Configuring WinSec Controller
You configure WinSec Controller through its web-based Management Console. We strongly recommend using the console for configuration and administration activities. The procedures here assume that you are logged in to the Management Console. For details about accessing the WinSec Controller console, see
Accessing the WinSec Controller Management Console.For best performance, we recommend a latency of no more than 10 milliseconds between the WinSec Controller and the domain controller.
You can clear all fields in a form in the Management Console by clicking Reset.
About system requirements
Before you begin, ensure that your WinSec Controller and all peer appliances meet the minimum hardware and software requirements. See
About peer appliance hardware and software requirements.Configure the WinSec Controller first, and then configure the SteelHeads. Here’s some of the information you’ll need on hand while configuring WinSec Controller:
• IPv4 address, IPv4 subnet mask, and IPv4 gateway for the WinSec Controller primary and (for manual configuration) auxiliary interfaces.
• IPv4 address, IPv4 subnet mask, and optional IPv4 gateway for the primary interface on each SteelHead peer appliance.
• IP addresses and domains for primary and optional backup DNS servers.
• Fully qualified domain name or IP address for optional NTP servers.
• Optionally, valid self-signed certificate on the WinSec Controller for certificate-based authentication. The appliance ships with a default certificate, which you can replace at any time.
• Optionally, a shared secret for IKE based IPsec tunnel.
• Optionally, a password for the secure vault.
• Server domain, username, and password for replication users.
About firewall requirements
If the WinSec Controller is located behind a firewall, you’ll need to configure the firewall to allow traffic through these ports:
Direction | Port | Usage | Protocol |
Incoming | 443 | Secure, web-based Management Console, Secure REST API server, auto-licensing communication | TCP |
Incoming | 22 | SSH access for management and troubleshooting | TCP |
Incoming | 500 | IPsec | UDP |
Outgoing | 53 | DNS | UDP |
Outgoing | 123 | NTP | UDP |
Outgoing | 139 and 445 | Domain controller–SMB | TCP |
Outgoing | 389 | Domain controller–LDAP | TCP/UDP |
Outgoing | 636 | Domain controller–LDAPS | SSL |
Outgoing | 88 | Domain controller–Kerberos | TCP/UDP |
Outgoing | 135 | Domain controller–EPM/RPC | TCP |
Outgoing | 443 | Optional. Secure communication for auto-licensing. The Riverbed license server is hosted at cloudclmf2.riverbed.com | TCP |
Outgoing | <configured SMTP port> | Optional. The port is configurable under SMTP settings; the default is 25. Used for email notifications to administrator. | |
Outgoing | <configured remote syslog port> | Optional. The port is configurable under remote system logging settings; the default is 514. Used for remote, centralized log collection. | UDP/TCP/TLS |
About network interfaces and static routes
WinSec Controller base interfaces are its primary and auxiliary interfaces. Routing tables are necessary when the WinSec Controller and peer SteelHead appliances are located on different subnets. When that is the case, you’ll need to connect the WinSec Controller and SteelHeads by configuring static routes between them on each appliance. If the WinSec Controller and your Active Directory, or domain controller, also are not on the same subnet, you’ll need to configure an additional static route for connectivity.
You can use DHCP on the primary interface if you ensure the IP configuration on the DHCP server is tied to the WinSec Controller’s primary MAC address.
The WinSec Controller and its peer SteelHeads communicate and optimize traffic through their primary interfaces. Connect the primary interface on each appliance to the data plane. We recommend that you manually configure this interface with a static IP address.
The WinSec Controller must connect to the DNS server, the server domain controller, and the user domain controller through the primary interface or static routes.
The Management Console and SSH access use the auxiliary interface. Connect this interface to your management network. The default configuration for this interface uses DHCP. After the WinSec Controller is powered on, it will attempt to fetch a DHCP lease through this interface.
For non-DHCP environments, you can use a restricted CLI to configure interfaces with limited functionalities. See
About WinSec Controller CLI commands.Configuring WinSec Controller base interfaces
1. Choose Configuration > Base Interfaces > Interfaces.
2. Select Enable Primary Interface.
3. Select an option:
– Automatic
– Manual
4. Select Enable Auxiliary Interface.
5. Optionally, enter a new Maximum Transmission Unit (MTU) value for this interface.
6. Select an option:
– Automatic
– Manual
7. Optionally, enter a new MTU value for this interface.
8. Click Submit.
To return to the default values, click Reset.
Configuring static routes
Route configuration uses standard Linux conventions. All routes, including those automatically created during base interface configuration, are displayed in the Main IPv4 Routing Table.
