Link Search Menu Expand Document

SaaS Optimization Template

Use this template to select the SaaS applications/services you want to optimize.

To use this template, your EdgeConnect appliance must be registered with an Account Name and Account Key for the SaaS optimization feature.


SaaS optimization requires three things to work in tandem: SSL (Secure Socket Layer), subnet sharing, and Source NAT (Network Address Translation).

Enable SaaS optimization enables the appliance to contact the Cloud Intelligence Service and download information about SaaS services.

  • If Advertise is selected for a service (for example, SFDC), the appliance will:

    • Ping active SaaS subnets to determine RTT/metric

      • Add subnet sharing entries locally for subnets within RTT threshold

      • Advertise subnets and their metric (within threshold) via subnet sharing to client-side appliances

    • Upon seeing an SFDC flow, generate a substitute certificate for an SFDC SSL domain (one substitute certificate per domain)

    • Auto-generate dynamic NAT rules for SFDC (but not for unchecked services)

  • When Optimize is selected for a service (for example, SFDC), the appliance will:

    • Ping active SFDC subnets to determine the RTT (metric)

    • Does not advertise metric via subnet sharing (unless Advertise is also selected)

    • Receives subnet sharing metric (RTT) from associated appliances

    • Compares its own RTT (local metric) with advertised metric

      • If its own RTT is lower, then the packet is sent pass-through (direct to the SaaS server).

      • If an advertised RTT it lower, then the packet is tunnelized.

    • Generate a substitute certificate for an SFDC SSL domain (one sub cert per domain)

    • No NAT rules created

  • When Optimize is not selected for a service (for example, SFDC), the appliance:

    • Receives subnet sharing advertisements for SFDC but does not use them

    • Does no RTT calc pinging

    • Does not participate in SSL

    • Creates no NAT rules

    • Sends all SFDC traffic as pass-through

The RTT Calculation Interval specifies how frequently Orchestrator recalculates the Round Trip Time for the enabled Cloud applications.

The RTT Ping Interface specifies which interface to use to ping the enabled SaaS subnets for Round Trip Times. The default interface is wan0.


  • Initially, you might want to set a higher RTT Threshold value so that you can see a broader scope of reachable data centers/servers for any given SaaS application/service.

  • If the Monitoring page shows no results at 50 ms, you might want to reposition your SaaS gateway (advertising appliance) closer to the service.

Back to top

© Copyright 2024 Hewlett Packard Enterprise Development LP.

To view the end-user software agreement, go to HPE Aruba Networking EULA.

Open Source Code:

This product includes code licensed under certain open source licenses which require source compliance. The corresponding source for these components is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, please check if the code is available in the HPE Software Center at but, if not, send a written request for specific software version and product for which you want the open source code. Along with the request, please send a check or money order in the amount of US $10.00 to:

Hewlett Packard Enterprise Company
Attn: General Counsel
WW Corporate Headquarters
1701 E Mossy Oaks Rd Spring, TX 77389
United States of America