This video TIP will demonstrate how to disable SMB signing within a CIFS environment. The Citrix WanScaler optimizes the Microsoft CIFS protocol. This protocol, which was designed for a LAN environment, has a very high overhead and is bandwidth intensive. CIFS deployed over a WAN environment may provide unpredictable performance and user experience.
SMB signing digitally signs the CIFS protocol between two Microsoft servers. When SMB signing is enabled then the WanScaler cannot inspect the signed CIFS traffic. One must note that even with SMB enabled the WanScaler will accelerate layer 4 TCP traffic and some performance improvement will be seen. If an administrator wishes to experience the high gains of actually optimizing CIFS you must disable SMB.
Won't this have an effect on the security of the internal network? If "SMB signing" is disabled, won't anyone with a network sniffer be able to see the files downloaded in cleartext?
You can even see the traffic when signing is enabled. Signing does not mean encryption; it is just message integrity, which means MIM cannot change the content of the SMB packet.
Why does the article say "When SMB signing is enabled then the WanScaler cannot inspect the signed CIFS traffic"? Surely, if there is no encryption, then WanScaler should be able to inspect the signed CIFS traffic.
For a signed SMB connection the client and the server need to sign every packet so that the receiver is convinced it came from the right source/machine. Since we don't have the same keys to generate the signature, we won't be able to sign as the client or the server for the read ahead requests that we generate. If we can't do that we cannot do Read Ahead and hence no acceleration on the signed packet. This is a very good exercise for really digging into the protocol, signatures and acceleration. Any other topics that you wish to see me blog about?
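The point made in the two replies above (signing gives integrity, not confidentiality, and a device without the session key cannot issue its own signed read-ahead requests), as an added example that is not part of the original post or comments. It is a simplified model: the message layout, the names, and the use of truncated HMAC-SHA256 are assumptions for illustration, not the CIFS wire format or WanScaler code.

```python
import hashlib
import hmac
import os
import struct

SIG_LEN = 16  # constructed framing: 16-byte tag, then the cleartext payload

def _tag(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()[:SIG_LEN]

def sign(key, payload):
    """Sender: prefix the payload with its tag. The payload stays readable."""
    return _tag(key, payload) + payload

def verify(key, message):
    """Receiver: recompute the tag and compare in constant time."""
    return hmac.compare_digest(message[:SIG_LEN], _tag(key, message[SIG_LEN:]))

def read_request(file_id, offset, length):
    """Constructed READ request, not the real CIFS wire format."""
    return b"READ" + struct.pack("<IQI", file_id, offset, length)

def parse_read(message):
    """Any on-path observer can do this: signing does not encrypt."""
    return struct.unpack("<IQI", message[SIG_LEN + 4:])

def demo():
    session_key = os.urandom(16)  # shared by client and server only
    device_key = os.urandom(16)   # the in-path device lacks session_key

    client_msg = sign(session_key, read_request(7, 0, 65536))
    file_id, offset, length = parse_read(client_msg)

    # Read-ahead: the device tries to request the next block on its own.
    ahead = sign(device_key, read_request(file_id, offset + length, length))

    # A signed message modified in flight no longer matches its tag.
    tampered = client_msg[:-1] + bytes([client_msg[-1] ^ 0x01])
    return {
        "visible_fields": (file_id, offset, length),
        "client_accepted": verify(session_key, client_msg),
        "read_ahead_accepted": verify(session_key, ahead),
        "tampered_accepted": verify(session_key, tampered),
    }

if __name__ == "__main__":
    print(demo())
```

The request fields are readable without any key, while the server accepts only the message signed with the session key.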
The article should be adjusted to say you are disabling SMB signing. It reads as if you are disabling SMB, which is misleading.
"One must note that even with SMB signing enabled the WanScaler will accelerate layer 4 TCP traffic and some performance improvement will be seen. If an administrator wishes to experience the high gains of actually optimizing CIFS you must disable SMB signing."