Overview of SteelHead Mobile 5.5
This chapter provides an overview of SteelHead Mobile 5.5. It includes these sections:
When using this guide, if you’re not familiar with the installation, configuration, and management of networks with deployed SteelHeads, consult the documents listed below at this site:
• SteelHead Installation and Configuration Guide
• SteelHead Management Console User’s Guide
• SteelHead Deployment Guide
Before you begin the installation and configuration process for the Mobile Controller, you must select a network deployment. For specific Mobile Controller deployment options, see the SteelHead Deployment Guide.
Overview of the Mobile Controller solution
The Mobile Controller solution enables you to optimize application protocols such as HTTP and MAPI and to reduce bandwidth for other protocols, providing LAN-like performance to remote users who are accessing your computer network using any type of remote access (dial-up, broadband, wireless, and so forth). Managed by a Mobile Controller, remote users employ client software to exchange optimized data with a SteelHead. The controller can be either a Mobile Controller appliance or a Mobile Controller-v.
The Mobile Controller solution enables you to optimize traffic for these types of users:
• Mobile users - Mobile users are employees who connect to the WAN from various locations and also connect to the LAN locally.
• Home users - Home users are employees who use computers that connect to the corporate network.
• Small branch office users - Small branch office users are located at offices with fewer than ten employees that connect to the WAN but don’t require a standard SteelHead.
Definition of terms
The following terms are used to describe features, attributes, and processes in the Mobile Controller.
Term | Definition |
Endpoint | An endpoint is a client computing device, such as a personal computer. |
Client install package | A client install package installs SteelHead Mobile software onto each of your endpoints. A package created on a Mobile Controller contains complete endpoint settings, including the fully qualified domain name (FQDN) of the Mobile Controller and a certificate that secures communication between the client and the controller. Note: The default package that ships with the Mobile Controller contains the default (initial) policy, with complete endpoint settings. The default package is designed to be suitable for most network environments. Typically, you install and deploy SteelHead Mobile clients without modifying the default policy. Consider deploying the SteelHead Mobile client software to your endpoints using the policy defaults and modifying them only as necessary. For detailed information about the default policy settings, see the SteelCentral Controller for SteelHead Mobile User’s Guide. |
Policy | A policy specifies computer-specific software settings for acceleration (such as protocol and SSL settings) and endpoints (such as data store size and Mobile Controller to connect to). A policy is required for optimization to occur. |
Assignment | An assignment occurs when a policy is matched to a group ID. |
Group ID | A group ID (GID) governs which policies and packages the Mobile Controller provides to endpoints. The GID enables you to assign policies to groups of endpoints. When you create the package, you can assign a GID to it. The GID is associated with the endpoint upon installation. The Mobile Controller subsequently uses the GID to identify the endpoint and provide assigned policies and updates. Group ID was called Deployment ID in Mobile Controller 2.x and earlier. |
Demilitarized Zone | A demilitarized zone (DMZ) is a computer or small subnetwork that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet. Typically, the DMZ contains devices accessible to Internet traffic, such as web (HTTP) servers, FTP servers, SMTP (email) servers, and DNS servers. |
Mobile Controller components
A Mobile Controller deployment consists of these components:
• Mobile Controller - The Mobile Controller acts as a gateway for remote users and is installed at a data center or at the server side of the WAN, where it is accessible to users. The Mobile Controller features a web-based GUI, the Management Console, that you use to centrally manage endpoints. You can also use the Management Console for endpoint software upgrades, licensing, reporting, and monitoring. Each Mobile Controller appliance and Mobile Controller-v for ESXi supports up to 4000 concurrent users. Each Mobile Controller-v for Riverbed Services Platform (RSP) and Mobile Controller-v for Virtual Services Platform (VSP) supports up to 100 concurrent users.
• SteelHead Mobile Client - The SteelHead Mobile client enables endpoint PCs and Macs to optimize data when connected to a Mobile Controller. You distribute SteelHead Mobile software to endpoints using packages. You create packages using the Management Console, and you deploy them to your endpoints using the deployment tool of your choice. You can use a commercial deployment tool (for example, Microsoft SMS, Active Directory, or Altiris) to deploy packages, or you can email the link to your remote users. For detailed information about deployment options for packages, see the SteelCentral Controller for SteelHead Mobile User’s Guide.
