Managing SteelFusion Edges

You can start, stop, and restart the optimization service in the Administration > Maintenance: Services page. You can also use this page to reset the optimization service alarm after it has been triggered.

The optimization service is a daemon that executes in the background, performing operations when required.

Many of the optimization service commands are initiated at startup. It is important to restart the optimization service when you have made changes to your configuration.

Restarting the optimization service disrupts existing network connections that are proxied through the SteelHead.

To start, stop, or restart services

1. Choose Administration > Maintenance: Services to display the Services page.

Services page

2. Under Optimization Service click Stop, Start, or Restart.

3. Click Save to save your settings permanently.

To remove data from the RiOS data store, click Clear Data Store. For details, see Clearing the RiOS data store.

To reset the optimization service alarm

1. Choose Administration > Maintenance: Services to display the Services page. The option to reset the optimization service alarm appears only after RiOS triggers the Reset Service alarm.

2. Under Reset Service alarm, click Reset Service alarm.

3. Click Save to save your settings permanently.

Configuring scheduled jobs

You can view completed, pending, inactive jobs, as well as jobs that were not completed because of an error in the Administration > Maintenance: Scheduled Jobs page. You can also delete a job, change its status, or modify its properties.

Jobs are commands that are scheduled to execute at a time you specify.

You can use the Management Console to:

•schedule an appliance reboot or shut down.

•generate multiple TCP trace dumps on a specific date and time.

To schedule all other jobs, you must use the Riverbed CLI.

For details about scheduling jobs using the CLI, see the Riverbed Command-Line Interface Reference Manual.

To configure scheduled jobs

1. Choose Administration > Maintenance: Scheduled Jobs to display the Scheduled Jobs page.

Scheduled Jobs page

2. Select Enabled or Disabled from the drop-down list to enable or disable the job.

3. Select the Job ID number to display details about the job.

4. Under Details for Job <#>, complete the configuration as described in this table.

Control	Description
Name	Specify a name for the job.
Comment	Specify a comment.
Interval (seconds)	Specify the number of seconds between job recurrences. Specify 0 to run the job one-time only.
Executes on	Specify the start time and end time using the format yyyy/mm/dd hh:mm:ss.
Enable/Disable Job	Select the check box to enable the job, clear the check box to disable the job.
Apply Changes	Applies the changes to the current configuration.
Cancel/Remove This Job	Cancels and removes the job.
Execute Now	Runs the job.
Remove Selected Jobs	Select the check box next to the name and click Remove Selected Jobs.

5. Click Save to save your settings permanently.

Upgrading or downgrading the software

You can upgrade, downgrade, or revert to a backup version of the SteelFusion Edge software in the Administration > Maintenance: Software Upgrade page.

The top of the page displays the current version number and the backup version.

The SteelFusion version history appears at the bottom of the page. Select a column heading to sort the column in ascending or descending order.

The RiOS software upgrade is separate from the hypervisor upgrade. Upgrading or changing the RiOS version does not affect the ESXi version. For details on upgrading the hypervisor, see Upgrading the hypervisor.

To upgrade your software

1. Download the software image from the Riverbed Support site to a location such as your desktop. Optionally, you can download a delta image directly from the Riverbed Support site to the SteelFusion Edge. The download image includes only the incremental changes. The smaller file size means a faster download and less load on the network. To download a delta image, skip to Step 2.

2. Log in to the Management Console using the Administrator account (admin).

3. Go to the Administration > Maintenance: Software Upgrade page and select the Add Image tab.

4. Select one of these options:

–From URL - Type the URL that points to the software image in the text box. You can use HTTP, HTTPS, FTP, or SCP formats for the URL.

–From Riverbed Support Site - Click this option and select the target release number from the drop-down list.

–From Local File - Browse your file system and select the software image.

5. Specify a name for the image.

If you specify a name that already exists on the appliance, the new image overwrites the existing image.

6. Click Add Image.

When the image transfers to the appliance, the Install Image section is available.

7. Click Install.

The system installs the image in the backup partition and sets the option to load the backup partition version on reboot.

8. Reboot the Edge.

If you upgrade to a new software release, change the password, and then downgrade to the previous release an invalid password message appears.

Downgrading the software

If you want to downgrade to a previous version of the Edge software, you must downgrade to a version of the software that has previously run on your machine.

When you downgrade the software, Edge reverts the ESXi version to the version supported in the installation image. If you upgraded the ESXi using vCenter, the system cannot restore the state and ESXi starts with the initial configuration.

Edge appliances cannot use an encrypted RiOS data store with an earlier RiOS version, unless the release is an update (9.0.x). For example, an encrypted RiOS data store created in 9.0.1 would work with 9.0.3, but not with 9.1.

Before downgrading to an earlier software version, you must select None as the encryption type, clear the RiOS data store, and restart the service in the Optimization > Data Replication: Data Store page. After you clear the RiOS data store, the data is removed from persistent storage and cannot be recovered. If you are using the server-based backups feature, you must delete all backup policies and clear snapshots on the storage array before downgrading. For details, see the SteelFusion Core User Guide.

To switch to the backup version

1. Log in to the Management Console using the Administrator account (admin).

2. Go to the Administration > Maintenance: Software Upgrade page and click Switch to Backup Version.

3. Reboot the appliance or click Cancel Version Switch to cancel.

Rebooting and shutting down

You can reboot or shut down the system in the Administration > Maintenance: Reboot/Shutdown page.

Rebooting the Edge disrupts existing network connections that are currently proxied through it. When you reboot the Edge, RiOS tells the hypervisor to shut down as well. After the hypervisor shuts down gracefully, RiOS reboots and the hypervisor reboots. Rebooting can take a few minutes.

When you shut down the system, connections are broken and optimization ceases. When you shut down the Edge, RiOS tells the hypervisor to shut down as well. After the hypervisor shuts down gracefully, RiOS shuts down. Shutting down the appliance can take a few minutes.

