Product Overview
This chapter provides an overview of the SteelCentral Controller for SteelHead (SCC). The SCC enables you to manage, configure, and monitor Riverbed products. The SCC also acts as an enterprise management and reporting tool for Riverbed products enabling greater control for global network deployments. It includes these sections:
This chapter assumes you have installed and performed the initial configuration of the SCC. For details, see the SteelCentral Controller for SteelHead Installation Guide.
This chapter also assumes that you’re familiar with the various deployment options available to you. For details, see the SteelHead Deployment Guide and the SteelCentral Controller for SteelHead Deployment Guide.
We recommend that you don’t use the Riverbed CLI to configure the SCC.
Hardware and software dependencies
This section provides information about product dependencies and compatibility. It includes these topics:
Hardware and software requirements
SCC component | Hardware and software requirements |
SCC appliance | 19-inch (483-mm) two-post or four-post rack. Model 1000 can be installed on a desktop. |
SCC Management Console | The SCC has been tested with Mozilla Firefox Extended Support Release version 38, and Microsoft Internet Explorer 11. When you upgrade to 9.0 or later clear the browser cache and cookies to ensure the user interface displays correctly. JavaScript and cookies must be enabled in your web browser. |
SCC compatibility
As a result of updating the version of Secure Shell (SSH), older releases of SCC can’t connect to newer software on managed appliances. If you plan to upgrade your appliances, upgrade the SCC first to avoid disconnections. For details, go to Knowledge Base article
S27759.
SteelHead CX
SCC supports configuration and monitoring for SteelHead CX 8.6 and later.
In general, each SCC version can manage the features found in the similarly numbered RiOS version. For optimum compatibility, we recommend aligning the SCC and SteelHead versions.
The SCC can manage features where they occur in a previous RiOS version. For example, with SCC 9.9 managing SteelHead 9.8 systems, the SCC can manage the 9.8 features on the SteelHeads only.
In general there is no forward compatibility for SteelHeads; the SCC must be equal to or higher than the SteelHead RiOS version. That is, SCC 9.9 can support SteelHead RiOS 8.6 or later up to 9.9 only.
To view how many SteelHeads an SCC can manage, go to Knowledge Base article
S14106.
SteelHead EX
SCC supports configuration and monitoring for SteelHead EX 3.5.3 and later.
This table shows the supported and recommend SCC versions for SteelHead EX releases.
EX version | SteelHead RiOS version | Recommended SCC version |
5.5.1 | 9.7.1 | 9.7.1 |
5.5 | 9.7.0a | 9.7.1 |
5.1.1 | 9.6.1 | 9.7 |
5.0 | 9.5.0a | 9.5.1 |
4.6 | 9.2.1 | 9.2.2 |
4.5 | 9.2.1 | 9.2 |
4.3 | 9.1.2 | 9.1.0e |
4.2 | 9.1.1a | 9.1.0d |
4.1 | 9.1 | 9.1 |
3.6 | 9.0 | 9.0 |
3.5.3 | 8.6 | 8.6.0 |
SteelHead Interceptor
SCC supports configuration and monitoring for SteelHead Interceptor 4.0 and later.
Pushing configurations to appliances is limited to Xbridge, system settings, security settings, in-path, and load-balancing rules for clusters.
SteelHead Mobile
SCC supports monitoring only for SteelHead Mobile 4.0 and later.
SteelFusion Core
SCC supports monitoring only for SteelFusion Core 4.0 and later.
SteelFusion Edge
SCC supports monitoring and partial configuration for SteelFusion Edge 4.0 and later. SCC lets you configure and monitor SteelHead (RiOS) features except web proxy. You can’t configure ESXi from the SCC.
Legacy policy push restrictions
These restrictions only apply to policies configured with software versions prior to SCC 9.0.x.
