Installing On-Premise SCM
Complete the tasks in this chapter to install On-Premise SCM. After installation is complete, use SCM to manage your SD-WAN gateways, Wi-Fi access points, and Ethernet switches with the same functionality as the web-based SCM. For details, see the SteelConnect Manager User Guide and the SteelConnect SD-WAN Deployment Guide.
Before you begin
Here’s what you need to install On-Premise SCM.
Riverbed-provided links and files
•Link to the On-Premise SCM Open Virtualization Appliance (OVA) image - Use the link to download and install the OVA image.
•Riverbed-supplied license token - Use the token to license SteelConnect.
Virtual machine
•VMware ESXi virtualization (hypervisor) software - Use this software to import the On-Premise SCM open virtual appliance (OVA) file. Make sure this software is downloaded, installed, and ready to use.
On-Premise SCM has been qualified with vSphere 6.x.
Security certificates
•SSL certificates and keys (in PEM format) - Required for the fully qualified domain name (FQDN) you are using for SCM (for example, scm.example.com).
Use your certificate authority to generate the certificate and key, or create them by following the procedures in
Generating a certificate and key. When you create the certificate, make sure to match the FQDN of the SCM in the DNS with the common name in the certificate.
Network access and device requirements
•Internet connectivity - On-Premise SCM uses the internet to communicate with the web-based ZTP services.
•DHCP - to provide DNS, gateway, and IP address information to SCM and the SteelConnect appliance, DHCP is required when you install SCM and any time you reboot SCM.
•DNS server - A server to which you can add A-record and SRV record entries and that is accessible to SCM and all SteelConnect appliances is required. See
DNS setup for details.
Provisioning the On-Premise SCM image
To provision the On-Premise SCM image, you import the On-Premise SCM virtual appliance (OVA) file, which starts the On-Premises SCM Launcher (SCM Launcher). You then add the required values to provision and start SCM for the first time.
To import the OVA file
VMware ESXi virtualization (hypervisor) software is required.
If this installation is for demonstration purposes only, you can use Oracle VirtualBox or VMware Fusion; however, functionality of the On-Premise SCM can’t be guaranteed.
1. Open VMware ESXi.
2. Right-click Host in the VMware Host Client inventory and select Create/Register VM.
The New Virtual Machine opens.
3. In the Select creation type page, select Deploy a virtual machine from an OVF or OVA file and click Next.
4. In the Select OVF and VMDK files page, enter a name for the virtual machine.
5. Click the blue pane, select Riverbed-supplied OVA file, click Open, and then click Next.
Select OVF and VMDK files page
6. In the Select storage page, select a datastore from the list of available datastores and click Next.
Select storage page
7. In the Deployment options page, select these options:
•In the Network mappings field, specify a port group associated with a connected network interface card (NIC).
Make sure that the port group has access to all the inbound and outbound ports that are required for On-Premise SCM to function. See
Ports required for operation for details.
•In the Disk provisioning field, select either Thin or Thick.
Deployment options page shows that Thin is selected; however, selecting Thick can give better performance and reduce datastore over-subscription issues.
•Click Next.
Deployment options page
8. In the Ready to complete page, review your options and click Finish.
The On-Premise SCM instance is created on the virtual machine.
Ready to complete page
9. Select the Console tab in the virtual machine and make a note of the displayed IP address. You use this address to log in to the SCM Launcher. The address is blurred out in
Console tab and IP address in the VM.
If the IP address is in the 172.17.0.1/16 range, you need to reconfigure your DHCP server to provide addresses outside this range and then restart the VM to receive another IP address. See
Virtual machine limitations.
Console tab and IP address in the VM
To provision SCM for the first time
1. Using a browser, log in to the SCM Launcher at http://<
scm-ip-address>:3899, using the IP address that you noted in
Step 9 of the previous procedure.
2. In the Token value field, enter the Riverbed-supplied token value.
3. Click Upload Certificate and then navigate to and upload your certificate file. If you generated this file, it is named gui-cert.pem. This filename must end with -cert.pem.
4. Click
Upload Key and then navigate to and upload the file that contains the certificate keys for the certificate file you uploaded in
Step 3. If you generated this file, it is named gui-key.pem. The filename of the certificate key must end with -key.pem. The certificate key must not require a password.
5. Enter these values in the Provision SteelConnect Manager page:
•In the Fully Qualified Domain name field, enter the FQDN for SCM.
•In the Timezone field, enter the time zone for SCM.
6. Optional: To set a static IP address for SCM and the DNS server, complete these steps. If you are using DHCP to receive the IP address, these steps are not required.
•In the IP Address field, select the Static tab.
