You can manage remote appliances and configure appliance groups under Manage > Topology: Appliances. Appliance groups and policies facilitate centralized configuration, management, and reporting of your Riverbed appliances. For example, at the group level you can apply policies, push configurations, set passwords, and so forth. Appliance groups can be based on location, similarity of features, or whatever criteria you choose. All groups and appliances are contained in the root default Global group. The SCC supports up to 1500 appliance groups. If you have over 1500 managed appliances, you might experience delays in legacy and hybrid networking pushes and during the initial upgrade of the software.

Appliance policies are a set of configuration settings for an appliance or an appliance group. All policy configurations from the Global group are inherited by all child groups and individual appliances. You can apply a policy to an appliance group and push configuration changes to members of a group with a single action. To modify configurations, you can apply different policies at the group or appliance level. For greater flexibility, you can configure policies to inherit some feature-set values from the parent group but override others. For detailed information about adding and configuring policies, see About Policies.

SCC uses the concepts of sites, networks, and uplinks to create deployment topologies of Riverbed appliances. Sites, networks, and uplinks are required for path selection, simplified QoS, and secure transport features. See About Sites, Networks, Uplinks, and Regions and About migrating appliances to sites.

The Appliances page displays all appliances and appliance groups managed by the SCC. The data from managed appliances is cached by the SCC every five minutes. Alarms poll the cached data every five minutes; therefore, the data can lag a few minutes between the event happening on the managed appliance and the SCC triggering an alarm. This information is displayed for each listed item:

The Interceptor and the SteelHead Mobile have limited functionality in the Appliance/Group table.

Appliances must be registered with the SCC before you can monitor and manage them with the SCC. SteelHeads are designed to send a registration request periodically to the SCC so that they’re automatically registered. It can take up to an hour for all registered SteelHeads to appear in the Appliances page. An unregistered SteelHead appears on the Appliances page with the error “NO ADDRESS SPECIFIED.” You can manually add the SteelHead in the Appliances page.

If you have SteelHeads that are behind a firewall you can run a CLI command that creates an SSL authorized port.

To view how many SteelHeads an SCC can manage, go to Knowledge Base article S14106.

You can add remote appliances under Manage > Topology: Appliances.

To remove an appliance, select the check box next to the appliance name that you want to remove and click Remove Selected. The SCC redisplays the table and applies your changes to the running configuration, which is stored in memory.

To move an appliance or a group, select the check box next to the appliance name or group name that you want to move, and then click Move Selected and move the appliance or group up or down. Click Cancel Move to return the appliance to the original position in the list. When you move a group, all appliances and subgroups within that group move.

If you’re planning on using the hybrid networking features of path selection, simplified QoS, or secure transport, you must migrate your appliances to sites, networks, and uplinks. See About Sites, Networks, Uplinks, and Regions.

The SCC provides these migration tools:

You can migrate in bulk under Manage > Topology: Appliances.

You can create a new site in under Manage > Topology: Appliances.

All groups are based on a nested hierarchy. You can add policies to groups. Global group policies are overridden by policies lower in the hierarchy.

You should carefully design your appliance hierarchy so that you can identify what policies are needed on the appliances in each group. Carefully designing the group hierarchy will ensure that you implement the best solution for your network.

You can configure appliances under Manage > Topology: Appliances. Click New Group to expand the page. These configuration options are available:

Specifies the name for the group.

Specifies the parent group from the drop-down list. The default value is Global.

Provides a description to help you identify the group.

Adds the group to the Appliance/Group table. The SCC redisplays the table and applies your changes to the running configuration, which is stored in memory.

You can define filters to display only those appliances that need to be managed under Manage > Topology: Appliances. In the menu bar at the top of the page, click Filter to expand the page. Select the appliances that match the specified filter criteria. Type an expression into the fields to filter the display of appliances. The filter applies only to appliances, not groups. Click Apply Filter to select the appliances that match the criteria specified.

Select the Appliances tab on the Appliance page to manage these appliance-specific settings:

You can display appliance tabs under Manage > Topology: Appliances. Select the name of the appliance you want to edit to expand the page and display the Appliance tabs.

You can perform operations on policies, configuration settings, appliance properties, appliance utilities (that is, reconnect and serial number), inherited policies, and policy drift.

You can add a policy to an appliance under Manage > Topology: Appliances. Select the appliance name to expand the page and display the Appliance tabs. Click the + Add/Remove Policies to display the pop-up window, and select the policy you want to add. A message is displayed stating the policy has been added. To remove the policy, click Revert. Click Done to return to the appliances and group table.

You can edit appliance properties under Manage > Topology: Appliances. Select the appliance name to expand the page, and then elect the Edit Appliance tab to display the appliance properties. These configuration options are available:

Displays the serial number for the appliance.

Specifies the hostname or IP address for the appliance.

Provides a comment to help you identify the appliance.

Specifies a group from the drop-down list. The default group is Global.

Prevents any remote action from being performed on the specified appliance. For example, you wouldn’t be able to push configurations to this appliance from the SCC.

Untrusts an appliance. Only applicable to manually trusted appliances.

(Use only when the policies have been configured.) Automatically pushes the current configuration (as defined by the policies for the appliance or appliance group) to the current remote appliance the next time it connects to the SCC. This feature is available only when the remote appliance is disconnected. This setting is automatically disabled after the push.

Specifies the username for the appliance.

Specifies and confirms the password for the appliance.

You can run appliance utilities under Manage > Topology: Appliances. Select the name of the appliance you want to edit to display the Edit Appliance tab. Click Appliance Utilities to display the Editing Appliance Configuration <appliance>, Utilities panel. These configuration options are available:

Updates the current appliance serial number. Sets the serial number for the appliance to the actual value stored on the appliance. The value is changed system-wide; the appliance remains accessible. The appliance must be connected to update the serial number.

Reconnects the SCC to the current appliance. You can establish a new connection to an appliance in about 30 seconds. Reconnecting doesn’t affect policy configurations.

You can view inherited policies under Manage > Topology: Appliances. Select the name of the appliance you want to view to display the Edit Appliance tab. Select the Inherited Policies tab to display the policies for the appliance, and select the page to display the inherited policies. Select the policy to modify the policy. For details about policies, see Managing path selection.

You can view policy drift under Manage > Topology: Appliances. Select an appliance, and then select the Policy Drift tab.

