Businesses spanning over multiple geographies use WAN links to interconnect multiple branches and headquarters. Thus acceleration of office applications while ensuring security becomes absolutely critical for enterprise success in order to combat the latency, slow response-time and potential threats introduced by WAN. Branch Repeater from Citrix helps you achieve this, inter alia, with specialized protocol acceleration for Windows network systems and Microsoft Outlook.

The Branch Repeater (release 6.1 and later) is now equipped with functionality to do compression on signed SMB and encrypted MAPI traffic resulting in lower latency and improved end-user experience for office-critical activities like file-sharing, Outlook email synchronization and more.

With the introduction of this feature, one no longer needs to compromise on network security (i.e. disable signing and encryption) in order to achieve WAN optimization benefits on SMB and MAPI protocols. Moreover, it is transparent to the servers and clients i.e. this feature can be used without doing any configuration changes in clients and servers.

What are signed SMB and encrypted MAPI?

Signing and encryption are used to prevent man-in-the-middle and reply attacks. Windows Vista and Windows 7 use signed SMB for protected shared access to files & printers over the network. Similarly, Microsoft Outlook 2007 and Microsoft Outlook 2010 use encrypted MAPI to communicate with Microsoft Exchange for protection against attacks. Both SMB and MAPI require a session key exchange to happen between server and the client for signing and encryption respectively. This session key exchange is done using NTLM or Kerberos authentication mechanism.

Branch Repeater has support for decrypting, followed by compressing or de-compression depending on whether it is a client-side BR or a server-side BR and then finally encrypting the traffic for signed SMB and encrypted MAPI. This support is now available for both NTLM and Kerberos mechanisms.

How to configure Branch Repeater for signed SMB and encrypted MAPI optimization?

Branch Repeater uses the concept of ‘Delegate user’ to intercept the session key exchange between the client and server and gain access to the session key. Steps to Branch Repeater devices for signed SMB and encrypted MAPI optimization are listed below along with an illustration:

Repeater configuration for signed SMB and encrypted MAPI

Step 1. Configure delegate user in active directory on Domain Controller.

Step 2. Add Server-side BR to the Windows domain.

Step 3. Add delegate user credentials in server-side BR.

Step 4. Configure Server-side BR and client-side BR as Secure Partners by building secure tunnel between the two devices.

So you can observe that this easy-to-configure feature ensures faster response time in the most frequently used office-applications and thus enables higher productivity.