•In the IP Address field, enter the IP address of the DNS server, default gateway, the IP address to use for SCM, and the subnet mask.
7. In the Set Login information fields, enter a username and password for the SCM Launcher.
Make a note of this information; it can’t be retrieved and is required to log in to the SCM Launcher.
8. Click Provision.
It can take up to 45 minutes to provision the SCM.
After you provision SCM for the first time, the SCM Launcher changes appearance. To view or edit any of this information after provisioning, choose Settings in the left navigation pane.
Logging in to the SCM Launcher and SCM
1. Using a browser, log in to the On-Premises SCM Launcher at http://<scm-ip-address>:3899. This is the same IP address you used in the previous procedure.
For username and password, use the credentials you created in the Provision SteelConnect Manager page.
SCM Launcher login page
2. Click Visit your SteelConnect Manager on the top right of the SCM Launcher page to go to SCM.
The default username is admin and the default password is pppp.
Visit SteelConnect Manager
If SCM does not start, see
SCM does not start for troubleshooting tips.
Upgrading SCM
When you start the SCM Launcher for the first time, it connects to the ZTP services using SSL (x509) certificates and the latest image is retrieved. Verify that you have the latest image by performing the steps in this procedure.
Use this procedure if you are running an existing On-Premise SCM; this procedure upgrades your SCM version to 2.11.4.
Schedule a maintenance window for this upgrade; the Launcher and the SCM versions are both updated during this procedure, which can take up to 8 hours.
We strongly recommend that you upgrade the firmware on any gateways immediately after upgrading SCM because the SCM upgrade will have a service impact on the existing VPN tunnels between gateways. For more information about upgrading gateway firmware, see
Step 3 of the upgrade procedure.
To upgrade On-Premise SCM
1. Perform these steps to back up the system:
•Take a snapshot of your VM using the ESXi snapshot utility. Refer to the VMware ESXi documentation for details.
2. From the SCM Launcher, click Visit your SteelConnect Manager on the top right of the page to check the software version. The default username for SCM is admin and the default password is pppp.
The version is shown in the What’s New area.
Version number on SCM page
3. Make sure that the SCM upgrades its gateway firmware immediately after the SCM upgrade by choosing Realm, then selecting the Maintenance tab, and making sure that Apply firmware upgrades immediately is set to On.
Setting firmware updates to On
4. Return to the SCM Launcher page and click Upgrade.
If the version on the SCM matches the version listed in the Upgrade page, no update is required.
5. Click the Update button to upgrade SCM and the SCM Launcher to the latest version.
Upgrading the SCM software
These screens display during the upgrade.
Upgrade beginning
Upgrade complete
6. Log in to the SCM Launcher and SCM and check the Launcher and SCM versions.
The SCM Launcher version should be 0.1.15 and the SCM version should be 2.11.4.
7. Make sure that the SCM upgrades its firmware immediately by choosing Realm, then selecting the Maintenance tab, and making sure that Apply firmware upgrades immediately is set to On.
Setting firmware updates to On
If the upgrade failed, see
System does not update to troubleshoot update issues.
DNS setup
Make these DNS changes to allow your network to run On-Premise SCM:
Adding or modifying the A-record and SRV records for static DNS
This section describes how to add or modify a DNS address record (A-record) and service records (SRV records). An A-record maps a domain name to the IP address of the computer that hosts the domain. An SRV record is a DNS resource record that is used to identify computers that host specific services.
If you do not have access to DNS records, ask your network administrator to configure these settings. Configuration depends on the type of server software that is used (for example, BIND or Microsoft DNS).
Add a DNS A-record
The A‑record uses the IP address of the VM where the On-Premise SCM is hosted and the FQDN uses the SCM name.
To add a DNS A-record
1. From the Server Manager console of the Windows server, choose Tools > DNS to display the DNS Manager window.
2. Right-click the domain name and select New Domain.
DNS configuration - add new domain
3. In the Type the new DNS domain name field, enter scm.
DNS configuration - new DNS domain name
The new DNS domain with the name scm is created.
4. Right-click the scm domain and select New Host (A or AAAA).
DNS configuration - add new host
5. In the New Host window, leave the Name field empty for the new host to use the parent domain name.
DNS configuration - new host settings
6. Enter the IP address of the SCM.
7. Click Add Host and click OK to confirm the A-record creation.
Add SRV records
Add SRV records under the A-record (also known as subdomain).
To add SRV records
1. Right-click the scm domain and select Other New Records.
DNS configuration - add SRV record
The Resource Record Type window appears.
2. Under Select a resource record type, select Service Location (SRV) from the list of resource record types and click Create Record.
