Design and Deployment

To design a network using SaaS Express, it is important to understand how SaaS Express interacts with other mechanisms as traffic traverses the Branch Gateway. Given the particular nature of SaaS Express, both control and data plane components must be considered.

Control-Plane Integration

The following elements are involved on the control plane:

The synthetic probe works similarly to the underlay health checks. Probes are sent through every uplink interface configured in SaaS Express to every optimized application (every 60 seconds) and every monitored-only application (every 10 seconds). SaaS probes always take the underlay path.

The DNS component is a little more nuanced, as there are potential overlaps with other mechanisms. Firstly, DNS snooping on Branch Gateways is not specific to SaaS applications: it is performed for any type of session and is what has long enabled name-based firewall aliases in ArubaOS. When configuring PBR policies to locally break out SaaS traffic, those name-based aliases can also be used. Nevertheless, it is generally simpler to use the application group aliases created by SaaS Express (ending in _saas). SaaS Express optimization must be enabled for an application for its alias to work.

Secondly, Branch Gateways can also serve as the DNS server for the branch (ArubaOS runs a small dnsmasq that can cache up to 150 entries). In that case, Branch Gateways can selectively redirect DNS requests on a per-domain basis (up to 32 domains) using the Redirect DNS feature, configured in System > General > DNS. For more information, see Redirect DNS Servers.

When using SaaS Express, DNS requests for the domains that correspond to the applications being optimized are captured by the Branch Gateway's data plane. These requests are then proxied to the DNS server learned from the ISP or configured in the SaaS Express Exit Profile. Because SaaS Express intercepts DNS requests in the Branch Gateway data plane, it takes precedence over Redirect DNS for those domains.
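The precedence described above (SaaS Express intercept first, then per-domain Redirect DNS, then the default forwarder) is easy to get wrong when a Redirect DNS domain overlaps an optimized application's domain. The following Python model, added here as an illustration and not ArubaOS code or configuration syntax, shows the order in which a query name would be handled and enforces the 32-domain Redirect DNS limit stated in the text. The application name, domains and server addresses are constructed placeholders, and the "longest matching Redirect DNS domain wins" rule is an assumption of this model, not a documented ArubaOS behaviour.

```python
"""Illustrative model of DNS handling order on a Branch Gateway (constructed example)."""

MAX_REDIRECT_DOMAINS = 32  # per-domain Redirect DNS limit stated in the documentation

# Applications with SaaS Express optimization enabled (constructed sample data).
OPTIMIZED_SAAS_DOMAINS = {
    "office365_saas": ["outlook.office365.com", "login.microsoftonline.com"],
}
# Redirect DNS entries, domain -> server (constructed sample data).
REDIRECT_DNS = {"corp.example.com": "10.1.1.53"}
DEFAULT_DNS = "198.51.100.53"     # where the gateway's dnsmasq forwards everything else
ISP_LEARNED_DNS = "203.0.113.53"  # learned from the ISP, or set in the SaaS Express Exit Profile


def _under(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it (case-insensitive, trailing dot ignored)."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def validate_redirect_config(redirect: dict) -> None:
    """Reject a Redirect DNS table larger than the gateway supports."""
    if len(redirect) > MAX_REDIRECT_DOMAINS:
        raise ValueError(f"Redirect DNS supports at most {MAX_REDIRECT_DOMAINS} domains")


def dns_handler(qname: str, optimized=OPTIMIZED_SAAS_DOMAINS, redirect=REDIRECT_DNS) -> tuple:
    """Return (handler, matched_object, server) for a query name.

    Order of evaluation mirrors the text: the SaaS Express data-plane intercept is
    checked first, then the per-domain Redirect DNS table, then the default forwarder.
    """
    validate_redirect_config(redirect)

    # 1. SaaS Express intercepts queries for optimized application domains and
    #    proxies them to the ISP-learned / Exit Profile server, regardless of Redirect DNS.
    for app, domains in optimized.items():
        if any(_under(qname, d) for d in domains):
            return ("saas_express", app, ISP_LEARNED_DNS)

    # 2. Redirect DNS: assumption of this model, the most specific (longest) domain wins.
    matches = [d for d in redirect if _under(qname, d)]
    if matches:
        best = max(matches, key=len)
        return ("redirect_dns", best, redirect[best])

    # 3. Everything else goes to the default forwarder.
    return ("default", None, DEFAULT_DNS)


if __name__ == "__main__":
    for q in ("outlook.office365.com", "mail.corp.example.com", "example.org"):
        print(q, "->", dns_handler(q))
```

The overlap case is the one worth checking in a real deployment: if a domain appears both under an optimized application and in the Redirect DNS table, queries for it never reach the redirect server while optimization is enabled.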

Figure 1  Control plane—SaaS front door

Data Plane Integration

On the data plane, the following components act on SaaS traffic traversing the Branch Gateways:

For the security component, SaaS Express requires Advanced subscriptions. Because these subscriptions may not be present on every member of a group (where security policies are defined), the _saas aliases cannot be used there consistently. As a result, SaaS Express aliases are not available for use in session ACLs.

Global routing, in combination with PBR, determines the next hop(s) and provides up to four active (best cost/priority) paths to the WAN engine. WAN policies (SaaS/DPS) then determine which of those paths each traffic flow must take. For SaaS Express to be effective, traffic for the optimized SaaS applications must break out locally. Therefore, routing must determine the next hop and WAN must choose the path(s).

When SaaS and DPS policies coexist, SaaS policies always get indices 1-32, while DPS policies get indices 33-64. SaaS Express policies therefore always take precedence over DPS policies for any traffic going to the domains or IP addresses associated with the SaaS application being optimized.
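The interplay of routing candidates and WAN policy index ranges described above can be modelled in a few lines. The following Python example is added here as an illustration and is not ArubaOS code or internal data structures: routing supplies up to four candidate paths, SaaS policies are numbered 1-32 and DPS policies 33-64, and the lowest-index matching policy chooses among the candidates. The policy names, prefixes (standing in for the resolved IP addresses of an optimized application) and path labels are constructed placeholders.

```python
"""Illustrative model of WAN policy index allocation and path selection (constructed example)."""
from dataclasses import dataclass, field
import ipaddress

SAAS_INDEX_RANGE = range(1, 33)   # SaaS Express policies occupy indices 1-32
DPS_INDEX_RANGE = range(33, 65)   # DPS policies occupy indices 33-64
MAX_ACTIVE_PATHS = 4              # routing hands at most four active paths to the WAN engine


@dataclass
class WanPolicy:
    kind: str                           # "saas" or "dps"
    name: str
    match_prefixes: list                # destination prefixes this policy matches
    preferred_paths: list               # uplinks in order of preference
    index: int = 0                      # assigned by assign_indices()


def assign_indices(policies: list) -> list:
    """Number SaaS policies 1-32 and DPS policies 33-64, keeping configured order within each kind."""
    saas = [p for p in policies if p.kind == "saas"]
    dps = [p for p in policies if p.kind == "dps"]
    if len(saas) > len(SAAS_INDEX_RANGE) or len(dps) > len(DPS_INDEX_RANGE):
        raise ValueError("too many policies for the available index range")
    for idx, p in zip(SAAS_INDEX_RANGE, saas):
        p.index = idx
    for idx, p in zip(DPS_INDEX_RANGE, dps):
        p.index = idx
    return sorted(policies, key=lambda p: p.index)


def select_path(dst_ip: str, policies: list, routing_next_hops: list) -> tuple:
    """Pick the path for a flow: routing yields candidates, the lowest-index matching policy chooses.

    Returns (policy_index, policy_name, path). With no matching policy the first
    routing candidate is used (assumption of this model).
    """
    ip = ipaddress.ip_address(dst_ip)
    candidates = routing_next_hops[:MAX_ACTIVE_PATHS]
    for p in sorted(policies, key=lambda p: p.index):   # SaaS (1-32) always before DPS (33-64)
        if any(ip in ipaddress.ip_network(pfx) for pfx in p.match_prefixes):
            for path in p.preferred_paths:
                if path in candidates:                  # a policy can only pick a path routing offers
                    return (p.index, p.name, path)
    return (None, "default", candidates[0] if candidates else None)


def build_sample_policies() -> list:
    """Constructed sample: one SaaS policy breaking out locally, one catch-all DPS policy."""
    return assign_indices([
        WanPolicy("dps", "all_web", ["0.0.0.0/0"], ["MPLS", "INET1"]),
        WanPolicy("saas", "office365_saas", ["203.0.113.0/24"], ["INET1", "INET2"]),
    ])


if __name__ == "__main__":
    pols = build_sample_policies()
    hops = ["MPLS", "INET1", "INET2"]
    print(select_path("203.0.113.10", pols, hops))   # SaaS policy wins despite the DPS catch-all
    print(select_path("198.51.100.5", pols, hops))   # only the DPS policy matches
```

Note the second design point the text makes: a policy can only steer a flow onto a path that routing has already offered, so if none of a SaaS policy's preferred uplinks are among the routing candidates, the flow is not broken out locally no matter how low the policy index is.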

Figure 2  Data plane—Policy Based Routing