Product Overview
Product Overview
This chapter provides an overview of common terms, new features, upgrade instructions, technical and environmental specifications, and a description of the status lights for the system. This chapter includes these sections:
•  Prerequisites
•  Overview of the SteelHead
•  New features in version 9.5
•  Upgrading RiOS to 9.5
This section provides information about product dependencies and compatibility.
Hardware and software dependencies
This table summarizes the hardware and software requirements for the SteelHead.
Riverbed component
Hardware and software requirements
19-inch (483 mm) two-post or four-post rack.
SteelHead Management Console
Any computer that supports a Web browser with a color image display.
The Management Console has been tested with all versions of Chrome, Mozilla Firefox Extended Support Release version 38, and Microsoft Internet Explorer 11.
The SteelCentral Controller for SteelHead has been tested with Mozilla Firefox Extended Support Release version 38, and Microsoft Internet Explorer 11.
JavaScript and cookies must be enabled in your Web browser.
SCC compatibility
To manage SteelHead 9.5 appliances, you need to use SCC 9.5. Earlier versions of the SCC do not support 9.5 SteelHeads. For details about SCC compatibility across versions, see the SteelCentral Controller for SteelHead Installation Guide.
Virtual Services Platform (VSP) support
VSP is not supported on the Series xx55 hardware platforms. VSP is supported only on the EX Series xx60 hardware platforms. For detailed information about the SteelHead EX systems, see the SteelHead EX Installation and Configuration Guide.
Firewall requirements
Riverbed recommends that you deploy the SteelHead behind your firewall. These firewall settings are required for the SteelHead:
•  Ports 7800 and 7810 must be open.
•  Make sure your firewall doesn’t strip TCP options.
Secure transport requires communication on the management plane, control plane, and data plane. Consider the following port usage:
•  The management plane requires communication between the SteelHead and the SCC on TCP port 9443 and TCP port 22.
•  The control plane between the SteelHead acting as the controller and the SteelHeads acting as group members is over TCP port 9443.
•  Encryption service flows over ESP (IP protocol 50). Or, if the network is public, over UDP port 4500.
Ethernet network compatibility
The SteelHead supports these Ethernet networking standards. A SteelHead with a Gigabit Ethernet card supports jumbo frames on in-path and primary ports.
Ethernet standard
IEEE standard
Ethernet Logical Link Control (LLC)
IEEE 802.2 - 1998
Fast Ethernet 100BASE-TX
IEEE 802.3 - 2008
Gigabit Ethernet over Copper 1000BASE-T (All copper interfaces are autosensing for speed and duplex.)
IEEE 802.3 - 2008
Gigabit Ethernet over Fiber 1000BASE-SX (LC connector)
IEEE 802.3 - 2008
Gigabit Ethernet over Fiber 1000BASE-LX
IEEE 802.3 - 2008
Gigabit Ethernet over Fiber 10GBASE-LR Single Mode
IEEE 802.3 - 2008
Gigabit Ethernet over 10GBASE-SR Multimode
IEEE 802.3 - 2008
The SteelHead ports support these connection types and speeds:
Primary (PRI)
10/100/1000BASE-T, autonegotiating
Auxiliary (AUX)
10/100/1000BASE-T, autonegotiating
10/100/1000BASE-T, 1000BASE-SX, 1000BASE-LX, 10GBASE-LR, 10GBASE-SR (depending on configuration)
10/100/1000BASE-T, 1000BASE-SX, 1000BASE-LX, 10GBASE-LR, 10GBASE-SR (depending on configuration)
The SteelHead supports VLAN Tagging (IEEE 802.3 - 2008). It doesn’t support the ISL protocol.
The SteelHead autonegotiates speed and duplex mode for all data rates and supports full duplex mode and flow control (IEEE 802.3 - 2008).
SNMP-Based management compatibility
This product supports a proprietary Riverbed MIB accessible through SNMP. SNMPv1 (RFCs 1155, 1157, 1212, and 1215), SNMPv2c (RFCs 1901, 2578, 2579, 2580, 3416, 3417, and 3418), and SNMPv3 are supported, although some MIB items might only be accessible through SNMPv2 and SNMPv3.
SNMP support enables the product to be integrated into network management systems such as Hewlett-Packard OpenView Network Node Manager, BMC Patrol, and other SNMP-based network management tools.