1. Choose Configuration > Base Interfaces > Main IPv4 Routing Table.
2. Click Add a New Route.
3. Enter the routing information for the peer appliance. Gateway information is optional; the default value for this option is 0.0.0.0.
4. Click Submit.
5. Repeat these steps for each peer appliance.
To remove a route, select it and click Remove selected.
About unified interface mode
Unified interface mode is useful in environments where many peer SteelHeads and Domain Controllers are spread across several subnets. Normally, connecting these appliances would require the manual configuration of many static routes. When this feature is enabled, all traffic (management and data) flows through the primary interface. The primary interface becomes the default interface, and the auxiliary interface is disabled. With all traffic flowing through the primary interface, you do not need to configure static routes on WinSec Controller for each peering SteelHead subnet.
Ensure that you fully configure the primary interface before enabling this feature. Otherwise, you could lose access to the appliance. Before disabling the feature, you might want to ensure that the auxiliary interface is fully configured.
This feature can be configured in the web interface or through the CLI, and it can be configured prior to bootstrapping the appliance.
Enabling unified interface mode
1. Choose Configuration > Base Interfaces > Interfaces.
2. Ensure that the primary interface is configured and has external connectivity.
3. Enable the feature, and then confirm your choice at the prompt.
All user-configured routes are deleted
About WinSec Controller CLI commands
You can configure some interface functionalities, such as enabling and disabling unified interface mode, through the WinSec Controller CLI.
These are the supported CLI commands:
• configure interface—Statically configures an interface.
• show interfaces—Displays aux (Mgmt) and primary (Data) interface configuration.
• show routes—Displays the routing table.
• enable saml—Enables Security Assertion Markup Language (SAML) authentication and facilitates SSO integration.
• no enable saml—Disables SAML authentication.
• enable unified interface mode—Mgmt and Data traffic will flow via the primary interface.
• no enable unified interface mode—Mgmt traffic will flow via the aux interface, and Data traffic will flow via the primary interface.
• reset interface config—Factory resets all the interface’s configuration.
• factory reset—Factory resets the entire appliance configuration. The appliance will reboot after the command is run.
• help—Lists all available commands.
For more details about using CLI commands, see the Riverbed Command-Line Interface Reference Manual.
About host settings and NTP servers
WinSec Controller host settings include these items:
• Name—The hostname of the WinSec Controller.
• Primary DNS server—The IP address of the primary DNS server.
• Secondary DNS server—The IP address of the secondary, backup DNS server.
• Tertiary DNS server—The IP address of the tertiary, backup DNS server.
• DNS domain list—A comma-separated list of domains where the DNS servers reside.
We strongly recommend that you also add a Network Time Protocol (NTP) server. Your domain controller can also serve as your NTP server.
Server key replication can fail when the WinSec Controller and domain controller clocks are not synchronized within at least five minutes.
NTP server settings include these items:
• FQDN or IP address—The fully qualified domain name (FQDN) or IP address of the NTP server.
• Status—The status of the NTP server on the WinSec Controller: enabled or disabled.
Configuring WinSec Controller host settings
1. Choose Configuration > Host Settings > Host section.
2. Enter a name for the host.
3. Enter the IP address for the primary DNS server.
4. Optionally, enter IP addresses for secondary and tertiary DNS servers.
5. Enter the domains where your DNS servers reside.
6. Click Submit.
Adding, enabling, and removing NTP servers
1. Choose Configuration > Host Settings > NTP Servers section.
2. Click Add a new NTP server.
3. Enter the fully qualified domain name or IP address for the NTP server.
4. Select Enabled from the Status menu.
5. Click Submit.
To remove a server, select it from the list, and then click Remove selected.
About secure peering
WinSec Controller communicates with peer appliances through an IPsec secure tunnel. You can choose one of these two methods for authentication: shared secret or self-signed certificate. Remember to verify the certificate if you choose the self-signed certificate method.
Ensure that the WinSec Controller base interfaces are configured before you configure secure peering.
To establish a peering relationship, you’ll need to configure peering on the WinSec Controller and on the server-side SteelHead. For details, see
Configuring WinSec Controller Peers.About perfect forward secrecy
Perfect forward secrecy (PFS) is a feature of key agreement protocols that protects session keys from being compromised even if long-term secrets used in the session key exchange are compromised. PFS protects past sessions against future compromises of keys or passwords. When this feature is enabled, the WinSec Controller will renegotiate keys at specified intervals. If one key is compromised, subsequent keys are secure because they’re not derived from previous keys.