The page is divided into sections for SCC policy pages and appliance policy pages. Selecting an SCC policy page shows the configuration for that page in SCC. Selecting an appliance policy page redirects you to that configuration page in the Management Console for that appliance.

You can compare the two configurations to see where they are not synchronized. The SCC records any unsynchronized policy changes as policy drift. Additionally, changes made directly on a SteelHead appliance, even those that are reversed, are reported as policy drift here in the SCC’s Management Console. Previous versions of the SCC included limited information (an ≠ icon or simple notification) to indicate such changes. Now, the SCC reports policy drift changes page by page to aid in reviewing the specific settings.

Restarting the SCC clears all policy drift information.

You can push SCC configurations (in the form of policies) to selected appliances or appliance groups.

Any changes made to policies on the SCC don’t take effect on remote appliances until the new configurations are pushed to the appliances.

When you push SCC configurations (in the form of policies) to selected appliances or appliance groups, appliance page configurations are also pushed.

For details about appliance page configurations, see Managing appliance pages.

Any scheduled operations on appliance groups execute according to the time on the SCC, not the time on the remote appliance. For example, if the SCC clock is set to Pacific Daylight Time (PDT) but the remote appliance clock is set to Central European Summer Time (CEST), then an operation scheduled for midnight on the SCC (PDT) is executed at 9:00 AM on the remote appliance (CEST). This operation applies only to SteelHeads and Interceptors.

For detailed information about pushing global policies, see Performing global policy pushes.

You can abort a pending policy push using the SCC CLI command cmc policy abort job <job-id>.

You can push a configuration to an appliance or an appliance group under Manage > Topology: Appliances. Click Appliance Operations to display the Appliance Operations page. Select the appliances or appliance groups to which you want to push settings in the appliances table. Select Push Policies from the operation drop-down list. These configuration options are available:

Includes path selection rules, QoS profiles, applications, web proxy settings, and application statistics in the policy push. This option is not applicable to all appliance models. We recommend you do not select this when pushing policies.

Automatically restarts the RiOS service on the appliances after the push.

Automatically restarts the QoS service, if required. We recommend you do not select this when pushing policies.

Restarts Xbridge if required. This applies to Interceptor appliances only.

Schedules the action for a later time and date. If this option isn’t selected, the action occurs the next time the appliance connects.

This operation applies only to SteelHeads and Interceptors.

Pushes your configuration changes to the selected appliances and groups.

You can abort a pending policy push using the SCC CLI command cmc policy abort job <job-id>.

You can replace the peering certificates used to secure the inner channel between the SteelHeads by generating new private keys and self-signed public certificates.

If possible, the certificates are signed by the certificate authority, otherwise they’re self-signed.

A policy push must be initiated to all SteelHeads for the new certificates to be used in peering. If the policy push excludes any affected SteelHeads, SSL optimization to the SteelHeads doesn’t work properly.

If CA is enabled, all newly generated certificates are automatically be signed. The existing certificates must be replaced to be signed.

You can replace (generate) peering certificates under Manage > Topology: Appliances. Click Appliance Operations to display the Appliance Operations page. Select Replace (Generate) Peering Certificates from the operation drop-down list. These configuration options are available under Self-Signed Certificate.

Specifies the common name of a certificate.

To facilitate configuration, you can use wildcards in the name: for example, *.example.com. If you have three origin servers using different certificates, such as webmail.example.com, internal.example.com, and marketingweb.example.com, on the server-side SteelHeads, all three server configurations can use the same certificate name *.example.com.

Specifies the organization name (for example, the company).

Specifies the organization unit name (for example, the section or department).

Specifies the city.

Specifies the state.

Specifies the country (2-letter code only).

Specifies the email address of the contact person.

Specifies how many days the certificate is valid.

Click Replace to replace the peering certificates.

The SCC fetches and pushes licenses to selected appliances or groups. You can also fetch a license from the Riverbed License portal and store it locally. This option ignores the selected appliances and applies the license to all appliances specified in the license file.

CLMF license installation is not supported.

You can update licenses under Manage > Topology: Appliances. Click Appliance Operations to expand the page, and select License Update from the operation drop-down list. These configuration options are available under License Update Method:

Updates the license using the Riverbed Licensing Portal.

Specifies the path. Alternatively, click Browse to navigate to the local file directory.

Updates the current license.

You can start and stop the system service on selected appliances and appliance groups under Manage > Topology: Appliances. Click Appliance Operations to expand the page, and select Start/Stop Services from the operation drop-down list. These configuration options are available:

Specifies Start, Stop, or Restart from the drop-down list.

Clears the RiOS data store. This option only applies to SteelHeads.

Schedules the action for a later time and date. If this option isn’t selected, the action occurs the next time the appliance connects.

This option only applies to SteelHeads and Interceptors.

The results of this operation can be viewed in the Operation History page.

You can shut down the system on selected appliances and appliance groups under Manage > Topology: Appliances. You can also clean the data store and schedule a shutdown.

Click Appliance Operations to expand the page, and select Shutdown from the operation drop-down list. These configuration options are available:

Cleans the RiOS data store.

Schedules the action for a later time and date. If this option isn’t selected, the action occurs the next time the appliance connects.

Shuts down the selected appliance and appliance groups. Click Shutdown.

The results of this operation can be viewed in the Operation History page.

You can set the password for administrator and monitor users on selected appliances and groups under Manage > Topology: Appliances.

The SCC sets the password used to connect with the remote appliance. The SCC automatically updates the password that’s used by the SCC to connect with the remote appliance.

Select the Appliance Operations tab to expand the page.

Select the Appliance Operations tab to expand the page. Select Set Password from the operation drop-down list. These configuration options are available:

Specifies admin or monitor in the text box.

Specifies the password.

Confirms the password.

Sets the specified password.

The results of this operation can be viewed in the Operation History page.

You can unlock the Secure Vault on selected appliances and appliance groups under Manage > Topology: Appliances. This operation applies only to SteelHeads.

The SCC unlocks the secure vault on the selected appliances or groups if the correct password has been specified. If successful, this operation also automatically updates the stored copy of the secure vault password for each selected appliance.

When the secure vault on an appliance or an appliance group is locked, you can’t push some configuration settings.

Click Appliance Operations to display the Appliance Operations page. Select Unlock Secure Vault from the operation drop-down list. Specify the password and click Unlock Vault to unlock the secure vault on the selected appliances or appliance groups.