To restart the system after shutting down, you must manually enable the SteelFusion Edge. The hypervisor will restart as well.

To reboot or shut down the system

1. Choose Administration > Maintenance: Reboot/Shutdown to display the Reboot/Shutdown page.

Reboot/Shutdown page

2. To clear the RiOS data store of data, select the Clear Data Store check box. Clearing the data store degrades performance until the system repopulates the data.

3. Click Reboot. After you click Reboot, you are logged out of the system and both RiOS and the hypervisor reboot.

4. Click Shut Down to shut down the system. After you click Shut Down, the system is powered down. To restart the system, you must manually power on the appliance.

A warning that you have unsaved changes indicates that the hypervisor is not in a safe state to shut down. For example, it could be creating a disk, pushing a configuration, initializing, or in lockdown mode. If you receive this warning, click Cancel and wait for the hypervisor to return to a state in which it is safe to shut down or ignore the warning to continue.

To schedule a reboot

1. Choose Administration > Maintenance: Reboot/Shutdown to display the Reboot/Shutdown page.

2. Select Schedule for Later and enter the date and time you would like the reboot to occur.

The reboot executes at the scheduled time.

Managing licenses and model upgrades

This section describes how to install, update, and remove a license. It also describes how to use flexible licensing to manage model configurations and upgrades. It includes these topics:

•Licensing overview

•Installing a license

•Upgrading an appliance model

•Removing a license

You perform all license management and SteelFusion Edge model upgrades in the Administration > Maintenance: Licenses page.

Licenses can be permanent or temporary. Permanent licenses do not display an expiration date in their Status column on the Licenses page; temporary licenses display an expiration date in their Status column. For example, evaluation licenses typically expire in 60 days and display a date within that range.

The system warns you two weeks before a license expires with the Expiring License alarm. After a license expires, the system warns with an Expired License alarm. You can add a license to extend the functionality of an expiring licenses. If multiple licenses exist for a feature, the system uses the license with the latest expiration date.

Licensing overview

These Riverbed licenses are mandatory for virtualization in the appliance:

•VSPBASE - The VSP base license to manage virtualization and VSP operations.

•VSPESXI - The license to install the embedded ESXi software.

After installing and connecting the Edge appliance, the Riverbed Licensing Portal is automatically contacted to retrieve and install the required license keys onto the Edge appliance. If either of the licenses have expired or are about to expire, an alarm is triggered in the Management Console Alarms page.

The Edge appliance ships with an embedded VMware ESXi vSphere Hypervisor license. This license is the free bare-metal hypervisor that virtualizes servers so you can consolidate your applications on less hardware. This license enables basic hypervisor functions without support for more advanced vSphere features such as vCenter, vMotion, high availability, and so on. If you need additional features beyond what the embedded vSphere Hypervisor license provides, you will need to purchase a license upgrade through your VMware reseller.

The Edge includes a license for BlockStream by default. The SCPS and FIPS licenses are optional add-ons.

For details on licensing requirements for virtualization, see the SteelFusion Edge Installation and Configuration Guide.

For details on upgrade possibilities by appliance model, see the SteelFusion Edge Hardware and Maintenance Guide.

Installing a license

This section describes how to request and fetch a license manually from the Riverbed license portal or install a license manually after receiving it from Riverbed Support or Sales.

RiOS simplifies license management by providing an automated way to fetch and activate licenses for Riverbed products. You do not have to manually activate individual appliances and install the licenses.

Fetching a license is restricted for read-only users such as monitor and role-based management (RBM) users with read-only access for General Settings (permissions are granted on the Administration > Security: User Permissions page).

To install a license on a new Edge

•Connect a new Edge to the network.

The Edge automatically contacts the Riverbed license portal and downloads the licenses. The Licensing page displays a success message or the Alarm Status page reports an actionable error message.

To replace expired licenses

•Purchase new downloadable licenses to replace the expired license.

At the time of the next scheduled automatic license fetch, the SteelFusion Edge automatically contacts the Riverbed license portal and downloads the new licenses. The Licensing page displays a success message or the alarm Status page reports an actionable error message.

To fetch a license on demand

1. Choose Administration > Maintenance: Licenses to display the Licenses page.

2. Click Fetch Updates Now.

The Licensing page displays a success message or the alarm Status page reports an actionable error message.

To install a license

1. Choose Administration > Maintenance: Licenses to display the Licenses page.

Licenses page

The Licenses page includes a table of licenses with a column showing the date and time the license was installed and the approximate relative time it was installed. The next column shows whether the installation was done manually or automatically.

Below the license table, next to the Fetch Updates Now button, a note displays the date and time of the last update. Normal update results appear in black and any errors appear in red.

2. Complete the configuration as described in this table.

Control	Description
Add a New License	Displays the controls to add a new license.
Licenses Text Box	Copy and paste the license key provided by Riverbed Support or Sales into the text box. Separate multiple license keys with a space, Tab, or Enter.
Add	Adds the license.
Fetch Updates Now	Contacts the Riverbed license portal and downloads all applicable licenses for the SteelHead.

3. Click Save to save your settings permanently.

Upgrading an appliance model

This section describes how to upgrade an appliance model.

To upgrade an appliance model

1. Install the upgrade license.

For details, see Installing a license.

2. Stop the optimization service.

For details, see Starting and stopping the optimization service.

3. Choose Administration > Maintenance: Licenses to display the Licenses page.

4. Select the model specification you want to activate.

If a model specification requires an appliance reboot after activation, the message activation reboots appliance appears.

5. Click Apply.

6. Click Restart Services to restart the optimization service.

For details, see Starting and stopping the optimization service.

When the upgrade is complete, the appliance is transformed into the new model. The model number appears on the appliance banner in the upper-right corner of the page. The appliance retains its original serial number.

For more details, see the Upgrade and Maintenance Guide.

Removing a license

We recommend that you keep old licenses in case you want to downgrade to an earlier software version; however, in some situations you might want to remove a license.