Overview of the SteelHead
The causes for slow throughput in WANs are well known: high delay (round-trip time or latency), limited bandwidth, and chatty application protocols. Large enterprises spend a significant portion of their information technology budgets on storage and networks, much of it spent to compensate for slow throughput, by deploying redundant servers and storage, and the required backup equipment. SteelHeads enable you to consolidate and centralize key IT resources to save money, reduce capital expenditures, simplify key business processes, and improve productivity.
With the SteelHead, you can solve a range of problems affecting WANs and application performance, including:
•  Insufficient WAN bandwidth
•  Inefficient transport protocols in high-latency environments
•  Inefficient application protocols in high-latency environments
The Riverbed Optimization System (RiOS) intercepts client-server connections without interfering with normal client-server interactions, file semantics, or protocols. All client requests are passed through to the server normally, while relevant traffic is optimized to improve performance.
RiOS uses these optimization techniques:
•  Data streamlining - SteelHeads and SteelHead Mobile can reduce WAN bandwidth utilization by 65% to 98% for TCP-based applications using data streamlining. In addition to traditional techniques like data compression, RiOS also uses a Riverbed proprietary algorithm called scalable data referencing (SDR). SDR breaks up TCP data streams into unique data chunks that are stored in the hard disk (RiOS data store) of the device running RiOS (a SteelHead or SteelHead Mobile host system). Each data chunk is assigned a unique integer label (reference) before it’s sent to a peer RiOS device across the WAN. When the same byte sequence is seen again in future transmissions from clients or servers, the reference is sent across the WAN instead of the raw data chunk. The peer RiOS device (a SteelHead or SteelHead Mobile host system) uses this reference to find the original data chunk on its RiOS data store, and reconstruct the original TCP data stream.
•  Transport streamlining - SteelHeads use a generic latency optimization technique called transport streamlining. Transport streamlining uses a set of standards and proprietary techniques to optimize TCP traffic between SteelHeads. These techniques:
–  ensure that efficient retransmission methods, such as TCP selective acknowledgements, are used.
–  negotiate optimal TCP window sizes to minimize the impact of latency on throughput.
–  maximize throughput across a wide range of WAN links.
•  Application streamlining - In addition to data and transport streamlining optimizations, RiOS supports a rich set of application protocols that includes but is not limited to Microsoft Exchange, CIFS, SMB, SharePoint, HTTP/HTTPS, Lotus Notes, FCIP, SRDF, and SnapMirror.
•  Path selection for hybrid networking - These solutions maximize multiple WAN services based on business needs, service quality, and costs. Path selection redirects specific traffic or applications through one of three alternate paths determined by destination availability in cascading order. The path selection technology deterministically redirects select traffic and application flows through alternate networks based on service metrics, such as path availability, application priority, and policies you create.
–  Traffic classification - The SteelHead application flow engine, which covers more than 1,300 individual applications and processes, uses information to understand where data is coming from, which application sent it, and what function that application is trying to accomplish. The application flow engine utilizes a variety of techniques, often in combination, such as port-based classification, application signature matching, protocol dissection, behavioral classification, and others. Path selection classifies traffic using the full assortment of packet rules including IP addresses, 5-tuple, differentiated services code point (DSCP), TCP, user datagram protocol (UDP) port numbers, and so on. In this way, operators can instruct SteelHead solutions to precisely associate applications to networks based on their nature, performance requirements, and business criticality.
–  Packet forwarding - After the SteelHead has selected the right path, the next step is for it to steer traffic to the newly selected path. This operation is transparent to the client, server, and any networking devices such as routers or switches. RiOS forwards packets either directly using distinct SteelHead physical interfaces, or indirectly using (MAC) address rewriting. When these forwarding methods aren’t possible; for example, with virtual in-path deployments or where the SteelHead solution is not in the same Layer-2 domain, RiOS uses DSCP marking with upstream policy-based routing.
–  Availability monitoring - The SteelHead monitors end-to-end path availability and quality. You define the endpoint IP address for every path, and the SteelHead sends an Internet control message protocol (ICMP) ping every two seconds. To validate availability, each path can have a different remote host.