• SteelHead - SteelHeads deployed throughout the network optimize data generated and accessed by end users. The Mobile Controller allows SteelHead Mobile clients to exchange optimized data with the SteelHead. For details on the SteelHead, see the SteelHead Deployment Guide and the SteelHead Management Console User’s Guide.
When you start the SteelHead Mobile client, it accesses the specified Mobile Controller to obtain a license and a policy. After the endpoint retrieves a license and a policy from the Mobile Controller, traffic can be optimized between the SteelHead Mobile client and the server-side SteelHead. The SteelHead Mobile client performs data optimization using the same mechanisms as a client-side SteelHead. The endpoint maintains a connection with the Mobile Controller to download new policies from the Mobile Controller. This connection also enables the Mobile Controller to monitor your endpoints and to upload logs from them.
Figure: Typical Mobile Controller deployment shows a typical Mobile Controller deployment. The Mobile Controller is located at the main data center. SteelHead Mobile clients communicate with the Mobile Controller for management and reporting purposes. SteelHead Mobile clients are optimized by SteelHeads at the data center.
Figure: Typical Mobile Controller deployment
Software and configuration requirements
This section provides information about product dependencies and compatibility.
Mobile Controller
This table summarizes the software and configuration requirements for deploying the Mobile Controller.
Component | Software and configuration requirements |
Mobile Controller Console | A Mobile Controller console is any computer (including Microsoft Surface Pro tablets) that supports a web browser with a color image display. The Mobile Controller console has been tested with Mozilla Firefox 24 ESR and Microsoft Internet Explorer 8 and 9. JavaScript and cookies must be enabled in your web browser. If you want to encrypt your communication, you must have an SSL-capable browser. No particular operating system is required. |
Mobile Controller-v for RSP
This table summarizes the hardware, software, and configuration requirements for deploying the Mobile Controller-v for Riverbed Services Platform (RSP).
Component | Hardware and software requirements |
Memory and processor | 3 GB of RAM, 1 processor |
Hard disk | At least 20 GB |
Networks and serial ports | 2 networks, 1 serial port |
Licenses | A total of 100 concurrent user licenses and 200 users that are connected but not optimized. (Only 100 can be optimized at a time.) |
For detailed information, see
Installing Mobile Controller-v for RSP and the
Riverbed Services Platform Installation Guide.
Mobile Controller-v for VSP
This table summarizes the hardware, software, and configuration requirements for deploying the Mobile Controller-v for Virtual Services Platform (VSP).
Component | Hardware and software requirements |
Memory and processor | 3 GB of RAM, 1 processor |
Hard disk | At least 20 GB |
Networks and serial ports | 2 networks, 1 serial port |
Licenses | A total of 100 concurrent user licenses and 200 users that are connected but not optimized. (Only 100 can be optimized at a time.) |
For detailed information, see
Installing Mobile Controller-v for VSP and the
SteelHead EX Management Console User’s Guide.
Mobile Controller-v for ESXi
Mobile Controller-v for ESXi is supported on VMware ESXi 5.0, 5.1, 5.5, and 6.0. Install and configure Mobile Controller-v for ESXi using VMware VI or the VMware vSphere Client.
Virtual machine snapshots are not supported by Mobile Controller-v for ESXi.
For detailed information about Mobile Controller-v for ESXi, see
Installing Mobile Controller-v for ESXi. Mobile Controller-v for Hyper-v
Mobile Controller-v for Hyper-v is supported on Hyper-v version 6.3.9600.16404.
For detailed information, see
Installing Mobile Controller-v for Hyper-V and the
SteelHead EX Management Console User’s Guide.
Mobile Controller-v for Azure
Mobile Controller-v for Azure is supported on Azure
. Mobile Controller-v can be installed and run in Azure. For detailed information, see
Installing Mobile Controller-v for Azure. Firewall requirements
This section lists the required firewall settings for Mobile Controller deployments.
Port requirements:
• Ports 80 and 443 must be open for the server-side firewall management connection to the Mobile Controller. Port 22 must be open for access to the command-line interface (CLI).
• Either port 80 or port 443 and port 7870 must be open for the connection to the SteelHead Mobile clients.
• For out-of-path deployments, port 7810 must be open.