To remove a license

1. Choose Administration > Maintenance: Licenses to display the Licenses page.

2. Select the license you want to delete.

3. Click Remove Selected.

4. Click Save to save your settings permanently.

Viewing permissions

You can display your system permissions and add or change your login password in the My Account page.

To display system permissions

1. Choose Administration > System Settings: My Account to display the My Account page.

My Account page

2. Under Password, complete the configuration as described in this table.

Control	Description
Change Password	Allows you to add or change your login password.
New Password/Confirm New Password	Specify a password in the text box. Retype the password in the Confirm New Password text box.
Old Password	(Appears when password policy is enabled and the Minimum Character Difference Between Passwords value is greater than 0). Non-administrators must specify the old password. Administrators are never required to enter an old password when changing an account password.

3. Click Apply to apply your changes to the running configuration.

The permissions list displays the roles and permissions assigned to your username.

For details about setting user permissions, see Managing user permissions.

The My Account page includes a way to clear user preferences if any user settings result in an unsafe state and the Management Console cannot display the page.

User preferences are set for individual users and do not affect the appliance configuration.

To restore the user preferences for the current user

1. Choose My Account to display the My Account page.

2. Under User Preferences, click Restore Defaults.

Managing configuration files

You can save, activate, import, and revert configurations in the Administration > System Settings: Configurations page.

Each SteelFusion Edge has an active, running configuration and a written, saved configuration.

When you Apply your settings in the Management Console, the values are applied to the active running configuration, but the values are not written to disk and saved permanently.

When you Save your configuration settings, the values are written to disk and saved permanently. They take effect after you restart the optimization service.

Each time you save your configuration settings, they are written to the current running configuration, and a backup is created. For example, if the running configuration is myconfig and you save it, myconfig is backed up to myconfig.bak and myconfig is overwritten with the current configuration settings.

The Configuration Manager is a utility that saves configurations as backups or active configuration backups.

The Configuration Manager also includes an Import Configuration utility to support these common use cases:

•Replacing a SteelFusion Edge appliance - If you are replacing one SteelFusion Edge for another, you can import all of the network information (although not the licenses) and disconnect the old SteelFusion Edge before you switch configurations on the new SteelFusion Edge.

•Configuration template for a large deployment - You can avoid entering the complete SteelFusion Edge configuration for every appliance in a large deployment by setting up a template SteelFusion Edge and importing template settings to the configuration list.

Some configuration settings require that you restart the optimization service for the settings to take effect. For details about restarting the optimization service, see Starting and stopping the optimization service.

To manage configurations

1. Choose Administration > System Settings: Configurations to display the Configurations page.

Configurations page

2. Under Current Configuration: <filename>, complete the configuration as described in this table.

Control	Description
Current Configuration: <configuration-name>	View Running Config - Displays the running configuration settings in a new browser window.
	Save - Saves settings that have been applied to the running configuration.
	Revert - Reverts your settings to the running configuration.
Save Current Configuration	Specify a new filename to save settings that have been applied to the running configuration as a new file, and then click Save.

3. To import a configuration from another appliance, complete the configuration as described in this table.

Control	Description
Import a New Configuration	Displays the controls to import a configuration from another appliance.
IP/Hostname	Specify the IP address or hostname of the SteelHead from which you want to import the configuration.
Remote Admin Password	Specify the administrator password for the remote SteelHead.
Remote Config Name	Specify the name of the configuration you want to import from the remote SteelHead.
New Config Name	Specify a new, local configuration name.
Import Shared Data Only	Takes a subset of the configuration settings from the imported configuration and combines them with the current configuration to create a new configuration. Import shared data is enabled by default.
Add	When the Import Shared Data Only check box is selected, activates the imported configuration and makes it the current configuration. This is the default. When the Import Shared Data Only check box is not selected, adds the imported configuration to the Configuration list. It doesn’t become the active configuration until you select it from the list and click Activate.
Remove Selected	Select the check box next to the name and click Remove Selected.
Change Active Configuration	Select the configuration to activate from the drop-down list.

4. Click Activate.

5. Restart the optimization service. For details, see Starting and stopping the optimization service.

Select the configuration name to display the configuration settings in a new browser window.

Configuring general security settings

You can prioritize local, RADIUS, and TACACS+ authentication methods for the system and set the authorization policy and default user for RADIUS and TACACS+ authorization systems in the Administration > Security: General Settings page.

Make sure to put the authentication methods in the order in which you want authentication to occur. If authorization fails on the first method, the next method is attempted, and so on, until all of the methods are attempted.

To set TACACS+ authorization levels (admin or read-only) to allow certain members of a group to log in, add this attribute to users on the TACACS+ server:
service = rbt-exec {
local-user-name = “monitor”
}
where you replace monitor with admin for write access.

For details about setting up RADIUS and TACACS+ servers, see the SteelHead Deployment Guide.

To set general security settings

1. Choose Administration > Security: General Settings to display the General Settings page.

General Security Settings page

Control	Description
Authentication Methods	Specifies the authentication method. Select an authentication method from the drop-down list. The methods are listed in the order in which they occur. If authorization fails on the first method, the next method is attempted, and so on, until all of the methods have been attempted.
For RADIUS/TACACS+, fallback only when servers are unavailable	Select this check box to prevent local login if the RADIUS or TACACS+ server denies access, but allow local login if the RADIUS or TACACS+ server is not available.
Authorization Policy	Appears only for some Authentication Methods. Optionally, select one of these policies from the drop-down list: •Remote First - Checks the remote server first for an authentication policy, and only checks locally if the remote server doesn’t have one set. This is the default behavior. •Remote Only - Only checks the remote server. •Local Only - Only checks the local server. All remote users are mapped to the user specified. Any vendor attributes received by an authentication server are ignored.

2. Click Save to save your settings permanently.

Managing user permissions

You can change the administrator, monitor, or Shark user passwords and define users in the Administration > Security: User Permissions page.

