Managing Appliance Operations
You can perform these appliance operations for specified appliances or appliance groups in the Appliances page: Appliance Operations.
Appliance Operation
Task
Push Policies
Replace (Generate) Peering Certificates
License Update
Start/Stop Services
Shutdown
Set Password
Unlock the Secure Vault
Change Secure Vault Password
Send CLI Commands
SteelCentral NetShark
Disable the SSL Server Certificate Export
Remove SteelFusion Configuration
Join/Leave Windows Domain
Pushing Policies to Selected Appliances or Appliance Groups
You can push SCC configurations (in the form of policies) to selected appliances or appliance groups.
Any changes made to policies on the SCC do not take effect on remote appliances until the new configurations are pushed to the appliances.
When you push SCC configurations (in the form of policies) to selected appliances or appliance groups, appliance page configurations are also pushed.
For details about appliance page configurations, see Managing Appliance Pages.
Any scheduled operations on appliance groups execute according to the time on the SCC, not the time on the remote appliance. For example, if the SCC clock is set to Pacific Daylight Time (PDT) but the remote appliance clock is set to Central European Summer Time (CEST), then an operation scheduled for midnight on the SCC (PDT) is executed at 9:00 AM on the remote appliance (CEST). This operation applies only to SteelHeads and Interceptors.
For detailed information about pushing global policies, see Performing Global Policy Pushes.
To push a configuration to an appliance or an appliance group
1. Choose Manage > Topology: Appliances to display the Appliances page.
2. Click Appliance Operations to display the Appliance Operations page.
3. Select the appliances or appliance groups to which you want to push settings in the appliances table.
4. Select Push Policies from the operation drop-down list.
5. Complete the configuration as described in this table.
Control
Description
Include Path Selection, QoS, and Applications (RiOS 9.0 and later); Web Proxy and Application Stats Collection (RiOS 9.1 and later)
Specify to include path selection rules, QoS profiles, applications, web proxy settings, and application statistics in the policy push. Applicable to RiOS 9.0.x or later.
Restart Optimization Service If Required
Specify to automatically restart the RiOS service on the appliances after the push.
Restart QoS Service If Required
Specify to automatically restart the QoS service, if required.
•  For legacy outbound QoS (Advanced) policy changes: The QoS service must first be disabled if the policy push changes the queue type of an existing QoS class. If the QoS service is not disabled, the policy push fails.
•  For legacy outbound QoS (Basic) and outbound QoS (Advanced): Disables the QoS service on all appliances that you push to. This option temporarily disrupts QoS enforcement.
Schedule Deferred Push
Specify to schedule the action for a later time and date. If this option is not selected, the action occurs the next time the appliance connects.
•  Date and Time - Specify the date and time in this format: YYYY/MM/DD HH:MM:SS
This operation applies only to SteelHeads and Interceptors.
Push
Pushes your configuration changes to the selected appliances and groups.
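The SCC-clock rule and the YYYY/MM/DD HH:MM:SS format described above, as an added example (not Riverbed code): it converts a deferred time entered on the SCC into each appliance's local time, flags actions that would land in local business hours, and computes the SCC-side value for a desired local time. The appliance names, IANA time zones, and the weekday 08:00-18:00 window are assumptions.

```python
from datetime import datetime, time
from zoneinfo import ZoneInfo

SCC_FORMAT = "%Y/%m/%d %H:%M:%S"  # the YYYY/MM/DD HH:MM:SS format from the table

# Constructed inventory: appliance name -> IANA zone of the appliance clock
APPLIANCES = {
    "sh-berlin": "Europe/Berlin",         # observes CEST in summer
    "sh-seattle": "America/Los_Angeles",  # observes PDT in summer
}


def parse_scc_schedule(text, scc_tz):
    """Parse a schedule string as wall-clock time on the SCC.

    Raises ValueError if the text is not in YYYY/MM/DD HH:MM:SS form.
    """
    naive = datetime.strptime(text.strip(), SCC_FORMAT)
    return naive.replace(tzinfo=ZoneInfo(scc_tz))


def local_execution_times(schedule, scc_tz, appliance_zones,
                          busy_start=time(8, 0), busy_end=time(18, 0)):
    """Return {appliance: (local time string, lands_in_business_hours)}."""
    when = parse_scc_schedule(schedule, scc_tz)
    report = {}
    for name, zone in appliance_zones.items():
        local = when.astimezone(ZoneInfo(zone))
        # Assumed change-window policy: weekdays, 08:00 up to 18:00 local
        busy = local.weekday() < 5 and busy_start <= local.time() < busy_end
        report[name] = (local.strftime(SCC_FORMAT + " %Z"), busy)
    return report


def scc_schedule_for(local_text, appliance_zone, scc_tz):
    """Inverse: the value to enter on the SCC so that the action runs at
    the given wall-clock time on the appliance."""
    local = datetime.strptime(local_text.strip(), SCC_FORMAT)
    local = local.replace(tzinfo=ZoneInfo(appliance_zone))
    return local.astimezone(ZoneInfo(scc_tz)).strftime(SCC_FORMAT)


if __name__ == "__main__":
    # Midnight on an SCC set to Pacific time, as in the example in the text
    result = local_execution_times("2024/07/15 00:00:00",
                                   "America/Los_Angeles", APPLIANCES)
    for name, (local, busy) in result.items():
        note = "inside business hours" if busy else "outside business hours"
        print(f"{name}: {local} ({note})")
    # What to enter on the SCC for a 01:00 maintenance window in Berlin
    print(scc_schedule_for("2024/07/16 01:00:00",
                           "Europe/Berlin", "America/Los_Angeles"))
```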
Replacing (Generating) Peering Certificates
You can replace the peering certificates used to secure the inner channel between the SteelHeads by generating new private keys and self-signed public certificates.
If possible, the certificates are signed by the certificate authority, otherwise they are self-signed.
A policy push must be initiated to all SteelHeads for the new certificates to be used in peering. If the policy push excludes any affected SteelHeads, SSL optimization to the SteelHeads does not work properly.
If CA is enabled, all newly generated certificates are automatically signed. The existing certificates must be replaced to be signed.
To replace (generate) peering certificates
1. Choose Manage > Topology: Appliances to display the Appliances page.
2. Click Appliance Operations to display the Appliance Operations page.
3. Select Replace (Generate) Peering Certificates from the operation drop-down list.
4. Under Self-Signed Certificate, complete the configuration as described in this table.
Control
Description
Common Name
Specify the common name of a certificate.
•  Appliance Hostname - Select if the common name is the hostname or IP address.
•  Custom Name - Select to specify a common name other than the hostname or IP address.
To facilitate configuration, you can use wildcards in the name: for example, *.example.com. If you have three origin servers using different certificates, such as webmail.example.com, internal.example.com, and marketingweb.example.com, on the server-side SteelHeads, all three server configurations can use the same certificate name *.example.com.
Organization Name
Specify the organization name (for example, the company).
Organization Unit Name
Specify the organization unit name (for example, the section or department).
Locality
Specify the city.
State
Specify the state.
Country
Specify the country (2-letter code only).
Email Address
Specify the email address of the contact person.
Validity Period
Specify how many days the certificate is valid.
5. Click Replace to replace the peering certificates.
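An added example (not Riverbed code) showing which hostnames a wildcard common name such as *.example.com covers. It assumes the usual TLS rule that the wildcard stands for exactly one leftmost label; the page does not state how RiOS matches names, and the apex and nested hostnames below are constructed.

```python
def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, and split it into labels."""
    return name.lower().rstrip(".").split(".")


def wildcard_matches(pattern, hostname):
    """True if a certificate name (optionally '*.suffix') covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h or "*" in h:
        return False
    if p[0] == "*":
        # Only a whole leftmost label may be a wildcard, and at least two
        # fixed labels must follow it (so '*.com' never matches anything).
        return len(p) >= 3 and "*" not in p[1:] and p[1:] == h[1:]
    # No wildcard: the names must be identical; partial wildcards are rejected
    return all("*" not in label for label in p) and p == h


def certificate_coverage(cert_names, servers):
    """Map each origin server to the first certificate name covering it, or None."""
    return {
        server: next((c for c in cert_names if wildcard_matches(c, server)), None)
        for server in servers
    }


# The three origin servers named in the text, plus two constructed cases
SERVERS = [
    "webmail.example.com",
    "internal.example.com",
    "marketingweb.example.com",
    "example.com",          # constructed: the bare domain
    "mail.eu.example.com",  # constructed: two labels below the domain
]

if __name__ == "__main__":
    coverage = certificate_coverage(["*.example.com"], SERVERS)
    for server, cert in coverage.items():
        print(f"{server:26} -> {cert or 'needs its own certificate name'}")
```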
Updating Licenses
The SCC fetches and pushes licenses to selected appliances or groups. You can also fetch a license from the Riverbed License portal and store it locally. This option ignores the selected appliances and applies the license to all appliances specified in the license file.
To update a license
1. Choose Manage > Topology: Appliances to display the Appliances page.
2. Click Appliance Operations to expand the page.
3. Select License Update from the operation drop-down list.
4. Under License Update Method, complete the configuration as described in this table.
Control
Description
Update License using Riverbed Licensing Portal
Select the option to update the license using the Riverbed Licensing Portal.
From Local File
Click this option and specify the path, or click Browse to navigate to the local file directory.
Update
Updates the current license.
Starting and Stopping Appliances
You can start and stop the system service on selected appliances and appliance groups.
For detailed information about user permissions, see User Permissions.
To start or stop an appliance or an appliance group
1. Choose Manage > Topology: Appliances to display the Appliances page.
2. Click Appliance Operations to expand the page.
3. Select Start/Stop Services from the operation drop-down list.
4. Complete the configuration as described in this table.
Control
Description
Service Action
Select Start, Stop, or Restart from the drop-down list.
Clean Data Store
Specify this option to clear the RiOS data store.
This option only applies to SteelHeads.
Schedule Deferred Service Action
Specify to schedule the action for a later time and date. If this option is not selected, the action occurs the next time the appliance connects.
•  Date and Time - Specify the date and time in this format: YYYY/MM/DD HH:MM:SS
This option only applies to SteelHeads and Interceptors.
Apply
Click Apply to apply your changes to the selected appliances or appliance groups.
The results of this operation can be viewed in the Operation History page. For detailed information about operation history, see Managing Appliance Operation History.
Shutting Down Appliances
Shut down the system on selected appliances and appliance groups. You can also clean the data store and schedule a shutdown.
To shut down an appliance or an appliance group
1. Choose Manage > Topology: Appliances to display the Appliances page.
2. Click Appliance Operations to expand the page.
3. Select Shutdown from the operation drop-down list.
4. Complete the configuration as described in this table.
Control
Description
Clean Data Store
Specify to clean the RiOS data store.
Schedule Deferred Shutdown
Specify to schedule the action for a later time and date. If this option is not selected, the action occurs the next time the appliance connects.
•  Date and Time - Specify the date and time in this format: YYYY/MM/DD HH:MM:SS
Shutdown
Select the check box next to the name of the appliance and appliance groups you want to shut down and click Shutdown.
The results of this operation can be viewed in the Operation History page. For detailed information about operation history, see Managing Appliance Operation History.
Setting the Password for Appliances
You can set the password for administrator and monitor users on selected appliances and groups.
The SCC sets the password used to connect with the remote appliance. The SCC automatically updates the password that is used by the SCC to connect with the remote appliance.
To set the password for an appliance or an appliance group
1. Choose Manage > Topology: Appliances to display the Appliances page.
2. Click the Appliance Operations tab to expand the page.
3. Select Set Password from the operation drop-down list.
4. Complete the configuration as described in this table.
Control
Description
User
Type admin or monitor in the text box.
Password
Specify the password.
Confirm Password
Confirm the password.
Set Password
Sets the specified password.
The results of this operation can be viewed in the Operation History page. For detailed information about operation history, see Managing Appliance Operation History.
Unlocking the Secure Vault
You can unlock the Secure Vault on selected appliances and appliance groups.
The SCC unlocks the secure vault on the selected appliances or groups if the correct password has been specified. If successful, this operation also automatically updates the stored copy of the secure vault password for each selected appliance.
When the secure vault on an appliance or an appliance group is locked, you cannot push some configuration settings.
This operation applies only to SteelHeads.
To unlock the secure vault on an appliance or an appliance group
1. Choose Manage > Topology: Appliances to display the Appliances page.
2. Click Appliance Operations to display the Appliance Operations page.
3. Select Unlock Secure Vault from the operation drop-down list.
4. Specify the password and click Unlock Vault to unlock the secure vault on the selected appliances or appliance groups.
The results of this operation can be viewed in the Operation History page. For detailed information about operation history, see Managing Appliance Operation History.
Changing the Secure Vault Password
You can change the password for the Secure Vault on selected appliances and appliance groups.
The SCC must know the current secure vault password, which is set on the SSL configuration page of each appliance. This operation automatically updates the stored copy of each password on the selected appliance.
This operation applies only to SteelHeads, SteelHead EXs, and Mobile Controllers.
To change the secure vault password on an appliance or an appliance group
1. Choose Manage > Topology: Appliances to display the Appliances page.
2. Click Appliance Operations to display the Appliance Operations page.
3. Select Change Secure Vault Password from the operation drop-down list.
4. Specify the current password, or leave the text box blank if the factory default password is.
5. Specify the new vault password, or leave the text box blank to reset to the factory default password.
6. Confirm the new secure vault password.
7. Click Change Password to change the secure vault password.
The results of this operation can be viewed in the Operation History page. For detailed information about operation history, see Managing Appliance Operation History.
Sending CLI Commands
You can send a set of CLI commands to the selected appliances and groups.
To send CLI commands to an appliance or an appliance group
1. Choose Manage > Topology: Appliances to display the Appliances page.
2. Click Appliance Operations to display the Appliance Operations page.
3. Select Send CLI Commands from the operation drop-down list.
4. Complete the configuration as described in this table.
Control
Description
Text field
Paste or type the set of CLI commands in the provided text field. Each command must be on a separate line.
This feature provides the flexibility to configure your appliances using CLI commands. For example, using the CLI commands in policies:
•  enables you to configure new appliance features.
•  enables you to override specific configuration items at a subpage granularity without maintaining multiple copies of otherwise identical policies.
Sending CLI commands has these restrictions:
–  The SCC cannot parse the CLI commands or check whether they are compatible with the rest of the configuration, so a failure is harder to diagnose.
–  The CLI commands from all assigned policies are sent with every push. Given this, you must check each policy that is assigned to each parent group and individually check its details to review exactly what was pushed.
Schedule Deferred Command Execution
Specify to schedule the action for a later time and date. If this option is not selected, the action occurs the next time the appliance connects.
•  Date and Time - Specify the date and time in this format: YYYY/MM/DD HH:MM:SS
Send
Executes the commands on the appliance.
Starting or Stopping SteelCentral NetShark Service
You can start or stop the SteelCentral NetShark service; it can take up to 5 minutes to take effect.
This operation applies only to SteelHeads.
To start or stop the SteelCentral Shark service
1. Choose Manage > Topology: Appliances to display the Appliances page.
2. Click Appliance Operations to display the Appliance Operations page.
3. Select SteelCentral NetShark from the operation drop-down list.
4. Complete the configuration as described in this table.
Control
Description
Service Action
Select Start or Stop from the drop-down list.
Apply
Applies your settings to the running configuration.
Disabling SSL Server Certificate Export
You can disable the SSL server certificate export feature. For security reasons, once a certificate export has been disabled, it cannot be reenabled.
This operation applies only to SteelHeads.
Consider making SSL server certificates and private keys nonexportable with your particular security goals in mind. Before doing so, you must have a thorough understanding of its impact. Use caution and consider these best practices before making SSL configurations nonexportable:
•  After disabling export on a new SteelHead running 7.0.1, you cannot reenable it unless you clear the secure vault and perform a factory reset on the SteelHead. (Performing a factory reset results in losing your configuration settings.)
•  After upgrading a SteelHead to RiOS 7.0.1 and disabling export, you cannot export any preexisting or newly added server certificates and private keys to another SteelHead.
•  After disabling export, any newly added server certificates and keys are marked as nonexportable.
•  After disabling export and then downgrading a SteelHead to a previous RiOS version, you cannot export any of the existing server certificates and private keys. You can export any newly added server certificates and private keys.
•  Disabling export prevents you from copying the secure vault content.
To disable SSL server certificate export
1. Choose Manage > Topology: Appliances to display the Appliances page.
2. Click Appliance Operations to display the Appliance Operations page.
3. Select Disable SSL Server Certificate Export from the operation drop-down list.
4. Click Disable Export.
Removing SteelFusion Core
You can disconnect the SteelFusion Edge from a SteelFusion Core or a high availability peer appliance, and delete the existing SteelFusion Edge configuration.
For detailed information, see the SteelHead Management Console User’s Guide for SteelHead EX.
This operation applies only to SteelHead EXs.
To remove SteelFusion Core
1. Choose Manage > Topology: Appliances to display the Appliances page.
2. Click Appliance Operations to display the Appliance Operations page.
3. Select Remove SteelFusion Configuration from the operations drop-down list.
4. Click Remove.
Joining or Leaving a Windows Domain
You can join or leave a Windows domain; this action can take up to 5 minutes to take effect.
For detailed information about Windows domains, see the SteelHead Management Console User’s Guide for SteelHead CX.
To join or leave a Windows domain
1. Choose Manage > Topology: Appliances to display the Appliances page.
2. Click Appliance Operations to display the Appliance Operations page.
3. Select Join/Leave a Windows Domain from the operation drop-down list.
4. Complete the configuration as described in this table.
Control
Description
Domain action
Joins or leaves the domain.
If you are in domain mode and have joined a domain, you cannot change to local work-group mode until you leave the domain.
Active Directory Domain Name/Realm
Specify the domain in which to make the SteelHead a member. Typically, this is your company domain name. RiOS supports Windows 2000 or later domains.
RiOS does not support nondomain accounts other than administrator accounts. If you create Local mode shares on a nonadministrator account, your security permissions for the share are not preserved on the origin-file server.
Join Account Type
Specifies which account type the server-side SteelHead uses to join the domain controller.
You can optimize the traffic to and from hosted Exchange servers. You must configure the server-side SteelHead in the Active Directory integrated mode for Windows 2003 or Windows 2008. This allows the SteelHead to use authentication on the Exchange servers that provide Microsoft Exchange online services. The domain that the server-side SteelHead joins must be either the same as the client user or any domain that trusts the domain of the client user.
Be aware that when you integrate the server-side SteelHead in the Active Directory, it does not provide any Windows domain controller functionality to any other machines in the domain and does not advertise itself as a domain controller or register any SRV records (service records). In addition, the SteelHead does not perform any replication nor hold any Active Directory objects. The server-side SteelHead has just enough privileges so that it can have a legitimate conversation with the domain controller and then use transparent mode for NTLM authentication.
The Active Directory integration provides a way to optimize NTLM authentication from Windows 7/2008 R2 and newer clients when using transparent mode. This scenario is only successful for servers and clients that can make use of NTLM authentication. The server-side SteelHead joins a domain with DC privileges and then uses NTLM pass-through authentication to perform the authentication. Using transparent mode simplifies the configuration.
Select one of these options from the drop‑down list:
•  Workstation - Joins the server-side SteelHead to the domain with workstation privilege. You can join the domain with this account type using any ordinary user account that has the permission to join a machine to the domain. This is the default setting.
•  Backup Domain Controller (BDC) - Configures the BDC. The BDC maintains a read-only copy of a user accounts database and verifies logins from users. When changes are made to the master accounts database on the PDC, the PDC pushes the updates down to the BDC.
•  Read-Only Domain Controller (RODC) - Configures a domain controller that hosts the read-only partitions of the Active Directory database and responds to security authentication requests. RODC is designed to be used in branch offices that cannot support their own domain controllers, and can be used in a Windows Server 2008 environment or higher.
Domain Login
Specify the login name, which must have domain join privileges.
Domain administrator credentials are not strictly required, except when you join the domain as an Active Directory integration.
RiOS deletes domain administrator credentials after the join.
Password
Specify the password. This control is case sensitive.
Domain Controller Name(s)
Specify the hosts that provide user login service in the domain, separated by commas. (Typically, with Windows 2000 Active Directory Service domains, given a domain name, the system automatically retrieves the DC name.)
Specifying domain controller names is required if you are joining the domain in Active Directory integrated mode 2008 and higher, and the network contains domain controllers running Windows 2003 or older operating system versions.
Riverbed recommends specifying the domain controller names in environments where there is varying latency between the SteelHead and the domain controllers.
Short Domain Name
Optionally, specify the short domain (NetBIOS) name if it does not match the first portion of the Active Directory domain name. The short domain name is case sensitive.
Apply
Applies your changes to the running configuration.