The results of this operation can be viewed in the Operation History page.

You can change the password for the Secure Vault on selected appliances and appliance groups under Manage > Topology: Appliances. This operation applies only to SteelHeads and SteelHead Mobiles.

The SCC must know the current secure vault password that’s set on the SSL configuration page of each appliance. This operation automatically updates the stored copy of each password on the selected appliance.

The results of this operation can be viewed in the Operation History page.

You can send a set of CLI commands to the selected appliances and groups under Manage > Topology: Appliances. Click Appliance Operations to display the Appliance Operations page. Select Send CLI Commands from the operation drop-down list. These configuration options are available:

Specifies the set of CLI commands. Paste or type the set of CLI commands. Each command must be on a separate line. This feature provides the flexibility to configure your appliances using CLI commands. For example, using the CLI commands in policies:

Sending CLI commands has these restrictions:

Schedules the action for a later time and date. If this option isn’t selected, the action occurs the next time the appliance connects.

Executes the commands on the appliance.

You can start or stop the SteelCentral NetShark service under Manage > Topology: Appliances. This operation applies only to SteelHeads and can take up to five minutes to take effect.

Click Appliance Operations to display the Appliance Operations page. Select SteelCentral NetShark from the operation drop-down list. These configuration options are available:

Specifies Start or Stop from the drop-down list.

Applies your settings to the running configuration.

You can disable the SSL server certificate export feature under Manage > Topology: Appliances. For security reasons, once a certificate export has been disabled, it can’t be reenabled.

This operation applies only to SteelHeads.

Consider making SSL server certificates and private keys nonexportable with your particular security goals in mind. Before doing so, you must have a thorough understanding of its impact. Use caution and consider these best practices before making SSL configurations nonexportable:

Click Appliance Operations to display the Appliance Operations page. Select Disable SSL Server Certificate Export from the operation drop-down list. Click Disable Export.

You can join or leave a Windows domain under Manage > Topology: Appliances. This action can take up to five minutes to take effect.

For detailed information about Windows domains, see the SteelHead User Guide.

Click Appliance Operations to display the Appliance Operations page. Select Join/Rejoin/Leave a Windows Domain from the operation drop-down list. These configuration options are available:

Joins, rejoins, or leaves the domain. If you’re in domain mode and have joined a domain, you can’t change to local work-group mode until you leave the domain.

Specifies the domain in which to make the SteelHead a member. Typically, this is your company domain name. RiOS supports Windows 2000 or later domains. RiOS doesn’t support nondomain accounts other than administrator accounts. If you create Local mode shares on a nonadministrator account, your security permissions for the share aren’t preserved on the origin-file server.

Specifies the login name, which must have domain join privileges. Domain administrator credentials aren’t strictly required, except when you join the domain as an Active Directory integration. RiOS deletes domain administrator credentials after the join.

Specifies the password. This control is case sensitive.

Specifies the hosts that provide user login service in the domain, separated by commas. If the Join Account Type is Active Directory Integrated 2008 or later and the Windows domain controllers are a combination of Windows 2003, 2008, and later, then a name list of Windows 2008 or later domain controllers is required. We recommend specifying the domain controller names in environments where there is varying latency between the SteelHead and the domain controllers.

Specifies the short domain (NetBIOS) name if it doesn’t match the first portion of the Active Directory domain name. The short domain name is case sensitive.

Applies your changes to the running configuration.

You can copy (that is, fetch) appliance-specific configuration settings under Manage > Topology: Appliances. The remote appliance must be connected to the SCC.

Select the name of the appliance you want to copy to expand the page and display the Appliance tabs. Select the Appliances Pages tab to expand the page, and scroll to the bottom of the page. Select the check box. By default, none of the fetched pages are included. Click Fetch Appliance Config to display the configuration pages in the pages table.

You can perform global policy pushes for path selection, QoS, web proxy, application Statistics collection, and the Riverbed Global Policy under Manage > Topology: Appliances.

When you perform a policy push, the SCC is the primary configuration; any local changes made on SteelHeads are overwritten.

In SCC 9.0 or later when the SCC creates custom applications using port or host labels, the SCC assumes that the port and host labels are created at the Global policy level (that is, under the Global group). When you perform a policy push to the SteelHead, if the appliance pages include port or host labels, then the policy push might fail. If you’re running RiOS 9.0 or later, we recommend you create any appliance level host and port labels in the Global policy, delete the appliance level pages to include these, and use global policies going forward. For non-RiOS 9.0 or later appliances, we recommend you use Global level host and port labels.

For detailed information about pushing policies to selected appliances or appliance groups, see Pushing policies to selected appliances or groups.

To the right of Global, click the feature link to display the global policy push controls for the feature. Under Policy Push Control on the right side of the page, click Include in Push to expand the page and display the Push to Appliances panel.

To exclude appliances from the push, under Push Control on the right side of the page, click Exclude from Push. (This option only appears if you have clicked Include in Push.)

These configuration options are available:

Pushes your path selection rules:

Pushes all related configurations, such as applications, QoS, and path selection rules.

Pushes only path selection configuration settings to remote appliances.

Pushes configuration settings to the selected sites or site types. Click Clear to clear your settings.

You can view the status of your pushes. In the Push Status panel click More to be directed to the Operations table that lists the status of current pushes.

To push settings for the Riverbed global policy, to the right of Global, click Riverbed Global Policy to display the Editing Policy Riverbed Global Policy page.

Select Include in Policy Push for the policy pages that you want to include in the Riverbed Global Policy and click Apply.

To view push status, choose Manage > Operations > Operation History and view the Operations table. The status of current pushes are listed.

You can enable the SCC to trust detected appliances based on an appliance-specific security keys under Manage > Topology: Appliances. Strict key verification prevents the SCC from inadvertently connecting with rogue appliances. If you select this option, the SCC doesn’t connect with appliances whose correct SSH public keys are not known by the SCC.

The SCC requires you to enter the SteelHead SSH public key before allowing communication.

You must enable strict key verification and configure security keys for the appliance before you can trust appliances using a security key.

For details about creating security keys on appliances, see Managing SSL settings.

You can trust appliances by key verification under Administration > Security: SCC Security. Scroll to the bottom of the page, select Strict Key Verification, and click Apply.