–  Failover management - If three consecutive pings are missed, the system considers the path to be unavailable, and selects the backup path. Every application has a default and a prioritized set of backup paths. Should the default path be unavailable, the higher-priority backup is instantly used (and then the lower one if needed). Operators can block certain types of applications when the primary path becomes unavailable, with a goal of reserving the remaining available bandwidth for more critical applications. As soon as the default path becomes available, traffic is routed back to it.
•  Management streamlining - Management streamlining refers to the methods that Riverbed has developed to simplify the deployment and management of RiOS devices. These methods include:
–  Autodiscovery process, which enables SteelHeads and SteelHead Mobile to automatically find remote SteelHeads, and to then optimize traffic using them. Enhanced autodiscovery automatically discovers the last SteelHead in the network path of the TCP connection. Autodiscovery relieves you from having to manually configure large amounts of network information. The autodiscovery process enables administrators to control and secure connections, specify which traffic is to be optimized, and specify peers for optimization.
–  SteelCentral Controller for SteelHead (SCC), which automatically configures and monitors remote SteelHeads. It also gives you a single view of the overall benefit and health of the SteelHead network. SteelCentral Controller for SteelHead’s central management console dramatically improves the management and usability of control capabilities. The SCC features an intuitive interface and management plane based on high-level abstractions such as applications, sites, uplinks, or networks that match the way you view your IT environment. With SCC, you can implement new, more efficient configuration and change management workflows that make hybrid-networking capabilities truly usable at scale.
–  SteelCentral Controller for SteelHead Mobile (SCCM), which tracks the individual health and performance of each deployed software client, and manages enterprise client licensing. The SCCM enables you to see who is connected, view their data reduction statistics, and perform support operations such as resetting connections, pulling logs, and automatically generating traces for troubleshooting. You can perform all of these management tasks without end user input.
For detailed information about how the SteelHead works and deployment design principles, see the SteelHead Deployment Guide.
Configuring optimization
You configure optimization of traffic using the Management Console or the Riverbed CLI. You configure the type of traffic a SteelHead optimizes and specify the type of action it performs using:
•  In-Path rules - In-path rules determine the action a SteelHead takes when a connection is initiated, usually by a client. In-path rules are used only when a connection is initiated. Because connections are usually initiated by clients, in-path rules are configured for the initiating, or client-side SteelHead. You configure one of these types of in-path rule actions:
–  Auto discover - Use the autodiscovery process to determine if a remote SteelHead is able to optimize the connection attempting to be created by this SYN packet.
–  Fixed-target - Skip the autodiscovery process and use a specified remote SteelHead as an optimization peer. Fixed-target rules require the input of at least one remote target SteelHead; an optional backup SteelHead might also be specified.
–  Fixed-target (packet mode optimization) - Skip the autodiscovery process and use a specified remote SteelHead as an optimization peer to perform bandwidth optimization on TCPv4, TCPv6, UDPv4, or UDPv6 connections. Packet-mode optimization rules support both physical in-path and master/backup SteelHead configurations. For details, see the SteelHead Management Console User’s Guide.
–  Pass-through - Allow the SYN packet to pass through the SteelHead. No optimization is performed on the TCP connection initiated by this SYN packet.
–  Discard - Drop the SYN packet silently.
–  Deny - Drop the SYN packet and send a message back to its source.
•  Peering rules - Peering rules determine how a SteelHead reacts when it sees a probe query. Peering rules are an ordered list of fields a SteelHead uses to match with incoming SYN packet fields. For example, source or destination subnet, IP address, VLAN, or TCP port, as well as the IP address of the probing SteelHead. This is especially useful in complex networks. These types of peering rule are available:
–  Auto - If the receiving SteelHead is not using enhanced autodiscovery, this has the same effect as the Accept peering rule action. If enhanced autodiscovery is enabled, the SteelHead only becomes the optimization peer if it’s the last SteelHead in the path to the server.
–  Accept - The receiving SteelHead responds to the probing SteelHead and becomes the remote-side SteelHead (that is, the peer SteelHead) for the optimized connection.
–  Passthrough - The receiving SteelHead doesn’t respond to the probing SteelHead, and allows the SYN+ probe packet to continue through the network.
For detailed information about in-path and peering rules and how to configure them, see the SteelHead Management Console User’s Guide.
