SaaS Optimization at the Edge of the Cloud
May 14, 2020
As new applications move to the cloud, the need for more granular data and analytics follows, in order to measure the rate of acceleration of SaaS (Software-as-a-Service) access. While CRM represents the largest of the SaaS markets, other segments, such as digital marketing and collaboration, are both seeing a rapid shift from on-premises to the cloud, much of which can be attributed to the strong focus service providers are placing on edge-network agility in rapidly making new functionality available to customers.
In a recent Gartner survey assessing the impetus for the surge in SaaS migration, over 440 SaaS strategy decision makers cited enhanced or continuous functionality as the top driver when migrating to a SaaS offering. How can you ensure that quality of experience for end-user applications is fully optimized at the access point closest to the user?
Versa Networks has just updated its SD-WAN software (Release 21.1) to incorporate even more SaaS optimization features that bolster core functionality such as TCP Optimization, Application Visibility, Forward Error Correction, Packet Cloning, Packet Striping, Traffic Conditioning, and QoS Traffic Management.
First-Packet-Based Traffic Identification and Traffic Management
Today an even larger percentage of business applications used by enterprises are consumed as a service. The SaaS model means that applications are hosted in a public cloud, resulting in business-critical traffic exiting to the Internet.
Customers expect that configured policies (e.g., QoS, path selection, forwarding policy) are applied to a flow as soon as possible, preferably on the first packet. Traditionally, application detection requires visibility into the first few packet exchanges before the application can be identified. Once the application is identified, the mapping from IP address to application is cached, so that application-specific policies are applied to most subsequent flows from the first packet. This works out well for hosted applications, because the number of IP addresses from which the application is served is limited.
However, in a SaaS-provisioned model, application delivery is dynamic in nature and can span tens if not hundreds of IP addresses. Therefore, convergence of an IP address to an application ID often takes too long, resulting in many applications being assigned default policies while the application is being detected. Versa’s new feature resolves that inherent problem to ensure that all flows to specific applications are always detected on the first packet and thus are associated with the appropriately configured policies.
Many Cloud SaaS providers advertise the IP address range and fully qualified domain names (FQDNs) used to serve the application. Since these IP addresses and FQDNs are owned by the application service provider, Versa can reliably map a flow toward these advertised IP addresses or FQDNs to the application, and do it from the very first packet of the very first flow to the application.
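The lookup described above can be sketched as follows. This is an added example, not Versa's code: the class, the policy names, the DNS-answer hook and the sample prefixes and FQDNs (documentation ranges and example.com names) are all constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes and example.com names,
# standing in for a provider's published ranges and FQDNs.
ADVERTISED_PREFIXES = {
    "crm-saas": ["192.0.2.0/24", "2001:db8:10::/48"],
    "collab-saas": ["198.51.100.0/25"],
}
ADVERTISED_FQDNS = {"collab-saas": ["meet.example.com"]}
POLICIES = {"crm-saas": "low-latency-path", "collab-saas": "realtime-qos"}
DEFAULT_POLICY = "default"


class FirstPacketClassifier:
    def __init__(self, prefixes, fqdns):
        self.nets = sorted(
            ((ipaddress.ip_network(c), app) for app, cs in prefixes.items() for c in cs),
            key=lambda item: item[0].prefixlen, reverse=True)  # longest prefix wins
        self.fqdns = {name.lower(): app for app, names in fqdns.items() for name in names}
        self.by_ip = {}  # IPs bound to an app via DNS answers or learned by inspection

    def observe_dns(self, qname, answer_ip):
        """Bind a resolved IP to an app if the queried name is advertised (assumed hook)."""
        name = qname.lower().rstrip(".")
        for suffix, app in self.fqdns.items():
            # Match the name itself or a true subdomain, never a bare string suffix.
            if name == suffix or name.endswith("." + suffix):
                self.by_ip[ipaddress.ip_address(answer_ip)] = app

    def learn(self, dst_ip, app):
        """Record an app identified only after inspecting several packets of a flow."""
        self.by_ip[ipaddress.ip_address(dst_ip)] = app

    def classify(self, dst_ip):
        ip = ipaddress.ip_address(dst_ip)
        for net, app in self.nets:
            if ip.version == net.version and ip in net:
                return app, "advertised-prefix"
        if ip in self.by_ip:
            return self.by_ip[ip], "ip-cache"
        return None, "undetected"

    def first_packet_policy(self, dst_ip):
        app, _ = self.classify(dst_ip)
        return POLICIES.get(app, DEFAULT_POLICY)
```

A destination inside an advertised prefix gets its application policy on the first packet of the first flow, while an address outside every prefix stays on the default policy until a DNS answer for an advertised name or packet inspection binds it to an application.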
DIA and DCA (SaaS) Traffic Optimization
Versa also offers various SaaS optimization capabilities for direct Internet access (DIA) and dedicated cloud access (DCA). In Release 20.1, Versa extended the capability to monitor best paths to prominent SaaS providers, utilizing inline performance measurements on single-ended Versa VOS™ (formerly FlexVNF) deployments. Release 20.2 SaaS optimization addressed support for:
- Monitoring of SaaS applications from branches and hubs
- Distribution of path performance metrics between the branches
- Use of ICMP-based error detection probes to obtain response time data from well-known cloud sites
Release 20.3 extends Versa’s DIA/DCA scope further by adding support for TCP and HTTP probes. With the use of TCP and HTTP-based probes, Versa can measure the response time for Cloud SaaS FQDNs more accurately. Additional enhanced capabilities for DIA/DCA SaaS traffic optimization delivered by Versa 20.3 include:
- Traffic steering and optimization for established SaaS providers
- Dynamically select the best path to reach the SaaS location
- DIA/DCA application identification
- DNS Proxy for FQDN resolution
- SD-WAN app flow traffic steering and anchoring
- Application experience metrics establishment for each flow destined to FQDN
- DIA steering from spoke or hub sites
- Flexible deployment options (dual broadband, hybrid)
- Export SaaS performance metrics to other sites
- Actively monitor SaaS locations from hub sites, and incorporate actively learned metrics into the path selection decision
- Leverage spoke sites to select either a direct access path, or one through a hub site
- Each site can now make its own analysis
Finally, in addition to its full security software stack (NGFW, UTM, NG-IPS, SWG), Versa introduced support for certificate-based (network) device authentication and certificate management using Microsoft NDES and SCEP (Active Directory certificate) infrastructure. With 20.3, Versa supports the SCEP protocol, which interoperates with Microsoft infrastructure to obtain and manage certificates to control network access in environments where Microsoft systems are used for certificate-based authentication.
NAC is key to authenticating and authorizing a device’s access to an environment and application with the right set of privileges and access control. Versa will continue building on its NAC class of features to provide an even more comprehensive solution to customers who are using different environments and third-party software to manage user- and device-level access control.