75 39 GB 35 GB Standard 1.8 GHz Dual‐core

2 GB 1 7200 RPM

NA 80 GB

75 to 200 171 GB 61 GB Standard 1.8 GHz Dual‐core

2 GB 1 or 2 7200 RPM

If 2 disks, RAID 1

250 GB

200 to 500 405 GB 61 GB Standard 2.0 GHz Quad‐core

4 GB 2 7200 RPM

RAID 1 500 GB

500 to 2000 1297 GB 100 GB x64 Standard

Dual 2.0 GHz Quad‐

core

6 GB 4 7200 RPM

RAID 5 500 GB



core

12 GB 6 15000 RPM

RAID 5 300 GB



core

16 GB 6 15000 RPM

RAID 5 600 GB

6000 to 8000 4+ TB 100 GB x64 Standard


core

24 GB 15000 RPM

RAID 1 OS/

RAID 50 cache**

External storage array

* This column shows the maximum delta cache supported by the disk configuration listed in the table. If additional storage is provisioned, larger delta caches are supported. ** In high capacity configurations, it is suggested that the operating system and WAAS Mobile system files run on a pair of RAID 1 disks, with the delta cache in a RAID 5 or RAID 50 configuration.

100 Hardware and Software Configuration Guidelines

NOTE: This sizing guidance may also be applied to sizing virtual WAAS Mobile servers. Expect that the throughput of the virtual server will be 80-90% of a bare metal server, so plan the CPU allocation accordingly.

NOTE: For every 1 TB of additional delta cache that is configured, 1 GB of additional RAM of must be provisioned. Delta caches larger than 1 TB should only be configured on x64 operating system editions.

NOTE: Disk storage is specified in gigabytes (GB), and Windows file storage is specified in gibibytes (GiB), so

Windows storage = 109 ÷ 230 × disk storage .

In other words, a 100 GB disk will provide 93 GB of file storage on a Windows OS.

NOTE: In a RAID 5 array, disk storage is (Num disks -1) x storage per disk.

In a RAID 1 array, disk storage is (Num disks ÷ 2) x storage per disk.

In a RAID 50 array, typically 2 sets of RAID 5 arrays are configured, in which case disk storage is ((Num disks ÷ 2) -1) X storage per disk.


Appendix B. List of Acronyms

Acronym Definition

API Application Programming Interface

ASP Active Server Page(s) (Microsoft web scripting language and file extension)

CGI Common Gateway Interface (web scripting facility)

CIFS Common Internet File Services (Microsoft)

DNS Domain Name Service/System

EVDO Evolution Data Only (optional version of CDMA 2000)

FTP File Transfer Protocol

GB Gigabyte

GbE Gigabit Ethernet (IEEE 802.3z-1998)

GUI Graphical User Interface

HTTP Hypertext Transfer Protocol (world wide web protocol)

HTTPS Hypertext Transfer Protocol over SSL

ICA Independent Computing Architecture (Citrix)

IMAP4 Internet Messaging Access Protocol 4

IP Internet Protocol

IIS Internet Information Services (Microsoft)

IT Information Technology

LAN Local Area Network

MAPI Microsoft Outlook Messaging API

MSSQL Microsoft SQL Server

NetBIOS Network Basic Input/Output System

NIC Network Interface Card (PC Ethernet network card)

NTFS New Technology File System (Microsoft Windows)

OS Operating System

PC Personal Computer

POP3 Post Office Protocol version 3 (Internet email protocol)

RAID Redundant Array of Independent Disks

RAM Random-Access Memory

RDP Remote Desktop Protocol

102 List of Acronyms

Acronym Definition

RPM Revolutions Per Minute

RTT Round-Trip Time

SMB Server Message Block (protocol)

SMTP Simple Mail Transfer Protocol (internet email)

SNMP Simple Network Management Protocol

SQL Structured Query Language (database query lanquage)

SSL Secure Sockets Layer (Netscape; web security protocol)

TAC Technical Assistance Center

TCP Transmission Control Protocol

UDP Universal Datagram Protocol

URL Uniform Resource Locator (world wide web address)

UTC Coordinated Universal Time (Greenwich Mean Time, GMT)

VoIP Voice Over IP

VPN Virtual Private Network

WAAS Cisco Wide Area Application Services

WAN Wide Area Network

WiFi Wireless Fidelity (IEEE 802.11b wireless networking)

This page intentionally left blank.


THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0809R)

Cisco WAAS Mobile Administration Guide Copyright © 2011 Cisco Systems, Inc. All rights reserved.