Retrieve the SSH public key of a SteelHead with the show ssh server publickey command:

Copy the security key, and then choose Manage > Topology: Appliances. Scroll to the bottom of the page, and click Trust Appliances by Key to expand the page. Paste the security keys in the text box and click Trust.

You configure appliance configuration settings in the Appliances page: Appliance Pages tab. Appliance configuration settings are organized into appliance configuration pages so that you can easily configure common features, such as host settings and in-path rules.

Each appliance configuration page lists the applicable appliances and supported software on the right side of the page. You must pay close attention to the supported software versions—if the feature isn’t supported by the software you’re running your configuration changes can’t be pushed to the appliance.

Changes made to the appliance configuration pages aren’t applied until you have pushed the configuration to the appliance.

Select the name of the appliance you want to configure to expand the page and display the available configuration tabs, and then select Appliance Pages. Select the name of the feature, such as Host Settings.

Specifies the appliance you want to edit from the drop-down list.

Specifies the feature you want to configure from the drop-down list.

Includes or excludes this page in the policy push.

Lists applicable appliances and software restrictions on the right side of the page. Make sure you have the correct product and software version installed—if you have a version mismatch you can’t push configuration changes to your appliances.

These sections describe each feature you can configure or modify in detail.

You can edit host settings under Editing Appliance Configuration: <hostname>, Host Settings.

This page applies to SteelHead and Interceptor.

Choose Manage > Topology: Appliances, and then select the name of the appliance you want to edit to expand the page and display the Appliance tabs. Select the Appliance Pages tab to display the Appliance Configuration Pages list. Under Appliance Configuration Pages, click Host Settings to display the Editing Appliance Configuration: <hostname>, Host Settings page.

Click Include or Exclude to include or exclude this configuration from the policy push for the specified appliance. Your changes aren’t applied to the specified appliance until the policy is pushed to the appliance.

These configuration options are available:

Specifies the hostname of the appliance.

Applies your settings to the running configuration.

You can configure base interface settings in the Appliance Configuration: <hostname>, Base Interfaces page. This page applies to SteelHead and Interceptor.

When you initially ran the configuration wizard, you set required settings for the base interfaces for the SteelHeads. Only use the controls on this page if you require modifications or additional configuration:

You can configure base interface settings under Manage > Topology: Appliances. Select the name of the appliance you want to edit to expand the page and display the Appliance tabs, and then select the Appliance Pages tab to display the Appliance Configuration Pages list. Under Appliance Configuration Pages, click Base Interfaces to display the Editing Appliance Configuration: <hostname>, Base Interfaces page.

Click Include or Exclude to include or exclude this configuration from the policy push for the specified appliance. Your changes aren’t applied to the specified appliance until the policy is pushed to the appliance.

These configuration options are available under Primary Interface:

Enables the appliance management interface, which can be used for both managing the SteelHead and serving data for a server-side out-of-path (OOP) configuration.

Automatically obtains the IP address from a DHCP server. A DHCP server must be available so that the system can request the IP address from it. The primary and in-path interfaces can share the same network subnet. The primary and auxiliary interfaces can’t share the same network subnet.

Sends the hostname with the DHCP request for registration with Dynamic DNS. The hostname is specified in the Networking > Networking: Host Settings page.

Indicates that you don’t use a DHCP server to set the IPv4 address. Specify these settings:

Enables the interface without assigning an IP address.

Allows you to manually specify these settings to set an IPv6 address.

Specifies a speed from the drop-down list. The default value is Auto.

Specifies Auto, Full, or Half from the drop-down list. The default value is Auto.

If your network routers or switches don’t automatically negotiate the speed and duplex, be sure to set them manually.

The speed and duplex must match (LAN and WAN) in an in-path configuration. If they don’t match, you might have a large number of errors on the interface when it is in bypass mode, because the switch and the router aren’t set with the same duplex settings.

Specifies the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. The default value is 1500.

These configuration options are available under Auxiliary Interface:

Enables an auxiliary interface, which can be used only for managing the SteelHead. It can’t be used for an out-of-path (OOP) SteelHead data service. Typically, this is used for device-management networks.

Automatically obtains the IP address from a DHCP server. A DHCP server must be available so that the system can request the IP address from it. The primary and in-path interfaces can share the same subnet. The primary and auxiliary interfaces can’t share the same network subnet.

Sends the hostname with the DHCP request for registration with Dynamic DNS. The hostname is specified in the Networking > Networking: Host Settings page.

Indicates that you don’t use a DHCP server to set the IPv4 address. Specify these settings:

Enables the interface without assigning an IP address.

Sets an IPv6 address. Specify these options:

Specifies the speed from the drop-down list. The default value is Auto.

Specifies Auto, Full, or Half from the drop-down list. The default value is Auto.

If your network routers or switches don’t automatically negotiate the speed and duplex, be sure to set them on the device manually.

The speed and duplex must match (LAN and WAN) in an in-path configuration. To avoid a speed and duplex mismatch, configure your LAN external pair to match the WAN external pair.

Specifies the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. The default value is 1500.

Under the Main IPv4 Routing table, you can configure a static routing in the main routing table for out-of-path deployments or if your device management network requires static routes.

Under the Main IPv4 Routing Table, click + Add a New Route to expand the page. These configuration options are available:

Displays the controls to add a route.

Specifies the destination IP address.

Specifies the IP address for the gateway. The gateway must be in the same network as the in-path interface.

Specifies the interface for the IPv4 route from the drop-down list.

Adds the route to the table list.

You can configure a static routing in the main routing table for out-of-path deployments or if your device management network requires static routes.

Under the Main IPv6 Routing Table, click + Add a New Route to expand the page. These configuration options are available:

Displays the controls for adding a new route.

Specifies the destination IP address.

Specifies a prefix. The prefix length is from 0 to 128 bits, separated from the address by a forward slash (/).

Specifies the IP address for the gateway. The gateway must be in the same network as the primary or auxiliary interface you’re configuring.

Specifies an interface for the IPv6 route from the drop-down list.

Adds the route to the table list.

You can edit in-path interface settings in the Editing Appliance Configuration: <hostname>, In-Path Interfaces page.

You configure in-path interfaces for deployments where the SCC is in the direct path (the same subnet) as the client and the server in your network. You also set the in-path gateway (WAN router).