Understanding account types

The system uses these accounts based on what actions the user can take:

•Admin - The system administrator user has full privileges. For example, as an administrator you may set and modify configuration settings, add and delete users, restart the optimization service, reboot the SteelHead, and create and view performance and system reports. The system administrator role allows you to add or remove a system administrator role for any other user, but not for yourself.

•Monitor - Monitor users may view reports, view user logs, and change their password. A monitor user cannot make configuration changes, modify private keys, view logs, or manage cryptographic modules in the system.

•Shark - A Shark user may use the Embedded SteelCentral NetShark function for detailed packet analysis through Packet Analyzer.

You can also create users, assign passwords to the user, and assign varying configuration roles to the user.

An administrator role configures a system administrator role. Read-only permission is not allowed for this role. This role allows permission for all other RBM roles, including creating, editing and removing user accounts. The system administrator role allows you to add or remove a system administrator role for any other user, but not for yourself.

A user role determines whether the user has permission to:

•Read-only - With read-only privileges you can view current configuration settings but you cannot change them.

•Read/Write - With read and write privileges you can view settings and make configuration changes for a feature.

•Deny - With deny privileges you cannot view settings or save configuration changes for a feature.

As an example, you might have user Jane who can make configuration changes to QoS and SSL, whereas user John can only view these configuration settings; and finally, user Joe cannot view, change, or save the settings for these features.

Available menu items reflect the privileges of the user. For example, any menu items that a user does not have permission to use are unavailable. When a user selects an unavailable link, the User Permissions page appears.

Combining permissions by feature

RiOS 9.0 requires additional user permissions for path selection and QoS. For example, to change a QoS rule, a user needs read/write permission for the Network Settings role in addition to read/write permission for QoS.

This table summarizes the user permission requirements for RiOS 9.0.

Management Console page	To configure this feature or change this section	Required read permission	Required read/write permission
Networking > Topology: Sites & Networks	Networks	Network Settings Read-Only	Network Settings Read/Write
	Sites	Network Settings Read-Only QoS Read-Only Path Selection Read-Only	Network Settings Read/Write QoS Read/Write Path Selection Read/Write
Networking > App Definitions: Applications	Applications	Network Settings Read-Only	Network Settings Read/Write
Networking > Network Services: Quality of Service	Enable QoS	Network Settings Read-Only	Network Settings Read/Write
	Manage QoS Per Interface	Network Settings Read-Only	Network Settings Read/Write
	QoS Profile	QoS Read-Only	QoS Read/Write
	QoS Remote Site Info	Network Settings Read-Only QoS Read-Only	—
Networking > Network Services: QoS Profile Details	Profile Name	QoS Read-Only	QoS Read/Write
	QoS Classes	QoS Read-Only	QoS Read/Write
	QoS Rules	QoS Read-Only	Network Settings Read/Write QoS Read/Write
Path Selection	Enable Path Selection	Network Settings Read-Only	Network Settings Read/Write
	Path Selection Rules	Network Settings Read-Only Path Selection Read-Only	Network Settings Read/Write Path Selection Read/Write
	Uplink Status	Network Settings Read-Only Path Selection Read-Only Reports Read/Write	—
Outbound QoS Report		QoS Read-Only	QoS Read/Write
Inbound QoS Report		QoS Read-Only	QoS Read/Write
Host Labels		Network Settings Read-Only or QoS Read-Only	Network Settings Read/Write or QoS Read/Write
Port Labels		Network Settings Read-Only or QoS Read-Only	Network Settings Read/Write or QoS Read/Write

To configure user permissions

1. Choose Administration > Security: User Permissions to display the User Permissions page.

User Permissions page

2. Under Accounts, complete the configuration as described in this table.

Control	Description
admin/monitor	Click the right arrow to change the password or to create a default user account.
	Change Password - Enables password protection. Password protection is an account control feature that allows you to select a password policy for more security. When you enable account control on the Administration > Security: Password Policy page, a user must use a password. When a user has a null password to start with, the administrator can still set the user password with account control enabled. However, once the user or administrator changes the password, it can’t be reset to null as long as account control is enabled. Password - Specify a password in the text box. Password Confirm - Retype the new administrator password. Enable Account - Select to enable or clear to disable the administrator or monitor account. When enabled, you may make the account the default user for Radius and TACACS+ authorization. You may only designate one account as the default user. Once enabled, the default user account may not be disabled or removed. The Accounts table displays the account as permanent.

3. Under Accounts, complete the configuration as described in this table.

Control	Description
Add a New Account	Click to display the controls for creating a new account.
Account Name	Specify a name for the account.
Password	Specify a password in the text box, and then retype the password for confirmation.
Enable Account	Select this check box to enable the new account.
Administrator	Configures a system administrator role. This role allows permission for all other RBM roles, including creating, editing, and removing user accounts. The system administrator role allows you to add or remove a system administrator role for any other user, but not for yourself. Read-only permission is not allowed for this role.
User	Configures a role that determines whether the user: •has permission to view current configuration settings but not change them (Read-Only). •has permission to view settings and make configuration changes for a feature (Read/Write). •is prevented from viewing or saving settings or configuration changes for a feature (Deny).
General Settings	Configures per-source IP connection limit and the maximum connection pooling size.
Network Settings	Configures these features: •Topology definitions •Site and network definitions •Application definitions •Host interface settings •Network interface settings •DNS cache settings •Hardware assist rules •Host labels •Port labels You must include this role for users configuring path selection or enforcing QoS policies in addition to the QoS and Path Selection roles.
QoS	Enforces QoS policies. You must also include the Network Settings role.
Path Selection	Configures path selection. You must also include the Network Settings role.
Optimization Service	Configures alarms, performance features, SkipWare, HS-TCP, and TCP optimization.
In-Path Rules	Configures TCP traffic for optimization and how to optimize traffic by setting in-path rules. This role includes WAN visibility to preserve TCP/IP address or port information. For details about WAN visibility, see the SteelHead Deployment Guide.
CIFS Optimization	Configures CIFS optimization settings (including SMB signing) and overlapping open optimization.
HTTP Optimization	Configures enhanced HTTP optimization settings: URL learning, Parse and Prefetch, Object Prefetch Table, keepalive, insert cookie, file extensions to prefetch, and the ability to set up HTTP optimization for a specific server subnet.
Oracle Forms Optimization	Optimizes Oracle E-business application content and forms applications.
MAPI Optimization	Optimizes MAPI and sets Exchange and NSPI ports.
NFS Optimization	Configures NFS optimization.
Notes Optimization	Configures Lotus Notes optimization.
Citrix Optimization	Configures Citrix optimization.
SSL Optimization	Configures SSL support and the secure inner channel.
Replication Optimization	Configures the SRDF/A, FCIP, and SnapMirror storage optimization modules.
Storage Service	Configures branch storage services on SteelFusion Edge appliances (the branch storage services are only available on a SteelHead EX or SteelFusion Edge).
Security Settings	Configures security settings, including RADIUS and TACACS authentication settings and the secure vault password.
Basic Diagnostics	Customizes system diagnostic logs, including system and user log settings, but doesn’t include TCP dumps.
TCP Dumps	Customizes TCP dump settings.
Reports	Sets system report parameters.
Domain Authentication	Allows joining a Windows domain and configuring Windows domain authentication.
Citrix Acceleration	Configures Citrix optimization.
Add	Adds your settings to the system.
Remove Selected Accounts	Select the check box next to the name and click Remove Selected.