When shared secret mode is enabled, any further configuration changes to the secure peering general settings will require that you reenter the secret.
Configuring secure peering general settings
1. Choose Configuration > Secure Peering (IPsec).
2. Optionally, enable Perfect Forward Secrecy.
3. Select an IKE encryption policy.
4. Select an IKE authentication policy.
5. Select an ESP encryption policy.
6. Select an ESP authentication policy.
7. Enter a duration in minutes between key renegotiations.
8. Select an authentication mode: Shared Secret or Certificate.
The default is Shared Secret. When you change the authentication mode from Shared Secret to Certificate using the drop-down list, a Validate Certificate button appears. Click Validate Certificate to perform GET calls to validate for the presence of a local self-signed certificate as part of WinSec Controller secure peering through an IPsec tunnel using the primary interface with SteelHead as a peer.
Adding appliances to the peer list
1. Choose Configuration > Secure Peering (IPsec).
2. Click the Add peer button and provide information about which peer to add.
3. Click Submit.
Removing appliances from the peer list
1. Choose Configuration > Secure Peering (IPsec).
2. Select an appliance.
3. Click Remove selected peers.
Locking and unlocking the WinSec Controller secure vault
The WinSec Controller secure vault encrypts and stores SSL certificates and replication user data.
1. Choose Configuration > Secure Vault.
2. Perform one of these actions:
– Enter a password to override the default password of the secure vault. After changing the password, the administrator will have to unlock the secure vault after every reboot or upgrade of the appliance. Until the secure vault is unlocked, the appliance will not be able to perform key replication.
– Reset the custom secure vault password to the default. Provide the current password, and leave the New Password and Confirm New Password fields blank.
3. Click Submit.
About replication users
You’ll need to supply the server domain of the replication server, and you can choose whether to specify domain information for the Kerberos replication user domain. WinSec Controller requires one Kerberos Replication Account per domain to support cross domain authentication. If you do not specify user domain information, the system will assume that the user domain and server domain are the same.
Regarding user domain settings, the Short User Domain Name setting refers to the NetBIOS name, which typically is the same as the first part of the user domain name. However, sometimes administrators change the NetBIOS name. In this case, you’ll need to set the Short User Domain Name setting to the NetBIOS name. You can find the NetBIOS name by running the nbtstat -n command on the domain controller.
When specifying domain names, you can use the wildcard character (*) to include all child domains.
After you configure replication users, you can test key and account replication to ensure your configurations are correct.
Configuring replication users
1. Choose Configuration > Replication Users.
2. Secure LDAP (LDAPS), LDAPS support is always enabled. If you need to validate the server certificate, enable server certificate verification.
3. Optionally, enable LDAP if secure LDAP is not available.
4. Add a user.
5. Enter the replication user server domain.
6. Optionally, enter the replication user domain.
7. Optionally, enter the short name for the replication user domain if it is different from the NetBIOS domain name.
8. Enter the replication user’s username.
9. Enter the replication user’s password.
10. Select the encryption type. This is the encryption type that WinSec Controller uses while communicating with the Domain Controller during key replication.
The arcfour-hmac-md5 encryption type might not work after Microsoft begins to enforce security using AES as the default encryption type. Microsoft begins enforcement on April 11, 2023.
11. Optionally, enter a comma-separated list of domain controller names for the replication user.
12. Save and submit your changes.
Granting replication user privileges on the DC
1. In Windows, open Active Directory Users and Computers and choose Start > Administrative Tools > Active Directory Users and Computers.
2. Select the domain name, right-click, and select Delegate Control.
3. Add one or more users to whom you want to delegate control.
4. Create a custom task to delegate.
5. Select this folder, existing objects in this folder, and creation of new objects in this folder.
6. Select General > Replicate Directory Changes.
7. Select Replicate Directory Changes All.
Click Finish if the correct groups and users appear with the permissions Replicating Directory Changes and Replicate Directory Changes All.
Viewing WinSec Controller replication statistics
You can view detailed statistics on replication activities on the Statistics > Replication page. You can filter reports by response code, domain, source, response time, time, and SPN. Filters are additive.
You can search for key terms. The contents of the table, except the contents of the Time column, are searchable. Key terms must be alphanumeric and can include these special characters: underscore (_), hyphen (-), period (.), and forward slash (/). Regex and phrases are not allowed. Search is case sensitive.
If the contents of the table become too large, you can remove statistics older than the date you specify.
About WinSec Controller key and password replication tests
Run the Replication test to determine if WinSec Controller can replicate keys from the Active Directory server or a domain controller.