In the Riverbed system, appliances have a unique in-path interface for each pair of LAN/WAN ports. For each appliance, the SCC detects LAN/WAN pairs, including those added through bypass cards, and identifies them according to slot (for example, inpath0_0, inpath0_1, inpath1_0, inpath1_1, and so on).

In the In-Path Interfaces page, you can clear either the IPv4 Address field or the IPv6 Address field, but not both. You must use the CLI to clear both addresses. Use the no interface <interface-name> ip address and the no interface <interface-name> ipv6 address <ipv6-address> to clear both. For details, see the Riverbed Command-Line Interface Reference Guide.

For management interfaces, use the main routing table. For detailed information about the main routing table, see Managing base interfaces.

This page applies to SteelHead and Interceptor.

You can configure in-path interfaces under Manage > Topology: Appliances. Select the name of the appliance you want to edit to expand the page and display the Appliance tabs, and select the Appliance Pages tab to display the Appliance Configuration Pages list.

Under Appliance Configuration Pages, click In-Path Interfaces to display the Editing Appliance Configuration: <hostname>, In-Path Interfaces page.

This configuration option is available under In-Path Settings to enable link state propagation:

Shortens the recovery time of a link failure in physical in-path deployments. Link state propagation (LSP) communicates link status between the devices connected to the SteelHead. When you enable this LSP, RiOS monitors the link state of each SteelHead LAN-WAN pair.

If either physical port loses link status, the corresponding interface disconnects, blocking the link. This control allows a link failure to quickly propagate through a chain of devices. If the link recovers, the SteelHead restores the corresponding interface automatically.

LSP is enabled by default.

You can’t reach a MIP interface when LSP is also enabled and the corresponding in-path interface fails.

These SteelHead appliance configurations don’t support LSP:

Select the interface that you want to edit to expand the page.

To edit the interface, select the enable interface check box. These configuration options are available:

Specifies to use IPv4.

Specifies an IP address. This IP address is the in-path main interface.

In the In-Path Interfaces page, you can clear either the IPv4 Address field or the IPv6 Address field, but not both. You must use the CLI to clear both addresses. Use the no interface <interface-name> ip address command and the no interface <interface-name> ipv6 address <ipv6-address> command to clear both. For details, see the Riverbed Command-Line Interface Reference Guide.

Specifies the subnet mask.

Specifies the IP address for the in-path gateway. If you have a router (or a Layer-3 switch) on the LAN side of your network, specify this device as the in-path gateway.

If there is a routed network on the LAN-side of the in-path appliance, the router that’s the default gateway for the appliance must not have the ACL configured to drop packets from the remote hosts as its source. The in-path appliance uses IP masquerading to appear as the remote server.

Assigns an IPv6 address. IPv6 addresses are disabled by default. You can only assign one IPv6 address per in-path interface.

The primary and in-path interfaces can share the same subnet. The primary and auxiliary interfaces can’t share the same network subnet.

Specifies a global or site-local IPv6 address. This IP address is the in-path main interface. You can’t use a DHCP server to assign an IPv6 address automatically.

In the In-Path Interfaces page, you can clear either the IPv4 Address field or the IPv6 Address field, but not both. You must use the CLI to clear both addresses. Use the no interface <interface-name> ip address and the no interface <interface-name> ipv6 address <ipv6-address> to clear both. For details, see the Riverbed Command-Line Interface Reference Guide.

Specifies the prefix. The prefix length is 0 to 128 bits, separated from the address by a forward slash (/). In this example, 60 is the prefix: 2001:38dc:52::e9a4:c5:6282/60

Specifies the IPv6 address for the in-path gateway. You can use a link local address. If you have a router (or a Layer-3 switch) on the LAN side of your network, specify this device as the in-path gateway.

If there is a routed network on the LAN-side of the in-path appliance, the router that’s the default gateway for the appliance must not have the ACL configured to drop packets from the remote hosts as its source. The in-path appliance uses IP masquerading to appear as the remote server.

If your network routers or switches don’t automatically negotiate the speed and duplex, be sure to set them on the device manually.

The speed and duplex must match (LAN and WAN) in an in-path configuration. To avoid a speed and duplex mismatch, configure your LAN external pair to match the WAN external pair.

Speed and duplex mismatches can easily occur in a network. For example, if one end of the link is set at half duplex or full duplex and the other end of the link is configured to autonegotiate (auto), the link defaults to half duplex, regardless of the duplex setting on the nonautonegotiated end. This duplex mismatch passes traffic, but it causes interface errors and results in degraded optimization.

These guidelines can help you avoid speed and duplex mismatches when configuring the SteelHead:

Specifies the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. Applies to optimized traffic only. The default value is 1500.

Specifies the VLAN tag that the appliance uses to communicate with other SteelHeads in your network. The VLAN Tag ID might be the same value or a different value than the VLAN tag used on the client. A zero (0) value specifies nontagged (or native VLAN) and is the correct setting if there are no VLANs present. As an example, if the in-path interface is 192.168.1.1 in VLAN 200, you would specify tag 200.

When the SteelHead communicates with a client or a server, it uses the same VLAN tag as the client or the server. If the SteelHead can’t determine which VLAN the client or server is in, it doesn’t use the VLAN tag (assuming that there is no router between the SteelHead and the client or server).

You must also define in-path rules to apply to your VLANs.

These configuration options are available under Management Interface <hostname>:

Enables a secondary MIP interface that you can reach through the physical in-path LAN and WAN interfaces. Configuring a secondary MIP interface allows management of SteelHeads from a private network while maintaining a logical separation of network traffic. If LSP or fail-to-block is enabled, a message reminds you to disable the feature before enabling the MIP interface.

Specifies the IP address for the MIP interface.

Specifies the subnet mask.

Enables IPv6 support on this interface.

Specifies the IPv6 address.

Specifies the prefix. The prefix length is 0 to 128 bits, separated from the address by a forward slash (/). In this example, 60 is the prefix: 2001:38dc:52::e9a4:c5:6282/60

Specifies a numeric VLAN Tag ID. When you specify the VLAN Tag ID for the MIP interface, all packets originating from the SteelHead from the MIP interface are tagged with that identification number. The VLAN Tag ID might be the same value or a different value than the in-path interface VLAN tag ID. The MIP interface could be untagged and the in-path interface could be tagged and vice versa. A zero (0) value specifies nontagged (or native VLAN) and is the correct setting if there are no VLANs present. For example, if the MIP interface is 192.168.1.1 in VLAN 200, you would specify tag 200.

