Jun 11th, 2009
We are installing a WAAS demo for a customer. The customer has two sites connected via a Microsoft site-to-site VPN over the internet, and ISA servers terminate the VPN at the two sites (they are not working as firewalls). The WAAS devices are connected in inline mode behind the ISA, where all traffic coming in and out must pass through the WAEs. The problem is that they don't do any LZ compression or DRE caching; it is just TFO. The default policies are applied and I am sure that CIFS is enabled on the WAEs. The most important traffic is the Oracle application, and it is just TFO optimized although the default policies state full optimization. I even created an explicit policy with the highest priority to fully optimize the traffic destined to or sourced from the Oracle servers, and I made sure it was transferred to all WAEs, but it didn't work.

ldardon Wed, 06/17/2009 - 13:49
It is possible that ISA will not allow traffic other than TFO traffic to go through it. DRE, LZ and CIFS optimization modify the traffic quite a bit, which can be problematic for devices that then analyze the flow of traffic. This is why it is always recommended to have such devices located after WAAS, and not before it.

eng.malak Sun, 06/21/2009 - 04:37
Dear ldardon,

Thanks a lot for your sharing... It's obvious from my question that the ISA blocks the DRE packets, and I asked for a solution, not a total topology conversion due to a problem like this.

First of all, you can't put the WAEs after the ISA, as the WAEs will not optimize properly due to the encryption and compression of the ISA, as it uses PPTP in our situation.

Second, we made a policy on the ISA to pass all traffic from any IP to any IP with any port, and it also didn't work.

Third, we did a lab here that simulated the customer topology and the same thing happened: only TFO. On the ISA monitoring tool we found that the ISA blocks the HTTPS (port 443) between the CM and the WAEs, and any packet with a high port range (due to DRE optimization) is also blocked, as the ISA thinks it's a type of attack.

Finally... The solution to this problem is to dig a UDP tunnel between the two WAEs to throw the optimized packets into it, and to enable port 4050 on the ISA servers, which allows this tunnel to pass through the ISA.

This tunnel is established using a mode that is called Direct-Mode on the two WAEs, as the inline groups take an IP which is used for the tunnel establishment.
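As an added example (not part of this thread or of any Cisco tool), a small Python check that scans firewall log lines for denied flows that WAAS needs through the ISA: the UDP 4050 directed-mode tunnel between the two WAEs' inline-group IPs and the HTTPS (443) sessions between the Central Manager and the WAEs. The log line format and all addresses are constructed for the example; adapt parse_line to the real export format.

```python
# Added example: scan constructed firewall log lines for denied WAAS flows.
from dataclasses import dataclass

# Constructed addresses for this example; they are not from the thread.
CM = "10.0.0.10"                   # WAAS Central Manager
WAES = {"10.0.1.5", "10.0.2.5"}    # inline-group IPs of the two WAEs
DIRECTED_MODE_PORT = 4050          # UDP port the directed-mode tunnel uses

@dataclass
class Entry:
    proto: str
    src: str
    dst: str
    dport: int
    action: str

def parse_line(line):
    """Parse one constructed log line: '<proto> <src> <dst> <dport> <allow|deny>'."""
    proto, src, dst, dport, action = line.split()
    return Entry(proto.lower(), src, dst, int(dport), action.lower())

def classify(e):
    """Name the WAAS flow an entry belongs to, or None if it is unrelated."""
    if e.proto == "udp" and e.dport == DIRECTED_MODE_PORT and e.src in WAES and e.dst in WAES:
        return "directed-mode tunnel (UDP 4050)"
    ends = {e.src, e.dst}
    if e.proto == "tcp" and e.dport == 443 and CM in ends and ends & WAES:
        return "CM-to-WAE management (TCP 443)"
    return None

def blocked_waas_flows(lines):
    """Return (flow name, src, dst) for every denied entry that is a WAAS flow."""
    hits = []
    for line in lines:
        e = parse_line(line)
        name = classify(e)
        if name and e.action == "deny":
            hits.append((name, e.src, e.dst))
    return hits

# Constructed sample log: one tunnel drop, one management drop, two unrelated lines.
SAMPLE_LOG = [
    "udp 10.0.1.5 10.0.2.5 4050 deny",
    "tcp 10.0.1.5 10.0.0.10 443 deny",
    "tcp 10.0.1.5 10.0.2.5 1521 allow",
    "udp 192.168.9.9 10.0.2.5 4050 deny",
]

if __name__ == "__main__":
    for name, src, dst in blocked_waas_flows(SAMPLE_LOG):
        print(f"BLOCKED {name}: {src} -> {dst}")
```

Running it against the constructed sample reports the two WAAS drops and ignores the Oracle (1521) and foreign-source lines, which is the check to repeat after opening UDP 4050 on the ISA.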


