About WinSec Controller
  
About WinSec Controller
Riverbed WinSec Controller is a standalone, dedicated tier-0 appliance for security-specific functions. WinSec Controller provides a highly secure method for performing security functions for server-side SteelHead appliances without compromising Microsoft-recommended security best practices. WinSec Controller appliances are purpose-built to operate in highly secure environments and offer these key features:
Internet Protocol Security (IPsec) encrypted connections between WinSec Controllers and server-side SteelHeads with user-selectable Internet Key Exchange (IKE) authentication methods.
Configuration and administration by domain administrators through a web application.
Secure vault protection.
Secure peering using IKE shared secrets or self-signed certificates.
Replication user accounts, server key replication, and control over key fetch scope and password replication policies.
High availability and fault tolerance with active monitoring for enterprise-class uptime (requires multiple appliances).
Support for domain trust relationships.
Secure software upgrades.
Within an enterprise access model topology, a WinSec Controller appliance resides inside the boundaries of the control plane (tier 0) and maintains encrypted connections with configured server-side SteelHead appliances (tier 1), proxying requests and responses between those SteelHead appliances and domain controllers, such as Active Directory.
WinSec Controller supports only Kerberos traffic. New Technology LAN Manager (NTLM) traffic is not supported. If you have NTLM traffic in your environment, we strongly recommend that you configure SteelHead peers to bypass that traffic. If the SteelHead is not configured to bypass NTLM traffic, the traffic could be blackholed (that is, dropped without notification) in the event a domain controller is not reachable or no domain controllers are configured to peer with WinSec Controller. For details, see Chapter: Configuring WinSec Controller Peers.
Secure transport must be disabled on SteelHead peers. Secure transport and secure peering functionality cannot be active at the same time. See About WinSec Controller IPsec peering connections and Configuring WinSec Controller Peers.
WinSec Controller topology
In order to optimize SMB/CIFS and Encrypted MAPI (E-MAPI) traffic, traditional SteelHead deployments placed security functions, such as server key replication, with the SteelHead. Now, using WinSec Controller to host the replication user account and manage server key replication, you can optimize SMB/CIFS and E-MAPI traffic while maintaining strict security best practices. If you are not currently optimizing SMB/CIFS and E-MAPI traffic across your enterprise due to security concerns, WinSec Controller offers a new, highly secure option for doing so and unlocking more value from your optimization products.
Optimization of application traffic that uses NT LAN Manager (NTLM) protocols is not supported. Only Kerberos is supported. If you have NTLM traffic in your environment, you’ll need to configure SteelHead peers to accommodate it. See Chapter: Configuring WinSec Controller Peers.
How WinSec Controller works
WinSec Controller is deployed within the control plane (tier-0) perimeter and uses DNS to discover domain controllers. SteelHead appliances are deployed in lower security tiers, such as the management plane, and are configured to use the WinSec Controller.
WinSec Controller deployed with configured server-side SteelHeads
A client device sends a request for a ticket-granting ticket (TGT) to the domain controller. The domain controller forwards the request to its key distribution center (KDC) component, which returns a ticket to the client. Before the client connects to the server, the client shares the TGT with the ticket-granting service (TGS) and requests the server ticket. The TGS authenticates the client, ensuring that the client is authorized to access the server. The TGS then provides a server ticket that includes the session key to the client.
Time synchronization between WinSec Controllers and domain controllers must be within a five-minute tolerance. If the time synchronization is off by more than five minutes, server key fetch operations may fail. When WinSec Controller fails to provide a server key to the server-side SteelHead, the authentication protocol negotiation falls back from Kerberos to NT LAN Manager (NTLM) protocols.
The client sends a Kerberos request to the server that includes the server ticket and an encrypted session key. The client-side SteelHead intercepts the request and forwards it to the server-side SteelHead. The server-side SteelHead communicates with the WinSec Controller through a secure tunnel to obtain the replicated server key, and then decrypts the client’s Kerberos request, obtaining the session key. The server-side SteelHead uses the session key to decrypt the traffic, and then the optimization of application traffic between the client-side SteelHead and server-side SteelHead begins.
Client Kerberos request intercepted and decrypted by server-side SteelHead
About WinSec Controller IPsec peering connections
The WinSec Controller communicates with server-side SteelHeads through an encrypted peering connection using IPsec. The WinSec Controller and the SteelHead peer with each other through their primary interfaces. Authentication of the peering session secret and keys is handled by Internet Key Exchange (IKE) protocols. To enable peering between WinSec Controller and SteelHead, you’ll need to configure these settings:
SSL certificate exists. SteelHead appliances are supplied with a self-signed certificate during manufacturing. If a new or different certificate is needed, the factory certificate can be replaced. Ensure you validate each certificate.