• For in-path deployments, port 7800 must be open.
If you’re using application control, you must allow these processes:
• For Windows - rbtdebug.exe, rbtmon.exe, rbtsport.exe, and shmobile.exe
• For Mac OS X - rbtsport, rbtmond, rbtuseragentd, and rbtdebug
Antivirus compatibility
SteelHead Mobile 5.5 has been tested with these antivirus software with no impact on performance:
For Windows systems
• McAfee Internet Security Suite 2010
• Microsoft Windows Firewall (allow rbtsport)
• Symantec Endpoint Protection 11.0
For Mac systems
• IP Firewall (IPFW)
• Mac OS X Application Firewall
• McAfee Internet Security
• Symantec for Mac
Earlier releases
• CA Anti-Virus 2009
• CA eTrust Anti-Virus r8.x
• Cisco Security Agent 5.2
• McAfee VirusScan 10.0
• McAfee VirusScan Professional 9.0
• McAfee VirusScan Plus 2009
• McAfee Internet Security Suite 2009
• McAfee Internet Security Suite 2007
• McAfee Internet Security Suite 2006
• McAfee Internet Security Suite 2005
• McAfee Internet Security Suite 2004
• Norton AntiVirus 2010 with Antispyware
• Norton AntiVirus 2009
• Norton AntiVirus 2008
• Norton Internet Security 2010
• Symantec AntiVirus Corporate Edition 10.2
• Symantec AntiVirus Corporate Edition 10.1
• Symantec Internet Security Suite 2009
• Symantec Internet Security Suite 2008
• Symantec Endpoint Protection 11.0
• Trend Micro PC-Cillin 2009 Internet Security (including firewall)
• Trend Micro PC-Cillin 2008 Internet Security (including firewall)
• ZoneAlarm Internet Security Suite 3U
VPN requirements
When deploying the SteelHead Mobile software, make sure that the VPN tunnel is not optimized. If the VPN tunnel uses TCP for transport, when you configure a policy, you must add a pass-through rule for the VPN port number connected to the client. Depending on your deployment scenario, this rule might be the first rule in the list. If the port uses UDP, no rule is required.
For details about configuring policies, see the SteelCentral Controller for SteelHead Mobile User’s Guide.
VPN software products that use IPSec as the transport protocol don’t need a pass-through rule because IPSec is its own non-TCP/IP protocol and, by default, the SteelHeads don’t optimize it.
Note: The Cisco ASA 5500 Series (used only on the Windows platform) requires additional configuration to be compatible with the Mobile Controller. You can either configure an in-path, fixed-target rule for the Mobile Controller policy, or you can make configuration changes on the Cisco ASA. For details about configuring in-path, fixed-target rules for acceleration policies, see the
SteelCentral Controller for SteelHead Mobile User’s Guide. For details about configuring the Cisco ASA, consult the Riverbed Knowledge Base article located at the following URL:
https://supportkb.riverbed.com/support/index?page=content&legacyid=501700000008i6G Supported VPNs for Windows
• Array Networks
• AT&T NetClient
• Checkpoint Remote Access Client
• Cisco SSL VPN AnyConnect
• Cisco VPN Client
• Citrix Access Gateway
Note: Citrix Access Gateway Standard Edition 4.5 requires additional configuration to be compatible with the Mobile Controller. You must add a subnet for each of the following components: the data center, the server being accessed, the SteelHead, and the Mobile Controller. The server-side SteelHead must be configured as an out‑of‑path deployment.
• Citrix Netscaler VPN Client
Note: Citrix Netscaler VPN Client is supported in fixed-target deployments only. Citrix Netscaler VPN Client is not supported in auto-discovery deployments.
• Dell SonicWall Aventail
• F5 Firepass
• Fortinet VPN
• Juniper Network Connect
• Junos Pulse
• Microsoft PPTP
• Microsoft L2TP IPSEC VPN and SSL VPNNetilla SSL VPN
• NetMotion Mobility Client
• Nortel
• Palo Alto Networks (GlobalProtect)
• Riverbed SteelConnect VPN Agent
• WatchGuard
Supported VPNs for Mac
• Apple VPN in PPTP mode
• Cisco SSL VPN AnyConnect
• Juniper Network Connect
• Junos Pulse
• OpenVPN; Open VPN (Tunnelblick)
• Palo Alto VPN (GlobalProtect)
Smart card access software
The SteelHead Mobile client has been tested with the Active Client 6.2 (Windows 7 only) access software.