SCC feature | SteelHead CX software | SteelHead EX software |
Legacy Outbound QoS (Basic) | 8.6. x only supported 9.0 and later not supported | 3.5.3 only supported 3.6.x and later not supported |
Legacy Outbound QoS (Advanced) | 8.6.x only supported 9.0 and later not supported | 3.5.3 only supported 3.6.x and later not supported |
Legacy Outbound QoS Interfaces | 9.0 and later not supported | 3.6.x and later not supported |
Legacy Inbound QoS | 9.0 and later not supported | 3.6.x and later not supported |
Legacy Inbound QoS Interfaces | 9.0 or later not supported | 3.6.x or later not supported |
Legacy Path Selection | 8.6.x only supported 9.0 or later not supported | 3.5.3 only supported 3.6.x or later not supported |
Firewall requirements
These ports must be open for the SCC to function properly:
• TCP port 9443 and 443 for HTTPS communication. SCC 9.0.0 and later use port 443 for the REST API SSL key exchange between SCC and SteelHeads. After the certificate exchange is successful, an OCC channel is established between the SteelHead and the SCC on port 9443; thereafter SCC uses port 9443 to communicate with the SteelHeads.
• TCP port 22 for CLI communication.
• If the network is public, UDP port 4500 for encryption services.
Because optimization between SteelHeads typically takes place over a secure WAN, it isn’t necessary to configure company firewalls to support SteelHead-specific ports.
If your SteelHead is behind a firewall, you can configure an SSL authorized port using the CLI to connect and manage these SteelHeads. For detailed information, see
Connecting SteelHeads when the SCC is behind a firewall.Upgrading the SCC
You can upgrade the SCC only to the next major version. Don’t skip intermediate major versions. Multiversion upgrades and downgrades can result in database incompatibilities, potentially leading to data corruption.
Image signature verification
Riverbed software images are now digitally signed, ensuring the integrity and authenticity of the image. Verifying an image is performed by comparing a public key, or image signing certificate, with the image signature. The public key for Riverbed images can be found at
https://support.riverbed.com.
Image verification is enabled by default. We strongly recommend that it remain enabled at all times. Disable this feature only when absolutely necessary.
For instructions on how to enable or disable this feature, see
Upgrading your software.For instructions on how to view the status of image signatures, see
Uploading local software images.For instructions on how to upload signed certificates and view certificate details, see
Upgrading your software.For instructions on how to enable or disable this feature on managed appliances, see
Enabling and disabling image signature verification.Upgrade considerations
If you’re running SCC 8.6 or earlier, you must perform a multistep upgrade. For example:
5.5.4c > (6.0.1 or 6.1.x) > 6.5.x > (7.0.x or 8.0.x) > 8.5.x > 8.6.x > (9.0.x or 9.1.x or 9.2.x) > (9.5.x or 9.6.x or 9.7.x or 9.8.x) > 9.9.x
You can upgrade from SCC 8.6 > 9.9, but a multistep upgrade ensures that automigration of statistics occurs correctly. Contact Riverbed Support at
https://support.riverbed.com for detailed information about upgrade paths.
Upon upgrading, clear your browser cache and cookies to ensure that the SCC Management Console displays correctly. Also upon upgrading, make sure none of the processes have exited due to an error. All new and existing processes should run as expected. Some processes are dependent on other processes so they might take time to run at start up.
With SCC 9.0 or later, policy push configurations with the SteelHeads running RiOS 8.0 or later (that is, SteelHead CXs running 8.0+ and SteelHead EXs running 3.6 or later) aren’t supported. Earlier version appliances are still connected and the SCC still manages health and alarms for these appliances. The SCC 9.0 or later doesn’t support policy pushes for SteelHead EX 2.0 and earlier and SteelHead CXs 8.0 and earlier.
Consider these guidelines before upgrading SCC:
• The SCC must be upgraded to RiOS 8.6 before it can be upgraded to 9.0 or later.
• Upgrading from RiOS 8.6.x or earlier to 9.0 or later doesn’t automatically migrate previous QoS rules to a new configuration. Version 9.0 and later provides a QoS migration wizard to assist you in migrating your QoS rules.
• You can’t migrate previous path selection rules from SCC 8.6.x or earlier to 9.0 or later.
• If you mix RiOS software versions in your network, the releases might not fully support certain features (for example, QoS) and you can’t take full advantage of the 9.0 and later features that aren’t part of the prior software versions.
• When upgrading large deployments (that is, more than1000 appliances) be aware that the initial upgrade may take several hours.
