WAN optimization need

Here's the scenario: A client has a main office in Holland and they have opened a new office in the US. Right now they have a site-to-site VPN using Cisco ASA 5505 and they've had slowness when it comes to fetching data from servers housed in Holland. Long story short (given the current infrastructure and large archives / server setup in Holland) we need to optimize the WAN traffic. The company has an IT team and I am filling the role of a consultant in their US office to help them have a presence and assistance in the US.

The office in the US currently only has about 3-4 employees so WAN speeds aren't THAT big of deal but they will be important in 2015 once they recruit 6-10 engineers.

We've already started looking into optimizing the actual traffic going over VPN and some ISPs can help with that (We first lowered the encryption of the site-to-site from 256 bits to 128 and that didn't help much, next is looking into other IP-based VPN solutions rather than site-to-site that could be quicker).

At the moment, engineers will use a remote desktop (terminal) connection to a server in Holland so that they can work (I don't have a lot of details yet sorry).

For now I want to know your opinions on the following:

What is a good hardware WAN optimizer? I know a lot of vendors offer them but based on your experience any recommendations?

I am also going to look into using Squid as a web proxy at least for intranet purposes. Has anyone used Squid for RDP use?

Figured I would test the waters, thanks in advance and any feedback is appreciated on this!
Samir Saber (Faculty) asked:
It would really help to know what kind of traffic/applications/protocols your client is using. Riverbed SteelHead is great from a technology standpoint. Easy to deploy, good reporting, easy to use, can handle encrypted traffic such as SSL / SMB / MAPI / RDP. They have virtual and physical appliances. I don't like their licensing, which is per flow, so I end up just passing through flows that don't optimize well or are too small to bother with. The other thing I don't like is that their current policy is to EOL all of their virtual and physical appliances. How you can with a straight face ask a customer to pay for a virtual appliance, and then 5 years of maintenance, and then ask the customer to pay for a new piece of software that functions exactly like the old software is beyond me. That said, it's really good stuff. There are a lot of other wannabe players, but the only other quality competitor is Silver Peak. Their software isn't as good as Riverbed's, but their licensing is better. Both companies allow you to trial their virtual appliances.
Fred Marshall (Principal) commented:
You didn't say what speeds are provided at each end up and down.
That's very important.
Have a look at a network analyzer at UC Berkeley:
You will need to work with HQ and make sure network diagnostics cross the VPN link in question.
It is capable of identifying high network latency, excess network buffering, and misconfigured DNS; you will see the rest.

Samir Saber (Faculty, Author) commented:
Thank you for the responses.

kevinhsieh - I agree that listing all of the protocols/applications that they're using would help but I don't know the entire picture yet and I have limited info - for now we'll just say site-to-site VPN with Cisco ASA and RDP. Thanks for your insight on Riverbed and Silver Peak. This local consulting firm uses Barracuda's hardware wan optimizer for a lot of their customers - any insight on those?

fmarshall - speed in US is Comcast 100/20 Mbps - we're looking into AT&T's gigabit connections which of course cost a lot more $ but could be a solution. They offer symmetrical speeds which is good (I'd much rather have 50/50 than 100/20). I've already asked them to give me an FTP server or a way to test their connection from our building to Holland at least to check the network (traceroutes, etc). The office in Holland has a 100/50 connection which they are looking to upgrade as well. So all in all we're looking to find a balance between investing into a good wan optimizer versus dishing out a lot of $ for bandwidth - to keep a happy medium in between (it's a work in progress that's why I'm testing the waters).

gheist - thanks for the suggestion - I ran the tool and a lot of it was blocked due to the firewall but I will see. Thanks again.
Fred Marshall (Principal) commented:
It seems to me that the provided speeds are at least "OK" for what you're trying to do.
Maybe we should define what "slowness" means for the users.

You have 50 up in Holland and 100 down in the US, so getting files from Holland,
the Holland to US speed will be limited at 50.
You have 20 up in the US and 100 down in Holland,
so the US to Holland speed will be limited at 20.
Speeds from 20-50 are "OK" for most purposes.

It's the Holland to US speed that you seem to be concerned about.  50 seems likely to be fine for almost any situation where there are only 3 or 4 workstations involved.  This suggests that perhaps you should be looking elsewhere for the "problem".  So this gets back to "What is being slowed?"  "How slow is "slow"?"  etc.

The VPN itself shouldn't take up too much bandwidth with overhead so I'd not be looking there first.
Have you done any speed tests?  You can find files of various sizes at: http://www.coastal-computers-networks.com/id12.html . I would recommend moving one of the large files in both directions and time the transfer with a stopwatch.  That will tell you what the inherent speed capabilities are.  Good information to have for further diagnosis.
Justin Ellenbecker (IT Director) commented:
I have to agree with Marshall; we limit all of our remote offices to 1 Mbps per user over a VPN when they are using remote desktop. The RDP session itself should only need a few hundred kbps here and there when it is running. I am thinking you are having a latency issue, not a bandwidth issue. What is the latency between the sites? I assume that those connections are carrying a rather large latency. If it is latency, you are more than likely better off placing machines in the US office and only transferring files back and forth. There are a lot of solutions for file share caches, and if it is running a domain setup you can use BranchCache from Microsoft to speed that process up. Squid and a few other devices can do caching as well. Cisco Meraki has a caching option when you buy the MX60 or above. We have used the Meraki to enable caching between sites, but we actually had to turn it off because it was not playing well with RDP traffic.

There may not be any better options for improving latency since you are going between two countries. Short of getting a private satellite link between the two facilities, which is outrageously expensive, you may be stuck with using a VPN and at the mercy of the latency you are given. Looking into an MPLS VPN from a provider that is in both countries may help though.
Yes yes yes, latency issue. That's why a premium network diagnostics tool was proposed.
Samir Saber (Faculty, Author) commented:
fmarshall - bandwidth that goes through any given VPN will get cut down significantly depending on the encryption levels. The distance between Holland and the US doesn't help and the bandwidth gets sliced as you hit more & more networks/routers over a given distance. I have done a speed test via RDP and it takes about 2 minutes to transfer a 100MB file which is too slow. FTP is a little better. Their engineers will be using AutoCad and fetching files from an archive (file will be on a network share).

to all: I don't think there's a latency issue because the same speed tests have been stable and we don't get abnormal spikes in response times - it's really just a bandwidth issue and VPN issue which is why I am looking into possible WAN optimizers. Right now we can live with the current speeds but as they get more employees we'll most likely need to upgrade the bandwidth to cover the video conferencing, email, web traffic, etc.

StrifeJester - thanks for the feedback. The guys in Holland are looking at a MPLS VPN solution with Vodafone (company there) and we'll see how that goes.

I'm going to contact different vendors of WAN optimizers directly and see what they propose and maybe I can score some trial devices.
This is a long fat pipe issue, which is high latency and a high bandwidth connection. Normal TCP can't fill a long fat pipe with a single TCP session due to the way that TCP works.


Now, if you are using RDP, I am not sure why you are trying to transfer a file anyway. Manipulate the files from a computer in Holland and then just access that via RDP/Citrix/VMware.

If you want to manipulate the files locally in the US, a product like Riverbed is really good because it can give you better throughput by making TCP optimizations, compress data, deduplicate and cache data, and make improvements to the CIFS and SMB protocols. In addition, Riverbed can proactively download and cache files from a Windows share.

Microsoft DFS-R with or without global file locking can also replicate all files between Holland and the US, and that should be relatively inexpensive.

A Riverbed virtual appliance that can pump out 50 Mbit of post-optimized traffic (which can be the equivalent of a 200+ Mbps connection) will cost about $25-30K USD. The US device can be much smaller because the receiving bandwidth isn't limited, only the sending bandwidth is.

I have read that AutoCAD can rescramble all of the bits in a file when it is saved, effectively making the entire file look new to most deduplication engines. I know that Riverbed has worked hard on this issue, and I believe that they have it figured out. Something that only looks at the bitstream of a TCP session won't be able to find all of the commonalities between different versions of the same file and performance will be much more like a cold transfer than a warm transfer.

Here is the Riverbed documentation for optimizing AutoCAD file transfers.

Although I don't like how Riverbed handles their licensing, your situation is really one of the core use cases for Riverbed, and they have been doing it a long time. I don't believe that anybody else has worked on the specific problem of AutoCAD over long distances as much as Riverbed, and they have shown themselves to attempt to optimize at every possible level of the stack to give the user the best possible experience. Silver Peak likes to say that they operate really at the IP, TCP and UDP layers and are otherwise traffic agnostic. Riverbed optimizes IP, TCP, further up the stack to SMB, and then they even know that it's AutoCAD so they can apply even more logic there. It's a methodology that's hard to beat.

Fred Marshall (Principal) commented:
A simple way to think of the effect of latency:
Require a handshake (of sorts) for every 10Mb of bulk data transfer.
Assume 100Mbps bandwidth.
Assume 2 seconds of round trip latency.
To transmit 100MB = 1,000Mb:
Transmit 10Mb in < 0.2 seconds and wait 2 seconds for the handshake.
Repeat 55 times.
110 seconds for handshakes
10 seconds for bulk data transfer.
120 seconds for a 100MB transfer as you experienced.

Well, some of these numbers may be way off, but I hope you get the idea of the major effect of latency.

I don't expect a VPN by itself (without latency as above) to be worse than 80%.
But I can well imagine that a VPN with inherent 90% efficiency could "look like" it was slower unless compared to a non-encrypted data transfer of the same data using the same end protocols, etc.
With more practical numbers:
Before RFC 1323 the maximum TCP window was 64k-1 bytes, which had to be acknowledged.
For light to travel across the Atlantic takes about 30 ms.
Count any way you want: one connection makes 1 kB/ms, or 1 MB/s, or 8 Mbps maximum across the Atlantic at that level of protocol.
Suffice to say most firewalls reduce the protocol to exactly that archaic level.
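The two posts above argue the same point from different directions: Fred's handshake model and gheist's 64 KB window calculation both say that on a long fat pipe the per-connection throughput is capped by window size divided by round-trip time, not by the link rate. The block below is an added worked example (written for this page, not code from any of the posters or from Riverbed) that carries that arithmetic through for the thread's own numbers: the 100 MB file that took about 2 minutes over RDP, the 3.4 Mbps FTP result, and the 50 Mbps Holland upload. The 100 ms transatlantic RTT is an assumption, as is the pre-RFC 1323 window of 65535 bytes; measure the real RTT with ping across the VPN before trusting the output.

```python
"""Single-TCP-flow throughput on a long fat pipe (bandwidth-delay product).

Added worked example for this thread; the numbers below are the thread's
own figures plus an ASSUMED 100 ms transatlantic round-trip time.
"""

BITS_PER_BYTE = 8
MAX_UNSCALED_WINDOW = 65535          # 16-bit TCP window field, pre RFC 1323


def window_limited_throughput_bps(window_bytes: int, rtt_s: float) -> float:
    """Ceiling on one TCP flow that must stop and wait for an ACK every window."""
    return window_bytes * BITS_PER_BYTE / rtt_s


def bandwidth_delay_product_bytes(link_bps: float, rtt_s: float) -> float:
    """Bytes that must be in flight to keep a link busy at a given RTT."""
    return link_bps * rtt_s / BITS_PER_BYTE


def window_scale_shift(bdp_bytes: float) -> int:
    """Smallest RFC 1323 window-scale shift whose window covers the BDP (0 if none needed)."""
    shift = 0
    while (MAX_UNSCALED_WINDOW << shift) < bdp_bytes and shift < 14:  # 14 is the RFC maximum
        shift += 1
    return shift


def transfer_time_s(size_bytes: int, link_bps: float, rtt_s: float, window_bytes: int) -> float:
    """Estimated wall-clock time: the flow runs at whichever cap is lower,
    the link rate or the window/RTT ceiling (Fred's handshake model, simplified)."""
    effective_bps = min(link_bps, window_limited_throughput_bps(window_bytes, rtt_s))
    return size_bytes * BITS_PER_BYTE / effective_bps


def implied_window_bytes(size_bytes: int, observed_s: float, rtt_s: float) -> float:
    """Work backwards from an observed transfer: what effective window explains it?"""
    throughput_bps = size_bytes * BITS_PER_BYTE / observed_s
    return throughput_bps * rtt_s / BITS_PER_BYTE


if __name__ == "__main__":
    rtt = 0.100                     # ASSUMED transatlantic RTT, seconds
    holland_upload = 50e6           # from the thread: 100/50 in Holland
    file_size = 100 * 10**6         # the 100 MB test file from the thread

    cap = window_limited_throughput_bps(MAX_UNSCALED_WINDOW, rtt)
    print(f"64 KB window @ {rtt*1000:.0f} ms RTT caps one flow at {cap/1e6:.2f} Mbps")
    print(f"  (thread measured 3.4 Mbps FTP and ~{file_size*8/120/1e6:.1f} Mbps over RDP)")

    bdp = bandwidth_delay_product_bytes(holland_upload, rtt)
    shift = window_scale_shift(bdp)
    print(f"Filling {holland_upload/1e6:.0f} Mbps needs {bdp/1024:.0f} KiB in flight; "
          f"window scale shift {shift} gives {(MAX_UNSCALED_WINDOW << shift)/1024:.0f} KiB")

    print(f"100 MB, unscaled window: {transfer_time_s(file_size, holland_upload, rtt, MAX_UNSCALED_WINDOW):.0f} s")
    print(f"100 MB, scaled window:   {transfer_time_s(file_size, holland_upload, rtt, MAX_UNSCALED_WINDOW << shift):.0f} s")
    print(f"Observed 120 s implies an effective window of "
          f"{implied_window_bytes(file_size, 120, rtt)/1024:.0f} KiB")
```

With the assumed 100 ms RTT a 64 KB window caps a single flow at roughly 5 Mbps, which sits right between the 3.4 Mbps FTP and 6.7 Mbps RDP results reported in the thread, so the observations are consistent with a window-limited flow rather than a saturated link. Filling the 50 Mbps Holland upload at that RTT needs about 610 KiB in flight, which only a scaled window (or a WAN optimizer terminating TCP locally on each side) can provide; if the ASA or anything in the path strips the window-scale option, as gheist suggests, that is the first thing to check with a packet capture of the SYN exchange.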
Samir Saber (Faculty, Author) commented:
kevinhsieh - super valuable information, thank you! I will definitely look into Riverbed, and that's good to know they specialize in AutoCAD file transfers. I also hear Blue Coat is good: http://www.ndm.net/wanoptimization/pdf/Accelerate_and_Optimize_Autodesk_AutoCAD_Workflows.0.pdf
They start at $20K but also have virtual appliances that you can run on VMware (appliance starts at $3K and the license is $3K / 3 yrs for 25 users).

fmarshall - nice example, and latency does play a big part in this problem; the goal is for one of these WAN optimizers to cache enough data (especially documents that engineers would fetch, for example) so that we don't have to send as much data back & forth.

gheist - interesting calculation - I was getting 3.4 Mbps for an FTP test between Texas & Holland. Another interesting test was FTP from Schiedam to a server in Canada at 21 Mbps (this was on the public Internet, no VPN).
I'd say the 2nd experiment made use of some more of the TCP extensions, while the first used less.
You can try different network frame sizes with iperf just to see how much it takes to get to reasonable performance, and how much more is needed to saturate the pipes. (Yes, it needs tuning of all systems' TCP/IP stacks.)
I looked at the Blue Coat document and the cold transfer performance was pretty bad. Typical improvement should be close to 50% for a cold transfer of documents that are compressible. Blue Coat should be considered when you need their leading QoS and security features. Any WAN optimization they have is a bolt-on technology that they picked up many years ago and should not be considered in the same category as the dedicated WAN optimization vendors, for whom WAN optimization is their core business.