Mobile Controller Best Practices and Other Considerations
This section lists best practices and includes other factors to consider when deploying Mobile Controller. This section includes the following topics:
  • Deployment Scenarios
  • Management Best Practices
  • Migration Mobile Controller Hardware
  • Licensing Best Practices
  • Antivirus Software
  • Signed SMB Support
  • SSL Client Authentication Support
  • SMC and Federal Information Processing Standard (FIPS)
  • Optimization Before User Log In
    Deployment Scenarios
    Consider the following types of deployment scenarios. Figure 24‑8 shows the same SteelHead for office and mobile employees—use fixed-target rules if the VPN ingress point is different.
    Figure 24‑8. Same SteelHead for Mobile Employees and Office Employees
    Figure 24‑9 shows one SteelHead for mobile employees and one SteelHead for office employees.
    Figure 24‑9. Using One SteelHead for Mobile Employees and One SteelHead for Office Employees
    Consider the following when deciding between using a SteelHead or SteelCentral Controller for SteelHead Mobile for a branch office:
  • SteelCentral Controller for SteelHead Mobile is best for small offices or offices with employees that spend the majority of their time out of the office.
  • SteelHead Mobile has an individual RiOS data store, requiring software on each laptop. A SteelHead has a shared RiOS data store.
  • SteelHeads ensure that a resource is dedicated to acceleration.
  • SteelHeads have features that are not available on SteelCentral Controller for SteelHead Mobile, such as RSP or VSP, prepopulation, and QoS.
  • You can deploy Mobile Controller appliances in the data center for easier accessibility and connectivity.
  • For installations where you expect to have fewer than 100 concurrent mobile users, consider installing Mobile Controller virtual edition using RSP or VSP on the SteelHead in the data center.
  • In RiOS v7.0.1 or later, RSP was replaced with VSP. VSP comes preinstalled in the SteelHead EX. For more information about VSP, see the SteelHead EX Management Console User’s Guide. Your existing RSP packages work on VSP.
    If you are deploying the Windows operating system and software by cloning, you might run into an issue in which you create duplicate SIDs (ghosting). For more information, go to http://supportkb.riverbed.com/support/index?page=content&id=S15558.
    Management Best Practices
    The best practices to deploy and manage SteelCentral Controller for SteelHead Mobile are as follows:
  • Understand your mobile user population by geography, client type, and division.
  • Design systems that do not modify the default endpoint settings in the policy on the Mobile Controller.
  • If you decide to modify the default endpoint settings for groups of users, consider using fewer groups with more members, versus more groups with fewer members. For information about endpoint settings and policies, see the SteelCentral Controller for SteelHead Mobile User’s Guide.
  • Use MSI packages to push SteelCentral Controller for SteelHead Mobile software to clients. MSI packages can also enable rollback or upgrade, ensuring easy maintenance. Mobile Controller does support automatic upgrades to clients. For more information, go to https://supportkb.riverbed.com/support/index?page=content&id=S15231.
  • The initial installation of the client software cannot be pushed out from the Mobile Controller, but you can use Microsoft Windows Group Policy Object (GPO) to automatically push out and install client software for the first time to Windows clients. For more information, see Managing Mobile Clients Using Group Policy Templates at https://supportkb.riverbed.com/support/index?page=content&id=S14393.
  • Riverbed recommends that you back up your Mobile Controller-v using SCC. For more information about backing up and restoring Mobile Controller-v, especially when running on ESXi in VSP on SteelHead EX, see https://supportkb.riverbed.com/support/index?page=content&id=S17487.
  • Installation can be done in visible or invisible mode. In visible mode, end users have a Riverbed icon in the system tray that they can click for basic information and settings. In invisible mode, there are no visible icons to show that SteelCentral Controller for SteelHead Mobile is running on the end-user machine.
  • Do not use branch warming if you:
      • always want the client to optimize.
      • are using RiOS earlier than v6.0.
    Migration Mobile Controller Hardware
    Due to hardware refresh or replacement, you might need to migrate the configuration data (assignments, policies, packages, and so on) from your legacy Mobile Controller to a new hardware platform.
    To perform a successful migration, use the following steps as guidance. Depending on the versions of software running on the old versus new Mobile Controller, you might not need to perform all the steps.
    To migrate Mobile Controller hardware
    1. Back up the older Mobile Controller configuration to the SCC.
    2. Install the new Mobile Controller, running the same software version (or close to it), on the network using the new IP address.
    3. Manage the new Mobile Controller in the SCC.
    4. Unplug the old Mobile Controller from the network.
       At this time, the SteelHead Mobile clients that already have an active license continue to optimize, but they cannot upload any reports and no policies are pushed out.
    5. Restore the old Mobile Controller configuration (including IP address) to the new Mobile Controller. SteelHead Mobile client users connect automatically.
    6. Upgrade the new Mobile Controller to the latest required version of software.
    7. If needed, push out the software update to Mobile Clients using your preferred method.
    You cannot migrate or transfer the endpoint license packs from old Mobile Controller platform to new Mobile Controller platform. Contact your Riverbed account team to obtain new license packs.
    You can migrate to new hardware by temporarily creating a cluster of the two Mobile Controllers, allowing the policies and packages from the old Mobile Controller to move to the new Mobile Controller. After the transfer is complete, you can update the policies with the new Mobile Controller address to ensure that SteelHead Mobile clients connect to it. You can next remove the old Mobile Controller from the cluster. The main caveat to this method is that both Mobile Controllers must be running the same version of Mobile Controller software. You cannot use this method if the old Mobile Controller does not support the newer software version.
    For information on another approach to migrate from one Mobile Controller hardware to a new Mobile Controller hardware, go to https://supportkb.riverbed.com/support/index?page=content&id=S24136.
    Licensing Best Practices
    The best practices for end-user licensing are as follows:
  • When considering licenses, do not count mobile employees who are behind the SteelHead and are using branch warming.
  • On the basis that not all mobile users are connected and active at the same time, estimate a 3:1 ratio of licensed versus connected users.
  • SteelHead Mobile is issued a license by the Mobile Controller only after SteelHead Mobile initiates its first optimized connection request.
  • For configurations in which you deploy multiple Mobile Controllers for high availability, use software v4.0 or later to allow pooling of end-user licenses from all the Mobile Controllers. Pooling of end-user licenses is an efficient use of the licenses if there is an unplanned Mobile Controller outage.
    Antivirus Software
    You can configure certain antivirus tools installed on a Windows or Mac platform to scan files that have recently changed. Configure the antivirus scanner to ignore the SteelHead Mobile RiOS data store.
    Because SteelHead Mobile is constantly updating its RiOS data store when the user is sending and receiving data with optimized connections, the SteelHead Mobile RiOS data store is scanned frequently. This might lead to end-user performance problems. Because the SteelHead Mobile RiOS data store does not contain files of any type (just unique data segments), there is no need to scan it for viruses.
    Signed SMB Support
    You do not have to configure the SteelHead Mobile policy to support signed SMB connections. For traffic to optimize correctly:
  • SteelHead Mobile must run v3.1 or later.
  • You must configure the server-side SteelHead to optimize signed SMB traffic (joined to a Windows domain, Transparent or Delegation mode enabled, and so on).
  • If configured correctly, the Current Connections report on the server-side SteelHead shows CIFS-SIGNED.
    With Mobile Controller v4.6 and later, Signed SMB connections are supported for SMB1, SMB2, and SMB3 dialects. Previous versions of Mobile Controller supported only SMB1 and SMB2.
    While the SteelHead Mobile software is supported with Windows 8.1 operating systems, it is possible that the Windows client connects to a Windows 2012 or 2012-R2 file server using SMB3.02. This latest version of the SMB dialect is only fully supported in SteelHead Mobile v4.7 and later. If you are using an earlier version of the client, you can provide data reduction, but no Layer-7 latency optimization is possible. To ensure the correct behavior for SteelHead Mobile clients with versions prior to v4.7, you must modify the policy for SteelHead Mobile to ensure the correct dialect is used.
    Enter the following commands on the Mobile Controller, substituting the relevant policy ID used by SteelHead Mobile for <ID>:
    no policy id <ID> smb2 neg-whitelist enable
    no policy id <ID> smb2 basic-dialect
    write memory
    This setting does not affect the optimization of the other SMB dialects that continue to receive full latency and data optimization benefits. You do not need this setting if the SteelHead Mobile client is v4.7 or later.
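    The version rules above can be checked against a client inventory before changing any policy. The following is an added example, not Riverbed code: it groups clients by policy, emits the commands shown above for every policy that still has a pre-v4.7 client, and flags clients below the v3.1 minimum for signed SMB. The inventory layout, hostnames, policy IDs, and client versions are constructed for illustration.

```python
from collections import defaultdict

# Thresholds taken from the text above.
MIN_SIGNED_SMB = (3, 1)   # signed SMB optimization needs client v3.1 or later
FULL_SMB3_02 = (4, 7)     # SMB3.02 is fully supported only in client v4.7 and later

def parse_version(text):
    """'v4.10.1' -> (4, 10, 1), so 4.10 sorts after 4.7 (string comparison would not)."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))

def audit(inventory):
    """inventory: iterable of (hostname, policy_id, client_version) tuples.

    Returns (policies, below_minimum): policies maps each policy ID to its
    pre-v4.7 and v4.7+ hosts; below_minimum lists hosts older than v3.1.
    """
    policies = defaultdict(lambda: {"pre_4_7": [], "current": []})
    below_minimum = []
    for host, policy_id, version in inventory:
        v = parse_version(version)
        if v < MIN_SIGNED_SMB:
            below_minimum.append(host)
        bucket = "pre_4_7" if v < FULL_SMB3_02 else "current"
        policies[policy_id][bucket].append(host)
    return dict(policies), below_minimum

def policy_commands(policies):
    """Emit the page's CLI commands for every policy that has a pre-v4.7 client."""
    lines = []
    for policy_id in sorted(p for p, hosts in policies.items() if hosts["pre_4_7"]):
        lines.append(f"no policy id {policy_id} smb2 neg-whitelist enable")
        lines.append(f"no policy id {policy_id} smb2 basic-dialect")
    if lines:
        lines.append("write memory")
    return lines

# Constructed inventory: hostnames, policy IDs and versions are made up.
SAMPLE = [
    ("laptop-01", "1", "v4.6.2"),
    ("laptop-02", "1", "v4.7"),
    ("laptop-03", "2", "v4.10.1"),
    ("laptop-04", "3", "v3.0.5"),
]

if __name__ == "__main__":
    policies, below_minimum = audit(SAMPLE)
    print("\n".join(policy_commands(policies)))
    print("below v3.1 minimum for signed SMB:", below_minimum)
```

    Policy 1 in the sample is mixed: laptop-02 already runs v4.7 and does not need the setting, which is a reason to upgrade laptop-01 rather than keep the modified policy long term.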
    For more information about signed SMB support, see the SteelHead Deployment Guide - Protocols.
    SSL Client Authentication Support
    Mobile Controller v4.6 and later includes support for SSL client authentication. This feature enables SteelHead Mobile to optimize traffic when the client PC is using a Common Access Card (CAC). Mobile Controller v4.6 and later supports only client PCs running Windows 7 and using TLS v1.0.
    To enable support for client authentication, you need to configure both the Mobile Controller and the server-side SteelHead.
    Follow these steps on the Mobile Controller:
    1. Enable SSL optimization.
    2. Enable Client Certificate support.
    3. Import the server-side SteelHead peering certificate.
    Perform Steps 1 and 2 within the Mobile Controller policy assigned to the relevant client(s). Perform Step 3 on the Mobile Controller Management Console on the Configure > SSL > Peering page.
    For information about configuring the server-side SteelHead and general information on CAC and client certificate support, see the SteelHead Deployment Guide - Protocols.
    SMC and Federal Information Processing Standard (FIPS)
    With Mobile Controller v4.6 and later, there is an option to deploy the Mobile Controller in a FIPS-compliant mode. The FIPS mode is only applicable to the Mobile Controller itself and does not apply to the SteelHead Mobile clients that it might be responsible for.
    Before enabling FIPS mode, the Mobile Controller must have a FIPS license installed.
    Mobile Controllers that are part of an HA cluster can be FIPS enabled. Riverbed strongly recommends that you have all members of the cluster FIPS enabled rather than have a mixture of FIPS and non-FIPS Mobile Controllers.
    You can enable FIPS mode only through the CLI of the Mobile Controller. For more information about the configuration of FIPS, see the FIPS Administrator’s Guide.
    Optimization Before User Log In
    As part of a SteelHead Mobile installation, several processes run in the background, including rbtsport. Windows or MacOS starts rbtsport when the host operating system starts up. Therefore, even before a user has logged in, the optimization service is already running. This means that the SteelHead Mobile can optimize a user login process. It can also provide optimization for other system processes that are occurring automatically in the background, such as backups.