Recommended upgrade paths
To find allowed upgrades between software versions and recommended upgrade paths, see Riverbed Support at
https://support.riverbed.com. The tool includes the recommended intermediate software versions.
• The SCC must be upgraded to 8.6 before it can be upgraded to 9.1 or later.
• The SCC must be upgraded to 8.5 before it can be upgraded to 8.6.
• The SCC must be upgraded to 8.0 before it can be upgraded to 8.5.
If you’re running a version of the SCC prior to 8.0, contact Riverbed Support regarding acceptable upgrade paths.
Upgrading the SCC software version
Perform this task to upgrade your software. These instructions assume you’re familiar with the SCC, the CLI, and the SCC Management Console.
To upgrade SCC software
1. Download the software image from Riverbed Support to your desktop.
2. Log in to the SCC using the administrator account (admin).
3. Choose Administration > Maintenance: Software Upgrade to display the Software Upgrade page.
4. Under Install Upgrade, choose one of these options:
– From URL - Type the URL that points to the software image that you want to upgrade to. Use one of these formats:
http://host/path/to/file
https://host/path/to/file
ftp://user:password@host/path/to/file
scp://user:password@host/path/to/file
– From Riverbed Support Site - Before you begin, make sure you have created a support account at
https://support.riverbed.com. Select the target release number from the drop-down list to download a delta image directly to the appliance from the Riverbed Support site. The downloaded image includes only the incremental changes. You don’t need to download the entire image. The system downloads and installs the new image immediately after you click
Install. To download and install the image later, schedule another date or time before you click
Install.
– From Local File - Browse to your file system and select the software image.
– Schedule Upgrade for Later - Type the date and time using this format:
yyyy/mm/dd hh:mm:ss
5. Click Install to upgrade your SCC software.
The software image can be quite large; uploading the image to the system can take a few minutes. Downloading a delta image directly from the Riverbed Support site is faster because the downloaded image includes only the incremental changes and is downloaded directly to the appliance.
As the upgrade progresses, status messages appear.
After the installation is complete, you’re reminded to reboot the system to switch to the new version of the software.
6. Choose Administration > Maintenance: Reboot/Shutdown and click Reboot.
The appliance can take a few minutes to reboot. This behavior is normal because the software is configuring the recovery flash device. Don’t press Ctrl+C, unplug, or otherwise shut down the system during this first boot. There’s no indication displayed during the system boot that the recovery flash device is being configured. After the reboot, the Dashboard, Software Upgrade, and Help pages in the Management Console display the RiOS version upgrade.
Migration procedures
For detailed information about SCC migration best practices, see
SCC Best Practices. SteelHead autoregistration
SteelHeads must be registered with the SCC so that you can monitor and manage them with the SCC.
SteelHeads are designed to send a registration request periodically to the SCC—either to an IP address or hostname you specify when you run the SteelHead configuration wizard, or to a default SCC hostname. For autoregistration with the default hostname to work, you must configure your DNS server to map to the hostname riverbedcmc and the IP address of the SCC either as a CNAME or as an A record.
During autoregistration, the SteelHeads don’t send passwords to the SCC. Unless the password value has been modified in the Manage Appliances page, the SCC assumes that the default password is password. For details, see
Adding appliances.After a SteelHead is registered, you can set autoconfiguration to automatically push the current configuration when the SteelHead connects.
SCC scaling best practices
The SCC can manage up to 2500 appliances on models 1000, 8151, and 8152. The SCC-VE (virtual models 8151 and 8152) configuration must be equivalent, or better, to the model 1000 to support 2500 appliances.
Adhere to these guidelines for deployments with 1500 or more appliances:
• Legacy policy pushes must be limited to 200 appliance at a time. This process may take several minutes for a larger set of appliances.
• Hybrid network policy pushes are limited to 500 appliances at a time. This process may take several minutes for a larger set of appliances.
• If a legacy and hybrid networking policy push must be performed together, then the push is limited to 200 appliances at a time. This process may take several minutes for a larger set of appliances.
• When upgrading large deployments, the initial upgrade may take several hours.
• If your deployment contains more than 1000 appliances, backups will take more than three hours.