Fail-to-wire (bypass) mode
All SteelHead models and in-path network interface cards support a fail-to-wire mode. In the event of a failure or loss of power, the SteelHead goes into bypass mode and the traffic passes through uninterrupted.
Many in-path network interface cards (NICs) also support a fail-to-block mode in which case if there’s a failure or loss of power, the SteelHead LAN and WAN interfaces power down and stop bridging traffic. The default failure mode is fail-to-wire mode.
If there’s a serious problem with the SteelHead or it’s not powered on, it goes into bypass mode to prevent a single point of failure. If the SteelHead is in bypass mode, you are notified in these ways:
•  The Intercept/Bypass status light on the bypass card is triggered. For detailed information about bypass card status lights, see the appendices that follow.
•  The Dashboard of the Management Console displays the Critical health icon next to the appliance name.
•  SNMP traps are sent (if you have set this option).
•  The event is logged to system logs (syslog).
•  Email notifications are sent (if you have set this option).
When the fault is corrected, new connections receive optimization; however, connections made during the fault aren’t optimized. To force all connections to be optimized, enable the kickoff feature. Generally, connections are short-lived and kickoff is not necessary. For detailed information about enabling the kickoff feature, see the SteelHead Management Console User’s Guide and the SteelHead Deployment Guide.
When the SteelHead is in bypass mode the traffic passes through uninterrupted. Traffic that was optimized might be interrupted, depending on the behavior of the application-layer protocols. When connections are restored, they succeed, although without optimization.
In an out-of-path deployment, if the server-side SteelHead fails, the first connection from the client fails. After detecting that the SteelHead is not functioning, a ping channel is setup from the client-side SteelHead to the server-side SteelHead. Subsequent connections are passed through unoptimized. When the ping succeeds, processing is restored and subsequent connections are intercepted and optimized.
For detailed information about the ping command, see the Riverbed Command-Line Interface Reference Manual.
Fail-to-block (disconnect) mode
In fail-to-block mode, if the SteelHead has an internal software failure or power loss, the SteelHead LAN and WAN interfaces power down and stop bridging traffic.
When fail-to-block is enabled, a failed SteelHead blocks traffic along its path, forcing traffic to be rerouted onto other paths (where the remaining SteelHeads are deployed). This is only useful if the network has a routing or switching infrastructure that can automatically divert traffic off of the link once the failed SteelHead blocks it.
Note: You can use this with connection-forwarding, the allow-failure CLI command, and an additional SteelHead on another path to the WAN to achieve redundancy. For more information, see the Riverbed Command-Line Interface Reference Manual.
You set fail-to-block mode in the SteelHead CLI. For detailed information, see the SteelHead Deployment Guide.
New features in version 9.5
These new features are available in RiOS 9.5.
SteelConnect compatibility
SteelHead CX appliances running RiOS 9.5 are compatible with SteelConnect gateways running SteelConnect Manager (SCM) 2.3, integrating the SteelHead WAN optimization capabilities with the SteelConnect software-defined WAN (SD-WAN) capabilities. The combined products provide a smooth transition from WAN optimization to hybrid networking to SD-WAN.
Enter the steelhead steel-connect compatibility command on the SteelHead to enable compatibility with the SteelConnect gateway. For more information, see the Riverbed Command-Line Interface Reference Manual. In addition, the SteelConnect gateway must be on the WAN side of the SteelHead.
The appliances discover each other and connect automatically using a TCP control channel. For more compatibility details, and for more information about SteelConnect and the SteelConnect Manager, see the SteelConnect Manager User Guide.
FIPS optimization support
The following non-compliant cryptography features can be optimized while SteelHead appliances are operating in Federal Information Processing Standard (FIPS) mode:
•  MAPI encryption
•  SMB2/SMB3 signing
•  SMB3 encryption
Noncompliant traffic flows generate configuration log messages, but optimization is allowed.
IPv6 compatibility
The following IPv6 additions are added for release 9.5:
•  Enhanced autodiscovery is supported for SteelHeads in networks that run IPv6 (IPv6 single-stack), in addition to IPv4. SteelHeads running RiOS version 8.5 to 9.2 require either IPv4 for the TCP inner connections between the peer SteelHeads or fixed-target rules.
•  The management in-path (MIP) interface can use IPv6 addresses.