4. Click Save to save your settings permanently.

RiOS ignores the RBM user roles for SteelHead SaaS features. RiOS allows RBM users with DENY permissions in all roles access to SteelHead SaaS Management Console pages and GUI commands.

Managing password policy

You can change the password policy and strength in the Administration > Security: Password Policy page.

Selecting a password policy

You can choose one of these password policy templates, depending on your security requirements:

•Strong - Sets the password policy to more stringent enforcement settings. Selecting this template automatically prepopulates the password policy with stricter settings commonly required by higher security standards such as for the Department of Defense.

•Basic - Reverts the password policy to its predefined settings so you can customize your policy.

To set a password policy

1. Choose Administration > Security: Password Policy to display the Password Policy page.

Password Policy page

2. Select the Enable Account Control check box to set a password policy. Enabling account control makes password use mandatory.

Passwords for all users expire as soon as account control is enabled. Account control forces all users to create new passwords that follow the password requirements defined in the password policy. All new passwords are then controlled by the password policy.

The passwords also expire after the number of days specified by the administrator in the Password Policy page. As a consequence of this change, when users try to log in to the Management Console and their password has expired, the Expired Password page asks them to change their password. After they change their password, the system automatically logs them in to the Management Console.

RiOS does not allow empty passwords when account control is enabled.

3. Optionally, select either the Basic or Strong template. When you select the basic template, the system prepopulates the page with the secure settings. Also, the system prompts a user logging in to the SteelHead after 60 days to change their password. By default, RiOS locks out a user logging in to the SteelHead after 300 days without a password change. After the system locks them out, an administrator must unlock the user account. For more details on unlocking user accounts, see Unlocking an account.

4. Under Password Management, complete the configuration as described in this table.

Control	Description
Login Attempts Before Lockout	Specify the maximum number of unsuccessful login attempts before temporarily blocking user access to the SteelHead. The user is prevented from further login attempts when the number is exceeded. The default for the strong security template is 3. The lockout expires after the amount of time specified in Timeout for User Login After Lockout elapses.
Timeout for User Login After Lockout	Specify the amount of time, in seconds, that must elapse before a user can attempt to log in after an account lockout due to unsuccessful login attempts. The default for the strong security template is 300.
Days Before Password Expires	Specify the number of days the current password remains in effect. The default for the strong security template is 60. To set the password expiration to 24 hours, specify 0. To set the password expiration to 48 hours, specify 1. Leave blank to turn off password expiration.
Days to Warn User of an Expiring Password	Specify the number of days the user is warned before the password expires. The default for the strong security template is 7.
Days to Keep Account Active After Password Expires	Specify the number of days the account remains active after the password expires. The default for the strong security template is 305. When the time elapses, RiOS locks the account permanently, preventing any further logins.
Days Between Password Changes	Specify the minimum number of days before which passwords can’t be changed.
Minimum Interval for Password Reuse	Specify the number of password changes allowed before a password can be reused. The default for the strong security template is 5.

5. Under Password Characteristics, complete the configuration as described in this table.

Control	Description
Minimum Password Length	Specify the minimum password length. The default for the strong security template is 14 alphanumeric characters.
Minimum Uppercase Characters	Specify the minimum number of uppercase characters required in a password. The default for the strong security template is 1.
Minimum Lowercase Characters	Specify the minimum number of lowercase characters required in a password. The default for the strong security template is 1.
Minimum Numerical Characters	Specify the minimum number of numerical characters required in a password. The default for the strong security template is 1.
Minimum Special Characters	Specify the minimum number of special characters required in a password. The default for the strong security template is 1.
Minimum Character Differences Between Passwords	Specify the minimum number of characters that must be changed between the old and new password. The default for the strong security template is 4.
Maximum Consecutively Repeating Characters	Specify the maximum number of times a character can occur consecutively.
Prevent Dictionary Words	Select to prevent the use of any word that is found in a dictionary as a password. By default, this control is enabled.

6. Click Save to save your settings permanently.

Unlocking an account

RiOS temporarily locks out an account after a user exceeds the configured number of login attempts. Account lockout information appears in the Administration > Security: User Permissions page.

When an account is locked out, the lockout ends after:

•The configured lockout time elapses.

—or—

•The administrator unlocks the account. RiOS never locks out administrator accounts.

To unlock an account

1. Log in as an administrator (admin).

2. Choose Administration > Security: User Permissions page and click Clear Login Failure Details.

When users log in to their account successfully, RiOS resets the login failure count.