You configure subnet side rules in the Editing Appliance Configuration: <hostname>, Subnet Side Rules page.

You need to configure subnet side rules to support Flow Export on a virtual in-path deployment.

Subnet side rules enable you to configure subnets as LAN-side subnets or WAN-side subnets for a virtual in-path SteelHead appliance. The subnet side rules determine whether traffic originated from the LAN or the WAN-side of the SteelHead appliance based on the source subnet. You must configure subnets on each SteelHead appliance in a virtual in-path configuration, as the subnets for each will likely be unique.

With subnet side rules in place, a virtual in-path SteelHead can use flow export collectors such as NetFlow to analyze nonoptimized or passed through traffic correctly. Otherwise, the SteelHead appliance can’t discern whether the traffic is traveling from the LAN to the WAN or in the opposite direction. This can result in over-reporting traffic in a particular direction or for a particular interface.

FakeIndex is necessary for correct optimized traffic reporting. For details, see the SteelHead Deployment Guide.

This page applies to SteelHead.

You can configure subnet side rules settings under Manage > Topology: Appliances. Select the name of the appliance you want to edit to expand the page and display the Appliance tabs, and select the Appliance Pages tab to display the Appliance Configuration Pages list.

Under Appliance Configuration Pages, click Subnet Side Rules to display the Editing Appliance Configuration: <hostname>, Subnet Side Rules page. These configuration options are available:

Displays the controls to create a subnet side rule.

Specifies Start, End, or a rule number from the drop-down list. SteelHead appliances evaluate rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule don’t match, the system consults the next rule. For example, if the conditions of rule 1 don’t match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted.

Specifies the subnet. Use this format: <ip-address>/<subnet-mask>

In SCC 9.8, this field also accepts IPv6 addresses.

Specifies that the subnet is on the LAN side of the device. In virtual in-path configurations, all traffic is flowing in and out of one physical interface.

Specifies that the subnet is on the WAN side of the device. In virtual in-path configurations, all traffic is flowing in and out of one physical interface.

Adds the rule to the subnet map table. The Management Console redisplays the subnet map table and applies your changes to the running configuration, which is stored in memory.

You configure SSL settings for a specific appliance in the Editing Appliance Configuration: <hostname>, SSL page.

SSL is a cryptographic protocol that provides secure communications between two parties over the internet. Typically, in a web-based application, it is the client that authenticates the server. To identify itself, an SSL certificate is installed on a web server and the client checks the credentials of the certificate to make sure it is valid and signed by a trusted third party. Trusted third parties that sign SSL certificates are called certificate authorities (CA).

This page applies to SteelHead.

For detailed information, see the SteelHead User Guide.

You can display SSL tabs under Manage > Topology: Appliances. Select the name of the appliance you want to edit to expand the page and display the Appliance tabs, and then select the Appliance Pages tab to display the Appliance Configuration Pages list.

Under Appliance Configuration Pages, click SSL to display the Editing Appliance Configuration: <hostname>, SSL page. To display certificates PEM, replace certificates, or generate CSR, select the Appliance Pages tab to expand the page and display configuration setting.

You can display the certificate PEM for the selected appliance in the Editing Appliance Configuration: <hostname>, SSL page.

Choose Manage > Topology: Appliances to display the Appliances page. Select the name of the appliance you want to edit to expand the page and display the Appliance tabs, and then select the Appliance Pages tab to display the Appliance Configuration Pages list.

Under Appliance Configuration Pages, click SSL to display the Editing Appliance Configuration: <hostname>, SSL page. Select the Display Certificate PEM tab to display the certificate in PEM format.

You can replace SSL certificates for the selected appliance in the Editing Appliance Configuration: <hostname>, SSL page.

Choose Manage > Topology: Appliances to display the Appliances page. Select the name of the appliance you want to edit to expand the page and display the Appliance tabs, and then select the Appliance Pages tab to display the Appliance Configuration Pages list.

Under Appliance Configuration Pages, click SSL to display the Editing Appliance Configuration: <hostname>, SSL page. Select the Replace Certificate tab to expand the page.

These configuration options are available:

Imports the certificate and key. The page displays controls for browsing to and uploading the certificate and key files. You can also use the text box to copy and paste a PEM file. The private key is required regardless of whether you’re adding or updating the certificate.

Specifies the private key origin. The Private Key is in a separate file (see below)—You can either upload it or copy and paste it. This file includes the Certificate and Private Key. The Private Key for this Certificate was created with a CSR generated on this appliance.

Imports the certificate and key.

Generates a new private key and self-signed public certificate. The page displays controls to identify and generate the new certificate and key.

Specifies the key length from the drop-down list. The default is 1024.

Generates the certificate and the key.

You can generate the CSR for the selected appliance in the Editing Appliance Configuration: <hostname>, SSL page.

Choose Manage > Topology: Appliances. Select the name of the appliance you want to edit to expand the page and display the Appliance tabs, and then select the Appliance Pages tab to display the Appliance Configuration Pages list.

Under Appliance Configuration Pages, click SSL to display the Editing Appliance Configuration: <hostname>, SSL page. Select the Generate CSR tab to expand the page.

These configuration options are available:

Specifies the common name (hostname) of the peer.

Specifies the organization name (for example, the company).

Specifies the organization unit name (for example, the section or department).

Specifies the city.

Specifies the state. Don’t abbreviate.

Specifies the country (2-letter code only).

Specifies the email address of the contact person.

Generates the Certificate Signing Request.

You configure web settings and web certificates in the Editing Appliance Configuration: <hostname>, Web Settings page.

This page applies to SteelHead and Interceptor.

Choose Manage > Topology: Appliances. Select the name of the appliance you want to edit to display the Edit Appliance tab, and then select the Appliance Pages tab to display the Appliance Configuration Pages list.

Under Appliance Configuration Pages, click Web Settings to display the Editing Appliance Configuration <hostname>, Web Settings page. These configuration options are available:

Specifies the username that appears in the authentication page. The default value is admin.

Specifies the number of idle minutes before time-out. The default value is 15. A value of 0 disables time-out.

Stops the automatic updating of the report pages when the session times out. By default, session time-out is enabled. Clear the Allow box to disable the session time-out, remain logged in indefinitely, and automatically refresh the report pages.