DNS configuration - select SRV record type
3. Configure the SRV record with the settings described in this table.
Field | Setting |
Service | _cc |
Protocol | _tcp |
Priority | 10 |
Weight | 10 |
Port number | 3900 |
Host offering this service | scm.<your-domain>.com Note: Specifies the A-record. For example, scm.example.com. |
DNS configuration - SRV record settings shows an SRV record in Windows Server, using the SCM FQDN of scm.example.com. Note the use of _cc and _tcp for service and protocol.
DNS configuration - SRV record settings
4. Click OK and click Done to save the configuration settings.
Verifying DNS setup
You can run these commands using the CLI to verify that the DNS service is configured properly:
•Run the nslookup <domain-name> command to verify that the domain name and IP address are mapped correctly:
C:\Users\Administrator> nslookup scm.example.com.
Server: UnKnown
Address: ::1
Name: scm.example.com
Address: 10.1.1.1
•Run the nslookup -q=srv _cc._tcp.<domain-name> command to view and verify the SRV record details:
C:\Users\Administrator>nslookup -q=srv _cc._tcp.scm.example.com.
Server: UnKnown
Address: ::1
_cc._tcp.scm.example.com SRV service location:
priority = 10
weight = 10
port = 3900
svr hostname = scm.example.com
scm.example.com internet address = 10.1.1.1
Alternatively, you can run the dig srv _cc._tcp.<domain-name> command to verify the SRV records.
Configuring DNS to ensure SCM and SteelConnect appliance connectivity
On-Premise SCM deployments require additional configuration to make sure that SteelConnect appliances use the DNS server with the modified A-record and SRV record. This configuration ensures that the SCM domain name can be resolved for all SteelConnect appliances, and it prevents the SteelConnect appliance from using public Google DNS servers if the default DHCP-assigned DNS server fails. See
Registering an appliance for more information about appliance registration.
There are two methods to configure DNS. Choose one that is best for the network:
To change the DNS settings for all DNS queries
1. Log in to SCM and choose Network Design > Sites.
2. Select a site from the list.
3. Select the DNS tab.
4. After Site DNS Server, specify the IPv4 or IPv6 DNS server primary IP address and click Submit.
To resolve DNS labels using specific internal servers
1. Choose Network Design > Sites.
2. Select a site from the list.
3. Select the DNS tab and click New DNS route.
DNS tab
4. In the Domain field, specify the domain name of the SCM.
For example, if your SCM FQDN is scm.example.com, add scm.example.com to the list of domains.
New DNS route
5. Specify the IPv4 or IPv6 address of the target server to use to route the domain.
Separate multiple IP addresses with a space.
6. Verify the DNS configuration.
Registering an appliance
After SCM is running in your enterprise network, register appliances to it. These sections describe how SteelConnect registers appliances and the steps you perform to register them.
On-Premise SCM supports these appliances:
•Access Points
–SDI-AP3
–SDI-AP5
–SDI-AP5R
•Gateways
–SDI-130
–SDI-330
–SDI-1030
–SDI-2030
–SDI-5030
•SteelHead-SD
–570-SD
–770-SD
–3070-SD
•Switches
–SDI-S12
–SDI-S24
–SDI-S48
•Virtual Gateways
–SDI-VGW
Appliance registration overview
For a SteelConnect hardware (nonvirtual) appliance, you enter the serial number of the appliance, which facilitates the pairing of the SCM and appliance.
SteelConnect appliances find their assigned SCM using the registration process shown in
SCM registration process.
SCM registration process
These steps describe the hardware registration process. The numbers correspond to the callouts shown in the figure.
| The SteelConnect appliance boots and gets an IP address from DHCP or another network service. The DNS must have a record of the URL used for the ZTP services or the gateway can’t perform the next steps. Most enterprise DNS servers can resolve external hostnames. To configure DNS for On-Premise SCM, see DNS setup. |
| The appliance contacts the server used for ZTP services, which replies with the SRV record of the assigned SCM. |
| The appliance sends its serial number and DNS information to the ZTP services located in the cloud. Once received, the ZTP services confirm the received information with the information found in its database. |
| The appliance queries a DNS server to resolve the SRV record, which results in the appliance receiving a domain address and port from the assigned SCM. |
| The gateway registers itself to its assigned On-Premise SCM and downloads its configuration. |
Registering an appliance
Complete this procedure to register a hardware appliance.
To register a hardware SteelConnect appliance
1. Choose Organization.
2. Choose Appliances.
3. Click Add appliances > Register Hardware Appliance.
4. Enter the serial number of the appliance.
5. Select the site and click Submit.
Adding a hardware (nonvirtual) gateway
SCM will inform ZTP of the pairing.