Testing key replication
1. Choose Configuration > Replication Users > Troubleshooting > Replication.
2. Enter the server domain.
3. Optionally, enter the short user domain name.
4. Enter the FQDN or IPv4 address of the replication server.
5. Optionally, enable Collect TCP dump.
6. Optionally, enable Debug Level Logging.
7. Click Submit.
About remote logging
You can configure the system to send logs to remote log servers. You can configure multiple destination servers, and you can enable or disable each one separately. Available transport modes are UDP, TCP, and TLS.
For TLS mode, first add certificates in Administration > Certificate Management. Add the trusted CA certificate in the Certificate Authority section, and then add a client certificate signed by the trusted CA to the Remote Logging section. Then those certificates will appear for selection while configuring remote log forwarding.
After you add the certificates, they are available as options when configuring remote logging in TLS mode.
Before configuring remote logging, you need to add remote servers to the WinSec Controller.
Adding remote destination log servers
1. Choose Configuration > Logging.
2. Click Add a New Server.
3. Complete the form, and then click Submit.
Enabling remote logging
1. Choose Configuration > Logging.
2. Click Enabled.
About WinSec Controller certificates
You can add and remove any of these types of certificates in the Certificate Management page:
• Self-signed (For these certificates, generating a new one replaces the previous one.)
• Certificate authority
• Remote logging
• Web UI
• SMTP
Adding a trusted Web UI certificate is particularly useful as it obviates the need to add exceptions for the Management Console in your browser’s settings. See
Accessing the WinSec Controller Management Console. After you add a Web UI certificate, the system logs you out and restarts the Management Console service.
For Web UI and SMTP certificates, adding a new certificate overwrites the previous certificate—only one certificate at a time is supported.
For self-signed certificates, you can view the certificate details and generate new certificates.
Certificates are not needed if you use the shared secret mode for secure-peering authentication.
Generating a self-signed certificate
1. Choose Administration > Certificate Management.
2. Select Self-Signed from the Certificate Type menu.
3. Choose the Generate tab.
4. In the Self-Signed Certificate section, enter the required information.
5. Select an option from the Digest menu.
6. In the Private Key section, select an option from the Cipher bits menu.
7. Click Submit.
Viewing certificate details
1. Choose Administration > Certificate Management.
2. Select Self-Signed from the Certificate Type menu.
3. Choose the Details tab.
Adding other types of certificates
1. Choose Administration > Certificate Management.
2. Select a type of certificate other than self-signed.
3. Click Add New Certificate.
4. Complete the form, and then click Submit. You can copy and paste the contents of the certificate into the form, or browse to the certificate file.
To remove a certificate, select the certificate, and then click Remove Selected.
Configuring password policy
You can enable and disable the account control feature in the Password Policy page. The account control feature enables you to specify the number of login attempts a user can try before being locked out. You can also specify in seconds the duration of the lockout period.
1. Choose Administration > Password Policy.
2. Enable the feature.
3. Optionally, specify how many login attempts a user can try before they are locked out.
4. Specify in seconds the lockout duration.
5. Click Submit.
About email notifications
Email notifications are used for resetting a user’s password if they have forgotten it. By default, the WinSec Controller will use the domain name in the user’s email address to form the FQDN of the email server. If your organization uses a custom hostname or port (the default is port 25) for your email server, you can configure the WinSec Controller to use your custom settings.
If your email server is configured to use SSL, you can add your own SMTP certificate to the WinSec Controller and enable the SSL option. When the SSL option is not enabled, or when it is enabled and you do not add your own SMTP certificate, the WinSec Controller uses a self-signed certificate. For details about certificates, see
About WinSec Controller certificates.Enabling email notifications
1. Choose Administration > Email.
2. Enter server information.
3. Enter port information.
4. Optionally, enable SSL.
5. Click Submit.
About SAML
You set up Security Assertion Markup Language (SAML) in the Administration > SAML page.
WebUI access defaults to “local auth.” Enabling SAML disables “local auth” on WebUI access.
Security Assertion Markup Language (SAML) 2.0 is an XML standard that acts as an authentication interface between the WinSec Controller and an identity provider (IdP). You can use the IdP to provide additional requirements for authentication, such as a multifactor authentication based on a common access card (CAC) or personal identity verification (PIV).
When the WinSec Controller receives a login request, it determines if SAML is enabled. If SAML is enabled, user authentication through AAA is disabled and the WinSec Controller redirects the authentication request to the IdP. The IdP authenticates the user and redirects the user to the WinSec Controller, which allows access.
To enable IdP authentication, you configure the WinSec Controller and the IdP with XML metadata that provides detailed appliance identification. The metadata also establishes a trust relationship between the WinSec Controller and the IdP.