You can manage web certificates in the Web Settings page:

To manage web certificates, select the Details tab under Web Certificate. These identity certificate details are available:

Specifies the SSL fingerprint.

To view the certificate in PEM format, under Web Certificate, select the PEM tab to display the certificate. The certificate appears in PEM format.

To replace an existing certificate, under Web Certificate, click Replace. These configuration options are available:

Imports the certificate and key. The page displays controls for browsing to and uploading the certificate and key files. You can also use the text box to copy and paste a PEM file. The private key is required regardless of whether you’re adding or updating the certificate.

Specifies the private key origin. The Private Key is in a separate file (see below)—You can either upload it or copy and paste it. This file includes the Certificate and Private Key. The Private Key for this Certificate was created with a CSR generated on this appliance.

Imports the certificate and key.

Generates a new private key and self-signed public certificate. The page displays controls to identify and generate the new certificate and key:

Generates CSR and private key.

To generate a CSR, under Web Certificate select Generate CSR. These configuration options are available:

Specifies the common name (hostname).

Specifies the organization name (for example, the company).

Specifies the organization unit name (for example, the section or department).

Specifies the city.

Specifies the state.

Specifies the country (two-letter code only).

Specifies the email address of the contact person.

Generates the CSR.

You configure legacy outbound QoS interfaces for Basic and Advanced QoS in the Editing Appliance Configuration: <hostname>. Outbound QoS Interfaces page.

This feature applies to SteelHead.

For detailed information about QoS, see the SteelHead User Guide.

Perform this task to modify Outbound QoS (Basic) interface settings:

To modify Outbound QoS (Basic) interface settings, choose Manage > Topology: Appliances. Select the name of the appliance you want to edit to display the Edit Appliance tab, and then select the Appliance Pages tab to display the Appliance Configuration Pages list.

Under Appliance Configuration Pages, click Outbound QoS Interfaces to display the Editing Appliance Configuration: <hostname>, Outbound QoS (Basic) page. These configuration options are available under WAN Link:

Specifies its bandwidth link rate in kilobits per second. The link rate is the bottleneck WAN bandwidth, not the interface speed out of the WAN interface into the router or switch. For example, if your SCC connects to a router with a 100-Mbps link, don’t specify this value; specify the actual WAN bandwidth (for example, T1 or T3). Different WAN interfaces can have different WAN bandwidths; you must enter the bandwidth link rate correctly for QoS to function properly.

Allows you to select the necessary check boxes.

Allows you to select the necessary check boxes.

You can modify outbound QoS (advanced) interface settings under Manage > Topology: Appliances. Select the name of the appliance you want to edit to display the Edit Appliance tab. Select the Appliance Pages tab to display the Appliance Configuration Pages list.

Under Appliance Configuration Pages, select Outbound QoS Interfaces (Advanced) to display the Editing Appliance Configuration: <hostname>, Outbound QoS (Basic) page. Click Outbound QoS (Advanced) to display the Editing Appliance Configuration: <hostname>, Outbound QoS page.

These configuration options are available under WAN Link:

Allows you to select the necessary check boxes.

Allows you to select the necessary check boxes.

You configure legacy inbound QoS interfaces in the Editing Appliance Configuration: <hostname>. Outbound QoS Interfaces page.

This feature applies only to SteelHead.

For detailed information about QoS, see the SteelHead User Guide.

Choose Manage > Topology: Appliances. Select the name of the appliance you want to edit to display the Edit Appliance tab. Select the Appliance Pages tab to display the Appliance Configuration Pages list.

Under Appliance Configuration Pages, click Inbound QoS Interfaces to display the Editing Appliance Configuration: <hostname>, Inbound QoS Interfaces page. These configuration options are available under WAN Link:

Specifies WAN interface bandwidth link rate in kilobits per second. The link rate is the bottleneck WAN bandwidth, not the interface speed out of the WAN interface into the router or switch. For example, if your CMC appliance connects to a router with a 100-Mbps link, don’t specify this value; specify the actual WAN bandwidth (for example, T1 or T3). Different WAN interfaces can have different WAN bandwidths; you must enter the bandwidth link rate correctly for QoS to function properly.

Allows you to select the necessary check box(es).

Allows you to select the necessary check box(es).

You configure legacy path selection rules in the Editing Appliance Configuration: <hostname>, Path Selection page.

This page applies to SteelHead.

To add a new path, choose Manage > Topology: Appliances. Select the name of the appliance you want to edit to display the Edit Appliance tab. Select the Appliance Pages tab to display the Appliance Configuration Pages list.

Under Appliance Configuration Pages, click Path Selection to display the Editing Appliance Configuration: <hostname>, Path Selection page. Click + Add a New Path to expand the page. These configuration options are available:

Specifies the path selection name.

The path selection name is case sensitive and must match the path name in the policy being pushed to this appliance. If the names don’t match, policy push will fail.

Specifies the IP address for the gateway. The gateway must be in the same network as the in-path interface.

The gateway IP address must be in the same subnet (local network) as the in-path interface.

Specifies a relay interface over which the appliance reaches the path.

Specifies the tunnel mode from the drop-down list: None or GRE. GRE provides IPv4 generic routing encapsulation (GRE) for direct uplinks. Direct uplinks using GRE become direct tunneled uplinks. You must create direct tunneled uplinks to steer traffic over any uplink that traverses a stateful firewall between the SteelHeads.

Without GRE, traffic attempting to switch midstream to an uplink that traverses a stateful firewall might be blocked. The firewall needs to track the TCP connection state and sequence numbers for security reasons. Because the firewall hasn’t logged the initial connection handshake, and has partial or no packet sequence numbers, it blocks the attempt to switch to the secondary uplink and might drop these packets. To traverse the firewall, path selection can encapsulate that traffic into a GRE tunnel.

Adds the path to the path table. The SCC redisplays the path table and applies your changes to the running configuration, which is stored in memory.

You configure connection forwarding for a network with multiple paths from the server in the Editing Appliance Configuration: <hostname>, Connection Forwarding page.

You enable connection forwarding only in asymmetric networks; that is, networks in that a client request traverses a different network path than the server response. The default port for connection forwarding is 7850.

This feature applies to SteelHead.

For detailed information about connection forwarding, see the SteelHead User Guide.