Resetting an expired password

RiOS temporarily locks out an account when its password expires. Passwords expire for one of these reasons:

•An administrator enables account control.

•The expiration time for a password elapses.

•An administrator disables a user account and then enables it.

•An administrator uses a CLI command to encrypt a password.

After a user password expires, users must update their password within the number of days specified in Days to Keep Account Active After Password Expires. The default value is 305. After the time elapses, RiOS locks the account permanently, preventing any further logins.

To reset the password and unlock the account

1. Log in as an administrator (admin).

2. Choose Administration > Security: User Permissions page and click Clear Login Failure Details.

3. Type and confirm the new password and click Change Password.

The password reset feature is separate from the account lockout feature.

Setting RADIUS servers

You set up RADIUS server authentication in the Administration > Security: RADIUS page.

RADIUS is an access control protocol that uses a challenge and response method for authenticating users. Setting up RADIUS server authentication is optional.

Enabling this feature is optional.

For details about setting up RADIUS and TACACS+ servers, see the SteelHead Deployment Guide.

To set RADIUS server authentication

1. Choose Administration > Security: RADIUS to display the RADIUS page.

RADIUS page

2. Under Default RADIUS Settings, complete the configuration as described in this table.

Control	Description
Set a Global Default Key	Enables a global server key for the RADIUS server.
Global Key	Specify the global server key.
Confirm Global Key	Confirm the global server key.
Timeout	Specify the time-out period in seconds (1 to 60). The default value is 3.
Retries	Specify the number of times you want to allow the user to retry authentication. The default value is 1.

3. Click Apply to apply your changes to the running configuration.

4. To add a new RADIUS server, complete the configuration as described in this table.

Control	Description
Add a RADIUS Server	Displays the controls for defining a new RADIUS server.
Hostname or IP Address	Specify the hostname or server IP address. RiOS doesn’t support IPv6 server IP addresses.
Authentication Port	Specify the port for the server.
Authentication Type	Select one of these authentication types: •PAP - Password Authentication Protocol (PAP), which validates users before allowing them access to the RADIUS server resources. PAP is the most flexible protocol but is less secure than CHAP. •CHAP - Challenge-Handshake Authentication Protocol (CHAP), which provides better security than PAP. CHAP validates the identity of remote clients by periodically verifying the identity of the client using a three-way handshake. This validation happens at the time of establishing the initial link and might happen again at any time. CHAP bases verification on a user password and transmits an MD5 sum of the password from the client to the server. •MS-CHAPv2 - The Microsoft version of the Challenge-Handshake Authentication Protocol. MS-CHAPv2 is a more secure authentication protocol than PAP or CHAP.
Override the Global Default Key	Overrides the global server key for the server. Server Key - Specify the override server key. Confirm Server Key - Confirm the override server key.
Timeout	Specify the time-out period in seconds (1 to 60). The default value is 3.
Retries	Specify the number of times you want to allow the user to retry authentication. Valid values are from 0 to 5. The default value is 1.
Enabled	Enables the new server.
Add	Adds the RADIUS server to the list.
Remove Selected	Select the check box next to the name and click Remove Selected.

5. If you add a new server to your network and you do not specify these fields at that time, RiOS applies the global settings.

6. Click Save to save your settings permanently.

To modify RADIUS server settings, click the server IP address in the list of Radius Servers. Use the Status drop-down list to enable or disable a server in the list.

Related topic

•Configuring general security settings

Configuring a management ACL

You can secure access to an Edge using an internal management access control list (ACL) in the Security: Management ACL page.

Edges are subject to the network policies defined by a corporate security policy, particularly in large networks. Using an internal management ACL, you can:

•restrict access to certain interfaces or protocols of an Edge.

•restrict inbound IP access to an Edge, protecting it from access by hosts that do not have permission without using a separate device (such as a router or firewall).

•specify which hosts or groups of hosts can access and manage an Edge by IP address, simplifying the integration of SteelFusion Edges into your network.

The management ACL provides these safeguards to prevent accidental disconnection from the SteelFusion Edge, the SCC, and the embedded Shark feature:

•It detects the IP address you are connecting from and displays a warning if you add a rule that denies connections to that address.

•It always allows the default ports 7800, 7801, 7810, 7820, and 7850.

•It always allows a previously connected SCC to connect and tracks any changes to the IP address of the SCC to prevent disconnection.

•It converts well-known port and protocol combinations such as SSH, Telnet, HTTP, HTTPS, SNMP, and SOAP into their default management service and protects these services from disconnection. For example, if you specify protocol 6 (TCP) and port 22, the management ACL converts this port and protocol combination into SSH and protects it from denial.

•It tracks changes to default service ports and automatically updates any references to changed ports in the access rules.

To set up a management ACL

1. Choose Administration > Security: Management ACL to display the Management ACL page.

Management ACL page

2. Under Management ACL Settings, complete the configuration as described in this table.

Control	Description
Enable Management ACL	Secures access to a SteelHead using a management ACL.

3. Click Apply to apply your changes to the running configuration.

4. Click Save to save your settings permanently.

If you add, delete, edit, or move a rule that could disconnect connections to the SteelFusion Edge, a warning message appears. Click Confirm to override the warning and allow the rule definition. Use caution when overriding a disconnect warning.

ACL management rules

The management ACL contains rules that define a match condition for an inbound IP packet. You set a rule to allow or deny access to a matching inbound IP packet. When you add a rule on a SteelFusion Edge, the destination specifies the SteelFusion Edge itself, and the source specifies a remote host.

The ACL rules list contains default rules that allow you to use the management ACL with branch service RiOS features, such as DNS caching. These default rules allow access to certain ports required by these features. The list also includes default rules that allow access to the SCC and the embedded Shark feature. If you delete a default ACL rule and need to restore it, see Restoring default access rules.

