Blue Coat SG800 WAN accelerator boosts SSL traffic

Balance of flexibility, performance stacks up well against market rivals

Blue Coat Systems’ SG line of WAN accelerators builds on traditional WAN optimization methods by adding a couple of their own, including support for SSL encrypted traffic and streaming media. Based on a series of protocol- and application-specific proxies, the SG appliances balance flexibility and performance with ease of use, and they support basic bandwidth management and content filtering.

Performance particulars

I tested a pair of SG800 appliances in my lab and found the 1U appliances to be comparable in performance increase and time savings to the Riverbed and Silver Peak WAN solutions. I used the same test suite as in those previous reviews to put the SG800 through the paces, and in each case it performed as expected. It scored within a percentage point or two of Riverbed’s results, and in some cases outperformed Riverbed, as in my Excel read/write test.

The SG800 seems to top out at about 30Mb/s through the appliance, even when serving cached or optimized traffic. The appliance has a rated upstream limit of 45Mb/s and my tests showed that was indeed true. For smaller offices, this bandwidth should be sufficient, but for networks that require greater bandwidth, SG800’s big brother, the SG8000 appliance, would be a better fit.

Installing the SG800 into my test WAN was not overly difficult but did take longer than either of the Riverbed or Silver Peak installs. Part of the installation requires definition of the ADN (Application Delivery Network), a table of routes to each appliance and the subnets behind each one.

The primary ADN keeps track of all registered appliances and broadcasts routes to every peer device. This enables redundant paths to resources in case a primary connection is unavailable. ADN requires ports to be open in the forward-facing firewall for proper communication between peers, so plan your time accordingly.

Instead of simply performing generic TCP acceleration, Blue Coat includes a large number of predefined proxies, and IT can create its own as necessary. There are proxies for instant messaging as well as for SOCKS, Telnet, and DNS. I had no trouble creating a custom HTTP and CIFS proxy during testing.

Each proxy has a series of parameters that allow for further performance tweaks. Unlike Silver Peak, there is no UDP-specific acceleration in the Blue Coat appliance; the proxies determine if traffic should be optimized, passed through, or dropped. Blue Coat also allows for a moderate level of configurability. For example, IT can choose to optimize all HTTP traffic or only that traffic destined for a specific subnet or port.

The most interesting proxy is the SSL proxy. Most WAN acceleration appliances will not touch SSL encrypted traffic – they simply pass it through untouched and unoptimized. Blue Coat, however, will optimize and accelerate HTTPS traffic just as it does normal HTTP traffic.

The secret is that the SG800’s SSL proxy actually intercepts and decrypts the secure traffic before applying optimization techniques and re-encrypting the packets. When the other SG800 receives the packets, it decrypts the optimized traffic and re-encrypts with the correct key and cipher for transmission on to the destination server.

I was a bit concerned about this man-in-the-middle decryption of secure traffic, but found that it isn’t nearly as dangerous as I first thought. For instance, IT can determine which SSL traffic will be decrypted and optimized, and which traffic will be passed through untouched.

For HTTPS connections to a backend HR portal, IT can decrypt and accelerate traffic while ignoring secure traffic bound for an external banking Web site. Nothing of a secure nature is entered into log files and no other information that someone could use to compromise the system is accessible. Blue Coat provides support for local certificates and also external Certificate Authorities, which makes integration easier.

Ruling class

Policy rules control all aspects of the appliance. The policy defines how and when traffic is accelerated, when to require user authentication, and even whether traffic information should be logged. I used Blue Coat’s Visual Policy Manager to create my policy and found the process to be relatively straightforward. IT can also import existing policies from other SG appliances to reduce setup time.

I also liked the SG800’s capability to provide URL content filtering through its own database or in conjunction with eight other popular filtering systems. It also works with ICAP-ready virus scanning servers, such as Finjan, Symantec, Trend Micro, and WebWasher to help remove Internet-based threats. IT can also apply some basic bandwidth management to traffic as it passes through the appliance, but it doesn’t integrate with existing QoS infrastructures, limiting its overall effectiveness.

Reporting is well done, with all traffic types broken out into individual real-time and historical graphs. I found the graphs to be easy to interpret at a glance, showing previous 60-minute, 24-hour, and 30-day periods on one screen. Other graphs display system statistics, overall efficiency, bandwidth management statistics, and system health. Event logging can be sent to a Syslog server or e-mailed to a user, but unfortunately there is no way to export the graphs to an external system.

Blue Coat SG800’s performance is right up there with the other top accelerator players, and raises the ante by adding support for SSL encrypted traffic. The level of configuration available in each proxy allows for great flexibility, while the Visual Policy Manager streamlines policy creation. Support for ICAP and content filtering is an added bonus. Even though its maximum throughput was only around 30Mbps, the SG800 does improve poorly performing links at roughly half the price of competing products.

InfoWorld Scorecard
Protocol support (25.0%)
Value (10.0%)
Performance (40.0%)
Setup (10.0%)
Reporting (15.0%)
Overall Score (100%)
Blue Coat SG800 9.0 9.0 8.0 7.0 9.0 8.4