Blue Coat SG800 WAN accelerator boosts SSL traffic
Balance of flexibility, performance stacks up well against market rivals
Blue Coat Systems’ SG line of WAN accelerators builds on traditional WAN optimization methods by adding a couple of its own, including support for SSL-encrypted traffic and streaming media. Based on a series of protocol- and application-specific proxies, the SG appliances balance flexibility and performance with ease of use, and they support basic bandwidth management and content filtering.
I tested a pair of SG800 appliances in my lab and found the 1U appliances to be comparable in performance increase and time savings to the Riverbed and Silver Peak WAN solutions. I used the same test suite as in those previous reviews to put the SG800 through its paces, and in each case it performed as expected. It scored within a percentage point or two of Riverbed’s results, and in some cases outperformed Riverbed, as in my Excel read/write test.
The SG800 seems to top out at about 30Mb/s through the appliance, even when serving cached or optimized traffic. The appliance has a rated upstream limit of 45Mb/s and my tests showed that was indeed true. For smaller offices, this bandwidth should be sufficient, but for networks that require greater bandwidth, SG800’s big brother, the SG8000 appliance, would be a better fit.
Installing the SG800 into my test WAN was not overly difficult but did take longer than either the Riverbed or Silver Peak installs. Part of the installation requires definition of the ADN (Application Delivery Network), a table of routes to each appliance and the subnets behind each one.
The primary ADN keeps track of all registered appliances and broadcasts routes to every peer device. This enables redundant paths to resources in case a primary connection is unavailable. ADN requires ports to be open in the forward-facing firewall for proper communication between peers, so plan your time accordingly.
Instead of simply performing generic TCP acceleration, Blue Coat includes a large number of predefined proxies, and IT can create its own as necessary. There are proxies for instant messaging as well as for SOCKS, Telnet, and DNS. I had no trouble creating a custom HTTP and CIFS proxy during testing.
Each proxy has a series of parameters that allow for further performance tweaks. Unlike Silver Peak, there is no UDP-specific acceleration in the Blue Coat appliance; the proxies determine if traffic should be optimized, passed through, or dropped. Blue Coat also allows for a moderate level of configurability. For example, IT can choose to optimize all HTTP traffic or only that traffic destined for a specific subnet or port.
The most interesting proxy is the SSL proxy. Most WAN acceleration appliances will not touch SSL-encrypted traffic – they simply pass it through untouched and unoptimized. Blue Coat, however, will optimize and accelerate HTTPS traffic just as it does normal HTTP traffic.
The secret is that the SG800’s SSL proxy actually intercepts and decrypts the secure traffic before applying optimization techniques and re-encrypting the packets. When the other SG800 receives the packets, it decrypts the optimized traffic and re-encrypts with the correct key and cipher for transmission on to the destination server.