QoS change
QoS workflow and UI changes - The Networking > Network Services: Quality of Service page is redesigned for usability when viewing and configuring QoS settings for Local and Default sites. See the SteelHead Management Console User’s Guide for more information.
Web proxy enhancement
Proxy chaining - The web proxy feature is integrated with the enterprise proxy service. It supports either a hierarchical proxy setup or automatic proxy configuration. The feature is configured using the SteelCentral Controller for SteelHead.
Reporting updates
SaaS User Identity Report - A field “User-identity” is added to the Current Connections report, showing the single sign-on (SSO) user ID for users who request files from Office365 using MS Azure and the Web Application Open Platform Interface Protocol (WOPI) client and server. You can filter and search in these reports by User-identity. See the SteelHead Management Console User’s Guide for more information.
Data Reduction Visibility per SaaS application - The following reports show the optimization rates for SaaS apps such as Office 365,, or Box:
•  Reports > Networking: Traffic Summary
•  Reports > Optimization: Bandwidth Optimization
•  Reports > Optimization: Optimized Throughput
•  RADIUS MS-CHAPv2 Support - An extra check box is added to the Administration > Security: RADIUS page to add MS-CHAPv2 support to the existing PAP and CHAPv1 choices, and the mschapv2 keyword is added to the radius-server host command.
•  DFS Optimization - Support to optimize Distributed File System (DFS) shares over SMB2/3 is added.
•  SMB2 case-insensitive - The SteelHead appliance treats native SMB2 files, directories, and shares as case sensitive by default. To make them case insensitive, enter the protocol smb2 caseless enable command. This feature is supported for the ASCII character set only. For more information, see the Riverbed Knowledge Base article at
SCEP over HTTPS - HTTPS as well as HTTP is supported for the URL of the Simple Certificate Enrollment Protocol (SCEP) responder in the Optimization > SSL: Secure Peering (SSL) page.
New Platforms
SteelHead (in the cloud) 7070 - A SteelHead-c model is added, with the same performance specifications as the SteelHead CX 7070.
•  Filer qualification - Support for SMBv1-3.02 on the VNX is added.
•  SharePoint 2016 qualification - SteelHead appliances are now fully interoperable with SharePoint 2016 and SharePoint Online.
•  Exchange Server qualifications - SteelHead appliances are now fully interoperable with Exchange Server 2013 CU14 and Exchange Server 2016 CU3.
Azure ARM compatibility
Azure ARM deployment support - Lets you choose the Azure Resource Manager (ARM) option when instantiating a SteelHead (in the cloud).
SNMP MIB update
SNMP MIB for Portal Disconnection - An SNMP trap is added that notifies you when either the SteelHead (in the cloud) or SteelHead SaaS cannot contact the Riverbed Cloud Portal.
End of software support for SteelHead CX 555 and CX 755
Do not use RiOS 9.5 with the following products, because the End of Support for Feature Releases date has been reached:
•  SteelHead CX 555
•  SteelHead CX 755
Instead, use RiOS versions 9.2 and earlier.
Upgrading RiOS to 9.5
RiOS 9.5 is backward compatible with previous RiOS versions. However, to obtain the full benefits of the new features in RiOS 9.5, you must upgrade the client-side and server-side SteelHeads on any given WAN link. After you have upgraded all appliances, all the benefits of the 9.5 features and enhancements are available.
User permissions
Upgrading from RiOS 8.6 to 9.0 and later requires additional user permissions for path selection and QoS. For example, a user with QoS read/write permission in a previous version will no longer have permission to configure a QoS rule. In 9.0 and later, a user needs read/write permission for Network Settings in addition to read/write permission for QoS.
This table summarizes the changes to the user permission requirements for RiOS 9.0 and later.
