Lab test: Juniper WXC speeds WAN traffic
SSL acceleration and support for SMB-signed Windows traffic highlight a well-rounded offering
Accelerate your brain
Overall, the WXC 1800 did a good job of accelerating my traffic over the WAN. CIFS traffic showed a decent performance increase in both "cold" (first pass) and "warm" (subsequent) runs. Juniper posted a cold time of 54 minutes, 21 seconds (a 4.5 times improvement) when copying many small files (641 files totaling 9MB ) over my long, dirty T1, with the warm pass only marginally better at 53 minutes, 29 seconds (a 4.6 times improvement). In comparison, Riverbed's latest release posted a cold time of 23 minutes, 49 seconds (a 10.4 times improvement) and warm pass of 19 minutes, 8 seconds (a 12.9 times improvement). The baseline nonoptimized times took nearly four hours to complete.
FTP traffic also saw a significant increase over nonoptimized, but still lagged Riverbed's quicker times. A single ISO image (155MB) took a little less than 48 minutes (a 3.3 times improvement) to transfer over the T1; warm passes took just more than three minutes (a 50 times improvement). Riverbed's times were 11 minutes cold (a 14.6 times improvement) and 30 seconds warm (a 320 times improvement). Nonoptimized times were more than two and a half hours.
Optimizing SSL traffic is very important in the enterprise, and the list of vendors capable of doing it is relatively short. Juniper's SSL support is slightly different from Riverbed's. Riverbed automatically passes the server-side SSL certificate from the datacenter appliance to the branch office appliance, requiring the certificate to be present on each in order to encrypt/decrypt the traffic (classic man-in-the-middle).
Juniper also requires the SSL certificate on the datacenter appliance, but not the branch side. Instead, as a client requests an SSL connection to the server, the datacenter WXC transparently intercepts the request, establishes the session key, and passes this information to the branch office WXC. The branch office appliance does not store the session key or any other SSL information on disk; it is only kept in volatile memory for the duration of the SSL conversation. From this point on, the appliance can "see" the SSL traffic and apply optimization techniques to it. This works with client-side SSL certificates, too, allowing users of two-factor authentication to participate in accelerated traffic. I really like the ease of setup and the additional security provided by client-side certificates.
Unlike the Riverbed Steelhead and the Cisco Wide Area Application Engine, Juniper's WXC 1800 can optimize SMB-signed traffic. SMB signing, which is on by default on Windows 2003 and 2008 domain controllers, places a digital signature into each SMB packet to secure network communications between Windows clients and servers. To accelerate this traffic, Juniper requires a valid domain user account on each appliance in order to negotiate a key to decrypt each packet. Once decrypted, each traffic flow is tested against established policy and any optimization techniques are applied. Now network admins no longer have to disable SMB signing in order to optimize Windows traffic.