Overview of SteelCentral Controller for SteelHead Mobile Deployment
Before you begin the installation and configuration process for the Mobile Controller, you must select a network deployment. This section describes the Mobile Controller deployment options. This section includes the following topics:
  • Basic Setup for Deploying Mobile Controller
  • Mobile Controller with VPN Deployments
  • Mobile Controller with Firewall Deployments
  • Branch Office and Remote Access Deployments
Basic Setup for Deploying Mobile Controller
    The Mobile Controller ships with default policies. You can install and deploy the Mobile Controller without modifying the default policies, or you can modify them to suit your environment.
    If your network environment requires the deployment of multiple Microsoft Installer (MSI) packages, create the packages you need before you deploy the default package.
    To install the Mobile Controller using the default Initial policy provided, deploy the MSI package named Default. The default MSI package installs the default policies.
    For the basic steps for how to install and configure the Mobile Controller and how to deploy the default MSI package to the SteelHead Mobile in your network, see the SteelCentral Controller for SteelHead Mobile User’s Guide.
Mobile Controller with VPN Deployments
    When you deploy Mobile Controller components in environments with VPNs, make sure that you do not optimize the VPN tunnel. If the VPN tunnel uses TCP for transport, add a pass-through rule to the policy for the VPN port number connected to by the client. Depending on your deployment scenario, this rule might be the first rule in the list.
    VPNs that use IPSec as the transport protocol do not need a pass-through rule.
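A way to check a policy's rule order against the guidance above, as an added example that is not part of the original guide and does not use Mobile Controller syntax. The `Rule` tuple, the first-match evaluation model and port 443 as the VPN port are assumptions made for illustration.

```python
from collections import namedtuple

# Simplified model (an assumption, not product syntax): rules are checked
# top to bottom and the first rule matching the destination port decides.
Rule = namedtuple("Rule", "action port", defaults=(None,))  # port None = any port

def first_match(rules, port):
    """Return (index, rule) of the first rule that matches `port`, else None."""
    for i, r in enumerate(rules):
        if r.port is None or r.port == port:
            return i, r
    return None

def check_vpn_rule(rules, vpn_transport, vpn_port=None):
    """Report whether the policy keeps the VPN tunnel out of optimization."""
    if vpn_transport.lower() == "ipsec":
        return "ok: IPSec transport needs no pass-through rule"
    hit = first_match(rules, vpn_port)
    if hit is None:
        return f"missing: no rule matches TCP port {vpn_port}"
    idx, rule = hit
    if rule.action == "pass-through":
        return f"ok: rule {idx + 1} passes through TCP port {vpn_port}"
    # A pass-through rule may exist further down, shadowed by an earlier rule.
    later = [i + 1 for i, r in enumerate(rules)
             if i > idx and r.action == "pass-through" and r.port == vpn_port]
    if later:
        return (f"shadowed: rule {idx + 1} optimizes port {vpn_port} before "
                f"pass-through rule {later[0]}; move it to the top")
    return f"missing: rule {idx + 1} optimizes port {vpn_port}; add a pass-through rule"

# Constructed sample policies; 443 stands in for the TCP VPN's port.
VPN_PORT = 443
shadowed = [Rule("optimize"), Rule("pass-through", VPN_PORT)]
fixed = [Rule("pass-through", VPN_PORT), Rule("optimize")]

if __name__ == "__main__":
    print(check_vpn_rule(shadowed, "tcp", VPN_PORT))
    print(check_vpn_rule(fixed, "tcp", VPN_PORT))
    print(check_vpn_rule(shadowed, "ipsec"))
```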
    You can configure the Mobile Controller with a VPN as follows:
  • In-path
  • Out-of-path
    Figure 24‑1 shows a deployment in which both the mobile employee and the branch office use the same in-path SteelHead.
    Figure 24‑1. In-Path Mobile Controller Deployment and VPN Tunnel
    Figure 24‑2 shows an in-path deployment in which the mobile employee and the branch office use the same SteelHead, but for the branch office the SteelHead is in-path; for the mobile employees, it is out-of-path.
    Figure 24‑2. Out-Of-Path Deployment Mobile Controller Deployment and VPN Tunnels
    For more information about policies and pass-through rules, see the SteelCentral Controller for SteelHead Mobile User’s Guide.
Mobile Controller with Firewall Deployments
    External firewalls, such as home firewall router appliances commonly found with broadband Internet connections, do not require special settings for SteelHead Mobile when operating with VPN software on the client computer. The VPN software can have special requirements for external firewalls.
    If you are using a firewall that does not allow outgoing connections, you must allow rbtdebug.exe, rbtmon.exe, rbtsport.exe, rbtlogger.exe, and shmobile.exe.
    If you must access the Mobile Controller without the use of a VPN, both the client-side and server-side network firewalls must have some or all of ports 22, 80, 443, 7800, 7810, and 7870 open, as follows:
  • Port 22 allows SSH access to the Mobile Controller from a remote site.
  • Ports 80 and 443 allow Web access (including HTTP and HTTPS).
  • Port 7800 is the default port between the SteelHead Mobile and the remote SteelHead for all optimized TCP sessions.
  • You need to open Port 7810 on the network firewalls if you configure SteelHead Mobile to optimize connections with server-side out-of-path SteelHeads.
  • SteelHead Mobile uses Port 7870 to send statistics to the Mobile Controller.
    If you are using a VPN originating on the client machine, you do not need to open any of the ports mentioned previously.
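To keep the firewall openings to the minimum the deployment needs, the port list above can be turned into an audit that is run against the allow list of each network firewall (client-side and server-side). This is an added example, not part of the original guide; the option names and the comma/range allow-list format are hypothetical, and treating ports 7800 and 7870 as always required without a VPN is an assumption.

```python
# Ports the guide lists for reaching the Mobile Controller without a VPN.
SHM_PORTS = {22, 80, 443, 7800, 7810, 7870}

def required_ports(client_vpn, ssh_admin=False, web_access=False,
                   out_of_path=False):
    """Return the smallest set of TCP ports the network firewalls must open."""
    if client_vpn:
        return set()         # a VPN originating on the client needs none of them
    ports = {7800, 7870}     # optimized sessions; statistics to the controller
    if ssh_admin:
        ports.add(22)        # SSH access to the Mobile Controller
    if web_access:
        ports |= {80, 443}   # Web access (HTTP and HTTPS)
    if out_of_path:
        ports.add(7810)      # server-side out-of-path SteelHeads
    return ports

def parse_allow(spec):
    """Expand an allow list such as '22,80,7800-7870' into a set of ports."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(allow_spec, **deployment):
    """Compare a firewall allow list with what the deployment requires."""
    need = required_ports(**deployment)
    opened = parse_allow(allow_spec)
    return {
        "missing": sorted(need - opened),                # features that will fail
        "surplus": sorted((opened & SHM_PORTS) - need),  # open without a need
    }

if __name__ == "__main__":
    # Constructed allow list: a broad 7800-7870 range plus SSH and Web ports.
    print(audit("22,80,443,7800-7870", client_vpn=False, web_access=True))
```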
Branch Office and Remote Access Deployments
    In a branch office and remote access user deployment scenario, there are the following types of users:
  • Local branch office users with systems that are already optimized by the local SteelHead. These users do not need the SteelHead Mobile software.
  • Local branch office users who also remotely access the network. These users need SteelHead Mobile software, and their systems are optimized by the server-side SteelHead.
    Figure 24‑3. Deploying SteelCentral Controller for SteelHead Mobile for Branch Office and Remote Users
    If SteelHead Mobiles are connecting to a branch office that already has a SteelHead, you can enable enhanced auto-discovery on all SteelHeads. This allows the SteelHead Mobile to bypass the local SteelHead and optimize with the remote SteelHead at the data center.
    If you configure the branch warming feature in SteelCentral Controller for SteelHead Mobile v3.0 or later, the SteelHead Mobile automatically detects the local SteelHead when it is in the branch office (using location awareness). The SteelHead Mobile does not consume a license when it is at the branch office. The SteelHead Mobile continues to optimize with the remote SteelHead, and also warms the SteelHead Mobile RiOS data store, the local SteelHead, and the remote SteelHead.
    For information about location awareness and branch warming, see Location Awareness. For information about enhanced auto-discovery, see Peering Rules and the SteelHead Management Console User’s Guide.