To configure connection forwarding, choose Manage > Topology: Appliances. Select the name of the appliance you want to edit to display the Edit Appliance tab. Select the Appliance Pages tab to display the Appliance Configuration Pages list.

Under Appliance Configuration Pages, click Connection Forwarding to display the Editing Appliance Configuration: <hostname>, Connection Forwarding page. These configuration options are available under Connection Forwarding Settings:

Enables connection forwarding by default on all neighbors added to the peer list. The default value is 7850.

Specifies the port number to use as the default for the neighbor SteelHead in-path port. The default value is 7850.

Specifies the number of seconds to use as the default interval for ping commands between neighbor SteelHeads. The default value is 1 second.

Specifies the number of tries to use as the default number of failed ping attempts before an appliance terminates a connection with a neighbor. The default value is 3.

Uses the neighbor appliance to optimize new connections if the appliance fails.

For in-path deployments that use connection forwarding with WCCP, enabling this option ensures that if one appliance fails, the neighbor appliance continues to optimize new connections.

For in-path deployments that use connection forwarding without WCCP, enabling this option ensures that a SteelHead attempts to optimize new connections that are symmetrically routed, even after all of the neighbor SteelHeads on another network path failed. New asymmetrically routed connections aren’t optimized but passed through.

Enables high availability on SteelHeads configured with multiple in-path interfaces and using connection forwarding with another multiport SteelHead. This option makes all neighbor in-path interface IP addresses visible to each peer to ensure proper neighbor communication if the in-path0_0 interface fails.

RiOS 6.5 and later require connection forwarding in a WCCP cluster. You must enable multiple interface support for a connection-forwarding neighbor to work with IPv6.

Enables IPv6 connection forwarding mode. Enabling this option disallows IPv4 addresses for neighbors.

These configuration options are available under Neighbor Table:

Displays the controls to add a new neighbor.

Specifies a hostname.

Specifies the in-path IP address for the neighbor SteelHead. When you define a neighbor, you must specify the appliance in-path IP address, not the primary IP address. Either IPv4 or both IPv4 and IPv6 can be specified. To use connection forwarding with IPv6, both SteelHeads must be running RiOS 8.5 or later and you must enable multiple interface support.

Specifies the in-path port for the neighbor SteelHead. The default port is 7850.

Adds a neighbor SteelHead to the neighbor list.

Adds a new neighbor.

You can configure the web proxy cache size for VCX-10 to VCX-90 SteelHeads in the Editing Appliance Configuration: <hostname>, Web Proxy Settings page.

You can configure the total cache size in the SCC Web Proxy Settings page for the managed VCX-10 to VCX-90 models.

If you make a change to the web proxy cache size and web proxy is running, the web proxy is automatically restarted.

Disabling web proxy on VCX models will disable all web proxy alarms but it will not affect the existing cache.

This feature applies only to SteelHead VCX-10 to VCX-90 models.

For more about web proxy, see About Web Proxy. and the SteelHead User Guide.

To configure web proxy cache settings, choose Manage > Topology: Appliances. Select the VCX appliance you want to edit to display the Edit Appliance tab. Select the Appliance Pages tab to display the Appliance Configuration Pages list.

Under Appliance Configuration Pages, click Web Proxy Settings to display the Editing Appliance Configuration: <hostname>, Web Proxy Cache Settings page. These configuration options are available under Web Proxy Cache Settings:

Specifies the minimum web proxy cache size in gigabytes (GB), as specified by the license. The minimum cache size is 5 GB. This value is updated after a policy push or a change is detected in the license.

Specifies the maximum cache size in gigabytes (GB), as specified by the license. This value is updated after a policy push or a change is detected in the license. The maximum cache size is 800 GB, depending on the available disk size and your license maximum size. The maximum cache size can’t exceed the available disk space. If you exceed the available disk space, an alarm is triggered.

Specifies the disk space used by the current web proxy cache. This value is updated after a policy push or a change is detected in the license. The actual disk size differs if the cache size isn’t configured or if the disk doesn’t have enough disk space for the configured cache size.

Specifies the total cache size in gigabytes (GB). This value is your configured cache size. If the configured cache size is larger than what the management disk can support (that is, the actual cache size) then an alarm is raised.

You can enable SAML on a single appliance using the SAML page of that appliance, or you can configure SAML in a policy and then push the policy across multiple appliances.

Before you enable SAML on a single appliance or on multiple appliances, you must configure IdP individually for each appliance because the IdP metadata required to enable SAML is unique for each appliance.

For detailed information, see the SteelHead User Guide.

You can configure IdP in the Editing Appliance Configuration: <hostname>, SAML page.

Choose Manage > Topology: Appliances to display the Appliances page. Select the name of the appliance you want to edit to display the Appliance Pages tab. Select the Appliance Pages tab to display the Appliance Configuration Pages list.

Under Appliance Configuration Pages, click SAML to display the Editing Appliance Configuration: <hostname>, SAML page. Click Include to include this configuration from the policy push for the specified appliance. Your changes aren’t applied to the specified appliance until the policy is pushed to the appliance. Under IdP Configuration, paste the IdP metadata you received from the IdP website, and click Apply.

You have completed IdP configuration that is specific to an appliance. You can now create a policy to configure and enable SAML. This policy can be pushed to an appliance of your choice or to a group of appliances.

Choose Manage > Policies. Click + Add Policy to expand the page. Type a policy name and description and click Add to display the Editing Policy page.

Click + Add/Remove Pages to display the Add/Remove Policy Pages pop-up window. Under Security, select SAML and click Apply to display the Editing Policy page. In the Editing Policy page, click SAML to display Editing <policy-name> page. Click Include to include the policy in the policy push.

These SAML request and response settings are available under IdP Configuration:

Allows you to paste the IdP metadata you copied or received from the IdP website.

Under IdP Configuration, configure the SAML request and response settings:

Pastes the IdP metadata you copied or received from the IdP website.

Click Apply to save your configuration settings. Under SAML, to enable SAML, select the Enable SAML check box and click Apply. Click Save to Disk to save you settings permanently.

Choose Manage > Topology: Appliances to return to the Appliances page. Click Appliance Operations to expand the page. Select the appliance you want to push, select Push Policies from the drop-down list, and click Push.

Choose Manage > Operations: Operations History to verify that the operation was successful.

Settings are similar to those described in the section on remote log servers.