Management console page
To configure this feature or change this section
Required read permission
Required read/write permission
Networking > Topology: Sites & Networks
Network Settings Read-Only
Network Settings Read/Write
Network Settings Read-Only
QoS Read-Only
Path Selection Read-Only
Network Settings Read/Write
QoS Read/Write
Path Selection Read/Write
Networking > App Definitions: Applications
Network Settings Read-Only
Network Settings Read/Write
Networking > Network Services: Quality of Service
Enable QoS
QoS Read-Only
QoS Read/Write
Manage QoS Per Interface
Network Settings Read-Only
Network Settings Read/Write
QoS Profile
QoS Read-Only
QoS Read/Write
QoS Remote Site Info
Network Settings Read-Only
QoS Read-Only
Networking > Network Services: QoS Profile Details
Profile Name
QoS Read-Only
QoS Read/Write
QoS Classes
QoS Read-Only
QoS Read/Write
QoS Rules
QoS Read-Only
Network Settings Read/Write
QoS Read/Write
Path Selection
Enable Path Selection
Network Settings Read-Only
Network Settings Read/Write
Path Selection Rules
Network Settings Read-Only
Path Selection Read-Only
Network Settings Read/Write
Path Selection Read/Write
Uplink Status
Network Settings Read-Only
Path Selection Read-Only
Reports Read/Write
Outbound QoS Report
QoS Read-Only
QoS Read/Write
Inbound QoS Report
QoS Read-Only
QoS Read/Write
Host Labels
Network Settings Read-Only
Path Selection Read-Only
Network Settings Read/Write
QoS Read/Write
Port Labels
Network Settings Read-Only
QoS Read-Only
Network Settings Read/Write
QoS Read/Write
Upgrade considerations
Consider the following before upgrading RiOS:
•  You can’t upgrade Series x50 or xx50 hardware to RiOS version 9.5.
•  If you mix RiOS software versions in your network, the releases might support different optimization features and you can’t take full advantage of the features that aren’t part of the older software versions.
•  If you have deployed Path Selection or QoS in a RiOS 9.x deployment, we recommend that you temporarily disable the Path Selection and QoS features after upgrading to 9.5 and prior to rebooting the appliance. For more information, see the Riverbed Knowledge Base article at
Recommended upgrade paths
To find allowed upgrades between RiOS versions and recommended upgrade paths, use the Software Upgrade tool on the Riverbed Support site at The tool includes all of the recommended intermediate RiOS versions.
Upgrading the RiOS software version
Follow these steps to upgrade your RiOS software. These instructions assume you are familiar with the SteelHead, the CLI, and the Management Console.
To upgrade the RiOS software version
1. Download the software image from the Riverbed Support site to a location such as your desktop. Optionally, in RiOS version 9.5, you can download a delta image directly from the Riverbed Support site to the SteelHead. The downloaded image includes only the incremental changes. The smaller file size means a faster download and less load on the network. To download a delta image, skip to step 2.
2. Log in to the Management Console using the Administrator account (admin).
3. Choose Administration > Maintenance: Software Upgrade page and choose one of these options:
–  From URL - Type the URL that points to the software image. Use one of these formats:
–  From Riverbed Support Site - Select the target release number from the drop-down list to download a delta image directly to the appliance from the Riverbed Support site. The downloaded image includes only the incremental changes. You don’t need to download the entire image. The system downloads and installs the new image immediately after you click Install. To download and install the image later, schedule another date or time before you click Install.
–  From Local File - Browse your file system and select the software image.
–  Schedule Upgrade for Later. - Select this check box to schedule an upgrade for a later time. Type the date and time in the Date and Time text boxes using these formats:
4. Click Install to immediately upload and install the software upgrade on your system, unless you schedule it for later.
The software image can be quite large; uploading the image to the system can take a few minutes. Downloading a delta image directly from the Riverbed Support site is faster because the downloaded image includes only the incremental changes and is downloaded directly to the appliance.
As the upgrade progresses, status messages appear.
After the installation is complete, you are reminded to reboot the system to switch to the new version of the software.
5. Choose Administration > Maintenance: Reboot/Shutdown and click Reboot.
The appliance can take a few minutes to reboot. This is normal behavior as the software is configuring the recovery flash device. Don’t press Ctrl-C, unplug, or otherwise shut down the system during this first boot. There’s no indication displayed during the system boot that the recovery flash device is being configured.
After the reboot, the Dashboard, Software Upgrade, and Help pages of the Management Console display the RiOS version upgrade.
Downgrading the RiOS software version
If you are downgrading to a previous version of the RiOS software, you must downgrade to a version of the software that has previously run on your system.
Note: When downgrading from an image that supports four 10 GigE cards to an older image that doesn’t, the message Updating BIOS. Do not interrupt or reboot till the command completes appears. This message indicates that the appropriate BIOS for your software image is being installed.