To add an ACL management rule

1. Under Management ACL Settings, complete the configuration as described in this table.

Control	Description
Add a New Rule	Displays the controls for adding a new rule.
Action	Select one of these rule types from the drop-down list: •Allow - Allows a matching packet access to the SteelHead. This is the default action. •Deny - Denies access to any matching packets.
Service	Optionally, select Specify Protocol, or HTTP, HTTPS, SOAP, SNMP, SSH, Telnet. When specified, the Destination Port is dimmed.
Protocol	(Appears only when Service is set to Specify Protocol.) Optionally, select All, TCP, UDP, or ICMP from the drop-down list. The default setting is All. When set to All or ICMP, the Service and Destination Ports are dimmed.
Source Network	Optionally, specify the source subnet of the inbound packet: for example, 1.2.3.0/24.
Destination Port	Optionally, specify the destination port of the inbound packet, either a single port value or a port range of port1-port2, where port1 must be less than port2. Leave it blank to specify all ports.
Interface	Optionally, select an interface name from the drop-down list. Select All to specify all interfaces.
Description	Optionally, describe the rule to facilitate administration.
Rule Number	Optionally, select a rule number from the drop-down list. By default, the rule goes to the end of the table (just above the default rule). SteelHeads evaluate rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule don’t match, the system consults the next rule. For example, if the conditions of rule 1 don’t match, rule 2 is consulted. If rule 2 matches the conditions, it’s applied, and no further rules are consulted. Note: The default rule, Allow, which allows all remaining traffic from everywhere that has not been selected by another rule, can’t be removed and is always listed last.
Log Packets	Tracks denied packets in the log. By default, packet logging is enabled.
Add	Adds the rule to the list. The Management Console redisplays the Rules table and applies your modifications to the running configuration, which is stored in memory.
Remove Selected	Select the check box next to the name and click Remove Selected.
Move Selected	Moves the selected rules. Click the arrow next to the desired rule position; the rule moves to the new position.

2. Click Save to save your settings permanently.

Usage notes

•When you change the default port of services such as SSH, HTTP, HTTPS, on either the client-side appliance or server-side appliance and create a management ACL rule denying that service, the rule will not work as expected. The appliance on the other end (either server or client) of an in-path deployment does not know that the default service port has changed, and consequently optimizes the packets to that service port. To work around this problem, add a pass-through rule to the client-side SteelFusion Edge for the management interfaces. The pass-through rule prevents the traffic from coming from the local host when optimized.

•A management ACL rule that denies access from port 20 on the server-side appliance in an out-of-path deployment prevents data transfer using active FTP. In this deployment, the FTP server and client cannot establish a data connection because the FTP server initiates the SYN packet and the management rule on the server-side appliance blocks the SYN packet. To work around this problem:

•use passive FTP instead of active FTP. With passive FTP, the FTP client initiates both connections to the server. For details about active and passive FTP, see QoS classification for the FTP data channel.

—or—

•add a rule to either allow source port 20 on the server-side appliance or allow the IP address of the FTP server.

Restoring default access rules

This section describes how to restore the default ACL rule.

To restore the default ACL management rule for DNS caching

1. Under Management ACL Settings, add a DNS Caching ACL rule with these properties.

Property	Value
Type	Allow
Protocol	UDP
Destination Port	53
Rule Number	1
Description	DNS Caching

2. Click Add.

Configuring web settings

You can modify Management Console web user interface and certificate settings in the Administration > Security: Web Settings page.

To modify web settings

1. Choose Administration > Security: Web Settings to display the Web Settings page.

Web Settings page

2. Under Web Settings, complete the configuration as described in this table.

Control	Description
Default Web Login ID	Specify the username that appears in the authentication page. The default value is admin.
Web Inactivity Timeout	Specify the number of idle minutes before time-out. The default value is 15. A value of 0 disables time-out.
Allow Session Timeouts When Viewing Auto-Refreshing Pages	By default, session time-out is enabled, which stops the automatic updating of the report pages when the session times out. Clear the Allow box to disable the session time-out, remain logged-in indefinitely, and automatically refresh the report pages. Note: Disabling this feature poses a security risk.

3. Click Apply to apply your changes to the running configuration.

4. Click Save to save your settings permanently.

Managing web SSL certificates

RiOS provides these security features to manage SSL certificates used by the Edge Management Console through HTTPS:

•Generate the certificate and key pairs on the Edge. This method overwrites the existing certificate and key pair regardless of whether the previous certificate and key pair was self-signed or user added. The new self-signed certificate lasts for one year (365 days).

•Create certificate signing requests from the certificate and key pairs.

•Replace a signed certificate with one created by an administrator or generated by a third-party certificate authority.

To modify web certificates

1. Choose Administration > Security: Web Settings to display the Web Settings page.

2. Under Web Certificate, select the Details tab.

The Edge identity certificate details appear, as described in this table.

Control	Description
Issued To/Issued By	Common Name - Specifies the common name of the certificate authority.
	Email - Specifies the email address of the certificate administrator.
	Organization - Specifies the organization name (for example, the company).
	Locality - Specifies the city.
	State - Specifies the state.
	Country - Specifies the country.
	Serial Number - Specifies the serial number (Issued To, only).
Validity	Issued On - Specifies the date the certificate was issued.
Validity	Expires On - Specifies the date the certificate expires.
Fingerprint	Specifies the SSL fingerprint.
Key	Type - Specifies the key type.
Key	Size - Specifies the size in bytes.

3. To replace an existing certificate, under Web Certificate, select the Replace tab and complete the configuration as described in this table.

Control	Description
Import Certificate and Private Key	Imports the certificate and key. The page displays controls for browsing to and uploading the certificate and key files. Or, you can use the text box to copy and paste a PEM file. The private key is required regardless of whether you are adding or updating the certificate.
Certificate	Upload - Browse to the local file in PKCS-12, PEM, or DER formats. Paste it here (PEM) - Copy and then paste the contents of a PEM file.
Private Key	Select the private key origin. •The Private Key is in a separate file (see below) - You can either upload it or copy and paste it. •This file includes the Certificate and Private Key •The Private Key for this Certificate was created with a CSR generated on this appliance.
Separate Private Key	Upload (PEM or DER formats) - Browse to the local file in PEM or DER formats. Paste it here (PEM only) - Paste the contents of a PEM file. Decryption Password - Specify the decryption password, if necessary. Passwords are required for PKCS-12 files, optional for PEM files, and never needed for DER files.