Administrators must add users to the IdP server to provide them login access, and those users need to correspond to the WinSec Controller users. You can have one-to-one mapping of users between IdP and the WinSec Controller, or you can have multiple users on IdP map to single account on the WinSec Controller, such as the admin account. (You have to create individual user accounts on the WinSec Controller for one-to-one mapping as the user accounts determine the access permissions.)
If a user who has not been set up in the IdP tries to log in to the WinSec Controller, the login fails on the IdP login page. If the user has been set up but their user mapping has not been defined in the IdP, the login succeeds but the WinSec Controller displays an error page.
SAML authentications are only available in the Management Console web interface; they are not available through the CLI. Users can log in to a SAML-enabled WinSec Controller through the CLI, but they are authenticated using the local, RADIUS, or TACACS+ authentication methods.
If you cannot log in using SAML (for example, if the IdP server is unavailable), you can log in through the CLI and disable SAML using the no enable saml command. Once SAML is disabled, you revert to the previously configured authentication method for the web interface. For command details, see the Riverbed Command-Line Interface Reference Manual.
You must be logged in as the administrator to enable or disable SAML.
Enabling SAML
1. Choose Administration > SAML.
2. Download WinSec Controller SAML metadata.
3. Configure WinSec Controller on IdP before proceeding with SAML configuration.
4. Under SAML Configuration, enter Identity Provider Metadata. Click Browse to get content of a file, or copy and paste the content.
5. Select the Sign Authentication Request check box to have WinSec sign the SAML authentication request sent to the identity provider. Signing the initial login request sent by WinSec allows the identity provider to verify that all login requests originate from a trusted service provider.
6. Select the Requires Signed Assertions check box if the IdP signs the assertion response. Some SAML configurations require signed assertions to improve security.
7. Select the Requires Encrypted Assertions check box if the SAML identity provider encrypts the assertion section of the SAML responses. Even though all SAML traffic to and from the WinSec Controller is already encrypted by the use of HTTPS, this option adds another layer of encryption.
8. In the Username Attribute field, enter the name of the IdP variable that carries the username. The Username attribute is mandatory and must be sent by your identity provider in the SAML response to align the login with a configured WinSec Controller account.
9. In the Member of Attribute field, enter the name of the IdP variable that carries the role of the user. The role must match with a local WinSec Controller user. This setting is mandatory.
10. Click Submit.
11. Under Enable SAML, click Enabled. Once SAML is enabled, only users with IdP credentials can log in to the WinSec Controller graphical user interface.
About roles
You can create roles for specific types of users and activities. For example, you might create a role for a small group of network admins, empowering that role to change network-related settings but limiting access to security settings like certificate management.
For custom roles, you can set permissions to read only, read and write (edit), or deny. These items are read-only for all roles and users: dashboard, help, and pending actions. Users assigned the admin role can change the password policy and licenses, and you can provision edit permission for those settings to a custom role, but we recommend limiting edit access to admin users.
Four default roles, which cannot be modified, provide convenient starting points:
• admin—This role has the most expansive capabilities, with edit permission for nearly every setting except password policy and licenses.
• monitor—This role can be provisioned to users who need only to monitor the system or generate system dump (sysdump) files. The only editable setting for users with this role is the User Specific > About setting.
• network—This role provides edit permission to network-related and maintenance-related settings. These settings are restricted to read-only: replication users, secure peering (IPsec), replication statistics, password policy, licenses. We recommend assigning this role to users that administer SteelHeads and other network administrators.
• replication—This role provides edit permission to most settings except base interfaces, password policy, and licenses settings, which are read-only for this role. We recommend assigning this role to users who also administer Windows systems and who need to configure replication users, the secure vault, and diagnostics and statistics settings.
Creating and removing custom roles
1. Choose Administration > Roles & Users.
2. In the Roles section, click Add a New Role.
3. Enter a name for the role. Alphanumeric (A-Z, a-z, 0-9), hyphen (-), and underscore (_) characters are allowed.
4. Select permissions.
5. Click Submit.
To edit or remove a custom role, you need to select it. Click the row to edit that role, enter updated values, and click Submit. Click Remove selected row to delete it.
Managing users
You can add and remove users. You can also change a user’s role, email, full name, description, and password.
1. Choose Administration > Roles & Users.
2. In the Users section, click Add a New User.
3. Enter a username for the account, the full name of the user, an email address for the user, and a description of the account.
4. Select a role.
5. Click Submit.
To remove a user account, select the account and click Remove selected row.