After the appliance is powered on, it contacts ZTP, which pairs SCM with the appliance.
Registering a SteelConnect virtual gateway
An internet connection is required to register a virtual gateway. After you download the image and bring up the virtual machine, the virtual gateway contacts the ZTP services using the internet connection to pair SCM with the virtual gateway.
To register a SteelConnect virtual gateway
1. Choose Organization.
2. Choose Appliances.
3. Click Add appliances > Create Virtual Gateway.
4. Select the site and click Submit.
5. Select the OVA image associated with the virtual appliance.
Adding a virtual gateway
6. Optionally, override the default DNS for the virtual gateway by navigating to Network > Sites > DNS and entering the IP address for the DNS server that is used to connect to the ZTP services.
This information is saved in the OVA file and is used for the gateway to connect to ZTP, as well as to pair the gateway with SCM.
Migrating from SCM to On-Premise SCM
If you have an existing SCM setup, you can migrate an organization to On-Premise SCM. Use the guidelines and procedures in the following sections to migrate from SCM to On-Premise SCM.
What to know before migrating from SCM to On-Premise SCM
•On-Premise SCM must have a connection to the internet to function. See
Appliance registration overview for an overview of the registration process for On-Premise SCM.
•High availability is managed by the customer using the capabilities in ESX; Riverbed does not manage HA for On-Premise SCM.
•Service-level agreements (SLAs) are managed by the customer.
To migrate from SCM to On-Premise SCM
1. Refer to the instructions in the email you received to download the On-Premise SCM software.
3. Make sure that the On-Premise SCM and the non-On-Premise SCM versions are at version 2.11.4.
To export and download data for an organization from SCM
1. Log in to your current SCM and click Realm to enter Realm Admin mode.
2. Choose Organizations in the left navigation pane.
3. Click the name of an organization in the Organizations area.
4. Select the Import/Export tab.
5. Click (Re-) Generate export package to generate an export package.
Exporting an organization file
6. Make a note of the download location.
7. Perform this procedure for each organization in your realm.
To import data for an organization to On-Premise SCM
1. Log in to On-Premise SCM and click Realm to enter Realm Admin mode.
2. Choose Organizations in the left navigation pane.
3. Click New > Import.
Importing a new organization
5. After the organization is imported, select the name of the organization and select the Import/Export tab.
6. Click Migrate Organization to this controller.
7. Perform this procedure for each organization in your realm.
Backing up and restoring an On-Premise SCM
We recommend taking advantage of VMware features when you deploy On-Premise SCM. VM features include fault tolerance, high availability, Distributed Resource Scheduler (DRS), and the ability to back up without interference with the VM that is running. Perform backups on a regular schedule as with all other production applications.
In addition to VMware backups, you can download and back up the current configuration for backup purposes.
There is no need to back up the gateways, access points, or switches. Configurations of the devices are stored in SCM and pushed to the devices when connected to the network, along with any firmware.
To back up an On-Premise SCM
1. Log in to the SCM Launcher and click Backup or Restore.
Backup or Restore
2. Click Backup SCM Now.
The file is saved to the configured download location of your browser.
3. Click OK when the backup is complete.
To restore an On-Premise SCM from a previous image
1. Log in to SCM.
2. Click Backup or Restore.
3. Select Restore from Saved File.
4. Select the file from which to restore.
5. Reboot the system.
If you set static values for the SCM or DNS server, specify those values after the backup.
Generating a certificate and key
All communication between the appliances and ZTP, as well as all interoperating services inside of ZTP, are authenticated through SSL (x509) certificate validation, which can either be generated by the certificate authority being used by the enterprise or by using this procedure.
To generate the SSL certificate and key without using a certificate service
1. Open a command-line interface (CLI) window with a machine that is running the OpenSSL toolkit.
2. Using OpenSSL, run these commands to create the key and certificate request:
openssl genrsa -des3 -passout pass:xxxx -out server.pass.key 2048
openssl rsa -passin pass:xxxx -in server.pass.key -out server.key
openssl req -new -key server.key -out server.csr
A series of questions are asked when you run this script. When asked for the Common Name, use the FQDN of the SCM.
3. Download the server.csr file.
4. Send the server.csr file to your Certificate Authority to be signed or run these commands using OpenSSL to sign it:
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
openssl x509 -inform PEM -in server.crt > gui-cert.pem
openssl rsa -in server.key -text > gui-key.pem
5. If you generated the certificate (gui-cert.pem) and key (gui-key.pem) files with OpenSSL, save those files.
What’s next
For more information about using SCM, see the SteelConnect Manager User Guide. For more information about deploying SteelConnect, see the SteelConnect SD-WAN Deployment Guide.