4. To generate a CSR, under Web Certificate, select the Generate CSR tab and complete the configuration as described in this table.

Control	Description
Common Name	Specify the common name (hostname).
Organization Name	Specify the organization name (for example, the company).
Organization Unit Name	Specify the organization unit name (for example, the section or department).
Locality	Specify the city.
State	Specify the state. Do not abbreviate.
Country	Specify the country (two-letter code only).
Email Address	Specify the email address of the contact person.
Generate CSR	Generates the Certificate Signing Request.

5. Click Apply to apply your changes to the running configuration.

6. Click Save to save your settings permanently.

7. Click Add.

Enabling REST API access

You enable access to the Riverbed REST API in the Administration > Security: REST API Access page.

Representational State Transfer (REST) is a framework for API design. REST builds a simple API on top of the HTTP. It is based on generic facilities of the standard HTTP protocol, including the six basic HTTP methods (GET, POST, PUT, DELETE, HEAD, INFO) and the full range of HTTP return codes. You can discover REST APIs by navigating links embedded in the resources provided by the REST API, which follow common encoding and formatting practices.

You can invoke the REST API to enable communication from one Riverbed appliance to another through REST API calls, for example:

•A SteelCentral NetProfiler communicating with a SteelCentral NetShark.

•A SteelCentral NetProfiler retrieving a QoS configuration from a SteelFusion Edge.

For all uses you must preconfigure an access code to authenticate communication between parties and to authorize access to protected resources.

For details, see https://support.riverbed.com/apis.

The REST API calls are based on the trusted application flow, a scenario where you download and install an application on some host, such as your own laptop. You trust both the application and the security of the host onto which the application is installed.

For example, suppose you install a Python script on a Linux box that queries QoS policies on an appliance and prints a summary as text output. You install the script under your home directory and configure the script with credentials to access the appliance. Once set up, you can simply log in to the Linux box and run the script. Because you already preconfigured credentials with the SteelFusion Edge, you can run the script without any user interaction after logging in. This trusted application flow enables you to schedule execution through cron or chain it with other scripts that process the text data and combine it with other functionality.

This basic authentication sequence shown in REST API access authentication sequence assumes you have already downloaded the Python script and installed it on a Linux box.

REST API access authentication sequence

To enable REST API access

1. Choose Administration > Security: REST API Access to display the REST API Access page.

REST API Access page

2. Under REST API Access Settings, select the Enable REST API Access check box.

3. Click Apply to apply your changes to the running configuration.

4. Click Save to save your settings permanently.

Before an appliance can access the REST API, you must preconfigure an access code for the system to use to authenticate access.

To preconfigure the access code

1. Choose Administration > Security: REST API Access to display the REST API Access page.

2. Click Add Access Code.

3. Under Access Codes, type a description such as the hostname or IP address of the appliance you are using.

4. To create a code, select Generate New Access Code.

To use an existing code, select Import Existing Access Code.

5. Click Add.

The access code description appears in the access code table along with the name of the user who created it.

6. Click the access code description to display the access code.

7. Copy the access code from the text field into a text editor such as Notepad.

To use the access code in your external script

•Copy the access code copied from the Management Console REST API Access page into the configuration file of your external script. The script uses the access code to make a call to the appliance or system to request an access token. The appliance/system validates the access code and returns an access token for use by the script. Generally the access token is kept by the script for a session only (defined within your script), but note that the script can make many requests using the same access token. These access tokens have some lifetime—usually around an hour—in which they are valid. When they expire, the access code must fetch a new access token. The script uses the access token to make REST API calls with the appliance or system.

Control	Description
IdP Metadata	Paste the IdP metadata you copied or received from the IdP website.
Security Settings Note: These setting should match the IdP settings.	Sign Authentication Request - Select this option to have SteelHead sign the SAML authentication request sent to the identity provider. Signing the initial login request sent by SteelHead allows the identity provider to verify that all login requests originate from a trusted service provider.
	Requires Signed Assertions - Select if the IdP signs the assertion response. Some SAML configurations require signed assertions to improve security.
	Requires Encrypted Assertions - Select this option if the SAML identity provider encrypts the assertion section of the SAML responses. Even though all SAML traffic to and from SteelHead is already encrypted by the use of HTTPS, this option adds another layer of encryption.
Attribute	Username Attribute - Enter the name of the IdP variable that carries the username. The Username attribute is mandatory and must be sent by your identity provider in the SAML response to align the login with a configured SteelHead account.
Attribute	Member of Attribute - Enter the name of the IdP variable that carries the role of the user. The role must match with a local SteelHead user. This setting is mandatory.

Control	Description
Current Password	Specify the current password. If you are changing the default password that ships with the product, leave the text box blank.
New Password	Specify a new password for the secure vault.
New Password Confirm	Confirm the new password for the secure vault.
Change Password	Changes the password for the secure vault.

Control	Description
Add a TACACS+ Server	Displays the controls for defining a new TACACS+ server.
Hostname or IP Address	Specify the hostname or server IP address.
Authentication Port	Specify the port for the server. The default value is 49.
Authentication Type	Select either PAP or ASCII as the authentication type. The default value is PAP.
Override the Global Default Key	Specify this option to override the global server key for the server.
Server Key	Specify the override server key.
Confirm Server Key	Confirm the override server key.
Timeout	Specify the time-out period in seconds (1 to 60). The default is 3.
Retries	Specify the number of times you want to allow the user to retry authentication. Valid values are from 0 to 5. The default is 1.
Enabled	Enables the new server.
Add	Adds the TACACS+ server to the list.
Remove Selected	Select the check box next to the name and click Remove Selected.