HTTPS communication channel
Traditionally, appliances communicated with the SCC via an SSH channel. In SCC 9.0, an HTTPS (on TCP port 9443) communication channel was added. This channel is used to push and pull the new hybrid networking features supported in the SCC (for example, path selection, QoS, and secure transport).
For managed appliances (SteelHead 9.0, SteelHead EX 3.6, SteelFusion 4.0, and later) both the SSH and the HTTPS channels must be in a connected state. If either one of these channels is down, then a push from the SCC to the appliance will fail. For instance if the HTTPS connection is down, pushing the hybrid network configuration from the SCC to appliances will fail.
For detailed information about troubleshooting, see
HTTPS communication channel. Connecting SteelHeads when the SCC is behind a firewall
SCC 9.2 and later provides you with the ability to configure an SSL authentication port for SteelHeads when the SCC is behind a firewall with restricted access to ports 443 and 80. This feature enables SteelHeads to communicate with SCC. You configure the SSL authentication port using the SCC CLI.
This diagram shows a SH-1 connected to the SCC that’s listening on port 443 without a firewall. The SH-2 is connected to the SCC through a firewall that has restricted access to ports 443 and 80. On the SCC for SH-2, you can configure an SSL authentication port (for example, 7443) using a CLI command enabling you to communicate with SH-2.
Figure: SCC with custom authorized port 7443
You can configure one additional authentication port in addition to the existing port 443.
The SSL authentication port feature is only available via the CLI; it isn’t available in the SCC Management Console.
For detailed information about connecting and using the Riverbed CLI, see the Riverbed Command-Line Interface Reference Manual.
To enable communication to SteelHeads with restricted access
1. On the SCC, connect to the CLI in configuration mode. For detailed information about connecting and using the Riverbed CLI, see the Riverbed Command-Line Interface Reference Manual.
2. To configure SSL authentication port access, at the system prompt enter:
amnesiac (config) # ocs authport port <port-number>
where <port-number> is the authentication port number on which you want to establish communication with the SCC.
3. On the SteelHead, connect to the CLI in configuration mode and enter this command at the system prompt:
ocd connection cmc csr_auth auth_port <port-number>
where <port-number> is the authorized port number on which you want to establish communication with the SCC. Make sure this is the same port you configured on the SCC.
Troubleshooting
On the SCC:
• The port number should have an appropriate entry when you run the netstat command. On the SCC, via the shell, at the system prompt enter:
netstat -an |grep <port-number>
• The port number should be listed in the Apache /etc/httpd/http.conf file:
Listen <port-number>
If the port number doesn’t appear, restart the HTTP service on the SCC:
pm process httpd restart
On the SteelHead:
• Enter the show ocd connections command. It should list the port number as Auth Port and Status “Connected.”
• To ensure registration is successful, enter these commands:
amnesiac # show scc
amnesiac # show cmc
Connecting to the SCC Management Console
To connect to the Management Console, you must know the host, domain, and administrator password that you assigned in the configuration wizard.
Note: Cookies and JavaScript must be enabled in your web browser.
Note: Before you begin, clear your browser cache and cookies to ensure the user interface displays correctly.
To connect to the SCC Management Console
1. Enter the URL for the SCC in the location box of your browser:
<protocol>://<host>.<domain>
<protocol> is http or https. The secure HTTPS uses the SSL protocol to ensure a secure environment. When you connect using HTTPS, you’re prompted to inspect and verify the SSL certificate. This is a self-signed certificate used to provide encrypted web connections to the SCC.
<host> is the IP address or hostname you assigned the SCC during initial configuration. If your DNS server maps the IP address to a name, you can specify the DNS name.
<domain> is the full domain name for the SCC.
The SCC Sign In page appears.
2. In the text box, specify the user login: admin, monitor, a login from a RADIUS or a TACACS+ database, or a previously configured role-based management (RBM) account.
The default login is admin. Users with administrator privileges can configure and administer the SCC. Users with monitor privileges can view SCC reports but they can’t configure the system.
3. In the Password text box, specify the password you assigned in the configuration wizard of the SCC.
The SCC is shipped with password as the default password.
4. Click Log In to log in to display the dashboard.