Safety guidelines
Follow the safety precautions outlined in the Safety and Compliance Guide when installing and setting up your equipment.
Caution: Failure to follow these safety guidelines can result in injury or damage to the equipment. Mishandling of the equipment voids all warranties. Please read and follow safety guidelines and installation instructions carefully.
Many countries require the safety information to be presented in their national languages. If this requirement applies to your country, consult the Safety and Compliance Guide. The guide contains the safety information in your national language. Before you install, operate, or service the Riverbed products, you must be familiar with the safety information. Refer to the guide if you don’t clearly understand the safety information provided in the documentation.
New features in SteelHead Mobile 5.5
SteelHead Mobile 5.5 includes the following functionality:
• Host label support for SteelHead Mobile - Host labels are names given to sets of hostnames and subnets used to streamline your network configuration. This release lets you create host labels using the Host Labels menu on the Networking page or the CLI.
• MAPI/HTTP optimization support for Windows - MAPI over HTTP is a transport mechanism used to connect Outlook and Exchange. This feature enables MAPI-over-HTTP optimization for Windows clients. You enable this feature by clicking the Enable MAPI over HTTP optimization check box on the Policies page (in the MAPI protocol section) or the CLI.
• Mobile Controller-v for ESXi 6.0 compatibility - Mobile Controller-v is now compatible with ESXi version 6.0.0, 3620759 (update 2).
• Mobile Controller-v compatibility for Hyper-V - With this release, the Mobile Controller-v can be used with the Microsoft Hyper-V hypervisor (version 6.3.9600.16404). For installation instructions, see
Installing Mobile Controller-v for Hyper-V. • SteelHead Mobile qualification with Windows SteelConnect VPN Agent - The Windows SteelConnect VPN Agent has been qualified for use on SteelHead Mobile.
• SteelHead Mobile support for macOS Sierra
Each software release includes release notes. The release notes identify new features in the software as well as known and fixed problems. To obtain the most current version of the release notes, go to the Software and Documentation section of the Riverbed Support site at
https://support.riverbed.com. Examine the release notes before you begin the installation and configuration process.
Upgrading to SteelHead Mobile 5.5
This section describes how to upgrade your Mobile Controller appliance to SteelHead Mobile 5.5. These instructions assume that you’re familiar with the Riverbed CLI and Management Console.
To upgrade your software
1. Log in to the Management Console using the administrator account (admin).
2. Choose Configure > Maintenance > Software Upgrade page and select one of these options:
– From URL - Type the URL that points to the software image. Use one of these formats:
http://host/path/to/file
https://host/path/to/file
ftp://user:password@host/path/to/file
scp://user:password@host/path/to/file
– From Riverbed Support Site - Select the target release number from the drop-down list to download a delta image directly to the appliance from the Riverbed Support site. The downloaded image includes only the incremental changes. You don’t need to download the entire image. The system downloads and installs the new image immediately after you click Install. To download and install the image later, schedule another date or time before you click Install.
– From Local File - Browse your file system and select the software image.
– Schedule Upgrade for Later - Select this check box to schedule an upgrade for a later time. Type the date and time in the Date and Time text boxes using these formats:
yyyy/mm/dd and hh:mm:ss.
3. Click Install to immediately upload and install the software upgrade on your system, unless you schedule it for later.
The software image can be quite large; uploading the image to the system can take a few minutes. Downloading a delta image directly from the Riverbed Support site is faster because the downloaded image includes only the incremental changes and is downloaded directly to the appliance.
As the upgrade progresses, status messages appear. After the installation is complete, you’re reminded to reboot the system to switch to the new version of the software.
4. Choose Configure > Maintenance > Reboot/Shut Down and click Reboot.
The appliance can take a few minutes to reboot. This behavior is normal because the software is configuring the recovery flash device. Don’t press Ctrl+C, unplug, or otherwise shut down the system during this first boot. There is no indication displayed during the system boot that the recovery flash device is being configured.
After the reboot, the Home page, the Software Upgrade page, and the Support page of the Management Console display the version upgrade.