Primary interface is configured. The primary interface on both appliances is used for the peering connection.
Secure transport is disabled. SteelHead only. Secure transport must be disabled because SteelHead appliances do not allow the secure transport feature and the secure peering feature to be enabled at the same time.
IPsec is enabled on the primary interface. Secure peering occurs through the primary interface on both appliances and requires IPsec to be enabled.
IKE authentication mode is configured. IKE is the protocol used to set up a security association (SA) in the IPsec protocol suite and establish the secure session secret and cryptographic keys. These two IKE options are available:
Shared secret—Uses a secret shared between peers to authenticate the session secret and keys.
Certificate—Uses self-signed certificates on the appliances to authenticate the session secret and keys.
Peer IP addresses are configured. You’ll need to add peer IP addresses to the peering list on both appliances.
By design, after you configure those settings the appliances do not automatically connect. You’ll need to manually initiate the first-time traffic between them to activate the connection.
For details about how to configure the WinSec Controller, see Chapter: Configuring WinSec Controller. For details about how to configure SteelHead appliances, see the SteelHead User Guide.
About WinSec Controller high availability
On the SteelHead appliance, you can configure primary and secondary WinSec Controller appliances for high-availability (HA) deployments. We recommend you deploy WinSec Controller appliances in an HA deployment to ensure that traffic to and from the domain controller is not disrupted.
The health status of the primary WinSec Controller appliance is always maintained by the SteelHead appliance. If the primary WinSec Controller appliance is not available, the SteelHead appliance switches to the secondary WinSec Controller appliance and forwards the next set of requests. Within a site, you can have multiple server-side SteelHead appliances and WinSec Controller appliances.
The server-side SteelHead appliance maintains the IPsec tunnel to both the primary and secondary WinSec Controller appliances at all times. The primary and secondary WinSec Controller appliances are independent and do not engage in any configuration or state synchronization. It takes approximately eight seconds for the secondary WinSec Controller appliance to respond when the primary WinSec Controller appliance is unreachable.
Accessing a WinSec Controller management console
WinSec Controller is managed through a secure, web-based graphical user interface (GUI). There is no command-line interface. For troubleshooting support, Secure Shell (SSH) access will be provided upon completion of a challenge-response authentication step.
WinSec Controllers cannot be managed through SteelCentral Controller for SteelHead.
The WinSec Controller web-based GUI uses session cookies to communicate with the backend server. The first time you log in to the management console, you will see a notice regarding these cookies and are prompted to either accept the use of them or log out. Session cookies are renewed every 30 minutes as long as you are actively using the console. After five minutes of no use, you will be automatically logged out. Session cookies expire after you log out and close your browser.
To log in to and out of the WinSec Controller console
1. Go to https://<hostname>.
2. Enter your login credentials.
3. If this is your first time logging in, click Accept & Proceed.
The WinSec Dashboard is displayed.
To log out, click the user icon in the upper right area of the console and select Log out.
Accessing user settings
Click the user icon in the upper right area of the console to access user settings or log out. These settings are available:
Set theme—Enables you to toggle between light and dark themes.
Change password—Enables you to change your password.
About—Enables you to edit your username, enter your full name, enter your email address, and provide a short description for your account.
Upgrading and viewing WinSec Controller software versions
You can upgrade WinSec Controller software and view the current and backup software versions.
To upgrade the WinSec Controller software or view software versions
1. Choose Administration > Upgrade.
2. In the Install Upgrade section, enter the URL to the upgrade image file.
3. Click Submit.
The image is downloaded and installed in a backup partition.
4. Click Switch to backup version.
The system exchanges primary and backup partitions and restarts, loading the new software.
The current and backup software versions are displayed in the Software Upgrade section. To revert to a previous version of the software, simply select the backup version of the software and click Revert.
Shutting down or restarting WinSec Controller
You won’t be able to reach the WinSec Controller through the management console while it is shut down, restarting, or performing a factory reset. If you need to access it and are having problems, contact your WinSec Controller administrator.
To shut down, restart, or factory reset the WinSec Controller
1. Choose Administration > Actions.
2. Do one of these actions:
Shut down
Reboot
Factory reset
Accessing WinSec Controller sysdump information
Sysdump files are useful for troubleshooting problems with your Riverbed support representative. You can generate sysdump files at any time.
To generate, download, or delete sysdump files
1. Choose Administration > Sysdump.
2. Do any of these actions
Click Submit to generate a sysdump file. Optionally, you can enter a descriptive case number. Any alpha-numeric characters are accepted.
Click Download for the sysdump file you want to download.
Click Delete for the sysdump file you want to remove.