Riverbed Central Management Console User's Guide. Version 8.0 December 2012
© 2012 Riverbed Technology. All rights reserved.

Riverbed, Cloud Steelhead, Granite, Interceptor, RiOS, Steelhead, Think Fast, Virtual Steelhead, Whitewater, Mazu, Cascade, Shark, AirPcap, BlockStream, SkipWare, TurboCap, WinPcap, Wireshark, TrafficScript, Flyscript, WWOS, and Stingray are trademarks or registered trademarks of Riverbed Technology, Inc. in the United States and other countries. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein cannot be used without the prior written consent of Riverbed Technology or their respective owners.

Akamai and the Akamai wave logo are registered trademarks of Akamai Technologies, Inc. SureRoute is a service mark of Akamai. Apple and Mac are registered trademarks of Apple, Incorporated in the United States and in other countries. Cisco is a registered trademark of Cisco Systems, Inc. and its affiliates in the United States and in other countries. EMC, Symmetrix, and SRDF are registered trademarks of EMC Corporation and its affiliates in the United States and in other countries. IBM, iSeries, and AS/400 are registered trademarks of IBM Corporation and its affiliates in the United States and in other countries. Linux is a trademark of Linus Torvalds in the United States and in other countries. Microsoft, Windows, Vista, Outlook, and Internet Explorer are trademarks or registered trademarks of Microsoft Corporation in the United States and in other countries. Oracle and JInitiator are trademarks or registered trademarks of Oracle Corporation in the United States and in other countries. UNIX is a registered trademark in the United States and in other countries, exclusively licensed through X/Open Company, Ltd. VMware, ESX, ESXi are trademarks or registered trademarks of VMware, Incorporated in the United States and in other countries.

This product includes software developed by the University of California, Berkeley (and its contributors), EMC, and Comtech AHA Corporation. This product is derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm.

NetApp Manageability Software Development Kit (NM SDK), including any third-party software available for review with such SDK which can be found at and are included in a NOTICES file included within the downloaded files.

For a list of open source software (including libraries) used in the development of this software along with associated copyright and license agreements, see the Riverbed Support site at https://support.riverbed.com. You must log in to Riverbed Support to view this information.

This documentation is furnished AS IS and is subject to change without notice and should not be construed as a commitment by Riverbed Technology. This documentation may not be copied, modified or distributed without the express authorization of Riverbed Technology and may be used only in connection with Riverbed products and services. Use, duplication, reproduction, release, modification, disclosure or transfer of this documentation is restricted in accordance with the Federal Acquisition Regulations as applied to civilian agencies and the Defense Federal Acquisition Regulation Supplement as applied to military agencies. This documentation qualifies as commercial computer software documentation and any use by the government shall be governed solely by these terms. All other use is prohibited. Riverbed Technology assumes no responsibility or liability for any errors or inaccuracies that may appear in this documentation.

Riverbed Technology, 199 Fremont Street, San Francisco, CA
Contents

Preface
  About This Guide
  Audience
  Document Conventions
  Product Dependencies and Compatibility
  Hardware and Software Dependencies
  SNMP-Based Management Compatibility
  CMC Compatibility
  Multiple Product Support
  Additional Resources
  Release Notes
  Riverbed Documentation and Support Knowledge Base
  Contacting Riverbed
  Internet
  Technical Support
  Professional Services
  Documentation

Chapter 1 - Overview of the Central Management Console
  Using the Central Management Console
  Connecting to the Central Management Console
  The Home Page
  Navigating in the Central Management Console
  Getting Help
  Upgrading from Previous Versions of the CMC
  Group Membership
  Policy Association
  Configuration
  Migration Procedures
  Steelhead Appliance Auto-Registration

Chapter 2 - Configuring the CMC
  Configuring Network Settings
  Configuring Host Settings
  Configuring Settings for the Base Interfaces
  Configuring System Settings
  Creating Announcements
  Setting Alarm Parameters
  Configuring Monitored Ports
  Setting SNMP Basic Settings
  Configuring SNMP v
  Configuring SNMP Authentication and Access Parameters
  Configuring Notifications
  Configuring Logging
  Configuring Security Settings
  Configuring General Security Settings
  Configuring CMC Security Settings
  Managing User Permissions
  Configuring RADIUS Server Authentication
  Configuring TACACS+ Server Authentication
  Unlocking the Secure Vault
  Configuring the Management ACL
  Configuring Web Settings
  Maintaining Your System
  Working with External CMC Backups
  Viewing Daily Maintenance Window Settings
  Displaying Job Status
  Managing Licenses
  Upgrading Your Software
  Rebooting and Shutting Down the CMC
  Changing the Account Password
  Managing Configuration Files

Chapter 3 - Managing Appliances, Groups, and Policies
  Managing Appliances and Appliance Groups
  Tasks and Detailed Procedures
  Creating a New Appliance Group
  Registering New Appliances
  Editing Appliance Configurations
  Managing or Viewing Appliance Host Settings
  Managing or Viewing Appliance Base Interfaces Settings
  Managing or Viewing Appliance In-Path Interface Settings
  Managing Subnet Side Rules Settings
  Managing or Viewing Appliance SSL Settings
  Managing the Licenses Settings
  Configuring Web Settings
  Managing Outbound QoS Interfaces
  Managing Inbound QoS Interfaces
  Managing Granite Settings
  Virtual Services Platform
  Fetching Appliance Specific Configurations
  Trusting Appliances Using Security Keys
  Running Appliance Utilities
  Viewing Policies Inherited by the Appliance
  Removing Groups and Appliances
  Moving Groups and Appliances
  Filtering the Display of Appliances and Appliance Groups
  Performing Appliance Operations
  Managing Appliance Configurations Using Policies and Groups
  Understanding Policies and Policy Usage
  General Information on Page and Version Incompatibility
  Centralized Configuration with Groups and Policies
  Inheriting or Overriding Policy Settings from a Parent Group
  Fetching Configurations
  Managing Policies
  Viewing and Managing System Operation History
  Managing Appliance Backups and Restores
  Assigning Rollover Strategy
  Performing Appliance Backups
  Restoring a Backup Snapshot to an Appliance
  Migrating Current Status from One Appliance to Another
  Removing Backup Configurations
  Configuring Software Upgrades
  Managing RSP/VSP
  Managing RSP/VSP Appliances
  Configuring the RSP/VSP Package Library
  Configuring the RSP/VSP Image Library

Chapter 4 - Displaying and Customizing Reports
  Displaying WAN Optimization Reports and Logs
  Viewing Optimized Throughput Reports
  Viewing Bandwidth Optimization Reports
  Viewing Data Reduction Reports
  Viewing Traffic Summary Reports
  Viewing Connection History Reports
  Viewing Connection Forwarding Reports
  Viewing Connection Pooling Reports
  Viewing Outbound QoS (Dropped) Reports
  Viewing Outbound QoS (Sent) Reports
  Viewing Inbound QoS (Dropped) Reports
  Viewing Inbound QoS (Sent) Reports
  Displaying Application Optimization Reports and Logs
  Viewing HTTP Reports
  Viewing NFS Reports
  Viewing SRDF Reports
  Viewing SSL Servers Reports
  Viewing DNS Cache Hits Reports
  Viewing DNS Cache Utilization Reports
  Data Store Statistics Reports
  Viewing Data Store Status Reports
  Viewing Data Store SDR-Adaptive Reports
  Viewing Data Store Disk Load Reports
  Viewing Data Store Hit Rate Reports
  Viewing Data Store IO Reports
  Viewing Data Store Read Efficiency Reports
  Displaying Branch Storage Reports
  Viewing the Granite LUN I/O Report
  Viewing the Granite Initiator I/O Report
  Viewing the Granite Network I/O Report
  Viewing the Granite Blockstore Metrics Report
  Displaying Appliance Diagnostics Reports
  Viewing Appliance Details Reports
  Viewing Health Check Details Reports
  Viewing CPU Utilization Reports
  Viewing Memory Paging Reports
  Downloading Logs
  Viewing Expiring Certificates
  Displaying CMC Diagnostics Reports and Logs
  Viewing the Alarm Status Report
  Viewing CPU Utilization Report
  Viewing Memory Paging Report
  Viewing Logs
  Downloading Logs
  Viewing the System Dumps List Report
  Viewing Process Dump List Reports
  Viewing the TCP Dumps List Reports
  Exporting Performance Statistics Reports

Appendix A - Viewing Policy Configuration Settings
  Overview of Policy Configurations
  Optimization Policy Settings
  Certificate Authorities
  Data Store
  General Service Settings
  In-Path Rules
  Peering Rules
  Performance
  CIFS (SMB1)
  CIFS Prepopulation
  SMB
  Oracle Forms
  MAPI
  MS-SQL
  NFS
  Lotus Notes
  Citrix ICA
  FCIP
  HTTP
  SRDF
  Transport Settings
  Windows Domain Auth
  Delegation
  Auto-Delegation Mode
  Configuring Replication Users (Kerberos)
  SSL Main Settings
  Secure Peering (SSL)
  Service Ports
  CRL Management (SSL)
  Advanced Settings (SSL)
  Secure Peering (IPSEC)
  Cloud Accelerator
  System Settings Policies
  Alarms
  Announcements
  Logging
  Monitored Ports
  SNMP ACLs
  SNMP Basic
  SNMP v
  Networking Policy Settings
  Host Settings
  WCCP
  Inbound QoS
  Inbound QoS Interfaces
  Outbound QoS Interfaces
  Hardware Assist Rules
  Simplified Routing
  Asymmetric Routing
  Connection Forwarding
  Flow Export
  Outbound QoS (Basic)
  Outbound QoS (Advanced)
  QoS Marking (Legacy)
  Port Labels
  Security Policy Settings
  General Security Settings
  User Permissions
  Password Policy
  RADIUS
  TACACS
  Management ACL
  Branch Services Settings
  Caching DNS
  RSP/VSP Slots
  RSP/VSP Data Flow
  Common Branch Storage Settings
  Common VSP Settings

Appendix B - Riverbed System Ports
  Default Ports
  Commonly Excluded Ports
  Interactive Ports Forwarded by the Steelhead Appliance
  Secure Ports Forwarded by the Steelhead Appliance

Appendix C - CMC Management Information Base (MIB)
  Accessing MIB Files
  SNMP Traps
Preface

Welcome to the Riverbed Central Management Console User's Guide. Read this preface for an overview of the information provided in this guide and the documentation conventions used throughout, hardware and software dependencies, additional reading, and contact information. This chapter includes the following sections:

- About This Guide on page 1
- Hardware and Software Dependencies on page 3
- SNMP-Based Management Compatibility on page 3
- CMC Compatibility on page 4
- Multiple Product Support on page 5
- Additional Resources on page 5
- Contacting Riverbed on page 6

About This Guide

The Riverbed Central Management Console User's Guide describes how to configure and manage the Riverbed Central Management Console (CMC).

Audience

This guide is written for storage and network administrators familiar with administering and managing WANs using common network protocols such as TCP, CIFS, HTTP, FTP, and NFS. This guide assumes you are familiar with Steelhead Management Console.
Document Conventions

This manual uses the following standard set of typographical conventions to introduce new terms, illustrate screen displays, and describe command syntax.

Convention - Meaning

italics - Within text, new terms and emphasized words appear in italic typeface.
boldface - Within text, CLI commands and GUI controls appear in bold typeface.
Courier - Code examples appear in Courier font:
    amnesiac > enable
    amnesiac # configure terminal
< > - Values that you specify appear in angle brackets:
    interface <ipaddress>
[ ] - Optional keywords or variables appear in brackets:
    ntp peer <addr> [version <number>]
{ } - Required keywords or variables appear in braces:
    {delete <filename> | upload <filename>}
| - The pipe symbol represents a choice to select one keyword or variable to the left or right of the symbol (the keyword or variable can be either optional or required):
    {delete <filename> | upload <filename>}
Product Dependencies and Compatibility

This section provides information about product dependencies and compatibility. This section includes the following topics:

- Hardware and Software Dependencies on page 3
- SNMP-Based Management Compatibility on page 3
- CMC Compatibility on page 4

Hardware and Software Dependencies

The following table summarizes the hardware and software requirements for the CMC.

Important: Guest 64-bit Virtual Machines (VM) (such as Windows Server 2008 R2) are not supported on the Models 250, 550 and the 1U xx20s because these models do not incorporate Virtual Technology (VT) support.

CMC Hardware Requirements
- A 19-inch (483 mm) two- or four-post rack.
- Any computer that supports a Web browser with a color image display.

Software and Operating System Requirements
- The CMC has been tested with Mozilla Firefox v3.6 and higher and Microsoft Internet Explorer v7.x and v8.x.
- Note: JavaScript and cookies must be enabled in your browser.
- Note: If you want to encrypt your communication, you must have a Secure Sockets Layer (SSL) capable browser.

SNMP-Based Management Compatibility

The Steelhead appliance supports a proprietary Riverbed MIB accessible through SNMP. SNMPv1 (RFCs 1155, 1157, 1212, and 1215), SNMPv2c (RFCs 1901, 2578, 2579, 2580, 3416, 3417, and 3418), and SNMPv3 are supported, even though some MIB items might only be accessible through SNMPv3 and SNMPv2. SNMP support enables the CMC to be integrated into network management systems such as Hewlett-Packard OpenView Network Node Manager, BMC Patrol, and other SNMP-based network management tools.
CMC Compatibility

The Steelhead appliance has been tested with the following Central Management Console (CMC) versions:

Steelhead Appliance RiOS Version | Recommended CMC Version | CMC v8.0.x | CMC v7.0.x | CMC v6.5.x | CMC v6.1.x | CMC v6.0.x

Steelhead appliance v8.0.x Steelhead CX appliance v8.0.x Steelhead EX appliance v2.0.x v8.0 Parity; Granite Edge High Availability only supported on Steelhead EX appliance v2.0 Not supported Not supported Not supported Not supported

Steelhead appliance v7.0.x Steelhead CX appliance v7.0.x Steelhead EX appliance v1.0.x v8.0 Parity; Granite Edge High Availability not supported on Steelhead EX appliance v1.0 Parity; Granite Edge High Availability not supported on Steelhead EX appliance v1.0 Not supported Not supported Not supported

v6.5.x and v6.5.1 with full QoS support v6.5.3 (requires RiOS v6.5.1 and later for QoS support) Parity Parity Parity with Steelhead appliance v6.5.0 and with Steelhead appliance v6.1.x (partial support). Manages only v6.1x features; does not support QoS Not supported

v6.1.x v6.5.3 or v6.1.1 Parity Parity Parity Parity; includes SH-VE Manages all RiOS v6.0.x features and some RiOS v6.1.x features.

v6.0.x v6.5.3 or v6.1.1 (requires RiOS and later for RSP management) Not supported Not supported Parity Parity Parity

Interceptor appliance v3.0.x Steelhead Mobile Controller appliance v3.1.x v7.0.x Parity Parity Parity Not supported v7.0.x Parity Parity Parity. Not supported Not supported Not supported
Multiple Product Support

The CMC supports the following products.

Product
- Displays the Steelhead appliance features that are available on the CMC.
- Displays the Steelhead EX appliance features that are available on the CMC.
- Displays the Steelhead Mobile Controller appliance features that are available on the CMC.
- Displays the Interceptor appliance features that are available on the CMC.
- Displays the Virtual Steelhead appliance features that are available on the CMC.

Additional Resources

This section describes resources that supplement the information in this guide. This section includes the following topics:

- Release Notes on page 5
- Riverbed Documentation and Support Knowledge Base on page 5

Release Notes

The following online file supplements the information in this guide. It is available on the Riverbed Support site at

Online File: <product>_<version_number> <build_number>.pdf
Purpose: Describes the product release and identifies fixed problems, known problems, and work-arounds. This file also provides documentation information not covered in the guides or that has been modified since publication.

Examine this file before you begin installation and configuration. It contains important information about this release of the Steelhead appliance.

Riverbed Documentation and Support Knowledge Base

For a complete list and the most current version of Riverbed documentation, log in to the Riverbed Support site at
The Riverbed Knowledge Base is a database of known issues, how-to documents, system requirements, and common error messages. You can browse titles or search for keywords and strings. To access the Riverbed Knowledge Base, log in to the Riverbed Support site at

Contacting Riverbed

This section describes how to contact departments within Riverbed.

Internet

You can learn about Riverbed products at

Technical Support

If you have problems installing, using, or replacing Riverbed products, contact Riverbed Support or your channel partner who provides support. To contact Riverbed Support, open a trouble ticket by calling RVBD-TAC ( ) in the United States and Canada or outside the United States. You can also go to

Professional Services

Riverbed has a staff of professionals who can help you with installation, provisioning, network redesign, project management, custom designs, consolidation project design, and custom coded solutions. To contact Riverbed Professional Services, [email protected] or go to

Documentation

The Riverbed Technical Publications team continually strives to improve the quality and usability of Riverbed documentation. Riverbed appreciates any suggestions you might have about its online documentation or printed materials. Send documentation comments to [email protected].
CHAPTER 1 Overview of the Central Management Console

This chapter provides an overview of the Central Management Console. The Central Management Console simplifies administration tasks for the Riverbed system through a Web browser interface. This chapter includes the following sections:

- Upgrading from Previous Versions of the CMC on page 17
- Steelhead Appliance Auto-Registration on page 20
- Connecting to the Central Management Console on page 7
- Navigating in the Central Management Console on page 12
- Getting Help on page 15

This chapter assumes you have installed and performed the initial configuration of the Central Management Console. For details, see the Steelhead Management Console User's Guide.

This chapter also assumes that you are familiar with the various deployment options available to you. For details, see the Steelhead Appliance Deployment Guide.

Riverbed recommends that you do not use the Riverbed CLI to configure the Central Management Console.

Using the Central Management Console

The following section describes how to connect to and navigate in the Central Management Console. It includes the following sections:

- Connecting to the Central Management Console on page 7
- The Home Page on page 9
- Navigating in the Central Management Console on page 12
- Getting Help on page 15

Connecting to the Central Management Console

To connect to the Central Management Console, you must know the host, domain, and administrator password that you assigned in the Central Management Console Configuration wizard. For details, see the Riverbed Central Management Console Installation Guide.
To connect to the CMC

1. Enter the URL for the CMC in the location box of your browser:

   protocol://host.domain

   protocol is http or https. HTTPS uses the SSL protocol to provide a secure connection. When you connect using HTTPS, you are prompted to inspect and verify the SSL certificate. This is a self-signed certificate used to provide encrypted Web connections to the CMC. The secure vault does not protect the self-signed certificate used with HTTPS connections. It is re-created when the appliance hostname is changed and when the certificate has expired.

   host is the IP address or hostname you assigned the CMC during initial configuration. If your DNS server maps the IP address to a name, you can specify the DNS name.

   domain is the full domain name for the CMC.

   The Riverbed Central Management Console Login page appears.

   Figure 1-1. Login Page

2. In the Username text box, type the user login: admin, monitor, a login from a RADIUS or a TACACS+ database, or a previously configured RBM account. For details on RADIUS and TACACS+ configuration, see Configuring Security Settings on page 55.

   The default login is admin. Users with administrator privileges can configure and administer the CMC. Users with monitor privileges can view CMC reports but they cannot configure the system.

3. In the Password text box, specify the password you assigned in the configuration wizard of the CMC. The Central Management Console is shipped with "password" as the default password.

4. Click Log In to display the Home page.

Tip: Click the appliance IP address to display the appropriate product page.
The Home Page

The Home page lists the status and system uptime of the Central Management Console and other appliances. The Home page displays for Appliances within Group <name> are controlled by the user permissions. The RBM user (local or remote) requires the RBM Report Role to view all the controls on the Home page. For more information on role-based accounts, see Role-Based Accounts on page 60.

The statistics section displays the following reports:

- Bandwidth Optimization (Bytes) - Provides a three-dimensional view of traffic patterns (byte counts) over the past week. Each column represents the number of bytes, the time of day, and the day of the week. For example, the report might display that there were 4 GB of WAN traffic from 12 P.M. to 3 P.M. on Wednesday of the prior week.
- Optimized LAN Throughput (bps) - Summarizes the throughput or total data transmitted for all applications in the past week.

Figure 1-2. Home Page
The top of every page displays the menu bar. The current state of the system is always visible to the right of the menus: Healthy, Admission, Degraded, or Critical. For details, select the current system status to display the Alarm Status page.

The panels on the Home page contain the following fields.

CMC Status
  System Uptime. Displays the time since the last reboot of the system.

Statistics for <group> over <period> / <direction>
  This panel displays bandwidth optimization and optimized LAN throughput reports based on the group, period, and direction specified in the Web Preferences page.

  Bandwidth Optimization (GB). This report displays the following:
  - WAN Data - Displays the bytes sent and received (depending on direction) over the WAN ports.
  - LAN Data - Displays the bytes sent and received (depending on direction) over the LAN ports.
  - Total Data Reduction % - Displays the total decrease of data transmitted over the WAN, according to the following calculation: (Data In - Data Out) / (Data In) * 100.
  - Optimized Bandwidth Capacity Increase - Displays the increase in the amount of data transmitted over the WAN.
  - Total Bandwidth Capacity Increase - Displays the increase in the amount of data transmitted over the WAN, according to the following calculation: 1 / (1 - Reduction Rate).

  Optimized LAN Throughput (Mbps). This report displays the following information:
  - Peak WAN/LAN Throughput - Displays the date and time of the peak data activity.
  - 95th Percentile WAN/LAN Throughput - Displays the 95th percentile for data activity. The 95th percentile is calculated by taking the peak of the lower 95 percent of inbound and outbound throughput samples.
  - Average LAN Throughput - Displays the average amount of data transmitted.

Summary for <group>
  This panel summarizes the number and status of the managed appliances (Steelhead appliances, Steelhead EXs, Interceptor appliances, and Steelhead Mobile Controllers) of the specified group.
  - Total Appliances - Number of total appliances that are currently optimizing.
  - Healthy - Number of appliances that are currently optimizing.
  - Degraded - Number of appliances optimizing but with an issue. For example, a restart might be required.
  - Critical - Number of appliances that are currently in critical status.
  - Disconnected - Number of appliances that are currently not connected.
  - Unsupported - Number of appliances that are currently unsupported.
  - Needs attention - Number of appliances that currently need attention.
Appliances tab: Appliances within Group <group>
  Note: This table can be sorted by any of the column headers.
  - Appliance - Displays the hostname or IP address of the appliance.
  - Product/Model - Displays the product and model number of the appliance.
  - Group - Displays the group of the appliance.
  - Status - Displays the overall status of the appliance.
    Note: The message from the most severely triggered alarm is displayed here as the health note of the appliance. If there are two equally severe alarms being triggered, the newer alarm is listed here. To view all the alarms related to the appliance, choose Reports > Appliance Diagnostics > Appliance Details page.
  - Appliance Version - Displays the software version running on the appliance.
  - Reduction - Displays the reduction time of the appliance.
  - Peak Throughput - Displays the peak data transmitted.
  - Total Connections - Displays the total connections (optimized and pass through) handled by Steelhead appliances and Steelhead EX appliances.
  - Data store Use - Displays the percent of RiOS data store usage.

Appliances Needing Attention tab:
  Note: This table can be sorted by any of the column headers.
  - Appliance - Displays the hostname or IP address of the appliance.
  - Product/Model - Displays the product and model number of the appliance.
  - Group - Displays the group of the appliance.
  - Status - Displays the overall status of the appliance.
    Note: The message from the most severely triggered alarm is displayed here as the health note of the appliance. If there are two equally severe alarms triggered, the newer alarm is listed. To view all the alarms related to the appliance, choose Reports > Appliance Diagnostics > Appliance Details page.
  - Appliance Version - Displays the software version running on the appliance.
  - Reduction - Displays the reduction time of the appliance.
  - Peak Throughput - Displays the peak data transmitted.
  - Total Connections - Displays the total connections (optimized and pass through) handled by Steelhead appliances and Steelhead EX appliances.
  - Data store Use - Displays the percent of RiOS data store usage.

Groups Display tab: Appliance Groups
  - Name - Displays the name of the appliance group(s).
  - Comment - Displays any comments.
Groups Display tab: Appliances for Group
  - Appliance - Displays the hostname or IP address of the appliance group.
  - Product/Model - Displays the product and model number of the appliance.
  - Group - Displays the group of the appliance.
  - Status - Displays the overall status of the appliance.
    Note: The message from the most severely triggered alarm is displayed here as the health note of the appliance. If there are two equally severe alarms triggered, the newer alarm is listed. To view all the alarms related to the appliance, choose Reports > Appliance Diagnostics > Appliance Details page.
  - Appliance Version - Displays the software version running on the appliance.
  - Reduction - Displays the reduction time of the appliance.
  - Peak Throughput - Displays the peak data transmitted.
  - Total Connections - Displays the total connections (optimized and pass through) handled by Steelhead appliances and Steelhead EX appliances.
  - Data store Use - Displays the percent of RiOS data store usage.

Settings tab:
  - Global Options - Displays statistical data in the graphs, as well as for the Reduction and Peak Throughput columns in the tables.
  - User admin's Options - Displays all the options for the user admin.
    Note: The user must have permission to change the home page preferences. For more details, see Managing User Permissions on page 59.

You can access the Central Management Console of any registered Steelhead appliance by clicking the appliance address under Appliances. For details on automatic sign in from the CMC, see Configuring CMC Security Settings on page 57.

Navigating in the Central Management Console

You access the tools and reports available to you in the Central Management Console using cascading menus.

To display cascading menus

1. Click an item in the menu bar to display its submenus. For example, click Reports to display the submenus WAN Optimization, Application Optimization, Data Store Statistics, Branch Storage, Appliance Diagnostics, CMC Diagnostics, and Export. The menu item that is currently active is a different tone of color.

2. To go to a page, slide your cursor down to the submenu item you want to display and select the menu name. For example, select Reports > WAN Optimization > Bandwidth Optimization to display the Bandwidth Optimization page.
The following figure illustrates cascading menus in the CMC.

Figure 1-3. Cascading Menus
22 Overview of the Central Management Console Using the Central Management Console The following table summarizes the cascading menus. Menu Home Configure Submenus Displays the Home page. Networking - Configure host settings, such as hostname, DNS servers, hosts, proxies, date and time and network interfaces (primary interface and routing). For details, see Configuring Network Settings on page 24. System Settings - Configure alarm settings, announcements, settings, log settings, monitored ports, SNMP settings, and Web settings. For details, see Configuring System Settings on page 32. Security - Configure general security parameters, RADIUS, TACACS+, and secure vault settings. For details, see Configuring Security Settings on page 55. Maintenance - Start and stop system services, schedule jobs, upgrade software, backup configurations, and reboot or shut down the appliance. For details, see Maintaining Your System on page 76. My Account - Modify the administrator user password. For details, see Changing the Account Password on page 89. Configurations - Manage configuration files for the system. For details, see Managing Configuration Files on page 90. Manage Appliances - Manage Steelhead appliances. You can create groups of appliances, add appliances to a group, edit appliance information, filter information, and perform actions on appliances such as CLI pushes, software upgrades, starting and stopping services, reboots, shut downs, and password changes. For details, see Managing Appliances and Appliance Groups on page 93. Policies - Create and manage optimization, system settings, network, and security policies for groups of appliances. You can create new policies and assign specific features to a particular policy. For details, see Managing Appliance Configurations Using Policies and Groups on page 159. Operation History - View the history of operations such as upgrades, fetches, and reloads. 
For details, see Viewing and Managing System Operation History on page 174.
Appliance Backup/Restore - Manage configuration backups. For example, you can view, delete, and restore configurations for a specified appliance. For details, see Managing Appliance Backups and Restores on page 176.
Configure Upgrades - Manage the software image library and configure automatic upgrades. For details, see Configuring Software Upgrades on page 179.
RSP/VSP - Manage the RSP or VSP partition of the appliance. For details, see Managing RSP/VSP on page
Reports
WAN Optimization - Display and download WAN optimization reports. For details, see Displaying WAN Optimization Reports and Logs on page 187.
Application Optimization - Display and download application optimization reports. For details, see Displaying Application Optimization Reports and Logs on page 220.
Data Store Statistics - Display and download data store statistics reports. For details, see Data Store Statistics Reports on page 240.
Branch Storage - Display and download branch storage reports. For details, see Displaying Branch Storage Reports on page 255.
Appliance Diagnostics - Display and download appliance diagnostic reports such as user and system logs, alarms status, system snapshots, system dumps, TCP dumps, and user permissions. For details, see Displaying Appliance Diagnostics Reports on page 267.
CMC Diagnostics - Display and download CMC diagnostic reports such as user and system logs, alarms status, system snapshots, system dumps, TCP dumps, and user permissions. For details, see Displaying CMC Diagnostics Reports and Logs on page 286.
Export - Export reports. For details, see Exporting Performance Statistics Reports on page 304.

Support
Display online help, links to product documentation, contact information for Riverbed Support, appliance details such as the model, revision type, serial number, and software version, and appliance MIB files from this menu. For details, see Getting Help on page 15.

Saving Your Configuration

As you Apply page settings, the system applies the values to the running configuration. Most Central Management Console configuration pages include an Apply button for you to commit your changes. When you click Apply, the Central Management Console updates the running configuration. Your changes are only written to disk when you save your configuration.
The Save icon on the menu bar alerts you if the changes you have made require you to save them to disk. A red dot in a control indicates that the field is required. You must specify a valid entry for all of the required controls on a page before submitting the changes to the system.

Printing Pages and Reports

You can print Central Management Console pages and reports using the print option on your Web browser.

To print pages and reports
Choose File > Print in your Web browser to open the Print dialog box.

Getting Help

The Support tab provides you with the following options:
Online Help - Display online help and links to documentation on the Riverbed Support site at
Technical Support - Display links and contact information for Riverbed Support at
Appliance Details - Display appliance information such as the model number, hardware revision type, serial number, and software version number currently installed on the appliance.
MIB Files - Display Riverbed and appliance MIB files in text format.

Displaying Online Help

The CMC provides page-level help for the appliance. You can also display an online help book for the CMC.

To display online help in the CMC
Click the question mark icon next to the page heading. The help for the page appears in a new browser window.

To display the online help book
1. Click Support in the menu bar to display the Riverbed Support page.
2. Click the Book icon for browser-based online help to display the online help book for the appliance.
3. Go to the item you want to view using the left-pane table of contents.

For the most up-to-date documentation for the Steelhead appliance, see the Riverbed Support Web site at

Downloading Documentation

The Riverbed Support site contains PDF versions of the Riverbed Central Management Console User's Guide and the Riverbed Command-Line Interface Reference Manual.

To download the PDF versions of the User's Guide or Command-Line Interface Reference Manual
1. Select Support in the menu bar to display the Support page.
2. You must be registered on the Riverbed Support site to download the documentation. Go to one of the following links:
   To register on the Riverbed Support site:
   If you are registered on the Riverbed Support site:
3. Go to the PDF document.
4. Select the document name to download the document.

Logging Out

In the menu bar, click Logout to end your session.
Upgrading from Previous Versions of the CMC

With v6.0.0 or later, there have been major changes in the structuring of groups and the association of configurations to groups and appliances. The CMC includes upgrade rules to simplify the transition to the new implementation of the feature. In some of the cases, there is no way to upgrade a CMC configuration to perfectly match the configuration you had before.

This section includes the following topics:
Group Membership on page 17
Policy Association on page 17
Configuration on page 17
Migration Procedures on page 19

Group Membership

This feature gave you the flexibility to create groups based on geographic locations or model number, and so forth. The groups could be used for configuration or reporting.

Each Steelhead appliance can only belong to one group. A group can be a member of another group. This facilitates visualization of configurations and makes configuration management easier.

Policy Association

The associated profiles were pushed out when an auto-configuration or full configuration push was performed. When multiple profiles were associated with a group, they were applied in alphabetical order. If there was a conflicting configuration, the latest profile was applied. After the group profiles were applied, the profiles associated with the appliance itself were applied in that order.

Multiple policies of the same type cannot be associated with a group or appliance. However, specified settings of the policy configuration can selectively override the policies of its ancestors. You must set up the appliance hierarchy correctly to use the inheritance feature.

Profiles are automatically converted to policies. However, they are not automatically applied to appliances. This step must be performed after the upgrade. For details, see Migration Procedures on page 19.
Configuration

Appliance-specific profiles currently contain some non-appliance-specific configurations, such as DNS, routing information, encryption (IPSEC), host settings, and proxies. When upgrading to CMC v8.0, a similar process for upgrading common profiles to policies is followed:

1. Configuration - Non-appliance-specific configurations are saved as policies. Appliance-specific configurations, such as CLI commands, are saved as settings in the following appliance pages: Host Settings, Base Interfaces, In-Path Interfaces, and SSL.
2. Assignment - Policies are created for the non-appliance-specific configuration mentioned above. Each policy is named after the appliance from whose configuration it is generated. Watch for name collisions with policies created from configurations fetched from the appliance.
3. Group Organization - Appliance group affiliation is retained as much as possible. With v5.0 or later, appliances can belong to only one group. If an appliance belongs to more than one group, the appliance is assigned to one of the preserved groups alphabetically.
Migration Procedures

This section describes a generic process for migrating to CMC v8.0 or later. Because configurations vary greatly, Riverbed recommends that you consult with Riverbed Professional Services before beginning the migration process.

Note: Riverbed recommends that you perform a CMC external backup prior to upgrading to CMC v6.5.x. For details about external backups, see Working with External CMC Backups on page 76.

Note: If you are upgrading from a version prior to CMC v6.1, Riverbed recommends that you first upgrade to the latest point release of each major version. For example, if you are upgrading from CMC v6.0, you should first upgrade to CMC v6.1.x, and then to CMC v8.0.

This section describes the following procedure:
Upgrading the CMC Software Version on page 19

Upgrading the CMC Software Version

You can upgrade your CMC software version in the Configure > Maintenance > Software Upgrade page.

The following factors affect migration:
   amount of data
   size of data for each appliance
   number of managed appliances

To upgrade the software
1. Obtain the new image from the Riverbed Support website at and save it to a local directory.
2. Log in to the current CMC.
3. Choose Configure > Maintenance > Software Upgrade to display the Software Upgrade page.
4. Under Install Upgrade, select either the From URL or From Local File option.
5. Click Install.
6. After the new image installs, reboot the CMC:
   Choose Configure > Maintenance > Reboot/Shutdown to display the Reboot/Shutdown page.
   Click Reboot. After you click Reboot, you are logged out of the system, and it reboots.

Note: After upgrading, clear the cache of your browser to ensure that the CMC displays correctly.
Steelhead Appliance Auto-Registration

Steelhead appliances must be registered with the CMC so that you can monitor and manage them with the CMC. Steelhead appliances are designed to send a registration request periodically to the CMC, either to an IP address or hostname you specify when you run the Steelhead appliance installation wizard, or to a default CMC hostname. For auto-registration with the default hostname to work, you must configure your DNS server to map to the hostname riverbedcmc and the IP address of the CMC.

The steps to register Steelhead appliances with the CMC depend on the order in which you install the products. After a Steelhead appliance is registered, you can set auto-configuration to automatically push the current configuration when the Steelhead appliance connects.

During auto-registration, the Steelhead appliances do not send passwords to the CMC. Unless the password value is modified in the Manage Appliances page, the CMC assumes that the password is password. For details, see Managing Appliances and Appliance Groups on page
To install the CMC before you connect the Steelhead appliances
1. Install the CMC.
2. Use the CMC to complete the registration entries for remote appliances. Registration entries specify:
   The serial number of the appliance.
   The user name and password of the account through which the configuration must be performed (defaults are admin and password).
   Optionally, an initial group assignment.
3. Use the CMC to create the policy and group configuration objects to manage the Steelhead appliances in your system:
   Create and assign policies.
   Create groups and assign appliances to the groups.
   Enable auto-configuration for each Steelhead appliance in the group. Steelhead appliances you have not assigned to groups are members of the default group Global. The default group Global has the auto-configuration feature enabled.
   Review the Steelhead appliance configuration and add additional CLI commands (if any).
   For details, see Managing Appliances and Appliance Groups on page
4. Set up a DNS server to map to the hostname riverbedcmc and the IP address for the CMC.
5. Connect the remote Steelhead appliance primary network interface to the network and power it on. When the Steelhead appliance contacts the CMC, the CMC sends the configuration to the remote Steelhead appliance, the appliance is registered with the CMC, and the CMC begins collecting performance metrics for the Steelhead appliance.

To install the Steelhead appliances before you install the CMC
1. Install the remote Steelhead appliances.
2. Set up a DNS server to map to the hostname riverbedcmc and the IP address for the CMC.
3. Install the CMC. When you view the CMC, the Steelhead appliances in your system appear in the Manage > Appliances page. It might take as long as an hour for all Steelhead appliances to appear in the Manage > Appliances page.
4. Create and assign policies.
5. Create groups and assign appliances to the groups.
   Steelhead appliances you have not assigned to groups are members of the default group Global.
6. If necessary, complete the registration entries for the remote Steelhead appliances by specifying:
   the user name and password of the account through which the configuration must be performed (only if you are not using the defaults admin and password).
   an initial group assignment (optional).
   For details, see Managing Appliances and Appliance Groups on page
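Both installation procedures depend on the name riverbedcmc resolving to the CMC. The following added example (not part of the Riverbed guide or of any Riverbed tool) checks that mapping and reports any name that is missing or points somewhere other than the address you expect. The search-domain suffixes, the sample records and the addresses are constructed assumptions.

```python
"""Check that the default auto-registration name resolves to the intended CMC."""
import socket

DEFAULT_CMC_NAME = "riverbedcmc"  # default CMC hostname named in this guide


def system_resolver(name):
    """Return the set of addresses the local resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_cmc_mapping(expected_ips, search_domains=(),
                      resolver=system_resolver, name=DEFAULT_CMC_NAME):
    """Resolve the bare name and name.<domain> for every search domain.

    search_domains is an assumption: suffixes a client resolver may append
    to the bare name. Returns (queried_name, status, addresses) tuples where
    status is 'ok', 'missing' (no record) or 'unexpected' (at least one
    address is not the CMC you intended).
    """
    expected = set(expected_ips)
    results = []
    candidates = [name] + [f"{name}.{domain}" for domain in search_domains]
    for candidate in candidates:
        addresses = resolver(candidate)
        if not addresses:
            status = "missing"
        elif addresses <= expected:
            status = "ok"
        else:
            status = "unexpected"
        results.append((candidate, status, sorted(addresses)))
    return results


# Constructed records standing in for a real DNS server, so the example
# runs offline. Addresses come from the documentation ranges.
SAMPLE_RECORDS = {
    "riverbedcmc": {"192.0.2.10"},
    "riverbedcmc.corp.example": {"192.0.2.10"},
    "riverbedcmc.lab.example": {"198.51.100.77"},
}


def sample_resolver(name):
    """Resolver backed by SAMPLE_RECORDS instead of the network."""
    return SAMPLE_RECORDS.get(name, set())


if __name__ == "__main__":
    report = check_cmc_mapping(
        expected_ips=["192.0.2.10"],
        search_domains=["corp.example", "lab.example", "branch.example"],
        resolver=sample_resolver,
    )
    for queried, status, addresses in report:
        print(f"{queried:32} {status:10} {', '.join(addresses) or '-'}")
```

Call check_cmc_mapping without the resolver argument to query the DNS servers the host is actually configured with.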
CHAPTER 2 Configuring the CMC

This chapter describes how to modify CMC settings, manage configurations, upgrade software, and stop and start the CMC. This chapter includes the following sections:
Configuring Network Settings on page 24
Configuring System Settings on page 32
Configuring Security Settings on page 55
Maintaining Your System on page 76
Changing the Account Password on page 89
Managing Configuration Files on page 90

This chapter assumes that you have installed and performed the initial configuration of the CMC. For details, see the Steelhead Management Console User's Guide.
Configuring Network Settings

The following section describes how to configure network settings in the CMC. This section includes the following topics:
Configuring Host Settings on page 24
Configuring Settings for the Base Interfaces on page 28

Configuring Host Settings

You can view and modify general host settings in the Configure > Networking > Host Settings page. The Host Settings page is not controlled by the CMC Network role but by the CMC General Settings role.

When you initially run the installation wizard, you set required network host settings for the CMC. You can configure or modify the following settings:
Name - Displays the hostname.
DNS Settings - Riverbed recommends that you use DNS resolution.
Hosts - If you do not use DNS resolution, or if the host does not have a DNS entry, you can add additional hosts to the system.
Proxies - Configure proxy addresses for Web or FTP proxy access to the CMC.
Date and Time - Riverbed recommends that you configure NTP time synchronization.
To modify general host settings
1. Choose Configure > Networking > Host Settings to display the Host Settings page.

Figure 2-1. Host Settings Page
To specify DNS settings
1. Under DNS Settings, complete the configuration, as described in the following table.
   Primary DNS Server IP Address - Specify the IP address for the primary name server.
   Secondary DNS Server IP Address - Optionally, specify the IP address for the secondary name server.
   Tertiary DNS Server IP Address - Optionally, specify the IP address for the tertiary name server.
   DNS Domain List - Specify an ordered list of domain names. If you specify domains, the system automatically finds the appropriate domain for each of the hosts that you specify in the system.
2. Click Apply to apply the settings to the current configuration.
3. Click Save to save your settings permanently.

To add a new host
The following procedure is required when you want to override DNS-provided host information. This is optional.
1. Under Hosts, complete the configuration, as described in the following table.
   Add a New Host - Displays the controls for adding a new host.
   IP Address - Specify the IP address for the host.
   Hostname - Specify a hostname.
   Add - Adds the host.
   Remove Selected - Select the check box next to the name and click Remove Selected.
2. Click Save to save your settings permanently.

To add a proxy
1. Under Proxies, complete the configuration, as described in the following table.
   Web/FTP Proxy IP Address - Specify the IP address for the Web/FTP proxy.
   Port - Specify the port for the Web/FTP proxy.
2. Click Apply to apply the settings to the current configuration.
3. Click Save to save your settings permanently.
To configure the date and time
1. Under Date and Time, complete the configuration, as described in the following table. As a best practice, you should configure your own internal NTP servers; however, if you want to use the Riverbed-provided NTP server, the hard-coded IP address that is pre-configured into every Steelhead appliance is This IP address appears in the NTP server list.
   Use NTP Time Synchronization
      Add a New NTP Server - Click to display the controls to add a server.
      Host Name or IP Address - Specify the hostname or IP address for the NTP server.
      Version - Select the NTP server version from the drop-down list: 3 or 4.
      Enabled - Select the connection to the NTP server from the drop-down list.
      Add - Adds the NTP server to the table list.
      Remove Selected - Select the check box next to the name and click Remove Selected.
   Set Time Manually
      Date - Specify the date in the following format: YYYY/MM/DD.
      Time - Specify the time in the following format: HH:MM:SS.
      Time Zone - Select the time zone from the drop-down list. The default is US/Pacific.
      Note: If you change the time zone, log messages retain the old time zone until you reboot the system.
2. Click Apply to apply the settings to the current configuration.
3. Click Save to save your settings permanently.

Important: After you apply your settings, you can verify whether changes have had the desired effect by reviewing related reports. When you have verified appropriate changes, you can write the active configuration that is stored in memory to the active configuration file (or click Save As to save as any filename you choose). For details on saving configurations, see Managing Configuration Files on page 90.
Configuring Settings for the Base Interfaces

You can view and modify settings for the primary and auxiliary interfaces in the Configure > Networking > Base Interfaces page. On the CMC appliance, the primary interface is the port you connect to the LAN switch. The primary interface is the CMC appliance management interface. You connect to the primary interface to use the Web UI or the CLI.

To configure base interface settings
1. Choose Configure > Networking > Base Interfaces to display the Base Interfaces page.

Figure 2-2. Base Interfaces Page
2. RiOS v6.5 provides the option to enable IPv6 on base interfaces. To enable IPv6, complete the configuration, as described in the following table.
   Enable IPv6 on Base Interfaces - Enables configuration of IPv6 addresses on the primary and auxiliary interfaces. After enabling IPv6 and specifying the IPv6 address and appropriate routing, you can log in to the Central Management Console and Riverbed Command-Line Interface (CLI) using an IPv6 address and perform maintenance tasks from an IPv6-enabled node. By default, IPv6 is disabled. To disable IPv6, clear the Enable IPv6 on Base Interfaces check box. Save the configuration and reboot the CMC.
   Notes:
      Because the IPv6 addresses are limited to the management interfaces, network interfaces related to optimization have no knowledge of IPv6.
      You can configure only one IPv6 address for each management network interface. You can use IPv4 addresses on the same interface.
      You cannot configure IPv6 addresses on a management in-path interface.
      Steelhead appliances do not support auto-configuration.
      You can use IPv6 addresses on the management interfaces only for management functions. Features like out-of-path optimization and RiOS data store synchronization on management interfaces must use IPv4 addresses.
      IPv6 configuration does not support the use of a Steelhead appliance to manage the Central Management Console.
3. Under Primary Interface, complete the configuration, as described in the following table.
   Enable Primary Interface - Enables a primary interface.
   Obtain IPv4 Address Automatically - Select this option to automatically obtain the IP address from a DHCP server. A DHCP server must be available so that the system can request the IP address from it.
      Important: The primary and in-path interfaces can share the same network subnet. The primary and auxiliary interfaces cannot share the same network subnet.
   Enable IPv4 Dynamic DNS - Select this option to send the hostname with the DHCP request for registration with Dynamic DNS.
   Specify IPv4 Address Manually - Select this option if you do not use a DHCP server to set the IPv4 address. Specify the following settings:
      IPv4 Address - Specify an IP address.
      IPv4 Subnet Mask - Specify a subnet mask.
      Default IPv4 Gateway - Specify the default gateway IPv4 address. The default gateway must be in the same network as the primary interface. You must set the default gateway for in-path configurations.
   Specify IPv6 Address Manually - Select this option and specify the following settings to set an IPv6 address:
      IPv6 Auto-Assigned - Displays the link-local address that is automatically generated when IPv6 is enabled on the base interfaces.
      IPv6 Address - Specify an IP address using the following format: eight 16-bit hexadecimal strings separated by colons, 128-bits: for example
         2001:38dc:0052:0000:0000:e9a4:00c5:6282
         You do not need to include leading zeros: for example
         2001:38dc:52:0:0:e9a4:c5:6282
         You can replace consecutive zero strings with double colons (::): for example
         2001:38dc:52::e9a4:c5:6282
      IPv6 Prefix - Specify a prefix. The prefix length is 0 to 128, separated from the address by a forward slash (/). In the following example, 60 is the prefix:
         2001:38dc:52::e9a4:c5:6282/60
      Default IPv6 Gateway - Specify the default gateway IP address. The default gateway must be in the same network as the primary interface.
      Note: You cannot set an IPv6 address dynamically using a DHCP server.
   Speed and Duplex
      Speed - Select a speed from the drop-down list. The default value is Auto.
      Duplex - Select Auto, Full, or Half from the drop-down list. The default value is Auto.
      If your network routers or switches do not automatically negotiate the speed and duplex, be sure to set them manually. The speed and duplex must match (LAN and WAN) in an in-path configuration. If they do not match, you might have a large number of errors on the interface when it is in bypass mode, because the switch and the router are not set with the same duplex settings.
   MTU - Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. The default value is
4. Under Auxiliary Interface, complete the configuration, as described in the following table.
   Enable Aux Interface - Enables an auxiliary interface.
   Obtain IPv4 Address Automatically - Select this option to automatically obtain the IP address from a DHCP server. A DHCP server must be available so that the system can request the IP address from it.
      Important: The primary and in-path interfaces can share the same subnet. The primary and auxiliary interfaces cannot share the same network subnet.
   Enable IPv4 Dynamic DNS - Select this option to send the hostname with the DHCP request for registration with Dynamic DNS.
   Specify IPv4 Address Manually - Select this option if you do not use a DHCP server to set the IPv4 address. Specify the following settings:
      IPv4 Address - Specify an IP address.
      IPv4 Subnet Mask - Specify a subnet mask.
   Specify IPv6 Address Manually - Select this option and specify the following settings to set an IPv6 address:
      IPv6 Auto-Assigned - Displays the link-local address that is automatically generated when IPv6 is enabled on the base interfaces.
      IPv6 Address - Specify an IP address, using the following format: eight 16-bit hex strings separated by colons, 128-bits: for example
         2001:38dc:0052:0000:0000:e9a4:00c5:6282
         You do not need to include leading zeros: for example
         2001:38dc:52:0:0:e9a4:c5:6282
         You can replace consecutive zero strings with double colons (::): for example
         2001:38dc:52::e9a4:c5:6282
      IPv6 Prefix - Specify a prefix. The prefix length is 0 to 128, separated from the address by a forward slash (/). In the following example, 60 is the prefix:
         2001:38dc:52::e9a4:c5:6282/60
      Note: You cannot set an IPv6 address dynamically using a DHCP server.
   Speed and Duplex
      Speed - Select the speed from the drop-down list. The default value is Auto.
      Duplex - Select Auto, Full or Half from the drop-down list. The default value is Auto.
      If your network routers or switches do not automatically negotiate the speed and duplex, be sure to set them on the device manually. The speed and duplex must match (LAN and WAN) in an in-path configuration. To avoid a speed and duplex mismatch, configure your LAN external pair to match the WAN external pair.
   MTU - Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. The default value is
5. Click Apply to apply your changes to the running configuration.
6. Click Save to save your changes permanently.

Tip: After you apply your settings, you can verify whether changes have had the desired effect by reviewing related reports. When you have verified appropriate changes, you can write the active configuration that is stored in memory to the active configuration file (or save it as any filename you choose).

7. Under the Main IPv4 Routing Table, you can configure static routing in the main routing table for out-of-path deployments or if your device management network requires static routes. You can add or remove routes from the table list, as described in the following table.
   Add a New Route - Displays the controls for adding a new route.
   Destination IPv4 Address - Specify the destination IP address for the out-of-path appliance or network management device.
   IPv4 Subnet Mask - Specify the subnet mask.
   Gateway IPv4 Address - Specify the IP address for the gateway. The gateway must be in the same network as the primary or auxiliary interface you are configuring.
   Interface - Select the interface from the drop-down list.
   Add - Adds the route to the table list.
   Remove Selected - Select the check box next to the name and click Remove Selected.

The Central Management Console writes your configuration changes to memory.

Configuring System Settings

This section describes how to configure settings to manage the system. This section includes the following topics:
Creating Announcements on page 32
Setting Alarm Parameters on page 33
Configuring Monitored Ports on page 39
Setting SNMP Basic Settings on page 40
Configuring SNMP v3 on page 43
Configuring SNMP Authentication and Access Parameters on page 46
Configuring Notifications on page 49
Configuring Logging on page 52

Creating Announcements

You can create or modify a login message or a message of the day in the Configure > System Settings > Announcements page. The login message appears in the CMC Login page. The message of the day appears on the Home page and when you first log in to the CLI.
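Looking back at the Base Interfaces and Main IPv4 Routing Table rules earlier in this chapter, the following added example (not Riverbed code) checks an addressing plan against them before you type it into the CMC: gateways inside the primary network, primary and auxiliary interfaces on different subnets, route gateways on the chosen interface, and a valid IPv6 prefix. The plan dictionary layout and every address other than the guide's own IPv6 example are constructed assumptions.

```python
"""Pre-flight check of a base-interface plan against the rules in this guide."""
import ipaddress


def same_ipv6(*forms):
    """True when every textual form denotes the same IPv6 address."""
    return len({ipaddress.IPv6Address(form) for form in forms}) == 1


def _networks(name, cfg, problems):
    """Parse the 'ipv4' / 'ipv6' entries of one interface into networks."""
    nets = []
    for key in ("ipv4", "ipv6"):
        if key not in cfg:
            continue
        try:
            # Accepts addr/prefix and, for IPv4, addr/dotted-mask.
            iface = ipaddress.ip_interface(cfg[key])
        except ValueError as exc:
            problems.append(f"{name} {key}: {exc}")
            continue
        if iface.version != int(key[-1]):
            problems.append(f"{name} {key}: {cfg[key]} is not IPv{key[-1]}")
            continue
        nets.append(iface.network)
    return nets


def check_plan(plan):
    """Return a list of rule violations found in the plan (empty if none)."""
    problems = []
    nets = {name: _networks(name, plan.get(name, {}), problems)
            for name in ("primary", "aux")}

    # Default gateways must be in the same network as the primary interface.
    for key in ("gateway4", "gateway6"):
        if key not in plan:
            continue
        try:
            gateway = ipaddress.ip_address(plan[key])
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
            continue
        if not any(gateway in net for net in nets["primary"]):
            problems.append(f"{key} {gateway} is outside the primary network")

    # The primary and auxiliary interfaces cannot share a subnet.
    for p_net in nets["primary"]:
        for a_net in nets["aux"]:
            if p_net.version == a_net.version and p_net.overlaps(a_net):
                problems.append(f"primary {p_net} and aux {a_net} share a subnet")

    # A static route's gateway must be in the network of its interface.
    for dest, mask, gateway, ifname in plan.get("routes", ()):
        try:
            ipaddress.ip_network(f"{dest}/{mask}")  # rejects stray host bits
            gw_addr = ipaddress.ip_address(gateway)
        except ValueError as exc:
            problems.append(f"route {dest}: {exc}")
            continue
        if not any(gw_addr in net for net in nets.get(ifname, [])):
            problems.append(f"route {dest}: gateway {gateway} is not on {ifname}")
    return problems


# Constructed plans. Only the IPv6 address/prefix is taken from this guide.
BAD_PLAN = {
    "primary": {"ipv4": "10.1.1.5/255.255.255.0",
                "ipv6": "2001:38dc:52::e9a4:c5:6282/60"},
    "aux": {"ipv4": "10.1.1.200/255.255.255.0"},
    "gateway4": "10.1.2.1",
    "gateway6": "2001:38dc:52::1",
    "routes": [("172.16.0.0", "255.240.0.0", "10.9.9.1", "aux")],
}
GOOD_PLAN = {
    "primary": {"ipv4": "10.1.1.5/255.255.255.0"},
    "aux": {"ipv4": "10.1.9.5/255.255.255.0"},
    "gateway4": "10.1.1.1",
    "routes": [("172.16.0.0", "255.240.0.0", "10.1.9.1", "aux")],
}

if __name__ == "__main__":
    for label, plan in (("bad", BAD_PLAN), ("good", GOOD_PLAN)):
        print(label, check_plan(plan) or "no problems")
```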
To set an announcement
1. Choose Configure > System Settings > Announcements to display the Announcements page.

Figure 2-3. Announcements Page

2. Use the controls to complete the configuration, as described in the following table.
   Login Message - Type a message in the text box to appear on the Login page.
   MOTD - Type a message in the text box to appear on the Home page.
3. Click Apply to apply the settings to the current configuration.
4. Click Save to save your settings permanently.

Setting Alarm Parameters

You can modify the default parameters for CMC alarms in the Configure > System Settings > Alarms page. When an alarm reaches the rising threshold, it is activated; it is reset when it reaches the lowest or reset threshold. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold.
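The rising and reset thresholds described above, replayed over a series of readings in an added example (not Riverbed code). It uses the CPU Utilization defaults this guide gives, 90 and 80 percent, and assumes the alarm raises at or above the rising threshold and clears only below the reset threshold; the sample readings are constructed.

```python
"""Replay utilization samples through a rising/reset (hysteresis) alarm."""

RISING_DEFAULT = 90  # percent, CPU Utilization rising threshold in this guide
RESET_DEFAULT = 80   # percent, CPU Utilization reset threshold in this guide


def replay_alarm(samples, rising=RISING_DEFAULT, reset=RESET_DEFAULT):
    """Return (events, quiet_peaks) for a series of readings.

    events      list of (index, 'raised' | 'cleared', value)
    quiet_peaks readings at or above the rising threshold that produced no
                new event because the alarm was already active
    Assumption: raise at value >= rising, clear at value < reset.
    """
    if reset > rising:
        raise ValueError("reset threshold must not exceed rising threshold")
    active = False
    events = []
    quiet_peaks = 0
    for index, value in enumerate(samples):
        if not active and value >= rising:
            active = True
            events.append((index, "raised", value))
        elif active and value < reset:
            active = False
            events.append((index, "cleared", value))
        elif active and value >= rising:
            quiet_peaks += 1
    return events, quiet_peaks


def single_threshold_alerts(samples, threshold=RISING_DEFAULT):
    """Indexes where a plain one-threshold alarm would fire, for contrast."""
    alerts = []
    previous = None
    for index, value in enumerate(samples):
        if value >= threshold and (previous is None or previous < threshold):
            alerts.append(index)
        previous = value
    return alerts


# Constructed CPU readings in percent. The load dips to 85 and 81 but never
# below the reset threshold until index 7.
SAMPLE_CPU = [50, 85, 91, 95, 85, 92, 81, 79, 88, 90]

if __name__ == "__main__":
    events, quiet = replay_alarm(SAMPLE_CPU)
    for index, kind, value in events:
        print(f"sample {index}: alarm {kind} at {value}%")
    print(f"peaks with no new alarm: {quiet}")
    print(f"one-threshold alarm would fire at: {single_threshold_alerts(SAMPLE_CPU)}")
```

When you review alarm history, the second peak at index 5 is the case to keep in mind: it produces no new alarm because the reading never fell below the reset threshold in between.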
To set alarm parameters
1. Choose Configure > System Settings > Alarms to display the Alarms page.

Figure 2-4. Alarms Page

2. Under CMC Alarms, complete the configuration, as described in the following table.
   CMC Appliance Configuration Backup - Enables an alarm when a CMC appliance configuration backup occurs.
   CMC External Configuration Backup/Restore - Enables an alarm when a CMC external configuration backup and restore failure occurs.
   CMC External Statistics Backup/Restore - Enables an alarm when a CMC statistics backup and restore failure occurs.
   CPU Utilization - Enables an alarm if the average and peak threshold for the CPU utilization is exceeded. When an alarm reaches the rising threshold, it is activated; when it reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold. By default, this alarm is enabled, with a rising threshold of 90 percent and a reset threshold of 80 percent.
      Rising Threshold - Specify the rising threshold. When an alarm reaches the rising threshold, it is activated. The default value is 90 percent.
      Reset Threshold - Specify the reset threshold. When an alarm reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold. The default value is 80 percent.
   Disk Full - Enables an alarm if the system partitions (not the RiOS data store) are full or almost full. For example, RiOS monitors the available space on /var, which is used to hold logs, statistics, system dumps, TCP dumps, and so on. By default, this alarm is enabled. This alarm monitors the following system partitions:
      Partition "/" Free Space
      Partition "/boot" Free Space
      Partition "/bootmgr" Free Space
      Partition "/config" Free Space
      Partition "/flash/cfg" Free Space
      Partition "/flash/img1" Free Space
      Partition "/flash/img2" Free Space
      Partition "/proxy" Free Space
      Partition "/var" Free Space
Hardware
  Disk Error - Enables an alarm when one or more disks are offline. To see which disk is offline, enter the following CLI command from the system prompt:
    show raid diagram
  By default, this alarm is enabled. This alarm applies only to the Steelhead appliance RAID Series 3000, 5000, and
  Fan Error - Enables an alarm and sends an email notification if a fan is failing or has failed and needs to be replaced. By default, this alarm is enabled.
  Flash Error - Enables an alarm when the system detects an error with the flash drive hardware. By default, this alarm is enabled.
  IPMI - Enables an alarm and sends an email notification if an Intelligent Platform Management Interface (IPMI) event is detected. (Not supported on all appliance models.) This alarm triggers when there has been a physical security intrusion. The following events trigger this alarm:
    Chassis intrusion (physical opening and closing of the appliance case)
    Memory errors (correctable or uncorrectable ECC memory errors)
    Hard drive faults or predictive failures
    Power supply status or predictive failures
  By default, this alarm is enabled.
  Memory Error - Enables an alarm and sends an email notification if a memory error is detected, for example, when a system memory stick fails.
  Other Hardware Error - Enables an alarm if a hardware error is detected. The following issues trigger the hardware error alarm:
    The Steelhead appliance does not have enough disk, memory, CPU cores, or NIC cards to support the current configuration.
    The Steelhead appliance is using a memory Dual In-line Memory Module (DIMM), a hard disk, or a NIC that is not qualified by Riverbed.
    Other hardware issues are occurring.
  By default, this alarm is enabled.
  Power Supply - Enables an alarm and sends an email notification if an inserted power supply cord does not have power, as opposed to a power supply slot with no power supply cord inserted. By default, this alarm is enabled.
  RAID - Enables an alarm and sends an email notification if the system encounters an error with the RAID array (for example, missing drives, pulled drives, drive failures, and drive rebuilds). An audible alarm might also sound. To see if a disk has failed, enter the following CLI command from the system prompt:
    show raid diagram
  For drive rebuilds, if a drive is removed and then reinserted, the alarm continues to be triggered until the rebuild is complete. Rebuilding a disk drive can take 4-6 hours. This alarm applies only to the Steelhead appliance RAID Series 3000, 5000, and
  By default, this alarm is enabled.
Licensing - Enables an alarm and sends an email notification if a license on the CMC is removed, is about to expire, has expired, or is invalid. This alarm triggers if the CMC has no MSPEC license installed for its currently configured model.
  Insufficient Appliance Management License(s) - This alarm triggers if the CMC has insufficient license(s).
  Invalid License(s) - This alarm triggers if one or more licenses are invalid.
  License(s) Expired - This alarm triggers if one or more features have at least one license installed, but all of them are expired.
  License(s) Expiring - This alarm triggers if the license for one or more features is going to expire within two weeks.
  License(s) Missing - This alarm triggers if one or more licenses are missing.
  Note: The licenses expiring and licenses expired alarms are triggered per feature. For example, if you install two license keys for a feature, LK1-FOO-xxx (expired) and LK1-FOO-yyy (not expired), the alarms do not trigger, because the feature has one valid license.
  By default, this alarm is enabled.
Link State - Enables an alarm and sends an email notification if an Ethernet link is lost due to a network event. Depending on which link is down, the system might no longer be optimizing and a network outage could occur. This alarm is often caused by interface transitions on surrounding devices, such as routers or switches. It also accompanies service or system restarts on the Steelhead. For WAN/LAN interfaces, the alarm triggers if in-path support is enabled for that WAN/LAN pair. By default, this alarm is disabled.
Memory Paging - Enables the memory paging alarm. If 100 pages are swapped every couple of hours, the system is functioning properly. If thousands of pages are swapped every few minutes, contact Riverbed Support. By default, this alarm is enabled.
Process Dump Staging Directory Inaccessible - Enables an alarm that indicates that the system has detected an error while trying to create a process dump. Contact Riverbed Support to correct the issues.
Secure Vault - Enables an alarm and sends an email notification if the system encounters a problem with the secure vault:
  Secure Vault Locked - Indicates that the secure vault is locked. To optimize SSL connections or to use RiOS data store encryption, the secure vault must be unlocked.
SSL - Enables an alarm if there are SSL settings problems. By default, this alarm is enabled.
Temperature - Enables an alarm when the CPU temperature exceeds the rising threshold. When the CPU returns to the reset threshold, the rising alarm is cleared.
  Critical Temperature - Enables an alarm and sends an email notification if the CPU temperature exceeds the rising threshold. When the CPU returns to the reset threshold, the critical alarm is cleared. The default value for the rising threshold temperature is 70° C; the default reset threshold temperature is 67° C.
  Warning Temperature - Enables an alarm and sends an email notification if the CPU temperature approaches the rising threshold. When the CPU returns to the reset threshold, the warning alarm is cleared.
  Rising Threshold - Specify the rising threshold (° C). When an alarm reaches the rising threshold, it is activated. The default value is 70°.
  Reset Threshold - Specify the reset threshold (° C). When an alarm reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold. The default value is 67°.

3. Under CMC Managed Appliance Alarms, complete the configuration, as described in the following table.

Appliance too slow to respond - Enables an alarm when the appliance is too slow to respond. By default, this alarm is enabled.
Configuration Change - Enables an alarm when the CMC detects configuration changes on the appliance that it manages. By default, this alarm is enabled.
Duplex Interface - Enables an alarm when the CMC detects duplex settings on the appliance that it manages. By default, this alarm is enabled.
High Appliance Usage Warning - Enables an alarm when the CMC detects high usage of the appliance.
  Connection Limit Warning - Indicates the system connection limit has been reached.
  By default, this alarm is enabled.
PFS and RSP enabled together - Enables an alarm when PFS and RSP are enabled at the same time. By default, this alarm is enabled.
Time drift - Enables an alarm when the time gap between the CMC time and the appliance time exceeds the given limit. This alarm is evaluated every 5 minutes. By default, this alarm is enabled.
Too Many Half Open/Closed Connections - Enables an alarm when there are too many half open or closed connections. By default, this alarm is enabled.
Unmanaged Appliances - Enables an alarm when the CMC detects unmanaged peers. By default, this alarm is enabled.

4. Click Apply to apply your changes to the running configuration.

5. Click Save to save your settings permanently.
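The rising and reset thresholds described for the CPU Utilization and Temperature alarms form a hysteresis band. The following is an added example, not Riverbed code, that replays constructed samples through that rule; the class and function names are hypothetical, and treating a sample equal to a threshold as having reached it is an assumption.

```python
from dataclasses import dataclass


@dataclass
class ThresholdAlarm:
    """Alarm with separate rising and reset thresholds (hypothetical model)."""
    rising: float
    reset: float
    active: bool = False

    def __post_init__(self):
        if self.reset >= self.rising:
            raise ValueError("reset threshold must be lower than rising threshold")

    def observe(self, value):
        """Feed one sample; return "raised", "cleared" or None."""
        if not self.active and value >= self.rising:
            self.active = True
            return "raised"
        if self.active and value <= self.reset:
            self.active = False
            return "cleared"
        return None  # inside the band the alarm state does not change


def replay(samples, rising, reset):
    """Return (index, value, event) for every state change in samples."""
    alarm = ThresholdAlarm(rising, reset)
    events = []
    for index, value in enumerate(samples):
        event = alarm.observe(value)
        if event:
            events.append((index, value, event))
    return events


def single_threshold_raises(samples, threshold):
    """Count raises if one threshold were used for both raising and clearing."""
    raises, above = 0, False
    for value in samples:
        now_above = value >= threshold
        if now_above and not above:
            raises += 1
        above = now_above
    return raises


# Constructed samples: CPU utilization in percent, CPU temperature in degrees C.
CPU_SAMPLES = [72, 91, 95, 85, 93, 88, 79, 84, 92, 60]
TEMP_SAMPLES = [65, 70, 69, 68, 71, 67, 66]

if __name__ == "__main__":
    # Documented defaults: 90/80 percent for CPU, 70/67 degrees for temperature.
    for index, value, event in replay(CPU_SAMPLES, rising=90, reset=80):
        print(f"cpu  sample {index}: {value}% -> {event}")
    for index, value, event in replay(TEMP_SAMPLES, rising=70, reset=67):
        print(f"temp sample {index}: {value} C -> {event}")
    print("raises with a single 90% threshold:",
          single_threshold_raises(CPU_SAMPLES, 90))
```

With the default 90/80 band the constructed CPU series raises the alarm twice; a single 90 percent threshold would raise it three times on the same data, which is the flapping the reset threshold suppresses.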
Configuring Monitored Ports

You set the TCP ports that you want to monitor in the Configure > System Settings > Monitored Ports page. The ports that you specify appear in the Traffic Summary report. Make sure the description you specify helps you identify the type of traffic on the port.

Discovered ports, along with a label (if one exists), are added to the Traffic Summary report. If a discovered port does not have a label, then an unknown label is added to the discovered port. To change the unknown label to a name representing the port, you must add the port with a new label. All statistics for this new port are preserved from the time the port was discovered. For details, see Viewing Traffic Summary Reports on page 198.

By default, traffic is monitored on ports 21 (FTP), 80 (HTTP), 123 (asd), 139 (CIFS:NetBIOS), 443 (SSL), 445 (CIFS:TCP), 1352 (Lotus Notes), 1433 (SQL:TDS), 7830 (MAPI), 8777 (RCU), and (SnapMirror).

To configure monitored ports

1. Choose Configure > System Settings > Monitored Ports to display the Monitored Ports page.

Figure 2-5. Monitored Ports Page
2. To add a new monitored port, complete the configuration, as described in the following table.

Add Port - Displays the controls to add a new port.
Port Number - Specify the port to be monitored.
Port - Specify a description of the type of traffic on the port.
Add - Displays the controls for adding a port.
Remove Selected - Select the check box next to the name and click Remove Selected.

3. To modify a monitored port, click the port and complete the configuration, as described in the following table.

Port - Specify a description of the type of traffic on the port.
Apply - Applies your settings to the running configuration.
Cancel - Cancels your actions.

4. Click Save to save your settings permanently.

Setting SNMP Basic Settings

You configure SNMP basic contact and trap receiver settings to allow events to be reported to an SNMP agent in the Configure > System Settings > SNMP Basic page.

Traps are messages sent by an SNMP agent that indicate the occurrence of an event. By default, SNMP trap receivers are not confirmed. The default system configuration does not include SNMP traps.

RiOS v5.0 provides support for the following:
  SNMP Version 1
  SNMP Version 2c

RiOS v6.0 and later provides support for the following:
  SNMP Version 3, which provides authentication through the User-based Security Model (USM).
  View-based Access Mechanism (VACM), which provides richer access control.

RiOS v7.0 provides support for the following:
  SNMP Version 3 authentication using AES 128 and DES encryption privacy.

For details about SNMP traps sent to configured servers, see SNMP Traps.
To set SNMP Basic parameters

1. Choose Configure > System Settings > SNMP Basic to display the SNMP Basic page.

Figure 2-6. SNMP Basic Page

2. Under SNMP Server Settings, complete the configuration, as described in the following table.

Enable SNMP Traps - Enables SNMP traps.
System Contact - Specify the user name for the SNMP contact.
System Location - Specify the physical location of the SNMP system.
Read-Only Community String - Specify a password-like string to identify the read-only community. For example, public. This community string overrides any VACM settings.
3. To add a new trap receiver, complete the configuration, as described in the following table.

Add a New Trap Receiver - Displays the controls to add a new trap receiver.
Receiver - Specify the destination IP address or hostname for the SNMP trap.
Destination Port - Specify the destination port. The default is 162.
Receiver Type - Select SNMP version v1, v2c, or v3 (user-based security model).
Remote User - (Appears only when you select v3.) Specify a remote user name.
Authentication - (Appears only when you select v3.) Optionally, select either Supply a Password or Supply a Key to use while authenticating users.
Authentication Protocol - (Appears only when you select v3.) Select an authentication method from the drop-down list:
  MD5 - Specifies the Message-Digest 5 algorithm, a widely used cryptographic hash function with a 128-bit hash value. This is the default value.
  SHA - Specifies the Secure Hash Algorithm, a set of related cryptographic hash functions. SHA is considered to be the successor to MD5.
Password/Password Confirm - (Appears only when you select v3 and Supply a Password.) Specify a password. The password must have a minimum of eight characters. Confirm the password in the Password Confirm text box.
Security Level - (Appears only when you select v3.) Determines whether a single atomic message exchange is authenticated. Select one of the following from the drop-down list:
  No Auth - Does not authenticate packets and does not use privacy. This is the default setting.
  Auth - Authenticates packets but does not use privacy.
  AuthPriv - Authenticates packets using AES 128 and DES to encrypt messages for privacy.
  Note: A security level applies to a group, not to an individual user.
Privacy Protocol - (Appears only when you select v3 and AuthPriv.) Select either the AES or DES protocol from the drop-down list. AES uses the AES128 algorithm.
Privacy - (Appears only when you select v3 and AuthPriv.) Select Same as Authentication Key, Supply a Password, or Supply a Key to use while authenticating users. The default setting is Same as Authentication Key.
Privacy Password - (Appears only when you select v3 and Supply a Password.) Specify a password. The password must have a minimum of eight characters. Confirm the password in the Privacy Password Confirm text box.
MD5/SHA Key - (Appears only when you select v3 and Authentication Protocol as Supply a Key.) Specify a unique authentication key. The key is either a 32-hexadecimal digit MD5 or a 40-hexadecimal digit SHA digest created using md5sum or sha1sum.
Privacy MD5/SHA Key - (Appears only when you select v3 and Privacy as Supply a Key.) Specify the privacy authentication key. The key is either a 32-hexadecimal digit MD5 or a 40-hexadecimal digit SHA digest created using md5sum or sha1sum.
Community - For v1 or v2 trap receivers, specify the SNMP community name. For example, public or private. v3 trap receivers need a remote user with an authentication protocol, a password, and a security level.
Enable Receiver - Select to enable the new trap receiver. Clear to disable the receiver.
Add - Adds a new trap receiver to the list.
Remove Selected - Select the check box next to the name and click Remove Selected.

4. Click Apply to apply your changes to the running configuration.

5. Click Save to save your settings permanently.

Configuring SNMP v3

You configure SNMP v3 contact settings to enable events to be reported to an SNMP agent in the Configure > System Settings > SNMP v3 page. RiOS v7.0 supports SNMPv3 message encryption for increased security.

Using SNMP v3 is more secure than SNMP v1 or v2; however, it requires more configuration steps to provide the additional security features. Traps are messages sent by an SNMP agent that indicate the occurrence of an event.

Basic Steps

1. Create the SNMP-server users. Users can be authenticated using either a password or a key.

2. Configure the SNMP-server views to define which part of the SNMP MIB tree is visible.

3. Configure the SNMP-server groups, which map users to views, allowing you to control who can view what SNMP information.

4. Configure the SNMP-server access policies that contain a set of rules defining access rights. Based on these rules, the entity decides how to process a given request.
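The SNMP Basic settings above combine several defaults that weaken monitoring security: a read-only community string that overrides VACM, v1/v2c receivers, the No Auth security level, and MD5 or DES. The following added example, which is not Riverbed code, audits a settings record for them; the dictionary layout is a constructed stand-in for values read off the page, not a CMC export format, and the sample hosts and key are constructed.

```python
import re

HEX_DIGITS = {"MD5": 32, "SHA": 40}  # key lengths the guide gives per protocol


def key_matches_protocol(protocol, key):
    """True if key is a hex digest of the length stated for protocol."""
    digits = HEX_DIGITS.get(protocol)
    if digits is None or not isinstance(key, str):
        return False
    return re.fullmatch(r"[0-9a-fA-F]{%d}" % digits, key) is not None


def audit_receiver(rcv):
    """Return findings for one trap receiver entry."""
    name, findings = rcv["receiver"], []
    if rcv["type"] in ("v1", "v2c"):
        return [f"{name}: {rcv['type']} receiver is protected only by a community string"]
    level = rcv.get("security_level", "No Auth")   # No Auth is the default
    if level == "No Auth":
        return [f"{name}: v3 receiver left at No Auth, packets are not authenticated"]
    if level == "Auth":
        findings.append(f"{name}: Auth authenticates packets but does not use privacy")
    elif rcv.get("privacy_protocol") == "DES":
        findings.append(f"{name}: privacy protocol is DES although AES is offered")
    auth = rcv.get("auth_protocol", "MD5")         # MD5 is the default
    if auth == "MD5":
        findings.append(f"{name}: authentication protocol is MD5 although SHA is offered")
    if "password" in rcv and len(rcv["password"]) < 8:
        findings.append(f"{name}: password is shorter than eight characters")
    if "key" in rcv and not key_matches_protocol(auth, rcv["key"]):
        findings.append(f"{name}: key is not a {HEX_DIGITS.get(auth, '?')}-digit hex {auth} digest")
    return findings


def audit_snmp(settings):
    """Return all findings for an SNMP Basic settings record."""
    findings = []
    community = settings.get("read_only_community")
    if community:
        findings.append("read-only community string is set: it overrides VACM "
                        "and opens the entire MIB tree to any source host")
        if community.lower() in ("public", "private"):
            findings.append(f"read-only community string is the well-known value {community!r}")
    for rcv in settings.get("trap_receivers", []):
        findings.extend(audit_receiver(rcv))
    return findings


SAMPLE_KEY = "0123456789abcdef0123456789abcdef01234567"  # constructed, 40 hex digits

# Constructed records: WEAK keeps the defaults, HARDENED is the corrected form.
WEAK = {
    "read_only_community": "public",
    "trap_receivers": [
        {"receiver": "192.0.2.10", "type": "v2c", "community": "public"},
        {"receiver": "192.0.2.11", "type": "v3", "remote_user": "trapuser"},
        {"receiver": "192.0.2.12", "type": "v3", "remote_user": "trapuser",
         "security_level": "AuthPriv", "auth_protocol": "MD5",
         "key": SAMPLE_KEY, "privacy_protocol": "DES"},  # SHA-length key with MD5
    ],
}
HARDENED = {
    "read_only_community": "",
    "trap_receivers": [
        {"receiver": "192.0.2.12", "type": "v3", "remote_user": "trapuser",
         "security_level": "AuthPriv", "auth_protocol": "SHA",
         "key": SAMPLE_KEY, "privacy_protocol": "AES"},
    ],
}

if __name__ == "__main__":
    for finding in audit_snmp(WEAK):
        print("WEAK    :", finding)
    print("HARDENED:", audit_snmp(HARDENED) or "no findings")
```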
To create users for SNMP v3

1. Choose Configure > System Settings > SNMP v3 to display the SNMP v3 page.

Figure 2-7. SNMP v3 Page

2. To add a new trap receiver, complete the configuration, as described in the following table.

Add a New User - Displays the controls to add a user.
User Name - Specify the user name.
Authentication Protocol - Select an authentication method from the drop-down list:
  MD5 - Specifies the Message-Digest 5 algorithm, a widely used cryptographic hash function with a 128-bit hash value. This is the default value.
  SHA - Specifies the Secure Hash Algorithm, a set of related cryptographic hash functions. SHA is considered to be the successor to MD5.
Authentication - Optionally, click either Supply a Password or Supply a Key to use while authenticating users.
Password - Specify a password. The password must have a minimum of eight characters.
Password Confirm - Confirm the password.
Use Privacy Options - Select to use SNMPv3 encryption.
Privacy Protocol - Select either the AES or DES protocol from the drop-down list. AES uses the AES128 algorithm.
Privacy - Select Same as Authentication, Supply a Password, or Supply a Key to use while authenticating users. The default setting is Same as Authentication.
Privacy Password - (Appears only when you select Supply a Password.) Specify a password. The password must have a minimum of eight characters. Confirm the password in the Privacy Password Confirm text box.
Key - (Appears only when you select Supply a Key.) Specify a unique authentication key. The key is an MD5 or SHA-1 digest created using md5sum or sha1sum.
MD5/SHA Key - (Appears only when you select Supply a Key.) Specify a unique authentication key. The key is either a 32-hexadecimal digit MD5 or a 40-hexadecimal digit SHA digest created using md5sum or sha1sum.
3. Click Apply to apply your changes to the running configuration.

4. Click Save to save your settings permanently.

Configuring SNMP Authentication and Access Parameters

You configure SNMP ACLs contact settings to allow events to be reported to an SNMP agent in the Configure > System Settings > SNMP ACLs page.

The features on this page apply to SNMP v1, v2c, and v3 unless noted otherwise:

Security Names - Identify an individual user (v1 or v2c only).
Groups - Identify a security name and security model as a group, referred to by a group name.
Views - Create a custom view using the VACM that controls who can access which MIB objects under agent management by including or excluding specific OIDs. For example, some users have access to critical read-write control data, while some users have access only to read-only data. For a list of OIDs, see SNMP Traps on page 442.
Access Policies - Defines who gets access to which type of information. An access policy is composed of <group-name, security-model, security-level, read-view-name>.
  read-view-name is a preconfigured view that applies to read requests by this security name.
  write-view-name is a preconfigured view that applies to write requests by this security name.
  notify-view-name is a preconfigured view that applies to write requests to this security name.

An access policy is the configurable set of rules, based on which the entity decides how to process a given request.

Traps are messages sent by an SNMP agent that indicate the occurrence of an event.
To set SNMP ACLs

1. Choose Configure > System Settings > SNMP ACLs to display the SNMP ACLs page.

Figure 2-8. SNMP ACLs Page
2. Under Security Names, complete the configuration, as described in the following table.

Add a New Security Name - Displays the controls to add a security name.
Security Name - Specify a name to identify a requestor (allowed to issue gets and sets). The security name might make changes to the View-based Access Model (VACM) security name configuration.
  Note: Traps for v1 and v2c are independent of the security name.
Community String - Specify the password-like community string to control access. Use a combination of uppercase, lowercase, and numerical characters to reduce the chance of unauthorized access to the appliance.
  Note: If you specify a read-only community string (located on the SNMP Basic page under SNMP Server Settings), it takes precedence over this community name and enables users to access the entire MIB tree from any source host. If this is not desired, delete the read-only community string.
Source IP Address and Mask Bits - Specify the host IP address and mask bits to which you permit access using the security name and community string.
Add - Adds the security name.
Remove Selected - Select the check box next to the name and click Remove Selected.

3. Under Groups, complete the configuration, as described in the following table.

Add a New Group - Displays the controls to add a new group.
Group Name - Specify a group name.
Security Model and Name Pairs - Select the security model from the drop-down list, and click the + button to add:
  v1 or v2c displays another drop-down menu; select a security name.
  usm displays another drop-down menu; select a user.
  To add another security model and name pair, click the + button.
Add - Adds the group name and security model and name pairs.
Remove Selected - Select the check box next to the name and click Remove Selected.

4. Under Views, complete the configuration, as described in the following table.

Add a New View - Displays the controls to add a new view.
View Name - Specify a descriptive view name to facilitate administration.
Includes - Specify the Object Identifiers (OIDs) to include in the view, separated by commas. For example, By default, the view excludes all OIDs. You can specify .iso or any subtree or subtree branch. You can specify an OID number or use its string form. For example, .iso.org.dod.internet.private.enterprises.rbt.products.steelhead.system.model.
Excludes - Specify the OIDs to exclude in the view, separated by commas. By default, the view excludes all OIDs.
Add - Adds the view.
Remove Selected - Select the check box next to the name and click Remove Selected.

5. Under Access Policies, complete the configuration, as described in the following table.

Add a New Access Policy - Displays the controls to add a new access policy.
Group Name - Select a group name from the drop-down list.
Security Level - Determines whether a single atomic message exchange is authenticated. Select one of the following from the drop-down list:
  No Auth - Does not authenticate packets and does not use privacy. This is the default setting.
  Auth - Authenticates packets but does not use privacy.
  Note: A security level applies to a group, not to an individual user.
Read View - Select a view from the drop-down list.
Add - Adds the configurations.
Remove Selected - Select the check box next to the name and click Remove Selected.

6. Click Apply to apply your changes to the running configuration.

7. Click Save to save your settings permanently.

Configuring Notifications

You can configure notification for events and failures in the Configure > System Settings > page. By default, addresses are not specified for event and failure notification.
To configure notifications

1. Choose Configure > System Settings > to display the page.

Figure Page

2. Under Notifications, complete the configuration, as described in the following table.

SMTP Server - Specify the SMTP server. You must have external DNS and external access for SMTP traffic for this feature to function.
  Important: Make sure that you provide a valid SMTP server to ensure that the users you specify receive notifications for events and failures.
  Note: If an SMTP error occurs because the file is too big, Riverbed recommends using either SCP or FTP.
SMTP Port - Specify the port number for the SMTP server.
Report Events via - Specify this option to report events through email. Specify a list of email addresses to receive the notification messages. Separate addresses by commas. Optionally, select any of the following options:
  Include Events from Managed Appliances - Select the check box to include events from Steelhead appliances managed by the CMC appliance and control s.
  Enable Event Aggregation - Select the check box to enable event aggregation and specify the aggregation duration (minutes). This setting aggregates events into a single notification for the specified duration.
Report Failures via - Specify this option to report failures through email. Specify a list of email addresses to receive the notification messages. Separate addresses by commas.
Report Failures to Technical Support - Specify this option to report serious failures such as system crashes to Riverbed Support. Riverbed recommends that you activate this feature so that problems are promptly corrected.
  Important: This option does not automatically report a disk drive failure. In the event of a disk drive failure, contact Riverbed Support.

3. Under RBM User Settings, view the information as described in the following table.

User - Displays the user information.
Notification - Displays the notifications for the user.
Recipients - Displays the recipient(s) of the notification.
Aggregation Information - Displays the aggregation information.

4. Click Apply to apply the settings to the current configuration.

5. Click Save to save your settings permanently.
Configuring Logging

You set up local and remote logging in the Configure > System Settings > Logging page.

To set up logging

1. Choose Configure > System Settings > Logging to display the Logging page.

Figure Logging Page

2. To rotate logs, click Rotate Logs.
3. Under Logging Configuration, complete the configuration, as described in the following table.

Minimum Severity - Select the minimum severity level for the system log messages. The log contains all messages with this severity level or higher. Select one of the following levels from the drop-down list:
  Emergency - Emergency, the system is unusable.
  Alert - Action must be taken immediately.
  Critical - Conditions that affect the functionality of the Steelhead appliance.
  Error - Conditions that probably affect the functionality of the Steelhead appliance.
  Warning - Conditions that could affect the functionality of the Steelhead appliance, such as authentication failures.
  Notice - Normal but significant conditions, such as a configuration change.
  Info - Informational messages that provide general information about system operations.
  Note: This control applies to the system log only. It does not apply to the user log.
Maximum Number of Log Files - Specify the maximum number of logs to store. The default value is 10.
Lines Per Log Page - Specify the number of lines per log page. The default value is 100. This can be updated on the Reports > CMC Diagnostics > System Logs page or the Reports > CMC Diagnostics > User Logs page.
Rotate Based On - Specify one of the following rotation options:
  Time - Select Day, Week, or Month from the drop-down list.
  Disk Space - Specify how much disk space, in megabytes, the log uses before it rotates. The default value is 16 MB.
  Note: The size of the log file is checked only in 10-minute intervals.

4. Click Apply to apply the settings to the current configuration.

5. To add a new log server, complete the configuration, as described in the following table.

Add a New Log Server - Displays the controls for configuring new log servers.
Server IP - Specify the server IP address.
Minimum Severity - Select the minimum severity level for the log messages. The log contains all messages with this severity level or higher. Select one of the following levels from the drop-down list:
  Emergency - Emergency, the system is unusable.
  Alert - Action must be taken immediately.
  Critical - Conditions that affect the functionality of the Steelhead appliance.
  Error - Conditions that probably affect the functionality of the Steelhead appliance.
  Warning - Conditions that could affect the functionality of the Steelhead appliance, such as authentication failures.
  Notice - Normal but significant conditions, such as a configuration change.
  Info - Informational messages that provide general information about system operations.
Add - Adds the server to the list.
Remove Selected - Select the check box next to the name and click Remove Selected.

6. To rotate the logs immediately, click Rotate Logs.

7. Optionally, under Per-Process Logging, complete the configuration, as described in the following table.

Add a New Process Logging Filter - Displays the controls for adding a process-level logging filter.
Process - Select a process to include in the log from the drop-down list:
  alarmd - Alarm Manager, which handles the alarms.
  autoreg - Appliance Auto-registrar, which handles appliance autoregistration.
  backupd - Appliance Backup Scheduler, which handles the appliance backup scheduler.
  app_backup - Appliance Backup/Restore, which handles the appliance backup and restore.
  rbmd - Appliance Connection Manager, which handles the appliance connection.
  upgraded - Appliance Upgrade Manager, which handles the appliance upgrade.
  cmc_backup - CMC Backup/Restore, which handles the CMC backup and restore.
  cli - Command Line Interface, which handles the CLI for the CMC.
  mgmtd - Device and Management, which handles the device control and management.
  export_reports - Export Reports, which handles the report exports.
  hald - Hardware Abstraction Daemon, which handles access to the hardware.
  pm - Process Manager, which handles launching of internal system daemons and keeps them up and running.
  sched - Process Scheduler, which handles one-time scheduled events.
  rsync_wrapper - Rsync Process Monitor, which handles rsync process events.
  statsd - Statistics Collector, which handles queries and storage of system statistics.
  wdt - Watchdog Timer, the motherboard watchdog daemon.
  webasd - Web Application Process, which handles the Web user interface.
Minimum Severity - Select the minimum severity level for the log messages. The log contains all messages with this severity level or higher. Select one of the following levels from the drop-down list:
  Emergency - Emergency, the system is unusable.
  Alert - Action must be taken immediately.
  Critical - Conditions that affect the functionality of the appliance.
  Error - Conditions that probably affect the functionality of the appliance.
  Warning - Conditions that could affect the functionality of the appliance, such as authentication failures.
  Notice - Normal but significant conditions, such as a configuration change.
  Info - Informational messages that provide general information about system operations.
Add - Adds the filter to the list, after which the process logs at the selected severity and higher level.
Remove Selected - Select the check box next to the name and click Remove Selected to remove the filter.

8. Click Apply to apply your changes to the running configuration.

9. Click Save to save your settings permanently.

Configuring Security Settings

The following section describes how to configure security settings in the CMC. This section includes the following topics:

  Configuring General Security Settings
  Configuring CMC Security Settings
  Managing User Permissions
  Configuring RADIUS Server Authentication
  Configuring TACACS+ Server Authentication
  Unlocking the Secure Vault
  Configuring the Management ACL
  Configuring Web Settings
Configuring General Security Settings

You can prioritize local, RADIUS, and TACACS+ authentication methods for the system and set the authorization policy and default user for RADIUS and TACACS+ authorization systems in the Configure > Security > General Security Settings page.

If an appliance has a local account with the same username as the remote account, then the remote account receives the permissions of the local account. Otherwise, the following authorization policy rules are applied:
    Remote first - Remote account receives permissions for a local account to which it is validly mapped. Otherwise, the remote account gets permissions of the default account. Initially, this is the administrator account.
    Remote only - Remote account receives permissions for a local account to which it is validly mapped. Otherwise, the authorization fails. The default account is ignored.
    Local only - The remote account receives default account permissions and mapping is never used.

The Configure > Security > General Security Settings page has default user and authentication mapping settings. These settings become effective when one of the authentications is chosen with TACACS+ or RADIUS. There are three possible authorization map orders (Remote First, Remote Only, and Local Only) and a set of possible combinations of appliance and server configurations for each case.

Important: Make sure to put the authentication methods in the order in which you want authentication to occur. If authorization fails using the first method, the next method is attempted, and so forth, until all the methods have been attempted.

Tip: To set TACACS+ authorization levels (admin or read-only) to allow certain members of a group to log in, add the following attribute to users on the TACACS+ server:

    service = rbt-exec { local-user-name = "monitor" }

where you replace monitor with admin for write access.
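The authorization policy rules above, worked through as an added example (not code from the guide or from Riverbed). It resolves which local account each remote user ends up with and lists the users who land on the default account, which is the administrator account until it is changed. The function names and the sample directory are constructed, and "validly mapped" is assumed to mean that the server-supplied local-user-name names an existing local account.

```python
from enum import Enum


class Policy(Enum):
    REMOTE_FIRST = "Remote First"
    REMOTE_ONLY = "Remote Only"
    LOCAL_ONLY = "Local Only"


def effective_account(remote_user, mapped_to, local_accounts, policy,
                      default_user="admin"):
    """Return (local_account_or_None, reason) for one remote user.

    mapped_to is the local-user-name attribute the RADIUS/TACACS+ server
    returned for this user, or None if the server sent no mapping.
    """
    # A local account with the same username takes precedence over any policy.
    if remote_user in local_accounts:
        return remote_user, "same-name local account"
    # Local only: mapping is never used, everyone gets the default account.
    if policy is Policy.LOCAL_ONLY:
        return default_user, "default account"
    # Assumption: a mapping is valid only if it names an existing account.
    if mapped_to is not None and mapped_to in local_accounts:
        return mapped_to, "server mapping"
    # Remote first falls back to the default account; remote only fails.
    if policy is Policy.REMOTE_FIRST:
        return default_user, "default account"
    return None, "denied"


def audit(directory, local_accounts, policy, default_user="admin"):
    """Resolve every remote user in directory ({user: mapped_to})."""
    return {
        user: effective_account(user, mapped, local_accounts, policy,
                                default_user)
        for user, mapped in directory.items()
    }


def falls_to_default(directory, local_accounts, policy, default_user="admin"):
    """Remote users who receive the default account's permissions."""
    results = audit(directory, local_accounts, policy, default_user)
    return sorted(u for u, (_, why) in results.items()
                  if why == "default account")


# Constructed sample data: local accounts on the appliance and the mapping
# attribute the remote server returns for each remote user.
LOCAL_ACCOUNTS = {"admin", "monitor"}
DIRECTORY = {
    "jane": "admin",      # mapped to admin
    "john": "monitor",    # mapped to monitor
    "joe": None,          # no mapping attribute on the server
    "ops": "netops",      # mapped to an account that does not exist locally
    "monitor": "admin",   # same name as a local account
}

if __name__ == "__main__":
    for policy in Policy:
        print(policy.value)
        for user, (acct, why) in audit(DIRECTORY, LOCAL_ACCOUNTS,
                                       policy).items():
            print(f"  {user:8} -> {acct or 'DENIED':8} ({why})")
        print("  default account used by:",
              falls_to_default(DIRECTORY, LOCAL_ACCOUNTS, policy))
```

With Remote First and the initial default account, joe and ops both resolve to admin even though the server never granted them that mapping; Remote Only denies them instead.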
For details on setting up RADIUS and TACACS+ servers, see the Steelhead Appliance Deployment Guide.

To set general security settings

1. Choose Configure > Security > General Security Settings to display the General Security Settings page.

Figure: General Security Settings Page
2. Under Authentication Methods, complete the configuration, as described in the following table.

Authentication Methods - Specifies the authentication method. Select an authentication method from the drop-down list. The methods are listed in the order in which they occur. If authorization fails using the first method, the next method is attempted, and so on, until all of the methods have been attempted.
For RADIUS/TACACS+, fallback only when servers are unavailable. - Specifies that the Steelhead appliance falls back to a RADIUS or TACACS+ server only when all other servers do not respond. This is the default setting. When this feature is disabled, the Steelhead appliance does not fall back to the RADIUS or TACACS+ servers. If it exhausts the other servers and does not get a response, it returns a server failure.
Authorization Policy - Appears only for some authentication methods. Optionally, select one of the following policies from the drop-down list:
    Remote First - Checks the remote server first for an authentication policy, and only checks locally if the remote server does not have one set. This is the default behavior.
    Remote Only - Only checks the remote server.
    Local Only - Only checks the local server. All remote users are mapped to the user specified. Any vendor attributes received by an authentication server are ignored.
    Default User - Optionally, select admin, monitor, or shark from the drop-down list to define the default authentication policy.

3. Click Apply to apply your changes to the running configuration.

4. Click Save to save your settings permanently.

Configuring CMC Security Settings

You can configure CMC Security Settings in the Configure > Security > CMC Security page. The CMC security feature enables strict key verification to prevent rogue appliances from accessing the network with a forged IP address (also known as spoofing).
Riverbed strongly recommends enabling this feature if appliance configurations contain sensitive data.
To set CMC security

1. Choose Configure > Security > CMC Security to display the CMC Security page.

Figure: CMC Security Page

2. Under Web Auto Sign On, use the controls to complete the configuration, as described in the following table.

Never - Select this option to require the current user to log in when the Central Management Console opens.
When logged in as admin - Select this option to log in as the admin user for the appliance when the Central Management Console opens. Note: The registered user must have administrative privileges.
When logged in as the appliance registered user - Select this option to log in when the Central Management Console opens using the same user name used to log in to the CMC. For this option to function properly, the CMC login must match the login configured for the appliance's registered user.

3. Under Appliance Connection, use the controls to complete the configuration, as described in the following table.

This setting controls the login information used when the Central Management Console for an individual appliance is accessed directly from the Home page of the CMC. For details on accessing Central Management Consoles appliance, see The Home Page on page
These settings control how the URLs are generated for the appliances shown on the Home page.

Always use http - Select this option to always generate the appliance URL using the HTTP protocol.
Always use https - Select this option to always generate the appliance URL using the HTTPS protocol.
Use https if enabled, otherwise http - Select this option to generate the appliance URL automatically based on whether the appliance is SSL-enabled (HTTPS) or not (HTTP).
Use the Fully-Qualified Domain Name provided by the appliance - Select this option to use the fully-qualified domain name provided by the appliance. This is the default setting. If the FQDN is not obtainable, the registered address will be used. Note: The CMC resolves the FQDN to an IP.
Use the IP Address/Hostname registered with the CMC - Select this option to use the IP Address/Hostname registered with the CMC.

4. Under Common Administration Login, use the controls to complete the configuration, as described in the following table. When enabled, the Common Appliance Username/Password is used for all appliance connections. The appliance-specific username/password is ignored.

Use Common Appliance Credentials - Displays the controls for the common administration login.
User Name - Enter the user name.
Password - Enter the password.
Confirm Password - Confirm the password.

5. Optionally, under SSL, select the check box to enable Strict Key Verification. Strict key verification prevents the CMC from inadvertently connecting with rogue appliances. If you select this option, the CMC does not connect with Steelhead appliances whose correct SSH public keys are not known by the CMC. The CMC requires you to enter the Steelhead appliance's SSH public key before allowing communication. The existing appliances whose SSH public keys are not trusted are disconnected when strict key verification is enabled.
For details, see Trusting Appliances Using Security Keys on page

6. Click Apply to apply the changes to the Web Auto Sign On, Appliance Connection, and SSL settings to the current configuration.

7. Click Save to save the settings permanently.

Managing User Permissions

You can change the administrator or monitor passwords and define role-based users in the Configure > Security > User Permissions page.
This section describes the following user permission features:
    Capability-Based Accounts on page 60
    Role-Based Accounts on page 60
    CMC Roles and Permissions on page 63
    Groups Configurations on page 63
    Appliance Management Roles and Permissions on page 63
    Steelhead Appliance Roles and Permissions on page 63
    Steelhead Appliance Roles and Permissions Specific to Diagnostic Pages on page 65

Capability-Based Accounts

The system has two accounts based on what actions you can take:
    Admin - The administrator user has full privileges. For example, as an administrator you can set and modify configuration settings, add and delete users, restart and reboot CMC services, and create and view performance and system reports.
    Monitor - A monitor user can view reports. Monitor users cannot make configuration changes or change their own passwords.

Role-Based Accounts

You can create users, assign passwords to the user, and assign configuration roles, including access to group configurations to the user. A user role determines permissions, as follows:
    Deny - With deny privileges, you cannot view settings or make configuration changes for a feature.
    Read-only - With read-only privileges, you can view current configuration settings but you cannot change them.
    Read/Write - With read and write privileges, you can view settings and make configuration changes for a feature.

As an example, you might have user Jane who can make configuration changes to QoS, PFS, and SSL whereas user John can only view these configuration settings, and a third user, Joe, who cannot view or change the settings for these features.

Available menu items reflect the privileges of the user. For example, any menu items that a user does not have permission to use are dimmed. When a user clicks a dimmed link, the Permissions page appears.

Important: The Optimization Services role in RiOS v6.1 and later includes permission to access High-Speed TCP (HS-TCP).
Consequently, upgrading to RiOS v6.1 or later causes all role-based users with permission for the High-Speed TCP (HS-TCP) role to lose their access. The Administrator must manually reassign those users who require HS-TCP access with permission for the Optimization Services (GUI) or the Acceleration Services (CLI) role. Alternatively, the administrator can create a custom role for the HS-TCP users.
To set the user permissions

1. Choose Configure > Security > User Permissions to display the User Permissions page.

Figure: User Permissions Page

2. Under Capability-Based Accounts, complete the configuration, as described in the following table.

admin/monitor - Click the magnifying glass to change the administrator or monitor password.
    Enable Account - Select to enable or clear to disable the administrator or monitor account.
    Use a Password - Enables password protection. When a user has a null password to start with, the administrator can still set the user's password to null with account control enabled. However, after the user or administrator changes the password, it cannot be reset to null as long as account control is enabled.
    Password - Type a password in the text box. The password must have a minimum of six characters.
    Password Confirm - Retype the new administrator password.
Important: A role-based account cannot modify another role-based or capability account.

3. Under Role-Based Accounts, complete the configuration, as described in the following table.

Add a New User - Displays the controls for creating new role-based accounts.
Account Name - Specify a name for the role-based account.
Enable Account - Enables the new role-based account.
Use a Password - Select the check box to enable password protection and specify the following:
    Password - Specify a password in the text box. The password must have a minimum of six characters.
    Password Confirm - Specify the new password again for confirmation.
Roles and Permissions - Grant the user one of the following privileges:
    Deny - With deny privileges the user cannot view settings or make configuration changes for a feature. This is the default setting.
    Read-Only - With read privileges the user can view current configuration settings for the feature but cannot change them.
    Read/Write - With write privileges the user can view settings and make configuration changes for a feature.
    Roles comprise groups of settings. With write access permission the user can change the configuration for these roles. For details on available roles and permissions, see Steelhead Appliance Roles and Permissions on page 63.
Add - Adds your settings to the system. The new user appears in the User table at the bottom of the page.
Remove Selected Users - Check the box next to the name and click Remove Selected Users to remove it from the list.

4. Click Save to save your settings permanently.
CMC Roles and Permissions

The following table describes the available roles and permissions that can be set for the CMCs.

CMC Settings - Manages the CMC features. For example, host settings, network settings and reports.
AAA Configurations - Authenticates and authorizes CMC users.

Groups Configurations

The following table describes the available roles and permissions that can be set for the specific group type.

<group> - Configures the <group> settings. For example, Global.

Appliance Management Roles and Permissions

The following table describes the available roles and permissions that can be set for the appliance management.

Appliance Management - s appliance upgrades and policy pushes.
Appliance Settings - Manages appliance features. For example, host settings and network settings.
Appliance AAA Configuration - Manages appliance security permissions.
Optimization Settings - Manages appliance optimization setup.
Application Optimization Policies - Configures optimization policies for different applications.
Branch Services - Manages branch services setup. For example, RSP and PFS.

Steelhead Appliance Roles and Permissions

The following table describes the available roles and permissions that can be set for the Steelhead appliances.

General Settings - Grants access to CMC-specific settings, including alarms, notifications, SNMP, and log settings. For more information, see General Service Settings on page 315.
Network Settings - Grants the ability to modify the CMC hostname and IP settings. For more information, see Networking Policy Settings on page 386.
QoS - Enforces QoS policies. For more information, see Networking Policy Settings on page 386.
Optimization Service - Starts and stops the optimization service. For more information, see Optimization Policy Settings on page 312.
In-Path Rules - Configures TCP traffic for optimization and optimization methods traffic by setting in-path rules. Includes WAN visibility to preserve TCP/IP address or port information. For more information, see Optimization Policy Settings on page 312. For details on WAN visibility, see the Steelhead Appliance Deployment Guide.
High-Speed TCP - Configures high-speed TCP settings. For more information, see Networking Policy Settings on page 386.
CIFS Optimization - Enables CIFS optimization. For more information, see Optimization Policy Settings on page 312.
HTTP Optimization - Configures enhanced HTTP optimization settings: cache settings, keep-alive, insert cookie, file extensions to prefetch, and ability to set HTTP optimization for a specific server subnet. For more information, see Optimization Policy Settings on page 312.
Oracle Forms Optimization - Optimizes Oracle E-business application content and forms applications. For more information, see Optimization Policy Settings on page 312.
MAPI Optimization - Optimizes MAPI and sets Exchange and NSPI ports. For more information, see Optimization Policy Settings on page 312.
SQL Optimization - Configures MS-SQL optimization. For more information, see Optimization Policy Settings on page 312.
NFS Optimization - Configures NFS optimization. For more information, see Optimization Policy Settings on page 312.
Notes Optimization - Configures Lotus Notes optimization. For more information, see Optimization Policy Settings on page 312.
Citrix ICA Optimization - Configures Citrix ICA optimization. For more information, see Optimization Policy Settings on page 312.
SSL Optimization - Configures SSL support. For more information, see Optimization Policy Settings on page 312.
Replication Optimization - Configures replication optimization. For more information, see Optimization Policy Settings on page 312.
Proxy File Service (PFS) - Click to enable the PFS. This setting enables you to configure the CIFS prepopulation in optimization policies in the CMC. For more information, see Optimization Policy Settings on page 312.
Riverbed Services Platform (RSP) - Adds functionality into a virtualized environment on the client Steelhead appliance. The functionality can include a print server, a streaming video server, or a package that provides core networking services (DNS, DHCP, TFTP and Radius mirroring). For details, see the Riverbed Command-Line Interface Reference Manual. For more information, see Branch Services Settings on page 427.
Security Settings - Configures security settings, including RADIUS and TACACS authentication settings and the secure vault password. For more information, see Security Policy Settings on page 418.
Basic Diagnostics - Customizes the CMC system basic diagnostic logs. Enables the user to view CMC basic diagnostics related reports. For more information, see System Settings Policies on page 369.
Diagnostics - Customizes the CMC system diagnostic logs. Enables the user to view CMC diagnostics related reports. For more information, see System Settings Policies on page
Reports - Enables the user to view CMC related reports. For more information, see Displaying and Customizing Reports on page 187.
TCP Dump - Enables access to Cascade Shark operation. For more information, see Performing Appliance Operations on page 139 and Starting, Stopping, or Restarting Appliances and Appliance Groups on page 147.

Steelhead Appliance Roles and Permissions Specific to Diagnostic Pages

The following table describes the available roles and permissions that can be set for the Diagnostic pages controlled by the Steelhead appliance.

Steelhead: Reports - Permits access to Appliance Details, Health Check, CPU Utilization, Memory Paging, and Expiring Certificates reports. For more details, see the Steelhead Appliance Deployment Guide and the Steelhead and Steelhead CX Management Console User's Guide.
Steelhead: Basic Diagnostics - Permits access to Health Check, Download Logs, and Expiring Certificates diagnostics. For more details, see the Steelhead Appliance Deployment Guide and the Steelhead and Steelhead CX Management Console User's Guide.
Steelhead: TCP Dump - Permits access to Health Check and Expiring Certificates reports. For more details, see the Steelhead Appliance Deployment Guide and the Steelhead and Steelhead CX Management Console User's Guide.

Configuring RADIUS Server Authentication

You set RADIUS server authentication in the Configure > Security > RADIUS page. RADIUS is an access control protocol that uses a challenge and response method for authenticating users. If you add a new server to your network and you do not specify these settings at that time, the global settings are applied automatically. For details on setting up RADIUS and TACACS+ servers, see the Steelhead Appliance Deployment Guide. Enabling this feature is optional.
To set RADIUS server authentication

1. Choose Configure > Security > RADIUS to display the RADIUS page.

Figure: RADIUS Page

2. Under Default RADIUS Settings, complete the configuration, as described in the following table.

Set a Global Default Key - Enables a global server key for the RADIUS server.
Global Key - Specify the global server key.
Confirm Global Key - Confirm the global server key.
Timeout (seconds) - Specify the time-out period in seconds (1-60). The default value is 3.
Retries - Specify the number of times you want to allow the user to retry authentication. The default value is

3. Click Apply to apply the settings to the current configuration.
4. To add a new RADIUS Server, complete the configuration, as described in the following table.

Add a RADIUS Server - Displays the controls for defining a new RADIUS server.
Hostname or IP Address - Specify the server IP address.
Authentication Port - Specify the port for the server.
Override the Global Default Key - Overrides the global server key for the server.
    Server Key - Specify the override server key.
    Confirm Server Key - Confirm the override server key.
Timeout (seconds) - Specify the time-out period in seconds (1-60). The default value is 3.
Retries - Specify the number of times you want to allow the user to retry authentication. Valid values are 0-5. The default value is 1.
Enabled - Enables the new server.
Add - Adds the RADIUS server to the list.
Remove Selected - Select the check box next to the name and click Remove Selected.

5. Click Save to save your settings permanently.

Note: To modify RADIUS server settings, click the server IP address in the list of RADIUS servers. Use the Status drop-down list to enable or disable a server in the list.
Configuring TACACS+ Server Authentication

You set up TACACS+ server authentication in the Configure > Security > TACACS+ page. Enabling this feature is optional.

TACACS+ is an authentication protocol that enables a remote access server to forward a login password for a user to an authentication server to determine whether access is allowed to a given system.

For details on configuring RADIUS and TACACS+ servers to accept login requests from the Steelhead appliance, see the Steelhead Appliance Deployment Guide.

To set a TACACS+ server

1. Choose Configure > Security > TACACS+ to display the TACACS+ page.

Figure: TACACS+ Page
2. Under Default TACACS+ Settings, complete the configuration, as described in the following table.

Set a Global Default Key - Specify this option to enable a global server key for the server.
Global Key - Specify the global server key.
Confirm Global Key - Confirms the global server key.
Timeout (seconds) - Specify the time-out period in seconds (1-60). The default value is 3.
Retries - Specify the number of times you want to allow the user to retry authentication. Valid values are 0-5. The default value is

3. Click Apply to apply the settings to the current configuration.

4. To add a TACACS+ server, complete the configuration, as described in the following table.

Add a TACACS+ Server - Displays the controls for defining a new TACACS+ server.
Hostname or IP Address - Specify the server IP address.
Authentication Port - Specify the port for the server. The default value is 49.
Authentication Type - Click either PAP or ASCII to select the authentication type.
Override the Global Default Key - Specify this option to override the global server key for the server.
    Server Key - Specify the override server key.
    Confirm Server Key - Confirm the override server key.
Timeout (seconds) - Specify the time-out period in seconds (1-60). The default value is 3.
Retries - Specify the number of times you want to allow the user to retry authentication. Valid values are 0-5. The default is 1.
Enabled - Enables the new server.
Add - Adds the TACACS+ server to the list.
Remove Selected - Select the check box next to the name and click Remove Selected.

5. Click Save to save your settings permanently.
Unlocking the Secure Vault

You can unlock and change the password for the secure vault in the Configure > Security > Secure Vault page.

The secure vault contains sensitive information from your CMC configuration, including SSL private keys and the RiOS data store encryption key. These configuration settings are encrypted on the disk at all times, using AES 256-bit encryption.

Initially the secure vault is keyed with a default password known only to the RiOS software. This enables the system to automatically unlock the vault during system startup. You can change the password, but the secure vault does not automatically unlock upon startup. You must unlock the secure store to manage SSL configuration on the CMC and to unlock the secure stores on the Steelhead appliances.

To unlock or change the password of the secure vault

1. Choose Configure > Security > Secure Vault to display the Secure Vault page.

Figure: Secure Vault Page

2. Under Unlock Secure Vault, complete the configuration, as described in the following table.

Password - Specify a password and click Unlock Secure Vault. Initially the secure vault is keyed with a default password known only to the RiOS software. This enables the system to automatically unlock the vault during system startup. You can change the password, but the secure vault does not automatically unlock on startup. To optimize SSL connections or to use RiOS data store encryption, you must unlock the secure vault.
Unlock Secure Vault - Unlocks the vault.

3. Under Change Password, complete the configuration, as described in the following table.

Current Password - Specify the current password. If you are changing the default password that ships with the product, leave the text box blank.
New Password - Specify a new password for the secure vault.
New Password Confirm - Retype the new password for the secure vault.
Change Password - Changes the password to the new value.

4. Click Save to save your settings permanently.

Configuring the Management ACL

You can modify Management ACL settings in the Configure > Security > Management ACL page.

CMCs are subject to the network policies defined by a corporate security policy, particularly in large networks. Using an internal management ACL, you can:
    Restrict access to certain interfaces or protocols of a CMC.
    Restrict inbound IP access to a CMC, protecting it from access by hosts that do not have permission without using a separate device (such as a router or firewall).
    Specify which hosts or groups of hosts can access and manage a CMC by IP address, simplifying the integration of CMCs into your network.

The management ACL provides the following safeguards to prevent accidental disconnection from the CMC:
    Detects the IP address you are connecting from and displays a warning if you add a rule that denies connections to that address.
    Converts well-known port and protocol combinations such as SSH, Telnet, HTTP, HTTPS, SNMP, and SOAP into their default management service and protects these services from disconnection. For example, if you specify protocol 6 (TCP) and port 22, the management ACL converts this port and protocol combination into SSH and protects it from denial.
    Enables the default Steelhead appliance ports 7800, 7801, 7810, 7820, and
    Enables a previously connected CMC to connect and tracks any changes to the IP address of the CMC to prevent disconnection.
    Tracks changes to default service ports and automatically updates any references to changed ports in the access rules.
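The first two safeguards, combined with the ordered first-match evaluation and final default Allow rule that this section describes under Rule Number and Action, can be modeled to review a rule set before applying it. This is an added example, not CMC code: the Rule class, the function names, the sample rules and addresses are constructed, and services are assumed to listen on their IANA default ports (SOAP is left out because the page does not give its port).

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Well-known protocol/port pairs and the management service they stand for.
# Assumption: each service runs on its IANA default port.
WELL_KNOWN = {
    ("tcp", 22): "SSH",
    ("tcp", 23): "Telnet",
    ("tcp", 80): "HTTP",
    ("tcp", 443): "HTTPS",
    ("udp", 161): "SNMP",
}
SERVICE_PORTS = {name: key for key, name in WELL_KNOWN.items()}


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    source: str = "0.0.0.0/0"      # source subnet of the inbound packet
    protocol: str = "all"          # "tcp", "udp", "icmp" or "all"
    port: Optional[int] = None     # destination port, None means any
    service: Optional[str] = None  # e.g. "SSH", None means all services


def normalize(rule):
    """Convert a well-known protocol/port pair into its service name,
    e.g. protocol 6 (TCP) and port 22 become SSH."""
    name = WELL_KNOWN.get((rule.protocol, rule.port))
    if name and rule.service is None:
        return replace(rule, service=name)
    return rule


def matches(rule, src_ip, protocol, port):
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source):
        return False
    r_proto, r_port = rule.protocol, rule.port
    if rule.service:  # a named service fixes both protocol and port
        r_proto, r_port = SERVICE_PORTS[rule.service]
    if r_proto != "all" and r_proto != protocol:
        return False
    return r_port is None or r_port == port


def evaluate(rules, src_ip, protocol, port):
    """Rules are consulted in numerical order starting with Rule 1; the
    first match is applied. Returns (action, rule_number); rule_number is
    None when only the final default Allow rule applied."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, src_ip, protocol, port):
            return rule.action, number
    return "allow", None


def newly_denied(rules, new_rule, admin_ip, position=None):
    """Management services that admin_ip can reach now but would lose if
    new_rule were inserted as rule number `position` (default: at the end,
    just above the default rule)."""
    idx = len(rules) if position is None else position - 1
    candidate = rules[:idx] + [normalize(new_rule)] + rules[idx:]
    lost = []
    for service, (proto, port) in SERVICE_PORTS.items():
        before, _ = evaluate(rules, admin_ip, proto, port)
        after, _ = evaluate(candidate, admin_ip, proto, port)
        if before == "allow" and after == "deny":
            lost.append(service)
    return lost


# Constructed sample rule set and administrator address.
RULES = [
    Rule("allow", "10.1.0.0/16", service="SSH"),
    normalize(Rule("deny", "10.0.0.0/8", "tcp", 22)),
]
ADMIN_IP = "10.1.5.20"

if __name__ == "__main__":
    print(evaluate(RULES, ADMIN_IP, "tcp", 22))
    print(newly_denied(RULES, Rule("deny", "10.0.0.0/8"), ADMIN_IP))
    print(newly_denied(RULES, Rule("deny", "10.0.0.0/8"), ADMIN_IP, position=1))
```

Because the first matching rule wins, the same deny rule removes only the services not already allowed above it when appended, but cuts off SSH as well when inserted as Rule 1.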
To modify the management ACL

1. Choose Configure > Security > Management ACL to display the Management ACL page.

Figure: Management ACL Page

2. Under Management ACL Settings, complete the configuration, as described in the following table.

Enable Management ACL - Select this check box to enable the management ACL.
Apply - Applies the settings.

3. To add a new rule, complete the configuration, as described in the following table.

Add a New Rule - Displays the controls for adding a new rule.
Action - Select one of the following rule types from the drop-down list:
    Allow - Enables a matching packet access to the CMC. This is the default action.
    Deny - Denies access to any matching packets.
    Note: The default rule, Allow, enables all remaining traffic from everywhere that has not been selected by another rule, cannot be removed, and is always listed last.
Service - Optionally, select All, HTTP, HTTPS, SOAP, SNMP, SSH, or Telnet from the drop-down list. When specified, the Destination Port is dimmed and unavailable.
Protocol - Select ICMP, TCP, UDP, or All from the drop-down list.
Source Network - Optionally, specify the source subnet of the inbound packet.
Interface - Optionally, select All, Primary, or AUX from the drop-down list. The default value is All.
Optionally, describe the rule, to facilitate administration.
Rule Number - Optionally, select a rule number from the drop-down list. By default, the rule goes to the end of the table (just above the default rule). CMCs evaluate rules in numerical order starting with Rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule do not match, the system consults the next rule. For example, if the conditions of Rule 1 do not match, Rule 2 is consulted. If Rule 2 matches the conditions, it is applied, and no further rules are consulted.
Log Packets - Tracks denied packets in the log. By default, packet logging is enabled.

4. Click Add to add the rule to the list.

For information about ACL management rules, see the Steelhead CX Management Console User's Guide.

Important: If you add, delete, edit, or move a rule that could disconnect connections to the Steelhead appliance, a warning message appears. Click Confirm to override the warning and allow the rule definition anyway. Use caution when overriding a disconnect warning.

Configuring Web Settings

You can configure and manage Web user interface settings in the Configure > Security > Web Settings page. Web Settings is controlled not by the CMC Security Settings role but by the CMC General Settings role.

This section includes the following topics:
    To modify Web Settings on page 73
    To modify Web Certificates on page 74

To modify Web Settings

1. Choose Configure > Security > Web Settings to display the Web Settings page.

Figure: Web Settings Page
2. Under Web Settings, complete the configuration, as described in the following table.

Default Web Login ID - Specify the user name that appears on the authentication page. The default value is admin.
Web Inactivity Timeout (minutes) - Specify the number of idle minutes before time-out. The default value is A value of 0 disables time-out.
Allow Session Timeouts on Auto-Refreshing Pages - By default, session time-out is enabled, which stops the automatic updating of the report pages when the session times out. Clear this box to disable the session time-out, remain logged in indefinitely, and automatically refresh the report pages. Important: Disabling this feature poses a security risk.

3. Click Apply to apply the settings to the current configuration.

4. Click Save to save your settings permanently.

To modify Web Certificates

1. Choose Configure > Security > Web Settings to display the Web Settings page.

2. Under Web Certificate, select the Details tab. The Steelhead appliance identity certificate details appear, as described in the following table.

Issued To/Issued By
    Common Name - Specifies the common name of the certificate authority.
    - Specifies the organization .
    Organization - Specifies the organization name (for example, the company).
    Organization Unit - Specifies the organization unit name (for example, section or department).
    Locality - Specifies the city.
    State - Specifies the state.
    Country - Specifies the country.
Validity
    Issued On - Specifies the date the certificate was issued.
    Expires On - Specifies the date the certificate expires.
Fingerprint - Specifies the SSL fingerprint.
Key
    Type - Specifies the key type.
    Size - Specifies the sizes in bytes.

3. To view the PEM information, under Web Certificate, select the PEM tab.
4. To replace an existing certificate, under Web Certificate, select the Replace tab and complete the configuration, as described in the following table.

Import Existing Private Key and CA-Signed Public Certificate (One File in PEM or PKCS12 formats) - Select this option if the existing private key and CA-signed certificate are located in one file. The page displays a Private Key and CA-Signed Public Certificate control for browsing to the key and certificate files or a text box for copying and pasting the key and certificate. Note: The private key is required.
Local File - Browse to the local file.
Text - Paste the text content of the file into the text box.
Decryption Password - Specify the decryption password, if necessary.
Import Key And Certificate - Click to import the key and certificate.

Import Existing Private Key and CA-Signed Public Certificate (Two Files in PEM or DER formats) - Select this option if the existing private key and CA-signed certificate are located in two files. The page displays a Private Key and CA-Signed Public Certificate control for browsing to the key and certificate, or a text box for copying and pasting the key and certificate. Important: Importing the private key is optional.
Local File - Browse to the local file for the private key.
Key Text - Paste the text content of the file into the text box.
Decryption Password - Specify the decryption password, if necessary.
Local File - Browse to the local file for the public certificate.
Certificate Text - Paste the text content of the file into the text box.
Import Key And Certificate - Click to import the key and certificate.

Generate New Private Key and Self-Signed Public Certificate - Select this option to generate a new private key and self-signed public certificate.
Cipher Bits - Select the key length from the drop-down list. The default value is
Organization Name - Specify the organization name (for example, the company).
Organization Unit Name - Specify the organization unit name (for example, the section or department).
Locality - Specify the city.
State - Specify the state (no abbreviations).
Country - Specify the country (two-letter code only).
Address - Specify the address of the contact person.
Validity Period - Specify how many days the certificate is valid. The default value is 730.
Generate Key And Certificate - Click to generate key and certificate.
5. To generate a CSR, under Web Certificate, select the Generate CSR tab and complete the configuration, as described in the following table.

Common Name - Specify the common name (for example, Riverbed).
Organization Name - Specify the organization name (for example, the company).
Organization Unit Name - Specify the organization unit name (for example, the section or department).
Locality - Specify the city.
State - Specify the state. Do not abbreviate.
Country - Specify the country (two-letter code only).
Address - Specify the address of the contact person.
Generate CSR - Generates the Certificate Signing Request.

6. Click Apply to apply your changes to the running configuration.

7. Click Save to save your settings permanently.

Maintaining Your System

This section describes how to manage your system including managing CMC backups, viewing job status, upgrading your software, and shutting down and rebooting the system. You have to back up the CMC before you upgrade.

This section includes the following topics:

Working with External CMC Backups on page 76
Viewing Daily Maintenance Window Settings on page 82
Displaying Job Status on page 83
Managing Licenses on page 85
Upgrading Your Software on page 87
Rebooting and Shutting Down the CMC on page 88

Working with External CMC Backups

You can configure backup of the CMC configuration and appliance statistics to an external location in the Configure > Maintenance > External Backup/Restore page.

The following types of data are backed up:

Steelhead appliance configuration information (such as policies and host settings) as configured by the CMC.
Steelhead appliance statistics (such as traffic summary, connection history and data store cost) as reported by the CMC.
CMC configuration information (such as networking, system settings and security settings).
This type of backup is distinct from appliance backups, which serve an archival purpose for a specific appliance.

Some external CMC backups via SSH might partially or completely fail with a particular set of Windows-based SSH servers, yet might succeed without issue with a different set of servers.

SolarWinds SFTP/SCP server - The backup server configuration works, but the actual backup or restore operations fail with either Error 13 (permission denied) or Error 74 (IO Error).

WinSSHD - Ensure that the configured SSH server directory is writable by the username that the CMC uses to connect. If not, the server configuration itself does not work.

Important: Riverbed has not tested or qualified any Windows-based SSH servers. If you have successfully integrated one of these servers in your network, contact Riverbed Support.

This section describes the following procedures:

Configuring External CMC Backups on page 77
Performing Backup Restore on page 81

Configuring External CMC Backups

You can configure the external backups in the Configure > Maintenance > External Backup/Restore page. For details, see Steelhead Appliance Deployment Guide.
To configure external backups

1. Choose Configure > Maintenance > External Backup/Restore to display the External Backup/Restore page.

Figure External Backup/Restore Page
2. Under Backup Server, specify the external location for the backup by completing the configuration, as described in the following table.

Protocol - Select from the drop-down list the file server protocol for the backup server for storing or retrieving the backup: CIFS, NFS, or SSH. Note: If you back up to an NFS or SSH server and the same backup location is subsequently exposed via CIFS, the backup might fail.

Host Name or IP Address - Specify the hostname or IP address for the backup server.

Remote Path - Specify the directory path on the backup server for the backup file.
For example, for CIFS: \<sharename>\<directory>\<directory> or <sharename>/<directory>
For example, for NFS: /<mount>/<point>/<directory>
For example, for SSH: /<directory>/<directory>
Note: The directory must already exist on the backup server.

CIFS Domain - (CIFS only) Specify the CIFS domain. Tip: If the user name corresponds to a local account (as opposed to a domain account), this field should contain the NETBIOS name of the backup server.

User Name - Specify a valid user name for CIFS or SSH access.

Password - Supply a valid password for CIFS or SSH access.

Password Confirm - Confirm the password for CIFS or SSH access.

CIFS Security Mode - Select from the drop-down NTLM or NTLMv2. Tip: Windows 2K8 is not supported with NTLMv2. Note: For more information on Windows Vista and Windows Server 2008 (WSK8), see Note: For information about security flaws and NTLM, see

Time Limit for Statistics Backup - Specify the time limit, in minutes. The default value is 0.

Disk Space Limit - Specify the disk space limit, in MB. The default value is 0.
3. Under Scheduling, set the options to enable configuration and statistics backup, as described in the following table.

Schedule CMC Configuration Backup - Enables the backup of appliance configuration data. Complete the following settings:
Start at - Specify the start date and time using the following format: YYYY/MM/DD HH:MM:SS
Repeat every - Specify the number of days for which the CMC configuration backup operation should be repeated.
Maximum CMC Snapshots Retained - Specify the maximum number of CMC snapshots.

Schedule Appliance Snapshots Backup - Enables the backup of appliance snapshots data. Important: You have to perform a full backup first before you can schedule appliance snapshot backup. Complete the following settings:
Start at - Specify the start date and time using the following format: YYYY/MM/DD HH:MM:SS
Repeat every - Specify the number of days for which the CMC snapshot backup operation should be repeated.

Schedule Statistics Backup - Enables the backup of appliance statistic data. Complete the following settings:
Start at - Specify the start date and time using the following format: YYYY/MM/DD HH:MM:SS
Repeat every - Specify the number of days for which the statistics backup operation should be repeated.

4. Click Apply to apply the settings to the current configuration.

5. Click Save to save your settings permanently.
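A pre-flight review of the Backup Server and Scheduling fields described in the procedure above, added here as an example (it is not Riverbed code): it checks a planned configuration against the guide's path forms, the Start at format, and the CIFS security mode before the values are entered. The dictionary keys, the sample hosts and credentials, and the error/warn severities are assumptions; the CMC exposes no such structure.

```python
import re
from datetime import datetime

# Remote Path forms the guide gives for each protocol.
PATH_FORMS = {
    "CIFS": re.compile(r"\\[^\\/]+(\\[^\\/]+)*|[^\\/]+(/[^\\/]+)*"),
    "NFS": re.compile(r"(/[^/]+)+"),
    "SSH": re.compile(r"(/[^/]+)+"),
}
START_AT = re.compile(r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")


def valid_start_at(text):
    """True if text is a real date and time written as YYYY/MM/DD HH:MM:SS."""
    if not isinstance(text, str) or not START_AT.fullmatch(text):
        return False
    try:
        datetime.strptime(text, "%Y/%m/%d %H:%M:%S")
    except ValueError:  # for example 2012/02/30
        return False
    return True


def review_backup_settings(cfg):
    """Return (severity, field, message) findings for one planned configuration."""
    findings = []

    def add(severity, field, message):
        findings.append((severity, field, message))

    proto = cfg.get("protocol")
    if proto not in PATH_FORMS:
        add("error", "Protocol", "must be CIFS, NFS, or SSH")
        return findings
    if not cfg.get("host"):
        add("error", "Host Name or IP Address", "is empty")
    if not PATH_FORMS[proto].fullmatch(cfg.get("remote_path") or ""):
        add("error", "Remote Path", f"does not fit the {proto} path form")
    if proto in ("CIFS", "SSH"):  # the guide asks for credentials for these two
        if not cfg.get("user"):
            add("error", "User Name", f"is required for {proto} access")
        if not cfg.get("password") or cfg["password"] != cfg.get("password_confirm"):
            add("error", "Password Confirm", "password is missing or not confirmed")
    if proto == "CIFS":
        if not cfg.get("cifs_domain"):
            add("warn", "CIFS Domain",
                "is empty; use the domain, or the server NetBIOS name for a local account")
        mode = cfg.get("cifs_security_mode")
        if mode == "NTLM":
            add("warn", "CIFS Security Mode",
                "NTLM selected; use NTLMv2 where the backup server supports it")
        elif mode != "NTLMv2":
            add("error", "CIFS Security Mode", "must be NTLM or NTLMv2")
    for name, sched in (cfg.get("schedules") or {}).items():
        if not valid_start_at(sched.get("start_at")):
            add("error", f"{name}: Start at", "must be YYYY/MM/DD HH:MM:SS")
        days = sched.get("repeat_days")
        if not isinstance(days, int) or days < 0:  # assumption: negative is never valid
            add("error", f"{name}: Repeat every", "must be a whole number of days")
    return findings


# Constructed sample input: a plan with several problems, then the corrected plan.
WEAK = {
    "protocol": "CIFS", "host": "backup01.example.com",
    "remote_path": "/backups/cmc",            # NFS/SSH form used for a CIFS share
    "cifs_domain": "", "user": "cmcbackup",
    "password": "placeholder-1", "password_confirm": "placeholder-2",
    "cifs_security_mode": "NTLM",
    "schedules": {"Schedule CMC Configuration Backup":
                  {"start_at": "12/01/2012 02:00", "repeat_days": 1}},
}
FIXED = dict(WEAK, remote_path="\\backups\\cmc", cifs_domain="EXAMPLE",
             password_confirm="placeholder-1", cifs_security_mode="NTLMv2",
             schedules={"Schedule CMC Configuration Backup":
                        {"start_at": "2012/12/01 02:00:00", "repeat_days": 1}})

if __name__ == "__main__":
    for label, plan in (("weak", WEAK), ("fixed", FIXED)):
        print(label)
        for severity, field, message in review_backup_settings(plan):
            print(f"  {severity:5} {field}: {message}")
```

The check covers only what can be verified offline; whether the remote directory exists and is writable by the backup user still has to be confirmed on the backup server.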
Performing Backup Restore

You can perform backup operations (for example, creating, restoring, and deleting) in the Backup Operations panel in the Configure > Maintenance > External Backup/Restore page.

To perform backup restore

1. Choose Configure > Maintenance > External Backup/Restore to display the External Backup/Restores page and scroll to the bottom.

Figure External Backup/Restores Page - Backup Operation

The Backup Operations panel displays the history of backup and restore operations for both configuration and statistic data, as described in the following table.

Operation Type - Status Details
CMC Configuration Backup Status - Displays the status and timestamp of the most recent CMC configuration backup.
CMC Snapshots Restore Status - Indicates whether a CMC snapshot restore is currently in process.
Appliance Snapshots Backup Status - Displays the status and timestamp of the most recent appliance snapshot backup.
Appliance Snapshots Restore Status - Indicates whether an appliance snapshot backup restore is currently in process.
Statistics Backup Status - Displays the status and timestamp of the most recent configuration backup.
Statistics Restore Status - Indicates whether a statistics backup restore is currently in process.

An operation can have the following status:

success, <timestamp>
running <time duration>, <percentage complete>
failed <timestamp>
failed <timestamp>, last success: <timestamp>

Note: A status of idle indicates that there is no backup or restore history. The system does not retain a record of backup and restore statuses from prior to system startup (including reboots).
2. Select the operation to be performed from the Backup Operation drop-down list.

3. Depending on the operation you select, additional fields display, as described in the following table.

Backup CMC Configuration - Performs a backup of the current appliance configurations. When this option is selected, an additional field is displayed:
New Snapshot Name - Type the new snapshot name in the text box.

Restore CMC Snapshot - Restores the specified CMC snapshot. When this option is selected, additional fields display:
Restore Snapshot Name - Select the name from the drop-down list.
Restore Secure Vault - Select the check box to enable the restore secure vault option.
Vault Password - Type the vault password.
Restore Primary and Aux network interfaces - Select the check box to restore primary and auxiliary network interfaces.

Remove CMC Snapshot - Removes the specified CMC snapshot. When this option is selected, an additional field displays:
Remove Snapshot Name - Select snapshot name from the drop-down list.

Backup Appliance Snapshots - Performs a backup of the current appliance snapshot. When this option is selected, an additional field is displayed:
Exclude nightly snapshots older than <number> Days - Enter the number of days to be excluded. The default is 0.

Restore Appliance Snapshot - Restores the specified appliance snapshot.

Backup Statistics - Performs a backup of the current appliance statistics.

Restore Statistics - Restores the latest statistics backup.

4. Click Start to begin the selected operation.

Viewing Daily Maintenance Window Settings

You can view daily maintenance window settings in the Configure > Maintenance > Maintenance Window page. The maintenance window is used for nightly jobs, for example, preventative database maintenance and backups for all appliances.

To view daily maintenance window settings

1. Choose Configure > Maintenance > Maintenance Window to display the Maintenance Window page.
Figure Maintenance Window Page

The duration of Maintenance Window should be at least three hours.
2. Complete the configuration, as described in the following table.

Start Time - Type the Start Time. Use the following format: HH:MM:SS.
End Time - Type the End Time. Use the following format: HH:MM:SS.
Apply - Applies your settings.

Displaying Job Status

You can view completed, pending and inactive jobs, as well as jobs that were not completed because of an error in the Configure > Maintenance > Scheduled Jobs page. Jobs are CLI commands that execute at a time you specify.

The only jobs you can schedule using the CMC are software upgrades and configuration pushes; for all other jobs, you must use the CLI. For details about scheduling jobs using the CLI, see the Riverbed Command-Line Interface Reference Manual.

To display job status

1. Choose Configure > Maintenance > Scheduled Jobs to display the Scheduled Jobs page.

Figure Scheduled Jobs Page

2. To cancel a job or to remove a completed job from the list, select the check box next to the entry and click Remove Selected Jobs.

3. Click the Job ID number to display details about the job.

4. Optionally, under Details for Job <#>, complete the configuration, as described in the following table.

Name - Specifies a name for the job.
Comment - Specifies a comment.
Interval (seconds) - Specifies how often the job runs. The default value is 0, which runs the job once.
Executes On - Specifies the date on which the job runs.
Created - Specifies the date when the job was created.
Last Run - Specifies the date when the job was last created.
Enable/Disable Job - Enables the job.
Apply Changes - Applies the changes to the current configuration.
Cancel This Job - Cancels the job.
Execute Now - Runs the job.
Remove Selected Jobs - Select the check box next to the name and click Remove Selected Jobs.

5. Click Save to save your settings permanently.
Managing Licenses

This section describes how to install, update, and remove a license. It also describes how to use flexible licensing to manage model configurations and upgrades.

This section includes the following topics:

Managing CMC Licenses on page 86
Removing a License on page 87

Licenses can be permanent or temporary. Permanent licenses do not display an expiration date in their Status column on the Licenses page; temporary licenses display an expiration date in their Status column. For example, evaluation licenses typically expire in 60 days and display a date within that range.

The system warns you two weeks before a license expires by activating the Expiring License alarm. After a license expires, the system activates the Expired License alarm. You can add a license to extend the functionality of expiring licenses. If more than one license exists for a feature, the system uses the license with the latest expiration date.
Managing CMC Licenses

You perform all license management and update or remove expired licenses on the appliance in the Configure > Maintenance > Licenses page. For more details, see the Steelhead Management Console User's Guide.

For details on hardware platforms that require hardware upgrades, see the Upgrade and Maintenance Guide. For details on installation and configuration, see the Steelhead Appliance Installation and Configuration Guide.

To install a license

1. Choose Configure > Maintenance > Licenses to display the Licenses page.

Figure Licenses Page

The Licenses page includes a table of licenses, with a column showing the date and time the license was installed and the approximate relative time it was installed. The next column shows whether the installation was done manually or automatically.

2. Under Licenses, complete the configuration, as described in the following table.

Add a New License - Displays the controls to add a new license.
Licenses Text Box - Copy and paste the license key provided by Riverbed Support or Sales into the text box. Tip: Separate multiple license keys by pressing the space key, the tab key, or Enter key.
Add - Adds the license.

3. Click Save to save your settings permanently.
Removing a License

Riverbed recommends that you keep old licenses in case you want to downgrade to an earlier software version.

To remove a license

1. Choose Configure > Maintenance > Licenses to display the Configure > Maintenance > Licenses page.

2. Select the license you want to delete.

3. Click Remove Selected.

4. Click Save to save your settings permanently.

Upgrading Your Software

You can upgrade or revert to a backup version of the software in the Configure > Maintenance > Software Upgrade page.

To upgrade or revert software versions

1. Choose Configure > Maintenance > Software Upgrade to display the Software Upgrade page.

Figure Software Upgrade Page

2. To revert to a backed-up version, click Switch to Backup Version under Software Upgrade.
3. Under Install Upgrade, complete the configuration, as described in the following table.

From URL - Click this option and type the URL. If you specify a URL in the URL text box, the image is uploaded, installed, and the system is rebooted at the time you specify.
From Local File - Click this option and type the path or click Browse to navigate to the local file directory. If you specify a file to upload in the Local File text box, the image is uploaded immediately; however, the image is installed and the system is rebooted at the time you specify.
Schedule Upgrade for Later - Schedules the upgrade process. Specify the date and time to run the upgrade: Date and Time - Use the following format: YYYY/MM/DD HH:MM:SS.
Install - Installs the software upgrade on your system.
Cancel - Cancels your changes.

4. Under Software Version History, you can view the entire software history of the current CMC.

5. Reboot the CMC.

Rebooting and Shutting Down the CMC

You can reboot or shut down the system in the Configure > Maintenance > Reboot/Shutdown page.

To restart the system, you must manually turn on the appliance. Rebooting the CMC does not affect the optimization of the appliances. The reboot or shut down operation can take a few minutes. Your unsaved configuration changes are lost if the configuration is not saved prior to reboot or shutdown.

To reboot or shut down the system

1. Choose Configure > Maintenance > Reboot/Shutdown to display the Reboot/Shutdown page.

Figure Reboot/Shutdown Page

2. Click Reboot. After you click Reboot, you are logged out of the system and it is rebooted.

3. Click Shutdown to shut down the system. After you click Shutdown, the system is turned off.
Changing the Account Password

You can change the password in the Configure > My Account page. You must be logged in as the administrator user to change the administrator password.

To change the account password

1. Choose Configure > My Account to display the My Account page.

Figure My Account Page

2. Under Password, complete the configuration, as described in the following table.

Change Password - Specify this option to change the password.
New Password - Specify a new password.
Confirm New Password - Confirm the new password.

3. Click Apply to apply the settings to the current configuration.

The permissions list displays the roles and permissions assigned to your user name. For details, see Managing User Permissions on page

4. Click Save to save your settings permanently.
Managing Configuration Files

You can save, activate, and import configurations in the Configure > Configurations page.

Each CMC has an active, running configuration and a written, saved configuration. When you apply your settings in the CMC, the values are applied to the active running configuration, but the values are not written to disk and saved permanently. When you save your configuration settings, the values are written to disk and saved permanently. They take effect after you restart the RiOS services to which the configuration was pushed.

Each time you save your configuration settings, they are written to the current running configuration, and a backup is created. For example, if the running configuration is myconfig and you save it, myconfig is backed up to myconfig.bak and myconfig is overwritten with the current configuration settings.

The Configuration Manager is a utility that enables you to save configurations as backups or to activate configuration backups. For more information, see the Steelhead and Steelhead CX Management Console User's Guide.

Important: Some configuration settings require that you restart the CMC Steelhead appliance service for the settings to take effect. For details about restarting the Steelhead appliance service, see Starting, Stopping, or Restarting Appliances and Appliance Groups on page 147.

To manage configurations

1. Choose Configure > Configurations to display the Configurations page.

Figure Configurations Page
2. Under Current Configuration: <name>, complete the configuration, as described in the following table.

Current Configuration: <configuration name>
View Running Config - Click to display the running configuration settings in a new browser window.
Save - Click to save settings that have been applied to the running configuration.
Revert - Reverts your settings to the running configuration.

Save Current Configuration - Specify a new filename to save settings that have been applied to the running configuration as a new file, and click Save.

3. To import a configuration from another appliance, click Import a New Configuration and complete the configuration, as described in the following table.

IP/Hostname - Specify the IP address or hostname of the CMC from which you want to import the configuration.
Remote Admin Password - Specify the administrator password for the remote CMC.
Remote Config Name - Specify the name of the configuration you want to import from the remote CMC.
New Config Name - Specify a new, local configuration name.
Import Shared Data Only - This value is enabled by default. Copies only the following common settings: in-path and out-of-path interface, protocols, CLI and Web, statistics, NTP, SNMP, and alarm settings. The system does not automatically copy the following settings: failover, SNMP (contact and location), log, and network settings.
Add - Adds the configuration. The imported configuration appears in the Configuration list but does not become the active configuration until you click Activate.
Remove Selected - Select the check box next to the name and click Remove Selected.

Tip: Click the configuration name to display the configuration settings in a new browser window.

4. To change the currently active configuration, select another configuration from the drop-down list under Change Active Configuration, and click Activate.
CHAPTER 3 Managing Appliances, Groups, and Policies

This chapter describes how to use the CMC to manage Steelhead appliance configurations and policies. This chapter includes the following sections:

Managing Appliances and Appliance Groups on page 93
Managing Appliance Configurations Using Policies and Groups on page 159
Viewing and Managing System Operation History on page 174
Managing Appliance Backups and Restores on page 176
Configuring Software Upgrades on page 179
Managing RSP/VSP on page 181

Managing Appliances and Appliance Groups

You manage appliances and appliance groups in the Manage > Appliances page that displays a table of the currently registered appliances and groups in which they are organized. The Interceptor appliance and the Steelhead Mobile Controller have limited functionality in the appliance panel. For information on version incompatibility, see General Information on Page and Version Incompatibility on page 161.

The data from managed appliances is cached by the CMC every five minutes. Alarms poll the cached data every five minutes; therefore, the data can lag up to ten minutes between the event happening on the Steelhead and the CMC triggering an alarm.

You can perform different appliance operations in the Manage > Appliances page - Appliance Operations tab. For details on performing appliance operations, see Performing Appliance Operations on page 139.

Tasks and Detailed Procedures

The following table provides the tasks that you can perform in the Manage > Appliances page, followed by detailed procedures.

Task - Reference
Create an appliance group. - Creating a New Appliance Group on page 95
Register a new appliance. - Registering New Appliances on page 96
Edit an appliance configuration. - Editing Appliance Configurations on page 97
Remove groups and appliances from the CMC. - Removing Groups and Appliances on page 136
Move groups and appliances from one group to another. - Moving Groups and Appliances on page 137
Filter the display of appliance groups. - Filtering the Display of Appliances and Appliance Groups on page 139
Perform operations on appliances or appliance groups. - Performing Appliance Operations on page 139
Manage hostname settings on remote appliances. - Managing or Viewing Appliance Host Settings on page 100
Manage base interfaces on remote appliances. - Managing or Viewing Appliance Base Interfaces Settings on page 102
Manage in-path interface settings on remote appliances. - Managing or Viewing Appliance In-Path Interface Settings on page 106
Manage subnet side rules settings on remote appliances. - Managing Subnet Side Rules Settings on page 110
Manage SSL settings on remote appliances. - Managing or Viewing Appliance SSL Settings on page 112
Manage licenses settings on remote appliances. - Managing the Licenses Settings on page 119
Manage Web settings on remote appliances. - Configuring Web Settings on page 120
Manage Outbound QoS Interface settings on remote appliances. - Managing Outbound QoS Interfaces on page 124
Manage Inbound QoS Interface settings on remote appliances. - Managing Inbound QoS Interfaces on page 128
Manage Granite settings on remote appliances. - Managing Granite Settings on page 130
Manage Virtual Service platform on remote appliance. - Virtual Services Platform on page 132
Use keys to trust detected appliances. - Trusting Appliances Using Security Keys on page 134
Manage running appliances utilities on remote appliances. - Running Appliance Utilities on page 135
Fetch appliance specific configurations. - Fetching Appliance Specific Configurations on page 134
Manage policies inherited by an appliance. - Viewing Policies Inherited by the Appliance on page 136
Manage removing groups and appliances on remote appliances. - Removing Groups and Appliances on page 136
Manage moving groups and appliances on remote appliances. - Moving Groups and Appliances on page 137
Manage filtering the display of appliances and appliance groups on remote appliances. - Filtering the Display of Appliances and Appliance Groups on page 139
Manage performing appliance operations on remote appliances. - Performing Appliance Operations on page
Creating a New Appliance Group

You can create a new appliance group in the Manage > Appliances page. An appliance group enables you to more effectively organize and manage Steelhead appliances. For example, at the group level you can apply policies, push configurations, set passwords, and so forth. A maximum number of 256 groups can be added.

To create a new appliance group

1. Choose Manage > Appliances to display the Appliances page that displays the following columns.

Groups and Managed Appliances - Lists the Steelhead appliances by group membership. You can open and close groups to show or hide the member groups and appliances.
Product/Model - Displays the hardware model information for listed Steelhead appliances.
Connection - Specifies the status of the connection between the CMC and a Steelhead appliance. The message from the most severely triggered alarm appears here as the health note of the appliance. If there are two equally severe alarms being triggered, the newer alarm is listed here. To view all the alarms related to the appliance, go to the Reports > Appliance Diagnostics > Appliance Details page under the CMC Managed Appliance Alarms table.
Branch Managed - Specifies that a Steelhead appliance is managed individually at the branch office. You cannot manage this Steelhead appliance from the CMC.
Auto Configure - Specifies that a Steelhead appliance is set for auto-configuration and updates automatically each time it connects.
Push Recommended Configuration Difference between the CMC and the appliance - Specifies that the configuration shared by this Steelhead appliance and the CMC has changed. A push configuration might be required to restore synchronization. Push Required - Indicates that there have been policy or configuration changes on the CMC that affect a Steelhead appliance and have not been pushed to the Steelhead appliance.
Policies - Displays the name of the policies assigned to the group.
Time Zone - Displays the time zone for the group.

2. To create a new group, click New Group.

Figure 3-1. Creating a New Group
3. Complete the configuration, as described in the following table.

Name - Specify the name for the group.
Parent Group - Select the parent group for the group from the drop-down list. The default parent value is Global.
Comment - Specify a comment to help you identify the group.
Add - Adds the group to your list of managed Steelhead appliances and groups.

4. Click Save to save the settings permanently.

Registering New Appliances

You can register new appliances in the Manage > Appliances page. Registering a Steelhead appliance creates a connection between the CMC and the Steelhead appliance, enabling you to perform configuration tasks for the appliance on the CMC. The CMC also collects statistics, health, and connection history information from registered Steelhead appliances.

To add a new appliance to a group

1. Choose Manage > Appliances to display the Appliances page.

2. To add a new appliance to a group, click New Appliance to display the New Appliance page.

Figure 3-2. New Appliance Page

If you are using the Common Appliance Credentials, the following message displays: The Common Appliance Credentials will be used to connect to the appliance.
3. Complete the configuration, as described in the following table.

Appliance Type - Identify the appliance type. The options are:
  Steelhead - Selects the Steelhead Appliance option.
  Steelhead EX - Selects the Steelhead Appliance for EX option.
  Mobile Controller - Selects the Steelhead Mobile Controller Appliance option.
  Interceptor - Selects the Interceptor appliance option.
Serial Number - Specify the serial number for the appliance.
Hostname or IP Address - Optionally, specify the IP address or hostname for the remote appliance.
Comment - Specify a descriptive comment to help you identify the group.
Group - Select from the drop-down list the group to which the new appliance belongs. The default value is Global.
Branch Managed - Select the check box to prevent any remote action from being performed on the specified appliance. For example, you would not be able to push configurations to this appliance from the CMC.
Auto Configure - Select the check box to automatically push the current configuration (as defined by the policies applied in this page to the appliance or appliance group) to the current Steelhead appliance the next time it connects to the CMC. This feature is available only when the Steelhead appliance is disconnected. This setting is automatically disabled after the push.
Disable Automatic Upgrades - Select the check box to prevent automatic upgrades from being performed on the specified appliance. For more information about automatic upgrades, see Configuring Software Upgrades on page 179.
User Name - Specify the administrator user name for the remote appliances.
Password - Specify the corresponding password.
Confirm Password - Confirm the corresponding password.
Add - Adds the new appliance.

4. Click Save to save the settings permanently.
5. To set up the auto-registration, see Steelhead Appliance Auto-Registration on page 20.
Editing Appliance Configurations

You can modify Steelhead appliance-specific and non-specific configuration settings directly in the Manage > Appliances page. Changes made to the appliance configuration settings take effect on the appliance only after a policy push: they are not applied to the appliance configuration until you have pushed the configuration to the appliance. For details, see Pushing Policies to Appliances and Appliance Groups on page 141.
The following table lists the tasks that you can perform in the Manage > Appliances page, followed by the detailed procedures.

Task - Reference
Manage host settings on remote appliances. - Managing or Viewing Appliance Host Settings on page 100
Manage base interfaces on remote appliances. - Managing or Viewing Appliance Base Interfaces Settings on page 102
Manage in-path interface settings on remote appliances. - Managing or Viewing Appliance In-Path Interface Settings on page 106
Manage subnet side rules settings on remote appliances. - Managing Subnet Side Rules Settings on page 110
Manage SSL settings on remote appliances. - Managing or Viewing Appliance SSL Settings on page 112
Manage licenses settings on remote appliances. - Managing the Licenses Settings on page 119
Manage Web settings on remote appliances. - Configuring Web Settings on page 120
Manage Outbound QoS Interface settings on remote appliances. - Managing Outbound QoS Interfaces on page 124
Manage Inbound QoS Interface settings on remote appliances. - Managing Inbound QoS Interfaces on page 128
Manage Granite Core settings on remote appliances. - Managing Granite Settings on page 130
Use keys to trust detected appliances. - Trusting Appliances Using Security Keys on page 134
Manage running utilities on remote appliances. - Running Appliance Utilities on page 135
Manage policies inherited by an appliance. - Viewing Policies Inherited by the Appliance on page 136
Manage removing groups and appliances from remote appliances. - Removing Groups and Appliances on page 136
Manage moving groups and appliances from remote appliances. - Moving Groups and Appliances on page 137
Manage filtering the display of appliances and appliance groups on remote appliances. - Filtering the Display of Appliances and Appliance Groups on page 139
Manage performing operations on remote appliances. - Performing Appliance Operations on page
Editing an Appliance Group Panel

You can edit appliance details in the Manage > Appliances page.

To edit an appliance group panel

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the group you want to edit to display the Edit Appliance panel.
3. Click the Edit Group tab to display the Edit Group panel.

Figure 3-3. Edit Group Panel

4. Select the parent group from the drop-down list.
5. Optionally, type a comment.
6. Click Apply to save your changes.

Editing the Policies Panel

You can edit policy details in the Manage > Appliances page.

To edit the policies panel

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the group you want to edit to display the Edit Appliance panel.
3. Click the Policies tab to display the Edit Group panel.

Figure 3-4. Edit Policies Panel

4. Select Add/Remove Policies to make the necessary edits. For more details, see Adding or Removing Policies on page 170.
Editing Appliance-Specific Pages

You can edit Steelhead appliance-specific pages in the Manage > Appliances page in the Appliance Pages tab.

To edit appliance-specific pages

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the group you want to edit to display the Edit Appliance panel.
3. Click the Appliance Pages tab to display the specific appliance pages. For information on each configuration, see Editing Appliance Configurations on page 97.

Figure 3-5. Appliance Pages Tab

Changes made to the appliance configuration settings modify the appliance after a policy push.

Managing or Viewing Appliance Host Settings

You can edit host settings in the Editing Appliance Configuration: <Appliance ID>, Host Settings page. This page applies to Steelhead appliance and Steelhead EX appliance.

To modify host settings for the selected appliance

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the appliance you want to edit to display the Edit Appliance panel.

Figure 3-6. Edit Appliance Panel
3. Click the Appliance Pages tab to display the Appliance Pages panel. For information on each configuration, see Editing Appliance Configurations on page 97.

Figure 3-7. Appliances Page - Appliance Pages Panel

4. Under Appliance Configuration Pages, click Host Settings to display the Editing Appliance Configuration: <Appliance ID>, Host Settings page.

Figure 3-8. Editing Appliance Configuration: <Appliance>, Host Settings Page

5. Complete the configuration, as described in the following table.

Editing Appliance - Select the appliance you want to edit from the drop-down list.
Page - Select the Host Settings from the drop-down list.
Include/Exclude Page - Optionally, click Include to include this page in the policy push. Or, click Exclude to exclude this page from the policy push.
Applicable to - This page is applicable to Steelhead appliance and Steelhead EX appliance.

6. Under Name, type or modify the Hostname value.
7. Click Apply to apply your changes to the running configuration.
Managing or Viewing Appliance Base Interfaces Settings

You can edit base interface settings in the Editing Appliance Configuration: <Appliance ID>, Base Interfaces page. This page applies to Steelhead appliance and Steelhead EX appliance.

When you initially ran the Configuration wizard, you set required settings for the base interfaces for the Steelhead appliance. Use the following groups of controls on this page only if modifications or additional configuration is required:

IPv6 - Enables IPv6 configuration.
Primary interface - On the appliance, the primary interface is the port you connect to the LAN switch. The primary interface is the appliance management interface. You connect to the primary interface to use the Web UI or the CLI.
Auxiliary interface - On the appliance, the auxiliary interface is an optional port you can use to connect the appliance to a non-Riverbed network management device. The IP address for the auxiliary interface must be on a subnet that is different from the primary interface subnet.
Main IPv4 routing table - Displays a summary of the main routing table for the appliance. If necessary, you can add static routes that might be required for out-of-path deployments or particular device management subnets.

To modify base interfaces settings for the selected appliance

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the appliance you want to edit to display the Edit Appliance panel.
3. Click the Appliance Pages tab to display the Appliance Pages panel. For information on each configuration, see Editing Appliance Configurations on page 97.

Figure 3-9. Appliances Page - Appliance Pages Panel
4. Under Appliance Configuration Pages, click Base Interfaces to display the Editing Appliance Configuration: <Appliance ID>, Base Interfaces page.

Figure Editing Appliance Configuration: <Appliance ID>, Base Interfaces Page

5. Complete the configuration, as described in the following table.

Editing Appliance - Select the appliance you want to edit from the drop-down list.
Page - Select the Base Interfaces from the drop-down list.
Include/Exclude Page - Optionally, click Include to include this page in the policy push. Or, click Exclude to exclude this page from the policy push.
Applicable to - This page is applicable to Steelhead appliance and Steelhead EX appliance.
6. Under IPv6, complete the configuration, as described in the following table.

Enable IPv6 on Base Interface - Enables IPv6 on a base interface.

7. Under Primary Interface, complete the configuration, as described in the following table.

Enable Primary Interface - Enables a primary interface.
Obtain IPv4 Address Automatically - Select this option to automatically obtain the IP address from a DHCP server. A DHCP server must be available so that the system can request the IP address from it.
  Important: The primary and in-path interfaces can share the same network subnet, but the primary and auxiliary interfaces cannot share the same network subnet.
Enable IPv4 Dynamic DNS - Select this option to send the hostname with the DHCP request for registration with Dynamic DNS. The hostname is specified in the Configure > Networking > Host Settings page.
Specify IPv4 Address Manually - Select this option if you do not use a DHCP server to set the IPv4 address. Specify the following settings:
  IPv4 Address - Specify an IP address.
  IPv4 Subnet Mask - Specify a subnet mask.
  Default IPv4 Gateway - Specify the default gateway IPv4 address. The default gateway must be in the same network as the primary interface. You must set the default gateway for in-path configurations.
Speed and Duplex -
  Speed - Select a speed from the drop-down list. The default value is Auto.
  Duplex - Select Auto, Full, or Half from the drop-down list. The default value is Auto.
  If your network routers or switches do not automatically negotiate the speed and duplex, be sure to set them manually. The speed and duplex must match (LAN and WAN) in an in-path configuration. If they do not match, you might have a large number of errors on the interface when it is in bypass mode, because the switch and the router are not set with the same duplex settings.
MTU - Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. The default value is

8. Under Auxiliary Interface, complete the configuration, as described in the following table.

Enable Aux Interface - Enables an auxiliary interface.
Obtain IPv4 Address Automatically - Select this option to automatically obtain the IP address from a DHCP server. A DHCP server must be available so that the system can request the IP address from it.
  Important: The primary and in-path interfaces can share the same subnet, but the primary and auxiliary interfaces cannot share the same network subnet.
Enable IPv4 Dynamic DNS - Select this option to send the hostname with the DHCP request for registration with Dynamic DNS. The hostname is specified in the Configure > Networking > Host Settings page.
Specify IPv4 Address Manually - Select this option if you do not use a DHCP server to set the IPv4 address. Specify the following settings:
  IPv4 Address - Specify an IP address.
  IPv4 Subnet Mask - Specify a subnet mask.
Specify IPv6 Address Manually - Select this option if you do not use a DHCP server to set the IPv6 address. Specify the following settings:
  IPv6 Address - Specify an IP address.
  IPv6 Prefix - Specify a subnet mask.
Speed - Select the speed from the drop-down list. The default value is Auto. If your network routers or switches do not automatically negotiate the speed and duplex, be sure to set them on the device manually. The speed and duplex must match (LAN and WAN) in an in-path configuration. To avoid a speed and duplex mismatch, configure your LAN external pair to match the WAN external pair.
Duplex - Select Auto, Full or Half from the drop-down list. The default value is Auto.
MTU - Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. The default value is

9. Click Apply to apply your changes to the running configuration.
10. Click Save to save your changes permanently.

Tip: After you apply your settings, you can verify whether changes have had the desired effect by reviewing related reports. When you have verified the changes, you can write the active configuration that is stored in memory to the active configuration file (or save it as any filename you choose).
To configure routes for IPv4

Under the Main IPv4 Routing table, you can configure static routing in the main routing table for out-of-path deployments or if your device management network requires static routes. You can add or remove routes from the table list, as described in the following table.

Add a New Route - Displays the controls for adding a new route.
Destination IPv4 Address - Specify the destination IP address for the out-of-path appliance or network management device.
IPv4 Subnet Mask - Specify the subnet mask.
Gateway IPv4 Address - Specify the IP address for the gateway. The gateway must be in the same network as the primary or auxiliary interface you are configuring.
Interface - Select the interface from the drop-down list.
Add - Adds the route to the table list.
Remove Selected - Select the check box next to the name and click Remove Selected.

The Central Management Console writes your configuration changes to memory.

To configure routes for IPv6

Under the Main IPv6 Routing Table, you can configure static routing in the main routing table for out-of-path deployments or if your device management network requires static routes. You can add or remove routes from the table list, as described in the following table.

Add a New Route - Displays the controls for adding a new route.
Destination IPv6 Address - Specify the destination IP address for the out-of-path appliance or network management device.
IPv6 Prefix - Specify a prefix. The prefix length is 0 to 128, separated from the address by a forward slash (/).
Gateway IPv6 Address - Specify the IP address for the gateway. The gateway must be in the same network as the primary or auxiliary interface you are configuring.
Add - Adds the route to the table list.
Remove Selected - Select the check box next to the name and click Remove Selected.
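The subnet and gateway rules stated in this guide for the primary, auxiliary, and in-path interfaces and for static routes can be checked before a plan is typed into the CMC. The following Python script is an added example, not part of the Riverbed guide or the CMC: the InterfacePlan structure, the function names, and the sample plans (documentation address ranges) are constructed for illustration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class InterfacePlan:
    """Hypothetical container for the values entered on the interface pages."""
    primary: str                       # primary IPv4 "address/mask"
    default_gateway: str               # Default IPv4 Gateway
    auxiliary: str | None = None       # auxiliary IPv4 "address/mask"
    primary_v6: str | None = None      # primary IPv6 "address/prefix"
    inpath: dict[str, str] = field(default_factory=dict)         # name -> "address/mask"
    routes: list[tuple[str, str]] = field(default_factory=list)  # (destination, gateway)


def _shares_subnet(a, b) -> bool:
    """True when two interfaces of the same IP version sit in overlapping networks."""
    return a.version == b.version and a.network.overlaps(b.network)


def validate(plan: InterfacePlan) -> list[str]:
    """Return one finding per rule from the guide that the plan breaks.

    Interface addresses that cannot be parsed raise ValueError.
    """
    findings: list[str] = []
    primary = ipaddress.ip_interface(plan.primary)
    aux = ipaddress.ip_interface(plan.auxiliary) if plan.auxiliary else None

    # Networks a static-route gateway may live on: primary or auxiliary.
    local = [primary.network]
    if aux is not None:
        local.append(aux.network)
    if plan.primary_v6:
        local.append(ipaddress.ip_interface(plan.primary_v6).network)

    # The default gateway must be in the same network as the primary interface.
    if ipaddress.ip_address(plan.default_gateway) not in primary.network:
        findings.append(
            f"default gateway {plan.default_gateway} is outside {primary.network}")

    # Primary and auxiliary interfaces cannot share a subnet.
    if aux is not None and _shares_subnet(primary, aux):
        findings.append(f"auxiliary {aux} shares a subnet with primary {primary}")

    # In-path may share the primary subnet, but not the auxiliary one.
    for name, cidr in plan.inpath.items():
        iface = ipaddress.ip_interface(cidr)
        if aux is not None and _shares_subnet(iface, aux):
            findings.append(f"{name} {iface} shares a subnet with auxiliary {aux}")

    # Static routes: valid destination and prefix length (0 to 128 for IPv6),
    # gateway on a primary or auxiliary network.
    for dest, gw in plan.routes:
        try:
            ipaddress.ip_network(dest, strict=False)
        except ValueError:
            findings.append(f"route {dest}: invalid destination or prefix length")
            continue
        if not any(ipaddress.ip_address(gw) in net for net in local):
            findings.append(
                f"route {dest}: gateway {gw} is not on a primary or auxiliary network")
    return findings


# Constructed sample plans (RFC 5737 / RFC 3849 documentation ranges).
GOOD_PLAN = InterfacePlan(
    primary="192.0.2.10/255.255.255.0",
    default_gateway="192.0.2.1",
    auxiliary="198.51.100.10/24",
    primary_v6="2001:db8:52::10/60",
    inpath={"inpath0_0": "192.0.2.20/24"},       # same subnet as primary: allowed
    routes=[("203.0.113.0/24", "198.51.100.1"),
            ("2001:db8:100::/48", "2001:db8:52::1")],
)
BAD_PLAN = InterfacePlan(
    primary="192.0.2.10/24",
    default_gateway="198.51.100.1",              # not in the primary network
    auxiliary="192.0.2.200/24",                  # same subnet as primary
    inpath={"inpath0_0": "192.0.2.20/24"},       # same subnet as auxiliary
    routes=[("203.0.113.0/24", "203.0.113.1"),   # gateway not locally reachable
            ("2001:db8:100::/129", "2001:db8:52::1")],  # prefix length > 128
)

if __name__ == "__main__":
    for finding in validate(BAD_PLAN):
        print("FINDING:", finding)
```
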
Managing or Viewing Appliance In-Path Interface Settings

You can edit in-path interface settings in the Editing Appliance Configuration: <Appliance ID>, In-Path Interfaces page. This page applies to Steelhead appliance and Steelhead EX appliance.

To modify in-path interface settings for the selected appliance

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the appliance you want to edit to display the Edit Appliance panel.
3. Click the Appliance Pages tab to display the Appliance Pages panel. For information on each configuration, see Editing Appliance Configurations on page 97.

Figure Appliances Page - Appliance Pages Panel

4. Under Appliance Configuration Pages, click In-Path Interfaces to display the Editing Appliance Configuration: <Appliance ID>, In-Path Interfaces page.

Figure Editing Appliance Configuration: <Appliance ID>, In-Path Interfaces Page
5. Complete the configuration, as described in the following table.

Editing Appliance - Select the appliance you want to edit from the drop-down list.
Page - Select the In-Path Interfaces from the drop-down list.
Include/Exclude Page - Optionally, click Include to include this page in the policy push. Or, click Exclude to exclude this page from the policy push.
Applicable to - This page is applicable to Steelhead appliance and Steelhead EX appliance.
Version Incompatibilities - For more details, see Version Incompatibilities for In-Path Rules on page

6. Under In-Path Settings, complete the configuration, as described in the following table.

Enable Link State Propagation - Enables link state propagation (LSP). With LSP enabled, if the LAN interface drops the link, the WAN also drops the link. LSP is enabled by default. If you require a Steelhead appliance to perform fail-to-wire (bypass) when the LAN or WAN ports become disconnected, enable this feature. This feature is similar to what ISPs do to follow the state of a link. You cannot reach a MIP interface when LSP is also enabled and the corresponding in-path interface fails. In physical in-path deployments, LSP shortens the recovery time of a link failure. LSP communicates link status between the devices connected to the Steelhead appliance and is enabled by default in RiOS v6.0 and later. Cloud Steelhead and Virtual Steelhead models do not support LSP.
Apply - Applies your changes to the running configuration.

7. Select the interface that you want to edit to view the configuration properties details.

Figure Editing Appliance Configuration: <Appliance ID>, Editing In-Path Interfaces Page
8. Modify the configuration, as described in the following table.

Interface inpath0_0 Configured - Enables an interface.
Obtain IPv4 Address Automatically - Specify this option to set the appliance to automatically obtain the IPv4 address.
  Important: The primary and auxiliary interfaces cannot share the same network subnet, and the auxiliary and in-path interfaces cannot share the same subnet. You cannot use the auxiliary port for out-of-path Steelhead appliances.
Specify IPv4 Address Manually - Select this option if you do not use a DHCP server to set the IPv4 address. Specify the following settings:
  IPv4 Address - Specify an IP address.
  IPv4 Subnet Mask - Specify a subnet mask.
  In-Path Gateway IP - Specify the default gateway IP address. The default gateway must be in the same network as the primary interface. You must set the default gateway for in-path configurations.
LAN Speed - Select the LAN speed from the drop-down list. The default value is Auto.
WAN Speed - Select the WAN speed from the drop-down list. The default value is Auto.
MTU (Bytes) - Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. The default value is
VLAN Tag ID - Specify the VLAN Tag ID.
Duplex - Select Auto, Full or Half from the drop-down list. The default value is Auto. If your network routers or switches do not automatically negotiate the speed and duplex, be sure to set them on the device manually. The speed and duplex must match (LAN and WAN) in an in-path configuration. To avoid a speed and duplex mismatch, configure your LAN external pair to match the WAN external pair.
Specify IPv6 Address Manually - Select this option if you do not use a DHCP server to set the IPv6 address. Specify the following settings:
  IPv6 Address - Specify an IP address using the following format: eight 16-bit hex strings separated by colons, 128 bits. For example:
    2001:38dc:0052:0000:0000:e9a4:00c5:6282
  You do not need to include leading zeros. For example:
    2001:38dc:52:0:0:e9a4:c5:6282
  You can replace consecutive zero strings with double colons (::). For example:
    2001:38dc:52::e9a4:c5:6282
  IPv6 Prefix - Specify a prefix. The prefix length is 0 to 128, separated from the address by a forward slash (/). In the following example, 60 is the prefix:
    2001:38dc:52::e9a4:c5:6282/60
  IPv6 Gateway - Specify the gateway IP address. The default gateway must be in the same network as the primary interface.
  Note: You cannot set an IPv6 address dynamically using a DHCP server.
9. Under Management Interface <Appliance ID>, modify the configuration as described in the following table.

Enable Appliance Management on This Interface - Enables a MIP interface. If LSP or fail-to-block is enabled, a message reminds you to disable the feature before enabling the MIP interface.
IPv4 Address - Specify the IP address for the MIP interface.
IPv4 Subnet Mask - Specify the subnet mask.
VLAN Tag ID - Specifies a numeric VLAN tag ID. When you specify the VLAN Tag ID for the MIP interface, all packets originating from the Steelhead appliance are tagged with that identification number. Specify the VLAN tag that the appliance uses to communicate with other Steelhead appliances in your network. The VLAN Tag ID might be the same value or a different value than the in-path interface VLAN tag ID. The MIP interface could be un-tagged and in-path interface could be tagged and vice versa. A zero (0) value specifies non-tagged (or native VLAN) and is the correct setting if there are no VLANs present. For example, if the MIP interface is in VLAN 200, you would specify tag

10. Under Additional Interfaces, select any additional interfaces.
11. Click Apply to apply your changes to the running configuration.
12. Click Save to save your settings permanently.

Version Incompatibilities for In-path Interfaces

In-path interfaces is incompatible with:

Steelhead appliance v6.1.x - is configurable with limitations.
Steelhead appliance v6.5.x - is configurable with limitations.
Steelhead appliance v7.0.x - is configurable with limitations.
Steelhead EX appliance v1.0.x - is configurable with limitations.

Managing Subnet Side Rules Settings

You can manage subnet side rules settings in the Editing Appliance Configuration: <Appliance ID>, Subnet Side Rules page. This page applies to Steelhead appliance and Steelhead EX appliance.

To modify subnet side rules settings for the selected appliance

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the appliance you want to edit to display the Edit Appliance panel.
3. Click the Appliance Pages tab to display the Appliance Pages panel. For information on each configuration, see Editing Appliance Configurations on page 97.

Figure Appliances Page - Appliances Pages Panel

4. Under Appliance Configuration Pages, click Subnet Side Rules to display the Editing Appliance Configuration: <Appliance ID>, Subnet Side Rules page.

Figure Editing Appliance Configuration: <Appliance ID>, Subnet Side Rules Page

5. Complete the configuration, as described in the following table.

Editing Appliance - Select the appliance you want to edit from the drop-down list.
Page - Select the Subnet Side Rules from the drop-down list.
Include/Exclude Page - Optionally, click Include to include this page in the policy push. Or, click Exclude to exclude this page from the policy push.
Applicable to - This page is applicable to Steelhead appliance and Steelhead EX appliance.

6. Modify the configuration, as described in the following table.

Add a Subnet Side Rule - Displays controls for adding a subnet side rule.
Insert Rule At - Determines the order in which the system evaluates the rule. Select start, end, or a rule number from the drop-down list.
Subnet - Specify the subnet.
Subnet is on the LAN side of this appliance - Select this option if the subnet is on the LAN side of the appliance.
Subnet is on the WAN side of this appliance - Select this option if the subnet is on the WAN side of the appliance.
Remove Subnet Rules - Select the check box next to the name and click Remove Subnet Rules.
Move Subnet Rules - Select the check box next to the name and click Move Subnet Rules.
Add - Adds the new subnet side rule.

7. Click Save to save your settings permanently.

Managing or Viewing Appliance SSL Settings

You can edit the SSL settings for a specific appliance in the Manage > Appliances page. This page applies to Steelhead appliance and Steelhead EX appliance.

The following procedures are described in these sections:

Accessing SSL Settings for a Specific Appliance on page 112
Displaying the Certificate PEM on page 113
Replacing the SSL Certificate on page 115
Exporting the Certificate on page 117
Generating the CSR on page 117

For detailed information, see the Steelhead Management Console User's Guide.

Accessing SSL Settings for a Specific Appliance

All SSL settings for a specific appliance can be modified or viewed from the Appliance Pages panel.

To access the SSL settings for a specific appliance

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the appliance you want to edit to display the Edit Appliance panel.
3. Click the Appliance Pages tab to display the Appliance Pages panel. For information on each configuration, see Editing Appliance Configurations on page 97.

Figure Appliances Page - Appliances Pages Panel

4. Under Appliance Configuration Pages, click SSL to display the Editing Appliance Configuration: <Appliance ID>, SSL page.

Figure Editing Appliance Configuration: <Appliance ID>, SSL Page

5. For detailed procedures for each configuration page, see:

Displaying the Certificate PEM on page 113
Replacing the SSL Certificate on page 115
Exporting the Certificate on page 117
Generating the CSR on page 117

Displaying the Certificate PEM

You can display the certificate PEM for the selected appliance in the Editing Appliance Configuration: <Appliance ID>, SSL page.

To view peering certificate details

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the appliance you want to edit to display the Edit Appliance panel.
3. Click the Appliance Pages tab to display the Appliance Pages panel. For information on each configuration, see Editing Appliance Configurations on page 97.

Figure Appliances Page - Appliances Pages Panel

4. Under Appliance Configuration Pages, click SSL to display the Editing Appliance Configuration: <Appliance ID>, SSL page.
5. Complete the configuration, as described in the following table.

Editing Appliance - Select the appliance you want to edit from the drop-down list.
Page - Select the SSL from the drop-down list.
Include Page - Optionally, click Include to include this page in the policy push.
Applicable to - This page is applicable to Steelhead appliance and Steelhead EX appliance.

6. Click the Display Certificate PEM panel to display the contents.

Figure Display Certificate PEM Panel
Replacing the SSL Certificate

You can replace SSL certificates for the selected appliance in the Editing Appliance Configuration: <Appliance ID>, SSL page.

To replace the SSL certificate

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the appliance you want to edit to display the Edit Appliance panel.
3. Click the Appliance Pages tab to display the Appliance Pages panel. For information on each configuration, see Editing Appliance Configurations on page 97.

Figure Appliances Page - Appliances Pages Panel

4. Under Appliance Configuration Pages, click SSL to display the Editing Appliance Configuration: <Appliance ID>, SSL page.
5. Click the Replace Certificate panel to display the contents.

Figure Replace Certificate Panel
124 Managing Appliances, Groups, and Policies Managing Appliances and Appliance Groups 6. Use the controls to complete the configuration, as described in the following table. Import Existing Private Key and CA-Signed Public Certificate (One File in PEM or PKCS12 formats) Click this option if the existing private key and CA-signed certificate are located in one file. The page displays a Private Key and CA-Signed Public Certificate control for browsing to the key and certificate files or a text box for copying and pasting the key and certificate. The private key is required. Local File - Browse to the local file. Text - Paste the text content of the file into the text box. Decryption Password - Specify the decryption password, if necessary. Import Key And Certificate - Imports the key and the certificate. Import Existing Private Key and CA-Signed Public Certificate (Two Files in PEM or DER formats) Click this option if the existing private key and CA-signed certificate are located in two files. The page displays a Private Key and Public Certificate control for browsing to the key and certificate files or a text box for copying and pasting the key and certificate. Importing the private key is optional. Local File - Browse to the local file. Key Text - Paste the text content of the file into the text box. Decryption Password - Specify the description password. Certificate Text - Paste the certificate text content of the file into the text box. Import Key And Certificate - Imports the key and the certificate. Generate New Private Key and Self-Signed Public Certificate Click this option to generate a new private key and self-signed public certificate. Cipher Bits - Select the key length from the drop-down list. The default value is Common Name - Specify the hostname of the peer. Organization Name - Specify the organization name (for example, the company). Organization Unit Name - Specify the organization unit name (for example, the section or department). 
    Locality - Specify the city.
    State - Specify the state.
    Country - Specify the country (two-letter code only).
    Address - Specify the address of the contact person.
    Validity Period (Days) - Specify how many days the certificate is valid for. The default value is 730.
    Generate Key And Certificate - Generates the key and the certificate.

7. Click Save to save the settings permanently.
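Before using the one-file import option described above, it helps to confirm that the PEM file really contains both a private key and a certificate, and whether a decryption password will be needed. The following is an added example, not part of the Riverbed guide; the function names and the sample PEM blocks are constructed for illustration, and it inspects PEM labels and headers only (no PKCS12 parsing, no check that the key matches the certificate).

```python
import base64
import binascii
import re

# RFC 7468 textual encoding: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY",
              "EC PRIVATE KEY", "DSA PRIVATE KEY"}


def parse_pem_blocks(text):
    """Split PEM text into blocks: label, legacy headers, decoded body bytes."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        headers, b64_lines = {}, []
        for line in body.splitlines():
            line = line.strip()
            if not line:
                continue
            if ":" in line:  # legacy header such as "Proc-Type: 4,ENCRYPTED"
                name, value = line.split(":", 1)
                headers[name.strip()] = value.strip()
            else:
                b64_lines.append(line)
        try:
            data = base64.b64decode("".join(b64_lines), validate=True)
        except (binascii.Error, ValueError):
            data = None  # body is not valid base64
        blocks.append({"label": label, "headers": headers, "data": data})
    return blocks


def check_import(text, key_required=True):
    """Pre-import check of pasted PEM text.

    key_required=True models the one-file option (private key required);
    key_required=False models the two-file option (private key optional).
    """
    keys = certs = 0
    needs_password = False
    problems = []
    for block in parse_pem_blocks(text):
        label, data = block["label"], block["data"]
        legacy_enc = "ENCRYPTED" in block["headers"].get("Proc-Type", "")
        if label in KEY_LABELS:
            keys += 1
            if legacy_enc or label == "ENCRYPTED PRIVATE KEY":
                needs_password = True
        elif label == "CERTIFICATE":
            certs += 1
        else:  # for example a CSR pasted in place of the signed certificate
            problems.append(f"unexpected block: {label}")
            continue
        if data is None:
            problems.append(f"{label}: body is not valid base64")
        elif not legacy_enc and not data.startswith(b"\x30"):
            # Unencrypted keys, PKCS#8 encrypted keys and certificates are all
            # DER SEQUENCEs; only legacy-encrypted bodies are raw ciphertext.
            problems.append(f"{label}: body is not a DER SEQUENCE")
    if certs == 0:
        problems.append("no certificate found")
    if keys == 0 and key_required:
        problems.append("no private key found (required for the one-file import)")
    return {"private_keys": keys, "certificates": certs,
            "needs_password": needs_password, "problems": problems}


def make_pem(label, data, headers=()):
    """Build a PEM block from raw bytes (used only for the constructed samples)."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [f"-----BEGIN {label}-----", *headers]
    if headers:
        lines.append("")
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"


# Constructed samples: the bodies are placeholder bytes, not real keys or certificates.
SAMPLE_CERT = make_pem("CERTIFICATE", b"\x30\x82\x01\x0a" + bytes(60))
SAMPLE_KEY_ENCRYPTED = make_pem(
    "RSA PRIVATE KEY", bytes(range(48)),
    headers=("Proc-Type: 4,ENCRYPTED",
             "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF"),
)

if __name__ == "__main__":
    print(check_import(SAMPLE_KEY_ENCRYPTED + SAMPLE_CERT))
    print(check_import(SAMPLE_CERT))
```

An empty `problems` list with `needs_password` set means the file is structurally ready for import and the Decryption Password field must be filled in.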
Exporting the Certificate

You can export the SSL certificate from the selected appliance in the Editing Appliance Configuration: <Appliance ID>, SSL page.

To export the SSL certificate

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the appliance you want to edit to display the Edit Appliance panel.
3. Click the Appliance Pages tab to display the Appliance Pages panel. For information on each configuration, see Editing Appliance Configurations on page 97.

Figure: Appliances Page - Appliances Pages Panel

4. Under Appliance Configuration Pages, click SSL to display the Editing Appliance Configuration: <Appliance ID>, SSL page.
5. Click the Export Certificate panel to display the contents.

Figure: Export Certificate Panel

6. Select the Include Private Key check box.
7. Type and confirm the password.
8. Click Export.

Generating the CSR

You can generate the certificate for the selected appliance in the Editing Appliance Configuration: <Appliance ID>, SSL page.
To generate the certificate

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the appliance you want to edit to display the Edit Appliance panel.
3. Click the Appliance Pages tab to display the Appliance Pages panel. For information on each configuration, see Editing Appliance Configurations on page 97.

Figure: Appliances Page - Appliances Pages Panel

4. Under Appliance Configuration Pages, click SSL to display the Editing Appliance Configuration: <Appliance ID>, SSL page.
5. Click the Generate CSR panel to display the contents.

Figure: Generate Certificate Panel

6. Use the controls to complete the configuration, as described in the following table.

Common Name
    Specify the common name (hostname).
Organization Name
    Specify the organization name (for example, the company).
Organization Unit Name
    Specify the organization unit name (for example, the section or department).
Locality
    Specify the city.
State
    Specify the state.
Country
    Specify the country (two-letter code only).
Address
    Specify the address of the contact person.
Generate CSR
    Generates the Certificate Signing Request (CSR).

Managing the Licenses Settings

You can view licenses for the selected appliance in the Editing Appliance Configuration: <Appliance ID>, Licenses page. The CMC does not edit or delete licenses for a Steelhead appliance; it can only add new license keys. This page applies to Steelhead appliance and Steelhead EX appliance. For details, see the Steelhead Management Console User's Guide.

To view licenses

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the appliance you want to edit to display the Edit Appliance panel.
3. Click the Appliance Pages tab to display the Appliance Pages panel. For information on each configuration, see Editing Appliance Configurations on page 97.

Figure: Appliances Page - Appliances Pages Panel
4. Under Appliance Configuration Pages, click Licenses to display the Editing Appliance Configuration <Appliance ID>, Licenses page.

Figure: Edit Appliance Configuration <appliance>, Licenses Page

5. Complete the configuration, as described in the following table.

Editing Appliance
    Select the appliance you want to edit from the drop-down list.
Page
    Select the Licenses from the drop-down list.
Include/Exclude
    Optionally, click Include to include this page in the policy push. Or, click Exclude to exclude this page from the policy push.
Page Applicable to
    This page is applicable to Steelhead appliance and Steelhead EX appliance.

6. Use the controls to complete the configuration, as described in the following table.

Add a New License
    Displays the controls for adding a new license.
Text box
    Type or paste the license into the text area.
Add
    Adds the new license.
Remove Selected
    Select the check box next to the license name and click Remove Selected.
License
    Displays the license number.
Description
    Displays the description of the license.
Status
    Displays the status of the license.
Installation Date & Time
    Displays the installation date and time of the license.
Method
    Displays the upload method of the license.

Configuring Web Settings

You can configure Web settings in the Editing Appliance Configuration: <Appliance ID>, Web Settings page. This page applies to Steelhead appliance and Steelhead EX appliance. For details, see the Steelhead Management Console User's Guide.
To modify Web settings

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the appliance you want to edit to display the Edit Appliance panel.
3. Click the Appliance Pages tab to display the Appliance Pages panel. For information on each configuration, see Editing Appliance Configurations on page 97.

Figure: Appliances Page - Appliances Pages Panel

4. Under Appliance Configuration Pages, click Web Settings to display the Editing Appliance Configuration <Appliance ID>, Web Settings page.

Figure: Web Settings Page

5. Complete the configuration, as described in the following table.

Editing Appliance
    Select the appliance you want to edit from the drop-down list.
Page
    Select the Web settings from the drop-down list.
Include/Exclude
    Optionally, click Include to include this page in the policy push. Or, click Exclude to exclude this page from the policy push.
Page Applicable to
    This page is applicable to Steelhead appliance and Steelhead EX appliance.
Page Applicable to
    This page is applicable to Steelhead appliance and Steelhead EX appliance.
Version Incompatibility
    Displays the version incompatibility for this page. For more information, see Version Incompatibility for Web Settings on page

6. Under Web Settings, complete the configuration, as described in the following table.

Default Web Login ID
    Specify the user name that appears in the authentication page. The default value is admin.
Web Inactivity Timeout (minutes)
    Specify the number of idle minutes before time-out. The default value is 0. A value of 0 disables time-out.
Allow Session Timeouts When Viewing Auto-Refreshing Pages
    By default, session time-out is enabled, which stops the automatic updating of the report pages when the session times out. Clear the Allow check box to disable the session timeout, remain logged-in indefinitely, and automatically refresh the report pages.
    Important: Disabling this feature poses a security risk.

7. The identity certificate details appear, as described in the following table.

Issued To/Issued By
    Common Name - Specifies the common name of the certificate authority.
    - Specifies the .
    Organization - Specifies the organization name (for example, the company).
    Organization Unit - Specifies the organization unit name (for example, section or department).
    Locality - Specifies the city.
    State - Specifies the state.
    Country - Specifies the country.
Validity
    Issued On - Specifies the date the certificate was issued.
    Expires On - Specifies the date the certificate expires.
Fingerprint
    Specifies the SSL fingerprint.
Key
    Type - Specifies the key type.
    Size - Specifies the size, in bytes.

8. To view PEM information, under Web Certificate, click PEM.
9. To replace an existing certificate, under Web Certificate, click Replace and complete the configuration, as described in the following table.

Import Existing Private Key and CA-Signed Public Certificate (One File in PEM or PKCS12 formats)
    Click this option if the existing private key and CA-signed certificate are located in one file. The page displays a Private Key and CA-Signed Public Certificate control for browsing to the key and certificate files or a text box for copying and pasting the key and certificate. The private key is required.
    Local File - Browse to the local file.
    Text - Paste the text content of the file into the text box.
    Decryption Password - Specify the decryption password, if necessary.
    Set - Sets the peer.

Import Existing Private Key and CA-Signed Public Certificate (Two Files in PEM or DER formats)
    Select this option if the existing private key and CA-signed certificate are located in two files. The page displays a Private Key and CA-Signed Public Certificate control for browsing to the key and certificate files or a text box for copying and pasting the key and certificate. Importing the private key is optional.

Generate New Private Key and Self-Signed Public Certificate
    Select to generate a new private key and self-signed public certificate.
    Cipher Bits - Select the key length from the drop-down list. The default value is
    Common Name (required) - Specify the hostname of the peer.
    Organization Name - Specify the organization name (for example, the company).
    Organization Unit Name - Specify the organization unit name (for example, the section or department).
    Locality - Specify the city.
    State (no abbreviations) - Specify the state.
    Country (2-letter code) - Specify the country (two-letter code only).
    Address - Specify the address of the contact person.
    Validity Period (Days) - Specify how many days the certificate is valid. The default value is

10. To generate a CSR, under Web Certificate, click Generate CSR and complete the configuration as described in the following table.

Organization Name
    Specify the organization name (for example, the company).
Organization Unit Name
    Specify the organization unit name (for example, the section or department).
Locality
    Specify the city.
State
    Specify the state. Do not abbreviate.
Country (2-letter code)
    Specify the country (two-letter code only).
Address
    Specify the address of the contact person.
Generate CSR
    Generates the Certificate Signing Request (CSR).

11. Click Apply to apply your changes to the running configuration.
12. Click Save to save your settings permanently.

Version Incompatibility for Web Settings

Web Settings are incompatible with:
    Steelhead appliance v6.1.x - is configurable with limitations.

Managing Outbound QoS Interfaces

This section describes how to set Riverbed Quality of Service (QoS) policies. This section includes the following topics:
    Configuring Outbound QoS (Basic) on page 124
    Configuring Outbound QoS (Advanced) on page 126

QoS is a reservation system for network traffic. In its most basic form, QoS enables organizations to allocate network resources across multiple traffic types of varying importance. Advanced QoS implementations allow organizations to accurately control their applications by the amount of bandwidth they have access to and by their sensitivity to delay.

For more information on QoS, see the Steelhead Management Console User's Guide. For QoS configuration examples, see the Steelhead Appliance Deployment Guide.

This page applies to Steelhead appliance and Steelhead EX appliance.

Configuring Outbound QoS (Basic)

This section describes Outbound QoS (Basic). For information on whether to deploy basic outbound or advanced outbound QoS, see the Steelhead Management Console User's Guide.

Outbound QoS (Basic) simplifies QoS configuration by accurately identifying business applications and classifying traffic according to priorities. The Steelhead appliance uses this information to control the amount of WAN resources that each application can use. This ensures that your important applications are prioritized and removes the guesswork from protecting performance of key applications. In addition, basic outbound QoS prevents recreational applications from interfering with business applications.

Outbound QoS (Basic) comes with a predefined set of six classes, a list of global applications, and a predefined set of policies. All interfaces have the same link rate. To view the predefined global application list, go to

Outbound QoS (Basic) includes a default site that is tied to the predefined service policy Medium Office. The bandwidth for the default site is automatically set to the same bandwidth as the interfaces WAN throughput value. You can edit the bandwidth for the default site, but you cannot edit the subnet. You cannot add or delete classes in Outbound QoS (Basic).
To modify Outbound QoS (Basic) settings

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the appliance you want to edit to display the Edit Appliance panel.
3. Click the Appliance Pages tab to display the Appliance Pages panel. For information on each configuration, see Editing Appliance Configurations on page 97.

Figure: Appliances Page - Appliances Pages Panel

4. Under Appliance Configuration Pages, click Outbound QoS Interfaces to display the Editing Appliance Configuration: <Appliance ID>.
5. Complete the configuration, as described in the following table.

Editing Appliance
    Select the appliance you want to edit from the drop-down list.
Page
    Select the Outbound QoS Interfaces from the drop-down list.
Include/Exclude
    Optionally, click Include to include this page in the policy push. Or, click Exclude to exclude this page from the policy push.
Page Applicable to
    This page is applicable to Steelhead appliance and Steelhead EX appliance.
Version Incompatibility
    Displays the version incompatibility for this page. For more information, see Version Incompatibilities for Outbound QoS (Basic) on page 408.
6. Click Outbound QoS (Basic) tab to display the Outbound QoS Interfaces - Outbound QoS (Basic) option page.

Figure: Outbound QoS (Basic) Page

7. Under WAN Link, complete the configuration, as described in the following table.

WAN Bandwidth (kbps)
    Specify its bandwidth link rate in Kbps. The link rate is the bottleneck WAN bandwidth, not the interface speed out of the WAN interface into the router or switch. For example, if your Steelhead appliance connects to a router with a 100-Mbps link, do not specify this value; specify the actual WAN bandwidth (for example, T1 or T3).
    Important: Different WAN interfaces can have different WAN bandwidths; you must enter the bandwidth link rate correctly for QoS to function properly.
Interfaces detected on the Appliance
    Select the necessary check box(es).
Additional Interfaces
    Select the necessary check box(es).

8. Click Apply to apply your changes to the running configuration.
9. Click Save to save your settings permanently.

Configuring Outbound QoS (Advanced)

Outbound QoS (Advanced) provides a greater degree of configurability than Outbound QoS (Basic); for example, you can separate rules by sites and you can perform Application Flow Engine (AFE) matching. For more details, see the Steelhead Management Console User's Guide.
If you are configuring QoS for the first time, you must migrate from Outbound QoS (Basic) to Outbound QoS (Advanced).

To modify Outbound QoS (Advanced) settings

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the appliance you want to edit to display the Edit Appliance panel.
3. Click the Appliance Pages tab to display the Appliance Pages panel. For information on each configuration, see Editing Appliance Configurations on page 97.

Figure: Appliances Page - Appliances Pages Panel

4. Under Appliance Configuration Pages, click Outbound QoS Interfaces to display the Editing Appliance Configuration: <Appliance ID> page.
5. Complete the configuration, as described in the following table.

Editing Appliance
    Select the appliance you want to edit from the drop-down list.
Page
    Select the Outbound QoS Interfaces from the drop-down list.
Include
    Optionally, click Include to include this page in the policy push.
Page Applicable to
    This page is applicable to Steelhead appliance and Steelhead EX appliance.
Version Incompatibility
    Displays the version incompatibility for this page. For more information, see Version Incompatibilities for Outbound QoS (Advanced) on page 414.
6. Click Outbound QoS (Advanced) tab to display the Outbound QoS Interfaces - Outbound QoS (Advanced) option page.

Figure: Outbound QoS (Advanced) Page

7. Under WAN Link, complete the configuration, as described in the following table. In a basic QoS configuration, the WAN bandwidth specified for the primary interface is applied to all the interfaces.

Interfaces detected on the Appliance
    Select the necessary check box(es).
Additional Interfaces
    Select the necessary check box(es).

8. Click Apply to apply your changes to the running configuration.
9. Click Save to save your settings permanently.

Managing Inbound QoS Interfaces

This section describes how to manage the inbound Riverbed Quality of Service (QoS) interfaces. For more information on QoS, see the Steelhead Management Console User's Guide. For QoS configuration examples, see the Steelhead Appliance Deployment Guide.

This page applies to Steelhead appliance and Steelhead EX appliance.
To modify Inbound QoS interfaces

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the appliance you want to edit to display the Edit Appliance panel.
3. Click the Appliance Pages tab to display the Appliance Pages panel. For information on each configuration, see Editing Appliance Configurations on page 97.

Figure: Appliances Page - Appliances Pages Panel

4. Under Appliance Configuration Pages, click Inbound QoS Interfaces to display the Editing Appliance Configuration: <Appliance ID>, Inbound QoS Interfaces page.

Figure: Inbound QoS Interfaces Page
5. Complete the configuration, as described in the following table.

Editing Appliance
    Select the appliance you want to edit from the drop-down list.
Page
    Select the Inbound QoS Interfaces from the drop-down list.
Include/Exclude
    Optionally, click Include to include this page in the policy push. Or, click Exclude to exclude this page from the policy push.
Page Applicable to
    This page is applicable to Steelhead appliance and Steelhead EX appliance.
Version Incompatibility
    Displays the version incompatibility for this page. For more information, see Version Incompatibilities for Inbound QoS Interfaces on page

6. Under WAN Link, complete the configuration, as described in the following table.

WAN Bandwidth (kbps)
    Specify WAN interface bandwidth link rate in Kbps. The link rate is the bottleneck WAN bandwidth, not the interface speed out of the WAN interface into the router or switch. For example, if your Steelhead appliance connects to a router with a 100-Mbps link, do not specify this value; specify the actual WAN bandwidth (for example, T1 or T3).
    Important: Different WAN interfaces can have different WAN bandwidths; you must enter the bandwidth link rate correctly for QoS to function properly.
Interfaces detected on the Appliance
    Select the necessary check box(es).
Additional Interfaces
    Select the necessary check box(es).
Apply
    Click Apply to apply your changes to the running configuration.

Managing Granite Settings

This section describes how to manage the Granite settings. For more information on Granite, see the Granite Core Management Console User's Guide. For Granite Core configuration examples, see the Steelhead Appliance Deployment Guide.

This feature applies to Steelhead EX appliances.

To modify Granite Core interfaces

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the appliance you want to edit to display the Edit Appliance panel.
3. Click the Appliance Pages tab to display the Appliance Pages panel. For information on each configuration, see Editing Appliance Configurations on page
4. Complete the configuration, as described in the following table.

Editing Appliance
    Select the appliance you want to edit from the drop-down list.
Page
    Select the Inbound QoS Interfaces from the drop-down list.
Include/Exclude
    Optionally, click Include to include this page in the policy push. Or, click Exclude to exclude this page from the policy push.
Page Applicable to
    This page is applicable to Steelhead EX appliance.

5. Under Appliance Configuration Pages, click Granite Settings to display the Editing Appliance Configuration: <Appliance ID>, Granite Settings page.

Figure: Granite Settings Page

6. Under Granite Core Settings, complete the configuration, as described in the following table.

Connect to a Granite Core
    Enables Granite Core settings.
Hostname/IP
    Specify the hostname of the Granite Core appliance.
    Important: The Granite Core identifier is case-sensitive.
Granite Edge Identifier
    Specify a value by which the current appliance device can be recognized by the Granite Core appliance. You may use any value. For example, the device's hostname.
    Note: The Steelhead EX machine must be licensed.
    Important: If failover is configured, both appliances must use the same self identifier. In this case, you can use a value that represents the group of appliances. For more information, see the Steelhead Management Console User's Guide for Steelhead EX.
Port
    Specify the port number for the Granite Core appliance.
Local Interface
    Select the local interface from the drop-down list.
Connect to an active Granite Edge as standby Peer for High Availability
    Enables Granite Edge settings.
Granite Edge Serial Number
    Specify the Granite Edge number.
Granite Edge Identifier
    Specify a value by which the current appliance device can be recognized by the Granite Edge appliance.
Granite Edge IP Address
    Specify the Granite Edge IP address. A legal IPv4 address (nnn.nnn.nnn.nnn) is required.
Interface
    Select the interface from the drop-down list.
Alternate Granite Edge IP Address
    Specify the Granite Edge IP address. A legal IPv4 address (nnn.nnn.nnn.nnn) is required.
Alternate Interface
    Select an alternate interface from the drop-down list.
Interface to Granite Core
    Select the interface to Granite Core from the drop-down list.
Apply
    Click to complete the Granite Core appliance configuration.

Virtual Services Platform

This section describes how to manage the virtual services platform. This feature applies to Steelhead EX appliances.

To modify virtual services platform

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the appliance you want to edit to display the Edit Appliance panel.
3. Click the Appliance Pages tab to display the Appliance Pages panel. For information on each configuration, see Editing Appliance Configurations on page
4. Complete the configuration, as described in the following table.

Editing Appliance
    Select the appliance you want to edit from the drop-down list.
Page
    Select the Inbound QoS Interfaces from the drop-down list.
Include/Exclude
    Optionally, click Include to include this page in the policy push. Or, click Exclude to exclude this page from the policy push.
Page Applicable to
    This page is applicable to Steelhead EX appliance.
5. Under Appliance Configuration Pages, click Virtual Services Platform to display the Editing Appliance Configuration: <Appliance ID>, Virtual Services Platform page.

Figure: Virtual Services Page

6. Select the ESXi Management Interface from the drop-down list.
7. Under vmk1 (ESXi primary), complete the configuration, as described in the following table.

Enable Interface
    Enables vmk1 (ESXi primary) interface.
Obtain IPv4 Address Automatically
    Select this option to automatically obtain the IP address from a DHCP server. A DHCP server must be available so that the system can request the IP address from it.
    Important: The primary and in-path interfaces can share the same network subnet, but the primary and auxiliary interfaces cannot share the same network subnet.
    Enable IPv4 DHCP DNS - Select this option to enable IPv4 DHCP DNS option.
Specify IPv4 Address Manually
    Select this option if you do not use a DHCP server to set the IPv4 address. Specify the following settings:
    IPv4 Address - Specify an IP address.
    IPv4 Subnet Mask - Specify a subnet mask.
8. Under vmk2 (ESXi aux) complete the configuration, as described in the following table.

Enable Interface
    Enables vmk2 (ESXi aux) interface.
Obtain IPv4 Address Automatically
    Select this option to automatically obtain the IP address from a DHCP server. A DHCP server must be available so that the system can request the IP address from it.
    Important: The primary and in-path interfaces can share the same network subnet, but the primary and auxiliary interfaces cannot share the same network subnet.
    Enable IPv4 DHCP DNS - Select this option to enable IPv4 DHCP DNS option.
Specify IPv4 Address Manually
    Select this option if you do not use a DHCP server to set the IPv4 address. Specify the following settings:
    IPv4 Address - Specify an IP address.
    IPv4 Subnet Mask - Specify a subnet mask.
Gateway
    Specify the gateway.
Apply
    Click Apply to apply your changes to the running configurations.

Version Incompatibilities for Virtual Services Platform

Virtual Services Platform is incompatible with:
    Steelhead EX appliance v1.0.x - is not configurable.

Fetching Appliance Specific Configurations

You can copy the appliance specific configuration (network interfaces, licenses, etc.) into the Appliance Pages. The appliance must be connected.

To fetch appliance specific configurations

1. Choose Manage > Appliances to display the Manage > Appliances page. Scroll to the bottom of the page.
2. Under Fetch Appliance-Specific Configuration, select Set the fetched pages to be included in a policy push. By default, none of the fetched pages are included.
3. Click Fetch Appliance Configuration.

Trusting Appliances Using Security Keys

You can enable the CMC to trust detected Steelhead appliances based on appliance-specific security keys in the Manage > Appliances page. This feature requires generating a key for the Steelhead appliance. For details, see Managing or Viewing Appliance SSL Settings on page
To use the Trust Appliances by Key feature

1. Choose Manage > Appliances to display the Manage > Appliances page. Scroll to the bottom of the page and toggle open the Trust Appliances by Key field to open the text box.
2. Paste in the keys for the appliances to be automatically trusted, and click Trust.

If you enable the Strict Key Verification feature, you must create keys for all Steelhead appliances to enable them to connect to the CMC. For details on Strict Key Verification, see Configuring CMC Security Settings on page 57.

Running Appliance Utilities

You can run appliance utilities (reconnecting and fetching configurations) in the Manage > Appliances page.

To run appliance utilities

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the appliance you want to edit to display the Edit Appliance panel.
3. Click Appliance Utilities to display the Editing Appliance Configuration <appliance>, Utilities panel.

Figure: Edit Appliances Utility Panel

4. Complete the configuration as described in the following table.

Update
    Click Update to update the current appliance serial number. Set this appliance's serial number to be the actual value stored on the appliance itself (This will be changed system-wide but all state will remain intact and accessible). The appliance must be connected.
Reconnect
    Click Reconnect to reconnect the CMC to the current appliance. Establishing a new connection to an appliance takes about half a minute.
    Note: Reconnecting does not affect policy configurations.

5. After clicking Reconnect, the Edit Appliance <serial number> panel closes.
Viewing Policies Inherited by the Appliance

You can view the policies that are inherited by the appliance in the Manage > Appliances page. Only pages pushed to the appliance are displayed.

To view policies inherited by an appliance

1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the appliance you want to view to display the Edit Appliance panel.
3. Click the Inherited Policies panel to display the Inherited Policies panel.

Figure: Appliances Page - Inherited Policies Panel

4. Select the Page that you want to view or edit.

The Inherited Policies panel lists the policies and feature sets that are inherited by the appliance. Click a link in the Page column to display and edit the appliance configuration for that page. Click the link in the Policy column to edit the policy. For details on each policy and page, see Managing Appliance Configurations Using Policies and Groups on page 159.

The Page column lists the policy and the Policy column displays the feature source. Clicking the policy edits the policy.

Figure: Example of Inherited Policies Page

Removing Groups and Appliances

You can remove groups and appliances in the Manage > Appliances page. The Global group cannot be deleted.
To remove an appliance or a group

1. Choose Manage > Appliances to display the Appliances page.

Figure: Appliances Page

2. Select the check boxes next to the appliances or groups you want to remove.
3. Click Remove Selected. When you remove a group, the child appliances in the group automatically move to the nearest available ancestor, such as the Global group.
4. Click Save to save the settings permanently.

Moving Groups and Appliances

You can move groups and appliances from one parent group to another in the Manage > Appliances page. When moving a group, all appliances and subgroups within that group move.

To move groups and appliances

1. Choose Manage > Appliances to display the Appliances page.

Figure: Appliances Page

2. Select the check boxes next to the appliances or groups you want to move to another group.
3. Click Move Selected. Arrows display next to all available groups to which the selected items can be moved.
4. Click the arrow next to the group to which you want to move the selected items.
5. Click Save to save the settings permanently.
Filtering the Display of Appliances and Appliance Groups

You can filter the display of managed appliances in the Manage > Appliances page. For example, if you specify A16, only appliances and groups with that string in their identifiers display in the list.

To filter the display of managed appliances

1. Choose Manage > Appliances to display the Appliances page.
2. Click the Filter tab to display the filter controls.

Figure: Filter Table

3. Type an expression into the fields to filter the display of appliances. This filter applies only to appliances, not groups. You can filter by the following string values:
   Products: Steelhead, Steelhead EX, Interceptor, Mobile Controller
   Group Name Address or Serial Number Model Number Software Version Connection State Health Status Policy Comment
4. Click Apply Filter to select the appliances that match the filtered criteria.

Performing Appliance Operations

You can perform different appliance operations in the Manage > Appliances page - Appliance Operations tab.
To perform different appliance operations

1. Choose Manage > Appliances to display the Manage > Appliances page.
2. Click the Appliances Operations tab to display the different options.

Figure: Manage > Appliances Page - Appliance Operations Tab

3. The following table provides the tasks that you can perform in the Manage > Appliances page - Appliance Operations tab, followed by detailed procedures:

Task: Push configurations to selected appliances and appliance groups.
Reference: Pushing Policies to Appliances and Appliance Groups on page 141

Task: Replace (generate) the peering certificates.
Reference: Replacing (Generating) Peering Certificates on page 143

Task: Update the license.
Reference: Updating Licenses on page 144

Task: Upgrade the software images on selected appliances and appliance groups.
Reference: Upgrading Software on page 144

Task: Reboot selected appliances and appliance groups.
Reference: Rebooting Appliances and Appliance Groups on page 147

Task: Start and stop the system service on selected appliances and appliance groups.
Reference: Starting, Stopping, or Restarting Appliances and Appliance Groups on page 147

Task: Shut down the system on selected appliances and appliance groups.
Reference: Shutting Down Appliances and Appliance Groups on page 149

Task: Set the password for administrator and monitor users on selected appliances and appliance groups.
Reference: Setting the Password for Appliances and Appliance Groups on page 150

Task: Unlock the Secure Vault on selected appliances and appliance groups. When the vault on an appliance is locked, you cannot push some configuration settings.
Reference: Unlocking the Secure Vault on page 151

Task: Change the password for the Secure Vault on selected appliances and appliance groups.
Reference: Changing the Secure Vault Password on page 152

Task: Send a set of CLI commands to the selected appliances and groups.
Reference: Sending CLI Commands to Appliances and Appliance Groups on page 153

Task: Start or stop the Cascade service.
Reference: Starting or Stopping Cascade Shark Service on page 154

Task: Disable the SSL Server Certificate Export.
Reference: Disabling SSL Server Certificate Export on page 155

Task: Disconnect selected Steelhead EX from the Granite Core appliance.
Reference: Removing Granite Core on page 156

Task: Join or leave a Windows domain.
Reference: Joining or Leaving a Windows Domain
Pushing Policies to Appliances and Appliance Groups

You can push CMC configurations (in the form of policies) to selected appliances or appliance groups in the Manage > Appliances page. Any changes made to policies on the CMC do not take effect on Steelhead appliances until the new configurations are pushed to the Steelhead appliance.

Any time you push CMC configurations (in the form of policies) to selected appliances or appliance groups, appliance page configurations are also pushed. Similarly, appliance page configurations are also populated when you fetch policies from an appliance. For details on appliance page configurations, see Editing Appliance Configurations on page 97. For details on fetching configurations from appliances, see Running Appliance Utilities on page 135.

Any scheduled operations on appliance groups execute on the CMC's time and not the managed appliance time. For example, if the CMC clock is set to PDT but the managed appliance clock is set to Central European Summer Time (CEST), then an operation scheduled for midnight (PDT) on the CMC is executed at 9 AM on the managed appliance (CEST).

Important: This operation applies only to Steelhead appliances.

To push a configuration to an appliance or an appliance group

1. Choose Manage > Appliances to display the Appliances page.
2. Click the Appliance Operations tab to display the operation options.
3. Select Push Policies from the operation drop-down list.

Figure: Appliance Operation - Push Policy Option
4. Under Push Policies, complete the configuration, as described in the following table. The results of this operation can be viewed in the Operation History page.

Restart Optimization Service If Required: Click to restart the optimization services after the push.

Restart QoS Service If Required: Click to stop the QoS service on the appliance when QoS policies are being pushed. The service restarts if QoS Classification and Enforcement are enabled in the QoS policy being pushed. The QoS service must be disabled if the policy push changes the queue type of an existing QoS class on the appliance. (This applies only to Advanced QoS.) In that case, the push fails if QoS is not disabled. This option disables QoS for the duration of the push on all appliances that a basic or advanced QoS page is pushed to. This temporarily disrupts QoS enforcement.

Schedule Deferred Push: Specify the date and time, using the following formats: YYYY/MM/DD, HH:MM:SS. If this option is not selected, the push occurs the next time the appliance connects.

Push: Select the check box next to the name of the appliance and appliance groups you want to change and click Push to push the configuration to the selected appliances or appliance groups.

5. Click Save to save the settings permanently.
Replacing (Generating) Peering Certificates

You can replace the peering certificates used to secure the inner channel between the Steelhead appliances by generating new private keys and self-signed public certificates in the Manage > Appliances page.

A policy push must be initiated to all Steelhead appliances for the new certificate(s) to be used in peering. If the policy push excludes any affected Steelhead appliances, SSL optimization to the Steelhead appliances does not work properly.

To replace (generate) peering certificates

1. Choose Manage > Appliances to display the Appliances page.
2. Click the Appliance Operations tab to display the operation options.
3. Select Replace (Generate) Peering Certificates from the operation drop-down list.

Figure: Replace (Generate) Peering Certificates Option

4. Under Self-Signed Certificate, complete the configuration, as described in the following table.

Common Name: Specify the common name of a certificate. To facilitate configuration, you can use wildcards in the name. For example, *.nbttech.com. If you have three origin servers using different certificates, such as webmail.nbttech.com, internal.nbttech.com, and marketingweb.nbttech.com, on the server-side Steelhead appliances, all three server configurations can use the same certificate name *.nbttech.com.

Organization Name: Specify the organization name (for example, the company).

Organization Unit Name: Specify the organization unit name (for example, the section or department).

Locality: Specify the city.

State: Specify the state.

Country: Specify the country (2-letter code only).

Address: Specify the address of the contact person.

Validity Period: Specify how many days the certificate is valid.
5. Click Replace to replace the peering certificates.
6. Click Save to save the settings permanently.

Updating Licenses

You can update your license in the Manage > Appliances page.

To update a license

1. Choose Manage > Appliances to display the Appliances page.
2. Click the Appliance Operations tab to display the operation options.
3. Select License Update from the operation drop-down list.

Figure: License Update Option

4. Under License Update Method, complete the configuration, as described in the following table.

Update License using Riverbed Licensing Portal: Select the option to update the license using the Riverbed Licensing Portal.

From Local File: Click this option and type the path, or click Browse to navigate to the local file directory.

Update: Click Update to update the current license.

Upgrading Software

You can upgrade the software image on selected appliances or groups in the Manage > Appliances page. Software images can be obtained from a URL or the image library, which is managed on the Configure Upgrades page.

To upgrade appliances or appliance groups

1. Choose Manage > Appliances to display the Appliances page.
2. Click the Appliance Operations tab to display the operation options.
3. Select Upgrade Software from the operation drop-down list.

Figure: Upgrading Software Option
4. Complete the configuration, as described in the following table.

Image Source: This panel provides the same set of options for 32-bit appliances and 64-bit appliances, and for transitioning to 64-bit. Under the appropriate set, select and configure one of the following options:
   - From the Library - Specify this option to specify an image currently in the image library. Select the image from the Image drop-down list.
   - From a URL - Specify the URL source for the software image. When the upgrade is performed, the CMC sends the URL to the Steelhead appliance, which obtains the image from the URL directly (as opposed to from the CMC).

Upgrade Options: Select one of the following options:
   - Upgrade now - Upgrades the image immediately.
   - Schedule upgrade - Optionally, specify this option to schedule the upgrade for a specific date and time. Use the following format: YYYY/MM/DD, HH:MM:SS

Reboot Options: Select one of the following options:
   - Do not reboot after upgrade - Does not reboot the selected appliances or appliance groups in conjunction with the upgrade. When this option is selected, the upgraded appliances do not automatically upgrade when rebooted. To complete the upgrade process, reboot the appliances using the Reboot operation with the Switch to Backup Partition option. For details, see Rebooting Appliances and Appliance Groups on page 147.
   - Reboot immediately after upgrade - Reboots the selected appliances or appliance groups immediately after upgrade.
   - Schedule a reboot after upgrade - Reboots the selected appliances or appliance groups to the upgraded version at the specified date and time (YYYY/MM/DD, HH:MM:SS).

Upgrade: Select the check box next to the name of the appliance and appliance groups you want to change and click Upgrade to install the software image on the selected appliances or appliance groups.

5. Click Save to save the settings permanently.
The results of this operation are viewed in the Operation History page.
Rebooting Appliances and Appliance Groups

You can reboot selected appliances and appliance groups in the Manage > Appliances page.

To reboot an appliance or an appliance group

1. Choose Manage > Appliances to display the Appliances page.
2. Click the Appliance Operations tab to display the operation options.
3. Select Reboot from the operation drop-down list.

Figure: Reboot Option

4. Complete the configuration, as described in the following table.

Switch to the Backup Partition: Select this option to have the selected appliances upgrade to loaded versions when they reboot. Note: This step is required to complete an upgrade that was configured with the Do not reboot after upgrade option. For details, see Upgrading Software on page 144.

Schedule Deferred Reboot: Specify the date and time for scheduled reboot. Use the following format: YYYY/MM/DD HH:MM:SS.

5. Click Reboot to reboot the selected appliances or appliance groups. The results of this operation can be viewed in the Operation History page.

Starting, Stopping, or Restarting Appliances and Appliance Groups

You can start, stop, and restart selected appliances and appliance groups in the Manage > Appliances page. For more information on user permissions, see User Permissions on page 419.

Important: This operation applies only to Steelhead appliances, Steelhead EXs, and Interceptor appliances.

To start, stop, or restart an appliance or an appliance group

1. Choose Manage > Appliances to display the Appliances page.
2. Click the Appliance Operations tab to display the operation options.
3. Select Start/Stop Services from the operation drop-down list.

Figure: Appliances Page - Start/Stop Services Option

4. Complete the configuration, as described in the following table.

Service Action: Select Start, Stop, or Restart from the drop-down list. This option applies only to Steelhead appliances and Interceptor appliances.

Clean Data Store: Specify this option to clean the RiOS data store. Note: This option only applies to Steelhead appliances.

Schedule Deferred Service Action: Specify the date and time. Use the following format: YYYY/MM/DD HH:MM:SS. Note: This option only applies to Steelhead appliances, Steelhead EXs, and Interceptors.

Apply: Click Apply to apply your changes to the selected appliances or appliance groups. The results of this operation can be viewed in the Operation History page.

5. Click Save to save the settings permanently.
Shutting Down Appliances and Appliance Groups

You can shut down selected appliances and appliance groups in the Manage > Appliances page.

To shut down an appliance or an appliance group

1. Choose Manage > Appliances to display the Appliances page.
2. Click the Appliance Operations tab to display the operation options.
3. Select Shutdown from the operation drop-down list.

Figure: Shutdown Option

4. Complete the configuration, as described in the following table.

Clean Data Store: Specify to clean the RiOS data store.

Schedule Deferred Shutdown: Specify the date and time. Use the following formats: YYYY/MM/DD HH:MM:SS

Shutdown: Select the check box next to the name of the appliance and appliance groups you want to shut down and click Shutdown. The results of this operation can be viewed in the Operation History page.

5. Click Save to save the settings permanently.
Setting the Password for Appliances and Appliance Groups

You can set the password for selected appliances and appliance groups in the Manage > Appliances page. The CMC sets the password for the user the CMC is using to connect with the Steelhead appliance. The CMC automatically updates the password that is used by the CMC to connect with the Steelhead appliance.

To set the password for an appliance or an appliance group

1. Choose Manage > Appliances to display the Appliances page.
2. Click the Appliance Operations tab to display the operation options.
3. Select Set Password from the operation drop-down list.

Figure: Set Password Option

4. Complete the configuration, as described in the following table.

User: Type admin or monitor in the text box.

Password: Specify the password.

Confirm Password: Confirm the password.

Set Password: Click Set Password to set the specified password. The results of this operation can be viewed in the Operation History page.

5. Click Save to save the settings permanently.
Unlocking the Secure Vault

You can unlock the Secure Vault on selected appliances and appliance groups in the Manage > Appliances page. The CMC unlocks the Secure Vault on the selected appliances if the correct password is specified. After it unlocks the Secure Vault, it updates the CMC's stored copy of each selected appliance's Secure Vault password. When the vault on an appliance is locked, you are unable to push some configuration settings.

To unlock the secure vault on an appliance or an appliance group

1. Choose Manage > Appliances to display the Appliances page.
2. Click the Appliance Operations tab to display the operation options.
3. Select Unlock Secure Vault from the operation drop-down list.

Figure: Unlock Secure Vault Option

4. Type the password and click Unlock Vault to unlock the secure vault on the selected appliances and appliance groups. The results of this operation can be viewed in the Operation History page.
Changing the Secure Vault Password

Important: This operation applies only to Steelhead appliances, Steelhead EX appliances, and Steelhead Mobile Controllers.

You can change the password for the Secure Vault on selected appliances and appliance groups in the Manage > Appliances page. The CMC attempts to change the Secure Vault password for the selected appliances. After it changes the Secure Vault password, it updates the CMC's stored copy of each selected appliance's Secure Vault password. The CMC must know the current Secure Vault password, which is set on the SSL configuration page of each appliance. This operation automatically updates the CMC's stored copy of each selected appliance's password.

To change the secure vault password on an appliance or an appliance group

1. Choose Manage > Appliances to display the Appliances page.
2. Click the Appliance Operations tab to display the operation options.
3. Select Change Secure Vault Password from the operation drop-down list.

Figure: Change Secure Vault Password Option

4. Type the current password, or leave the text box blank if factory password is used.
5. Type the new vault password, or leave the text box blank to reset factory password.
6. Confirm the new secure vault password.
7. Click Change Password to change the secure vault password. The results of this operation can be viewed in the Operation History page.
Sending CLI Commands to Appliances and Appliance Groups

You can send CLI commands to selected appliances and appliance groups in the Manage > Appliances page.

To send CLI commands to an appliance or an appliance group

1. Choose Manage > Appliances to display the Appliances page.
2. Click the Appliance Operations tab to display the operation options.
3. Select Send CLI Commands from the operation drop-down list.

Figure: Send CLI Commands Option
4. Complete the configuration, as described in the following table.

Text field: Paste or type in the set of CLI commands in the provided text field. This feature provides the flexibility to configure your appliances using CLI commands. For example, using the CLI commands in policies:
   - enables you to configure new Steelhead features.
   - enables you to override specific configuration items at a subpage granularity without maintaining multiple copies of otherwise identical policies.
   Note: While this is a great feature, keep the following in mind:
   - The CMC cannot parse the CLI commands itself and perform a check to verify if they are compatible with the rest of the configuration; therefore, a failure is harder to diagnose.
   - The CLI commands from all assigned policies are sent with every push. In this case, you have to go through every policy that is assigned to every parent group of the Steelhead and individually check its details to view what was exactly pushed.
   Note: Each command must be on a separate line.

Schedule Deferred Command Execution: Select this option to schedule a deferred command and specify the date and time. Use the following format: YYYY/MM/DD, HH:MM:SS.

Send: Click Send to execute the commands on the appliance. The results of this operation can be viewed in the Operation History page.

5. Click Save to save the settings permanently.

Starting or Stopping Cascade Shark Service

You can start or stop Cascade Shark in the Manage > Appliances page. This operation only applies to Steelhead appliances and might take up to five minutes to take effect.

To start or stop the Cascade Shark service

1. Choose Manage > Appliances to display the Appliances page.
2. Click the Appliance Operations tab to display the operation options.
3. Select Cascade Shark from the operation drop-down list.

Figure: Cascade Shark Option
4. Complete the configuration, as described in the following table.

Service Action: Select Start or Stop from the drop-down list.

Apply: Click Apply to save your settings.

Disabling SSL Server Certificate Export

You can disable SSL server certificate export on selected appliances and appliance groups in the Manage > Appliances page. For security reasons, once a certificate export has been disabled, it cannot be re-enabled.

Important: This operation only applies to Steelhead appliances.

Consider making SSL server certificates and private keys non-exportable with your particular security goals in mind. Before doing so, you must have a thorough understanding of its impact. Use caution and consider the following before making SSL configurations non-exportable:

- After disabling export on a new Steelhead appliance running v7.0.1, you cannot re-enable it unless you perform a factory reset on the Steelhead appliance (losing the configuration) or clear the secure vault.
- After upgrading a Steelhead appliance to RiOS v7.0.1 and disabling export, you cannot export any preexisting or newly added server certificates and private keys to another Steelhead appliance.
- After disabling export, any newly added server certificates and keys are marked as non-exportable.
- After disabling export and then downgrading a Steelhead appliance to a previous RiOS version, you cannot export any of the existing server certificates and private keys. You can export any newly added server certificates and private keys.
- Disabling export prevents the copy of the secure vault content.

For more details, see the Steelhead Management Console User's Guide.

To disable SSL server certificate export

1. Choose Manage > Appliances to display the Appliances page.
2. Click the Appliance Operations tab to display the operation options.
3. Select Disable SSL Server Certificate Export from the operation drop-down list.
Figure: Disable SSL Server Certificate Export Option

4. Click Disable SSL Server Export. The system reminds you that disabling export cannot be undone.
5. Click Disable Export.
6. Click Apply to apply your settings.
7. Click Save to save your settings permanently.

Removing Granite Core

You can disconnect selected Steelhead EX appliances from the Granite Core appliance they are connected to in the Manage > Appliances page. For more information, see the Steelhead Management Console User's Guide for Steelhead EX.

Important: This operation only applies to Steelhead EX appliances.

To remove Granite Core

1. Choose Manage > Appliances to display the Appliances page.
2. Click the Appliance Operations tab to display the operation options.
3. Select Remove Granite Core from the operation drop-down list.

Figure: Remove Granite Core Option

4. Click Remove and click Save.

Joining or Leaving a Windows Domain

You can join or leave a Windows domain in the Manage > Appliances page. For more information, see the Steelhead Management Console User's Guide.

To join or leave a Windows domain

1. Choose Manage > Appliances to display the Appliances page.
2. Click the Appliance Operations tab to display the operation options.
3. Select Join/Leave a Windows Domain from the operation drop-down list.

Figure: Join/Leave a Windows Domain Option

4. Complete the configuration, as described in the following table.

Domain action: Joins the domain or leaves the domain. Important: If you are in domain mode and have joined a domain, you cannot change to local workgroup mode until you leave the domain.

Active Directory Domain Name/Realm: Specify the domain in which to make the Steelhead appliance a member. Typically, this is your company domain name. RiOS v5.5 and later supports Windows 2000 or later domains. RiOS does not support nondomain accounts other than administrator accounts. If you create Local mode shares on a nonadministrator account, your security permissions for the share are not preserved on the origin-file server.
Join Account Type: Specifies which account type the server-side Steelhead appliance uses to join the domain controller.

   In RiOS v7.0, you can optimize the traffic to and from hosted Exchange servers using the Microsoft hosted Business Productivity Online Services - Dedicated (BPOS-D). You must join the server-side Steelhead appliance to the domain as either an RODC for Windows 2008 and higher or a BDC for Windows 2003 and higher domains. This allows the Steelhead appliance to use authentication within the BPOS-D environment on the Exchange servers that provide Microsoft Exchange online services. The domain that the server-side Steelhead appliance joins must be either the same as the client user or any domain that trusts the domain of the client user.

   The BDC and RODC account types provide a way to optimize NTLM authentication from Windows 7/2008 R2 and newer clients when using transparent mode. The server-side Steelhead appliance joins a domain with DC privileges and then uses NTLM pass-through authentication to perform the authentication. Using transparent mode simplifies the configuration.

   Select one of the following options from the drop-down list:

   - Workstation - Joins the server-side Steelhead appliance to the domain with workstation privilege. You can join the domain to this account type using any ordinary user account that has the permission to join a machine to the domain. This is the default setting.

   - BDC - Joins the server-side Steelhead appliances as a backup domain controller (BDC) in the Active Directory domain. If the account for the server-side Steelhead was not already present, it is created in organizational unit (OU) domain controllers. If the account existed previously as a domain computer then its location does not change. You can move the account to a different OU later. When you select BDC, you must specify one or more domain controller name(s), separated by commas. You must have Administrator privileges to join the domain as a BDC. BDC does not support cross-domain authentication where the user is from a domain trusted by the domain to which the server-side Steelhead appliance is joined.

   - RODC - Joins the server-side Steelhead appliance to the read-only domain controller (RODC) in the Active Directory domain. RODC support is for Windows 2008 DCs and higher and supports authentication across domains. You must explicitly specify the Windows 2008 DCs as a comma-separated list in the Domain Controller Names field. The list should contain either the name or IP address of the Windows 2008 DCs. You must have Administrator privileges to join the domain as an RODC. Additionally, if the user account is in a domain that is different from the domain to which the join is being performed, specify the user account in the format domain\\username. Do not specify the user account in the format username@realmname. In this case, domain is the short domain name of the domain to which the user belongs. This feature does not support BPOS-S or BPOS-F.

   Even though the Steelhead appliance is acting as an RODC, it does not provide any Windows domain controller functionality to any other machines in the domain.

Domain Login: Specify the login name, which must have domain join privileges. Domain administrator credentials are not strictly required, except when you join the domain as an RODC or BDC. RiOS deletes domain administrator credentials after the join.
Password: Specify the password. This control is case-sensitive.

Domain Controller Name(s): Specify the hosts that provide user login service in the domain, separated by commas. (Typically, with Windows 2000 Active Directory Service domains, given a domain name, the system automatically retrieves the DC name.) The domain controller name is required when joining the domain as an RODC. Note: Riverbed recommends specifying the domain controller name in high latency situations, because it reduces the time to join the domain significantly.

Short Domain Name: Specify the short domain (NetBIOS) name if it does not match the first portion of the Active Directory domain name. Case matters; NBTTECH is not the same as nbttech.

Apply: Applies your settings.

Managing Appliance Configurations Using Policies and Groups

You can manage appliance configurations using the policies and groups in the Manage > Policies page. For information on how to configure high availability for Granite Edge-enabled Steelhead EX appliances, see the Steelhead EX Management Console User's Guide.

This section describes the following:

- Understanding Policies and Policy Usage on page 159
- General Information on Page and Version Incompatibility on page 161
- Centralized Configuration with Groups and Policies on page 162
- Inheriting or Overriding Policy Settings from a Parent Group on page 162
- Fetching Configurations on page 163
- Managing Policies on page 164

Understanding Policies and Policy Usage

This section describes policies and policy usage. This section includes the following topics:

- How Policies and Inheritance Work on page 159
- Policy Types on page 160
- Basic Steps to Create and Push a Policy on page 160

How Policies and Inheritance Work

A policy is a collection of configuration settings that can be applied to Steelhead appliances or groups of Steelhead appliances.
The configuration settings can be inherited by all members of the group. All groups and Steelhead appliances are contained within the Global group. As a result, all policy configurations from the Global group are inherited by all child groups and Steelhead appliances.
To modify these configurations, you can apply different policies at the group or Steelhead appliance level. For greater flexibility, you can configure policies to inherit some feature-set values from the parent group but override others. The resulting policy configuration is a combination of feature sets inherited from the parent and feature sets from the policy, and is applied to the child Steelhead appliance or group.

Policy Types

Each policy type is made up of particular RiOS features. Only one policy type can be applied to a group or an appliance. The following table summarizes the available policies and their respective feature sets.

Type - Feature Sets
Optimization Policy - Use optimization policies to organize appliances in which optimization is a key component. For more details on optimization policy settings, see Optimization Policy Settings on page 312.
System Settings Policy - Use system settings policies to organize and manage the feature sets. For more details on system settings policy, see System Settings Policies on page 369.
Networking Policy - Use networking policies to manage the feature sets. For more details on networking policy settings, see Networking Policy Settings on page 386.
Security Policy - Use security policies to manage appliances in which security is a key component. For more details on security policy settings, see Security Policy Settings on page 418.
Branch Services Policy - Use branch services policies to manage the feature sets. For more details on branch service policy settings, see Branch Services Settings on page 427.

For details on RiOS feature sets, see the Steelhead Management Console User's Guide.

Basic Steps to Create and Push a Policy

The following table lists the basic steps needed to create and configure a policy, followed by detailed procedures.

1. Add an appliance to an appliance group. Reference: To add a new appliance to a group on page
2. Create a policy. Reference: Creating a New Policy on page
3. Assign a policy to an appliance or appliance group. Reference: Assigning Policies on page
4. Push a configuration to an appliance or appliance group. Reference: To push a configuration to an appliance or an appliance group on page
General Information on Page and Version Incompatibility

The following table lists the type of version incompatibility, followed by a cross-reference to that section.

Type - Reference
In-Path Interfaces version incompatibility - Version Incompatibilities for In-path Interfaces on page 110
Web Settings version incompatibility - Version Incompatibility for Web Settings on page 124
Virtual Services Platform version incompatibilities - Version Incompatibilities for Virtual Services Platform on page 134
In-Path Rules version incompatibility - Version Incompatibilities for In-Path Rules on page 324
HTTP version incompatibility - Version Incompatibilities for HTTP on page 348
Windows Domain Authorization version incompatibility - Version Incompatibilities for Windows Domain Auth on page 354
Cloud Accelerator version incompatibility - Version Incompatibilities for Cloud Accelerator on page 368
Logging version incompatibility - Version Incompatibilities for Logging on page 381
SNMP ACLs version incompatibility - Version Incompatibilities for SNMP ACLs on page 383
SNMP Basic version incompatibility - Version Incompatibilities for SNMP Basic on page 384
Host Settings version incompatibility - Version Incompatibilities for Host Settings on page 388
Inbound QoS version incompatibility - Version Incompatibilities for Inbound QoS on page 395
Inbound QoS Interfaces version incompatibility - Version Incompatibilities for Inbound QoS Interfaces on page 396
Outbound QoS Interfaces version incompatibility - Version Incompatibilities for Outbound QoS Interfaces on page 397
Outbound QoS (Basic) version incompatibility - Version Incompatibilities for Outbound QoS (Basic) on page 408
Outbound QoS (Advanced) version incompatibility - Version Incompatibilities for Outbound QoS (Advanced) on page 414
QoS Marking (Legacy) version incompatibility - Version Incompatibilities for QoS Marking (Legacy) on page 417
Password Policy version incompatibility - Version Incompatibilities for Password Policy on page 422
RADIUS version incompatibility - Version Incompatibilities for RADIUS on page 423
TACACS+ version incompatibility - Version Incompatibilities for TACACS+ on page 424
Common Branch Storage Settings version incompatibility - Version Incompatibilities for Common Branch Storage Settings on page 432
Common VSP Settings version incompatibility - Version Incompatibilities for Common VSP Settings on page 433
Centralized Configuration with Groups and Policies

The CMC uses appliance policies and appliance groups to facilitate centralized configuration and reporting of remote Steelhead appliances. Groups consist of Steelhead appliances or subgroups of Steelhead appliances; all groups and Steelhead appliances are contained in the root default Global group. Policies are sets of common configuration options that can be shared among different Steelhead appliances independently or via group membership.

The following policy types are available:
Optimization policy - Use optimization policies to manage optimization features such as the RiOS data store, in-path rules, and SSL settings, in addition to many others. For more details on the optimization policy, see Optimization Policy Settings on page 312.
System settings policy - Use system settings policies to organize and manage system setting features such as alarms, announcements, notifications, log settings, and others. For more details on the system settings policy, see System Settings Policies on page 369.
Networking policy - Use networking policies to manage networking features such as asymmetric routing, DNS settings, host settings, QoS settings, and others. For more details on the networking policy, see Networking Policy Settings on page 386.
Security policy - Use security policies to manage security settings such as RBM appliances in which security is a key component. For more details on the security policy, see Security Policy Settings on page 418.
Branch services policy - Use branch services policies to manage RiOS Services Platform and Caching DNS settings. For more details on the branch services policy, see Branch Services Settings on page 427.

Each policy type is made up of particular RiOS features. For example, system settings policies contain feature sets for common system administration settings such as alarm settings, announcements, and notification settings, among others, while security policies contain feature sets for encryption, authentication methods, and user permissions. Each group or Steelhead appliance can be assigned one of each type of policy. Because the Global group serves as the root group, or parent, to all subsequent groups and appliances, any policies assigned to the Global group provide the default values for all groups and Steelhead appliances.

Inheriting or Overriding Policy Settings from a Parent Group

Policies consist of feature sets whose values can be inherited from the parent group. By default, no policies are assigned to the Global group, but any policies assigned to the Global group can be inherited by all groups and appliances. Similarly, specific feature sets in individual policies can be enabled, in which case they override the values that would otherwise be inherited from a parent. You can also assign different policies directly to groups and appliances. For flexibility, the policy you apply can also be configured to inherit or override specific feature-set values from the nearest parent group.

For example, in the Policies page:
A group uses optimization policy accg, whose in-path rules feature set specifies four rules.
An appliance in that group uses optimization policy acca, whose in-path rules feature set specifies only three rules.
Unselecting the Enable Page option for in-path rules in the acca policy definition ensures that the appliance uses the accg In-Path Rules settings.
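The inheritance rule described above can be modeled as a walk from the appliance up through its parent groups to the Global group, which is useful when auditing which policy actually supplies a given page to an appliance. The following Python sketch is an added example, not Riverbed code or a CMC API: the class names, the group and appliance names, and the rule strings are hypothetical, and it assumes a page with Enable Page unselected defers to the nearest parent whose policy of the same type enables that page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Page:
    """One feature set (page) inside a policy."""
    settings: List[str]
    enabled: bool = True  # models the "Enable Page" option


@dataclass
class Policy:
    name: str
    ptype: str  # policy type, for example "optimization" or "security"
    pages: Dict[str, Page] = field(default_factory=dict)


@dataclass
class Node:
    """A group or an appliance; every node except Global has a parent."""
    name: str
    parent: Optional["Node"] = None
    policies: Dict[str, Policy] = field(default_factory=dict)

    def assign(self, policy: Policy) -> None:
        # One policy of each type per group or appliance.
        self.policies[policy.ptype] = policy


def resolve(node, ptype, page):
    """Return (policy name, node name, settings) for the nearest enabled page,
    or None when nothing on the path to Global supplies that page."""
    cur = node
    while cur is not None:
        policy = cur.policies.get(ptype)
        if policy is not None:
            pg = policy.pages.get(page)
            if pg is not None and pg.enabled:
                return policy.name, cur.name, pg.settings
        cur = cur.parent
    return None


def effective_pages(node, ptype):
    """Map every page seen on the path to Global to the policy that wins."""
    names = []
    cur = node
    while cur is not None:
        policy = cur.policies.get(ptype)
        if policy is not None:
            names.extend(p for p in policy.pages if p not in names)
        cur = cur.parent
    return {p: resolve(node, ptype, p) for p in names}


def build_example():
    """Constructed scenario mirroring the accg/acca example in the text."""
    global_group = Node("Global")  # no policies assigned by default
    branch = Node("branch-group", parent=global_group)
    appliance = Node("steelhead-01", parent=branch)
    accg = Policy("accg", "optimization", {
        "In-Path Rules": Page(["rule-1", "rule-2", "rule-3", "rule-4"]),
        "SSL": Page(["constructed-ssl-setting"]),
    })
    acca = Policy("acca", "optimization", {
        "In-Path Rules": Page(["rule-a", "rule-b", "rule-c"]),
    })
    branch.assign(accg)
    appliance.assign(acca)
    return appliance, acca


if __name__ == "__main__":
    appliance, acca = build_example()
    print(resolve(appliance, "optimization", "In-Path Rules"))  # from acca
    acca.pages["In-Path Rules"].enabled = False  # unselect Enable Page
    print(effective_pages(appliance, "optimization"))  # now from accg
```
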
Fetching Configurations

If a remote Steelhead appliance has been independently configured, you can fetch that configuration, which can be saved as newly generated policies. These can then be applied to other appliances. For more details, see Fetching Appliance Specific Configurations on page 134.
Managing Policies

You can create, edit, add, and remove a policy in the Manage > Policies page. This section includes the following topics:
Creating a New Policy on page 164
Editing Existing Policies on page 168
Adding or Removing Policies on page 170
Resolving Page Conflicts on page 172
Assigning Policies on page 173

Creating a New Policy

You create a policy in the Manage > Policies page. You can perform the following tasks:
Creating a new policy - Create a new policy to change the configuration settings on a group of appliances. For details, see To create a new policy on page 164.
Copying an existing policy - Copy an existing policy and apply these configurations to a group of appliances. For details, see To add a copy of an existing policy on page 166.
Importing a policy - Import an existing policy from an appliance and apply the settings to a group of appliances. For details, see To import a policy from an appliance configuration on page 167.
Merging a policy - Merge at least two existing policies from an appliance and apply the settings to a group of appliances. For details, see To merge a policy from an appliance configuration on page 167.

To create a new policy
1. Choose Manage > Policies to display the Policies page.
Figure: Manage > Policies Page
2. Click Add Policy to display the controls to add a policy.
Figure: Add Policy Option
3. Select Add a new policy, and complete the configuration, as described in the following table.
Policy Name - Type the name for the policy.
Description - Optionally, type a description.
CLI Commands - Optionally, type the CLI command(s).
Add - Click Add to create the new policy.
4. Click Add.
5. Click Add/Remove Pages to display the Add/Remove Policy Pages display to configure the policy.
Figure: Add/Remove Policy Page
6. Select the pages that you want to add to your policy, and click Apply.
Important: You have to scroll to view the full list of the policy pages.
7. Under Include in Policy Push, select the check box of the page that you want to include in the policy push and click Apply.
If the policy push check box is not selected, then the page is not pushed to the appliance. Included pages or CLI commands are required for the policy to be pushed.
Figure: Selected Policies

To add a copy of an existing policy
1. Choose Manage > Policies to display the Policies page.
Figure: Manage > Policies Page
2. Click Add Policy to display the controls to add a policy.
3. Enter the policy name.
Figure: Add Policy - Copy of Existing Policy Option
4. Select Add a copy of an existing policy.
5. Optionally, enter the description.
6. Select a copy of the policy from the drop-down list, and click Add.
7. Edit the policy as necessary, and click Apply.
To import a policy from an appliance configuration
1. Choose Manage > Policies to display the Policies page.
Figure: Manage > Policies Page
2. Click Add Policy to display the controls to add a policy.
3. Enter the policy name.
Figure: Add Policy - Import Policy from Appliance Configuration Option
4. Select Import policy from an appliance configuration.
5. Select the appliance from the drop-down list, and click Add.
6. Select the imported policy to make any edits, and click Apply.

To merge a policy from an appliance configuration
1. Choose Manage > Policies to display the Policies page.
Figure: Manage > Policies Page
2. Click Add Policy to display the controls to add a policy.
3. Enter the policy name.
Figure: Add Policy - Merge Existing Policy from Appliance Configuration Option
4. Select Merge existing policies.
5. Select the policies from the drop-down list, and click Add.
6. Select the imported policy to make any edits, and click Apply.

Editing Existing Policies

You can edit existing policies in the Manage > Policies page. If you delete or rename a policy, you cannot create another policy with the same name until you save the configuration changes.
To edit an existing policy
1. Choose Manage > Policies to display the Policies page.
2. Select the name of the policy in the list to display the information for that policy.
Figure: Sample Edit Policies Page
3. Complete the configuration, as described in the following table.
Description - Enter the description.
CLI Commands - Enter the CLI command.
Rename Policy - Select this option to rename the policy.
New Name - Enter the new name for the policy.
Add/Remove Pages - Select this option to add or remove pages.
Include in Policy Push - Select the Include in Policy Push check box next to the page that you want to include on the policy push. If no pages are checked and if no CLI commands are specified, the policy is not pushed.
4. Modify the feature sets as desired. For details on all policy feature sets and their parameters, see Appendix A, Viewing Policy Configuration Settings.
5. Click Apply to apply your settings.
6. Under the Page column, click the page name to change the settings of a specific feature set. The Page drop-down list shows only the pages that are present in the selected policy. The Copy Contents From Policy drop-down list shows only the policies in which the given page exists. To copy the specified feature set values from another policy, select the policy containing the values you want to duplicate from the Copy Contents From Policy drop-down list, and click Copy.
For more information on page conflicts, see Resolving Page Conflicts on page 172.

Adding or Removing Policies

You can add or remove a policy in the Manage > Appliances page. You can perform the following tasks:
Adding a policy - For details, see To add a policy on page 170.
Removing a policy - For details, see To remove a policy on page 171.

To add a policy
1. Choose Manage > Appliances to display the Appliances page.
2. Select the name of the policy in the list to display the information for that policy.
Figure: Policies Tab
3. Select Add/Remove Policies to display the Add/Remove Policies page.
Figure: Add/Remove Policies Pages
4. Click the check box next to the policy that you want to add, and click Done. The message Added policy <policyname> is displayed.
To remove a policy
1. Choose Manage > Appliances to display the Appliances page.
2. Select the name of the policy in the list to display the information for that policy.
Figure: Policies Tab
3. Select Add/Remove Policies to display the Add/Remove Policies page.
Important: You have to scroll to view the full list of the policy pages.
Figure: Add/Remove Policies Pages
4. Uncheck the policy that you want to remove, and click Revert. The message Removed policy <policyname> is displayed.
5. Click Done to close the page.
Resolving Page Conflicts

The Page Conflict Report displays when you cannot enable the page because of a conflict. The message suggests that the conflict is with the pushed page on one or more policies. In addition, the message displays when two policies are assigned to an appliance or appliance group. The page cannot be pushed until the conflict is resolved.
Assigning Policies

You assign policies to groups and appliances in the Manage > Appliances page. Policies are optional for groups and appliances. This section includes the following procedures:
To assign a policy to a group on page 173
To edit a group on page 173

To assign a policy to a group
1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the group for which you want to assign a policy.
Figure: Appliances Page
3. Under Policies, use the controls to complete the configuration as described in the following table.
Add/Remove Policies - Displays the setting for adding and removing policies. Select the check box next to the policy that you want to add or remove and select either Done or Revert.
Policy - Select a policy from the drop-down list.

To edit a group
1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the group for which you want to assign a policy.
3. Select Edit Group to display the edit group settings.
Figure: Edit Group Tab
4. Use the controls to complete the configuration, as described in the following table.
Parent Group - Select the parent group from the drop-down list.
Comment - Optionally, enter a comment.
5. Click Apply to apply your settings; click Cancel to cancel your settings.
6. Click Save to save the new settings permanently.

After you have assigned the policies, you must push the configuration to the specified group.

Viewing and Managing System Operation History

You can view the operation history for the system, including the ID, time stamp, type, and the status of the operation in the Manage > Operation History page. You can open each operation in the history to view operation details, including the serial number of the appliance, current status of the operation for the appliance, and messages associated with the operation. For more information, see the Steelhead Management Console User's Guide.

Users can view the operation history of only those appliances and appliance groups for which they have permission. The CMC can fetch and push configurations that are hidden in Steelhead appliances running different versions.
To view and manage operation history
1. Choose Manage > Operation History to display the Operation History page.
Figure: Operation History Page
2. Under Filter, select your option and click Apply Filter.
3. Under Operations, click the Date/Time value to display the appliances, detailed status, and messages associated with the operation. Click x to close the operation details.
4. Optionally, under History Management, complete the configuration, as described in the following table.
Clear History - Specifies to clear the history based on one of the following options:
Clear All History - Specify to clear all history.
Clear History Older Than - Specify date (YYYY/MM/DD) and time (HH:MM:SS).
Clear - Clears history based on the above options.
Managing Appliance Backups and Restores

You can view, delete, and restore configurations of a remote appliance in the Manage > Appliance Backup/Restore page. To back up the current appliance configuration to the CMC, restore a configuration from the CMC to the appliance, or restore a configuration from the CMC to a different appliance, first select the source appliance (the appliance to be backed up or, for a restore operation, the source appliance of the CMC backup).

The CMC collects backups automatically, every day, at 3 AM, with the filename YYYY.MM.DDCONFIG_NAME, where CONFIG_NAME is the name of the active configuration on the Steelhead appliance. Alternatively, you can use the controls on the Manage > Appliance Backup/Restore page to create backups, reset the appliance to a backup restore point, or migrate state from one appliance to another.

This section describes the following:
Assigning Rollover Strategy on page 176
Performing Appliance Backups on page 177
Restoring a Backup Snapshot to an Appliance on page 178
Migrating Current Status from One Appliance to Another on page 178
Removing Backup Configurations on page 178

Typically, you do not need to use backups. Riverbed recommends that you restore an appliance to health by resending its configuration policies. If using policies for restoration is not possible, you can use the following procedure to restore the system to the backup restore point. However, the restore point does not include SSL settings configured in the SSL page.

Assigning Rollover Strategy

You assign a rollover strategy in the Manage > Appliance Backup/Restore page. You select the rollover strategy for the backups.

To assign a rollover strategy
1. Choose Manage > Appliance Backup/Restore to display the Appliance Backup/Restore page.
Figure: Appliance Snapshot Rollover Strategy Option
2. Under Appliance Snapshot Rollover Strategy, select the rollover strategy from the drop-down list, as described in the following table.
Age-Limited - Select this option to keep only the most recent backups. All backups for the last 30 days are kept and for anything older only the first backup of the month is kept.
Deduplicated - Select this option to keep only the most recent backups.
3. Click Apply to commit to the running configurations.

Performing Appliance Backups

You back up appliance configurations in the Manage > Appliance Backup/Restore page. On this page, you back up the current appliance configuration to the CMC, restore an appliance snapshot from the CMC to the appliance, or restore an appliance snapshot from the CMC to a different appliance. In addition, this page lists the backups that have been previously saved for the appliance selected in the Source Appliance drop-down list.

Daily appliance backups are performed as a part of daily maintenance operations. To configure the Daily Maintenance window, go to Configure > Maintenance > Maintenance Window Page.

This section describes how to perform a backup on an appliance.

To perform a backup on an appliance
1. Choose Manage > Appliance Backup/Restore to display the Appliance Backup/Restore page.
Figure: Appliance Backup/Restore Page
2. Select the source appliance from the drop-down list.
3. Enter the name for the backup, and click Backup. To back up this appliance to the CMC, provide a backup name.
4. Click Apply to apply the settings to the current configuration.
5. Click Save to save the settings permanently.

Restoring a Backup Snapshot to an Appliance

You restore appliance snapshots to an appliance in the Manage > Appliance Backup/Restore page. This feature also displays the CLI configuration for the selected appliance backup. This section describes the following:
To restore a backup snapshot on page 178
To remove a snapshot from the CMC on page 178

To restore a backup snapshot
1. Choose Manage > Appliance Backup/Restore to display the Appliance Backup/Restore page.
2. Select the source appliance from the drop-down list.
3. Enter the snapshot name to back up the appliance to the CMC, and click Backup.

To remove a snapshot from the CMC
1. Choose Manage > Appliance Backup/Restore to display the Appliance Backup/Restore page.
2. Select the source appliance from the drop-down list.
3. Under Restore Operation, select the check box next to the name and click Remove Selected Snapshot.

Migrating Current Status from One Appliance to Another

You can migrate state from one appliance to another in the Manage > Appliance Backup/Restore page.

To migrate status from one appliance to another
1. Choose Manage > Appliance Backup/Restore to display the Appliance Backup/Restore page.
2. Select the source appliance from the drop-down list.
3. Under Migrate Operation, select the group and the target appliance.
4. Click Migrate.
5. Click Apply to save your settings.

Removing Backup Configurations

You can remove configuration backups in the Manage > Appliance Backup/Restore page. User-generated backups must be removed manually; they are not deleted automatically. Daily backups are automatically deleted as follows:
The first automatic daily backup of the month is automatically deleted after three years.
All other daily automatic backups are automatically deleted after thirty days.

To remove configuration backups
1. Choose Manage > Appliance Backup/Restore to display the Appliance Backup/Restore page.
2. Select the appliance from the Source Appliance drop-down list to display the configuration backups for the specified appliance.
3. Select the check box next to the backup name and click Remove Selected Snapshots to remove the configuration backups from the list.

Configuring Software Upgrades

You can configure software upgrade settings in the Manage > Configure Upgrades page. You can also manage Steelhead appliance, Interceptor appliance, and Steelhead Mobile Controller appliance software images and enable automatic upgrades on this page. For more information, see the Steelhead Management Console User's Guide, Interceptor Appliance User's Guide, or Steelhead Mobile Controller User's Guide.

The software upgrade process is completed only when the targeted Steelhead appliances connect to the CMC. Connected Steelhead appliances upgrade the next time they connect.

To configure upgrades
1. Choose Manage > Configure Upgrades to display the Configure Upgrades page.
Figure: Configure Upgrades Page
2. Under Manage the Image Library, manage Steelhead software images by using the controls described in the following table.
Add Image - Click to display additional controls for adding images to the CMC image library.
Image Name - Type a name for the image. To obtain the image, select and configure one of the following options:
Download from a URL - Specify the URL source for the software image. When the upgrade is performed, the CMC obtains the image.
Upload from a Local File - Specify the path for the software image or click Browse to go to a local file directory. The image is uploaded immediately.
Add Image - Adds the specified image to the CMC image library.
Remove Image - Select the check box next to the image and click Remove Image.
3. In the Maximum Concurrent Upgrades field, specify the number of appliances to be concurrently upgraded. The default value is 15. For example, if your network has 25 appliances, and this value is set to five, only five appliances are upgraded at a time.
4. In the Timeout for Upgrades field, specify the seconds. The default value is
5. Under Configure Automatic Upgrades, use the following controls to automate upgrades.
Enable Automatic Steelhead Upgrades - Enables automated upgrades and activates the rest of the controls in this panel. When Automatic Steelhead Upgrades are enabled, a 32-bit image or 64-bit image must be selected. Images in the library are selected for automatic installation on Steelhead appliances. The CMC checks the Steelhead appliance and, if necessary, performs automatic upgrades whenever a Steelhead appliance reconnects to a CMC. You can limit the number of simultaneous upgrades with the Maximum Concurrent Upgrades field.
32-bit Steelhead Image - Select from the drop-down list the 32-bit image to which all 32-bit Steelhead appliances are to be upgraded. Optionally, specify Do not auto-upgrade to prevent auto-upgrade. The contents of the drop-down list are limited to the 32-bit software images already in the image library.
64-bit Steelhead Image - Select from the drop-down list the 64-bit image to which all 64-bit Steelhead appliances are to be upgraded. Optionally, specify Do not auto-upgrade to prevent auto-upgrade. The contents of the drop-down list are limited to the 64-bit software images already in the image library.
6. Click Apply to apply the settings to the running configuration. For example, all 32-bit Steelhead appliances are automatically upgraded to the specified 32-bit image the next time they connect to the CMC.
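The automatic-deletion rules stated earlier under Removing Backup Configurations, together with the YYYY.MM.DDCONFIG_NAME naming of daily backups, are enough to audit a list of snapshot names copied from the Appliance Backup/Restore page. This Python sketch is an added example, not Riverbed code: the snapshot names are constructed, and it assumes that any name not starting with a valid date is a user-generated backup, that "thirty days" and "three years" are counted from the date in the name, and that the earliest dated snapshot in a calendar month is that month's first daily backup.

```python
import re
from datetime import date, timedelta

# Automatic daily backups are named YYYY.MM.DDCONFIG_NAME.
AUTO_NAME = re.compile(r"^(\d{4})\.(\d{2})\.(\d{2})(.+)$")
DAILY_WINDOW = timedelta(days=30)  # "deleted after thirty days"
MONTHLY_YEARS = 3                  # "deleted after three years"


def parse_auto_name(name):
    """Return (backup date, config name), or None for a user-generated name."""
    m = AUTO_NAME.match(name)
    if m is None:
        return None
    try:
        day = date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:  # looks like a date but is not one, e.g. 2012.13.40
        return None
    return day, m.group(4)


def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def classify(names, today):
    """Label each snapshot: 'manual', 'daily', 'monthly' or 'expired'."""
    result, dated = {}, {}
    for name in names:
        parsed = parse_auto_name(name)
        if parsed is None:
            result[name] = "manual"  # never deleted automatically
        else:
            dated[name] = parsed[0]
    # The earliest automatic backup in each calendar month is the monthly one.
    first_of_month = {}
    for name, day in dated.items():
        key = (day.year, day.month)
        if key not in first_of_month or day < dated[first_of_month[key]]:
            first_of_month[key] = name
    monthly = set(first_of_month.values())
    for name, day in dated.items():
        if today - day <= DAILY_WINDOW:
            result[name] = "daily"
        elif name in monthly and today <= add_years(day, MONTHLY_YEARS):
            result[name] = "monthly"
        else:
            result[name] = "expired"  # should already be gone from the CMC
    return result


def missing_days(names, today, window_days=30):
    """Days in the recent window with no automatic backup (a gap to investigate)."""
    have = {p[0] for p in map(parse_auto_name, names) if p is not None}
    start = today - timedelta(days=window_days - 1)
    days = (start + timedelta(days=i) for i in range(window_days))
    return [d for d in days if d not in have]


# Constructed snapshot list for one appliance whose active config is "initial".
SAMPLE = [
    "2012.12.20initial", "2012.12.01initial", "2012.11.15initial",
    "2012.11.01initial", "2010.01.01initial", "2009.12.01initial",
    "pre-upgrade",
]

if __name__ == "__main__":
    today = date(2012, 12, 20)
    for name, label in classify(SAMPLE, today).items():
        print(f"{name:22} {label}")
    print("missing:", missing_days(SAMPLE, today, window_days=3))
```

A snapshot labelled expired that is still listed, or a non-empty result from `missing_days`, is a reason to check the daily maintenance window and the appliance's connection to the CMC.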
Managing RSP/VSP

You manage RSP/VSP appliances in the Manage > RSP/VSP page. For details, see the Steelhead Management Console User's Guide and the Steelhead Management Console User's Guide for Steelhead EX. This section includes the following topics:
Managing RSP/VSP Appliances on page 181
Configuring the RSP/VSP Package Library on page 185
Configuring the RSP/VSP Image Library on page 186

CMC 8.0 does not support management of the ESXi version of VSP in Steelhead EX

Managing RSP/VSP Appliances

You can manage RSP and VSP appliances in the Manage > RSP/VSP > RSP/VSP Appliances page. This section includes the following topics:
Configuring RSP/VSP Service on page 181
Configuring RSP and VSP Packages and Slots on page 182

Configuring RSP/VSP Service

You configure RSP/VSP service settings in the Manage > RSP/VSP > RSP/VSP Appliances page that displays only connected RSP- and VSP-capable Steelhead appliances.

To configure RSP/VSP service
1. Choose Manage > RSP/VSP > RSP/VSP Appliances to display the RSP/VSP Appliances page.
Figure: RSP/VSP Appliances Page
2. Click RSP/VSP Service to display the RSP/VSP Service Operation options.
Figure: RSP/VSP Service Operation Options
3. Complete the configuration, as described in the following table.
RSP Service Operation - Select Install RSP Service, Manage RSP Service, (Re)install ESXi, or Restart ESXi from the drop-down list.
32-bit RSP Image - Select the image from the drop-down list.
64-bit RSP Image - Select the image from the drop-down list.
Schedule operation - Select an option to schedule an operation. Date and Time - Use the following format: YYYY/MM/DD HH:MM:SS.
Install - Click Install to continue with your settings.

Configuring RSP and VSP Packages and Slots

You configure RSP and VSP packages and slots settings in the Manage > RSP/VSP > RSP/VSP Appliances page. For details, see the Steelhead Management Console User's Guide.

To configure RSP and VSP packages and slots
1. Choose Manage > RSP/VSP > RSP/VSP Appliances to display the RSP/VSP Appliances page.
2. Click Packages & Slots to display the package options.
Figure: Packages & Slots Options
3. Complete the configuration, as described in the following table.

Package / Slot Operation - Select an option from the drop-down list:
Transfer Packages - This option enables the selected packages to be transferred and made available for later installation. Packages are transferred only if necessary. If a package already exists on the selected appliance, it is skipped.
Install Packages - This option enables any required package files that do not exist on the target appliance to be automatically transferred. If a specified slot does not exist on the target appliance, an empty slot is renamed to the specific slot name.
Manage Slots - This option enables you to select the slot(s) to perform the operation on. Only selected packages are transferred and made available on local appliances for later installation. Packages are transferred only if necessary. If a package already exists on the selected appliance, it is skipped.

4. Select the appliance to view the details.

Figure: RSP Service Details for Steelhead

5. For Steelhead appliances, select RSP Service Details and complete the configuration, as described in the following table, and continue with Step 7:

RSP Supported - Displays whether RSP is supported.
RSP Installed - Displays whether or not RSP is installed.
RSP Free Space - Displays how much RSP free space is available.
RSP Free Memory - Displays how much RSP free memory is available.
RSP Enabled - Displays whether or not RSP is enabled.
RSP State - Displays RSP state.

6. For Steelhead EX appliances, select VSP Service Details and complete the configuration, as described in the following table, and continue with Step 7.

VSP Service Details - Displays details about VSP.
VSP Free Memory - Displays how much VSP free memory is available.
VSP State - Displays VSP state.

7. Select Slot Details, select the slot to view the details, and complete the configuration, as described in the following table.

Enable Slot - Enables the selected slot.
Disable Slot - Disables the selected slot.
Restart Slot - Restarts the selected slot.
Uninstall Slot - Uninstalls the selected slot.

8. Select Backups to view the details.

9. Complete the configuration, as described in the following table.

Appliance Slot - Select the appliance slot from the drop-down list.
Compress backup - Select this option to enable compress backup.
Backup to Appliance RSP Backup Library - Select this option to back up an appliance RSP backup library. Applies only to Steelhead appliances.
Backup to Appliance VSP Backup Library - Select this option to back up an appliance VSP backup library. Applies only to Steelhead EX appliances.
Backup to Remote URL - Select this option to back up to a remote URL. URL - Enter the URL of the backup.
Schedule for Later - Select this option to schedule a backup for later. Date and Time - Use the following format: YYYY/MM/DD, HH:MM:SS.
Create - Click to start the backup.
Import - Click to display additional controls for importing an appliance.
Backup Name - Enter the filename of the new uploaded backup.
URL - Enter the URL of the file.
Import - Imports the new backup.
Remove Selected Backups - Deletes the selected backup files.

10. Select High Availability to view the details.
11. Complete the configuration, as described in the following table.

Accept Incoming HA Transfers - Select the Enable check box to accept incoming HA transfers.
HA Password - Enter the high availability password.
Confirm HA Password - Confirm the HA password.
Apply - Click to apply the changes.
Remote Host - Select the remote host from the drop-down list.
Slot - Select the slot to view the details.
Schedule as Future Transfer Job - Select this option to schedule a future transfer. Date and Time - Use the following format: YYYY/MM/DD HH:MM:SS.
Apply - Applies your changes.

The CMC might require up to 5 minutes to refresh with the current appliance data.

Configuring the RSP/VSP Package Library

You can add and remove RSP and VSP packages in the Manage > RSP/VSP > RSP/VSP Package Library page. For details, see the Steelhead Management Console User's Guide.

To configure the RSP/VSP package library

1. Choose Manage > RSP/VSP > RSP/VSP Package Library to display the RSP/VSP Package Library page.

Figure: RSP/VSP Package Library Page

2. Click Add Package to display the options.

Figure: Add Package Page

3. Complete the configuration, as described in the following table.

File Name - Type the filename.
From URL - Type the URL.
From Local File (for packages less than 2GB in size) - Click Browse to navigate to the file.
Add Package - Click Add Packages to add the package.
Remove Selected Packages - Select the check box next to the name and click Remove Selected Packages.

4. Select the filename to rename the file, enter the new name, and click Rename.

Configuring the RSP/VSP Image Library

You configure RSP image library settings in the Manage > RSP/VSP > RSP Image Library page. For details, see the Steelhead Management Console User's Guide.

To configure the RSP image library

1. Choose Manage > RSP/VSP > RSP Image Library to display the RSP Image Library page.

2. Click Add Image to display the Add Image options.

Figure: RSP Image Library Page

3. Complete the configuration, as described in the following table.

File Name - Type a descriptive name for the image.
From URL - Select this option and type the URL to the image.
From Local File (for images less than 2GB in size) - Click this option and type the path or click Browse to navigate to the local file directory.
Add Image - Downloads the image to your system.

4. To remove an entry, select the check box next to the name and click Remove Selected Images.

5. Select the filename to rename the file, and click Rename.
CHAPTER 4 Displaying and Customizing Reports

This chapter describes how to display and customize remote Steelhead appliance reports, download remote appliance logs, and display and customize CMC reports.

This chapter includes the following sections:
Displaying WAN Optimization Reports and Logs
Displaying Application Optimization Reports and Logs
Data Store Statistics Reports
Displaying Branch Storage Reports
Displaying Appliance Diagnostics Reports
Displaying CMC Diagnostics Reports and Logs
Exporting Performance Statistics Reports

Displaying WAN Optimization Reports and Logs

This section describes how to create managed Steelhead reports and logs.

This section includes the following topics:
Viewing Optimized Throughput Reports
Viewing Bandwidth Optimization Reports
Viewing Data Reduction Reports
Viewing Traffic Summary Reports
Viewing Connection History Reports
Viewing Connection Forwarding Reports
Viewing Connection Pooling Reports
Viewing Outbound QoS (Dropped) Reports
Viewing Outbound QoS (Sent) Reports
Viewing Inbound QoS (Dropped) Reports
Viewing Inbound QoS (Sent) Reports
Reports are based on data gathered from registered remote Steelhead appliances by the CMC every five minutes.

Viewing Optimized Throughput Reports

The Optimized Throughput report summarizes the throughput or total data transmitted for the application and time period specified. For details on the Data Store Status information, see Viewing Appliance Details Reports.

The Optimized Throughput report includes Optimized LAN and WAN Link Throughput graphs, which include the following statistics that describe data activity for the application and the time period you specify.

Peak LAN Throughput At <time> on <date> - Displays the date and time of the peak data activity.
95th Percentile LAN Throughput - Displays the 95th percentile for data activity. The 95th percentile is calculated by taking the peak of the lower 95 percent of inbound and outbound throughput samples. Note: Peak and the 95th percentile statistics are not reported if more than one appliance or a group is selected.
Average LAN Throughput - Displays the average amount of data transmitted.
Peak WAN Throughput At <time> on <value> - Displays the date and time of the peak data activity.
95th Percentile WAN Throughput - Displays the 95th percentile for data activity. The 95th percentile is calculated by taking the peak of the lower 95 percent of inbound and outbound throughput samples. Note: Peak and the 95th percentile statistics are not reported if more than one appliance or a group is selected.
Average WAN Throughput - Displays the average amount of data transmitted.

What This Report Tells You

The Optimized Throughput report answers the following questions:
What was the average throughput?
What was the peak throughput?
At what time did the peak throughput occur?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected.

Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used for calculating its average and peak value. However, due to performance and disk space considerations, data representation in reports for periods longer than the latest five minutes is interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.
To view the Optimized Throughput report

1. Choose Reports > WAN Optimization > Optimized Throughput to display the Optimized Throughput page.

Figure 4-1. Optimized Throughput Page

2. Use the controls to customize the report, as described in the following table.

Period - Select Past Hour, Past 24 Hours, Past 7 Days, Past 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, type the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Group - Select a group from the drop-down list. The default value is Global or Custom. You can also select [Custom] to display a drop-down list from which you can select one or more individual appliances to include in the report.
Traffic - Select Bi-directional, WAN-to-LAN, or LAN-to-WAN from the drop-down list.
Application - Select the application from the drop-down list. The default value is All.
Refresh - Select Off, 5 Minutes, 10 Minutes, or 15 Minutes from the drop-down list.
Go - Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To - Select or URL option from the drop-down list.
Addresses - Specify the address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Viewing Bandwidth Optimization Reports

The Bandwidth Optimization report summarizes the overall inbound and outbound bandwidth improvements for your network. You can create reports according to the time period of your choice, application, and type of traffic.

The Bandwidth Optimization report includes the following table of statistics that describe bandwidth activity for the time period you specify.
WAN Data - Displays the bytes sent and received (depending on direction) over the WAN ports.
LAN Data - Displays the bytes sent and received (depending on direction) over the LAN ports.
Total Data Reduction % - Displays the total decrease of data transmitted over the WAN, according to the following calculation: (Data In - Data Out)/(Data In)
Peak Data Reduction Occurred At <time> on <date> - Displays the date and time that the peak data reduction occurred.
Optimized Bandwidth Capacity Increase - Displays the increase in the amount of data transmitted over the WAN, according to the following calculation: 1/(1-Reduction Rate)

What This Report Tells You

The Bandwidth Optimization report answers the following questions:
How much bandwidth optimization has occurred?
What was the average and peak amount of data sent?
What was the overall increase in the amount of data that can be transmitted?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected.

Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used for calculating its average and peak value. However, due to performance and disk space considerations, data representation in reports for periods longer than the latest five minutes is interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.
To view a Bandwidth Optimization report

1. Choose Reports > WAN Optimization > Bandwidth Optimization to display the Bandwidth Optimization page.

Figure 4-2. Bandwidth Optimization Page

2. Use the controls to customize the report, as described in the following table.

Period - Select Past Hour, Past 24 Hours, Past 7 Days, Past 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, type the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Group - Select the group from the drop-down list. The default value is Global.
Traffic - Select Bi-Directional, WAN-to-LAN, or LAN-to-WAN from the drop-down list.
Application - Select the application from the drop-down list. The default value is All.
Refresh - Select Off, 5 Minutes, 10 Minutes, or 15 Minutes from the drop-down list.
Go - Displays the report.
3. Under Export, complete the configuration, as described in the following table.

Export To - Select or URL option from the drop-down list.
Addresses - Specify the address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Tip: To print the report, choose File > Print in your Web browser to open the Print dialog box.

Note: Be aware that if the CMC and remote appliances lose connectivity with each other, the bandwidth and connection data during the period of lost connectivity might be skewed. For example, if a remote appliance loses connectivity with the CMC for six hours, data for the missing six hours appears to be 0 in reports for periods of Last Day or Custom intervals smaller than one day. However, when the remote appliance re-establishes connectivity, it sends an aggregate data point for the last day. Thus, reports for periods longer than Last Day do reflect bandwidth and connection data accurately. If you need to analyze data on the remote Steelhead appliance for the missing period, you can view this in the Central Management Console for the individual remote appliance.

Viewing Data Reduction Reports

The Data Reduction report summarizes the percent reduction of data transmitted by an application such as FTP, HTTP, NetBIOS and TCP, traffic in CIFS, and MAPI.

The Data Reduction report includes the following table of statistics that describe data reduction for the application and the time period you specify.

Total Data Reduction % - Specifies the total decrease of data transmitted over the WAN, according to the following calculation: (Data In - Data Out)/(Data In)
Peak Data Reduction At <time> on <date> - Displays the date and time that the peak data reduction occurred.
Optimized Bandwidth Capacity Increase - Specifies the increase in the amount of data transmitted over the WAN, according to the following calculation: 1/(1-Reduction Rate)
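The statistics defined in the Optimized Throughput, Bandwidth Optimization, and Data Reduction tables above, worked through on sample data. This is an added example, not Riverbed code: the function names, the floor rounding used for the 95th percentile, the result reported for a period with no traffic, and the sample values are assumptions made here.

```python
# Added example (not Riverbed code): report statistics as the guide defines them.
import math
from datetime import datetime, timedelta


def percentile_95(values):
    """Peak of the lower 95 percent of samples.

    Assumption: "lower 95 percent" keeps floor(0.95 * n) of the sorted
    samples, and at least one; the guide does not give the rounding rule.
    """
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    keep = max(1, (len(ordered) * 95) // 100)  # integer math, no float rounding
    return ordered[keep - 1]


def throughput_summary(samples, single_appliance=True):
    """Summarize (timestamp, throughput) samples for one report period.

    Peak and 95th percentile stay None when the report covers more than
    one appliance or a group, matching the note in the guide.
    """
    if not samples:
        raise ValueError("no samples")
    values = [value for _, value in samples]
    summary = {
        "average": sum(values) / len(values),
        "peak": None,
        "peak_time": None,
        "p95": None,
    }
    if single_appliance:
        peak_time, peak = max(samples, key=lambda s: s[1])
        summary.update(peak=peak, peak_time=peak_time,
                       p95=percentile_95(values))
    return summary


def data_reduction(data_in, data_out):
    """(Data In - Data Out) / (Data In), as a fraction of 1."""
    if data_in <= 0:
        return 0.0  # assumption: a period with no traffic reports as 0
    return (data_in - data_out) / data_in


def capacity_increase(reduction_rate):
    """1 / (1 - Reduction Rate); unbounded when the rate reaches 1."""
    if reduction_rate >= 1.0:
        return math.inf
    return 1.0 / (1.0 - reduction_rate)


# Constructed sample data: twenty 15-second throughput samples (Mbps) for a
# single appliance, with one short burst in the last sample.
START = datetime(2012, 12, 1, 9, 0, 0)
VALUES = [40, 42, 41, 39, 44, 43, 45, 41, 40, 42,
          38, 41, 43, 44, 42, 40, 39, 41, 43, 400]
SAMPLES = [(START + timedelta(seconds=15 * i), v)
           for i, v in enumerate(VALUES)]

if __name__ == "__main__":
    s = throughput_summary(SAMPLES)
    print("average %.1f  p95 %s  peak %s at %s" % (
        s["average"], s["p95"], s["peak"],
        s["peak_time"].strftime("%Y/%m/%d %H:%M:%S")))
    rate = data_reduction(1000, 250)
    print("reduction %.0f%%  capacity increase %.1fx" % (
        rate * 100, capacity_increase(rate)))
```

On the sample data the single burst sets the peak and pulls the average up, while the 95th percentile stays at the level of the ordinary samples.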
What This Report Tells You

The Data Reduction report answers the following questions:
What was the total reduction in the amount of data that was transmitted over WAN for each application?
What was the peak reduction in the amount of data transmitted for each application?
What was the total increase of data transmitted for the application and time period specified?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected.

Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used for calculating its average and peak value. However, due to performance and disk space considerations, data representation in reports for periods longer than the latest five minutes is interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.
To view the Data Reduction report

1. Choose Reports > WAN Optimization > Data Reduction to display the Data Reduction page.

Figure 4-3. Data Reduction Page

2. Use the controls to customize the report, as described in the following table.

Period - Select Past Hour, Past 24 Hours, Past 7 Days, Past 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, type the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Group - Select the appliance group from the drop-down list. The default value is Global.
Traffic - Select Bi-Directional, WAN-to-LAN, or LAN-to-WAN from the drop-down list.
Application - Select the application from the drop-down list. The default value is All.
Refresh - Select Off, 5 Minutes, 10 Minutes, or 15 Minutes from the drop-down list.
Go - Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To - Select or URL option from the drop-down list.
Addresses - Specify the address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.
Viewing Traffic Summary Reports

The Traffic Summary report provides a percentage breakdown of the amount of traffic going through the system by the port and type of traffic.

The Steelhead appliance automatically discovers all the ports in the system that have traffic. The discovered port, along with a label (if one exists), is added to the report. If a label does not exist, then an unknown label is added to the discovered port. If you want to change the unknown label to a name representing the port, you must add the port with a new label. All statistics for this new port label are preserved from the time the port was discovered.

The Traffic Summary report displays a maximum of 16 colors for ports. If you have more than 16 ports, the colors in the report wrap from the beginning.

The Traffic Summary report provides the following table of statistics that describe data activity for the application and the time period you specify.

Port - Displays the TCP/IP port number and application for each row of statistics.
Reduction - Displays the amount of data reduction.
LAN Data - Displays the amount of traffic on the LAN.
WAN Data - Displays the amount of traffic on the WAN.
Traffic % - Displays the percentage of the total traffic each port represents.

What This Report Tells You

The Traffic Summary report answers the following questions:
How much data reduction has occurred?
What was the percentage of the total traffic for each port?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected.

Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used for calculating its average and peak value. However, due to performance and disk space considerations, data representation in reports for periods longer than the latest five minutes is interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.

To view the Traffic Summary report

1. Choose Reports > WAN Optimization > Traffic Summary to display the Traffic Summary page.

Figure 4-4. Traffic Summary Page
2. Use the controls to customize the report, as described in the following table.

Period - Select Past Hour, Past 24 Hours, Past 7 Days, Past 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, type the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Group - Select the appliance group from the drop-down list.
Type - Select Optimized, Pass Through, or Both from the drop-down list. The default value is Optimized.
Traffic - Select Bi-Directional, WAN-to-LAN, or LAN-to-WAN from the drop-down list.
Refresh - Set the refresh rate for the report display: To refresh the report every 5 minutes, select 5 minutes. To refresh the report every 10 minutes, select 10 minutes. To refresh the report every 15 minutes, select 15 minutes. To turn refresh off, click Off.
Go - Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To - Select or URL option from the drop-down list.
Addresses - Specify the address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Viewing Connection History Reports

The Connection History report summarizes the optimized traffic for the time period specified.

The Connection History report contains the following graphs:
Optimized vs. Pass Through Connections (Connections) - This graph displays the total number of optimized and passed-through connections for the time period specified.
Optimized Connections (Connections) - This graph displays the total number of optimized, established, half-opened, and half-closed connections for the time period specified.
The Connection History report contains the following table of statistics that summarize connection activity.

Total Optimized - Displays the total number of established, optimized connections plus the half-open connections and half-closed connections (where the half-open and half-closed connections are TCP connection states).
Total Optimized (Active) - Displays the total number of optimized connections with traffic in the last 60 seconds.
Total Pass Through - Displays the total connections passed through, unoptimized.
Forwarded - Displays the total number of forwarded connections.
Total Optimized (Established) - Displays the total established active connections.
Total Optimized (Half Opened) - Displays the total half-opened active connections. A half-opened connection is a TCP connection which has not been fully established. Half-opened connections count toward the connection count limit on the Steelhead appliance because, at any time, they might become a fully-opened connection. If you are experiencing a large number of half-opened connections, consider a more appropriately sized Steelhead appliance.
Total Optimized (Half Closed) - Displays the total half-closed active connections. Half-closed connections are connections which the Steelhead appliance has intercepted and optimized but are in the process of becoming inactive. These connections are counted toward the connection count limit on the Steelhead appliance. (Half-closed connections might remain if the client or server does not close their connections cleanly.) If you are experiencing a large number of half-closed connections, consider a more appropriately sized Steelhead appliance.
The connection counts for the specified time period are displayed in the following columns:
Group Average - Displays the average of the sum for all of the appliances in the group.
Per Appliance Average - Displays the per appliance average for all of the appliances in the group.
Single Appliance Peak - Displays the peak number of connections for a single appliance in the group.
Peak Time - Displays the timestamp for when the peak number was reached.

What This Report Tells You

The Connection History report answers the following questions:
How many connections were optimized?
How many connections were passed through, unoptimized?
How many connections were half-opened?
How many connections were half-closed?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected.

Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used for calculating its average and peak value. However, due to performance and disk space considerations, data representation in reports for periods longer than the latest five minutes is interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.
To view the Connection History report

1. Choose Reports > WAN Optimization > Connection History to display the Connection History page.

Figure 4-5. Connection History Page

2. Use the controls to customize the report, as described in the following table.

Period - Select Past Hour, Past 24 Hours, Past 7 Days, Past 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, type the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Group - Specify the appliance group whose connection history you want to view. The default value is Global.
Refresh - Select Off, 5 Minutes, 10 Minutes, or 15 Minutes from the drop-down list. The refresh rate does not affect polling. Polling occurs every 5 minutes.
Go - Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To - Select or URL option from the drop-down list.
Addresses - Specify the address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.
Viewing Connection Forwarding Reports

The Connection Forwarding report summarizes the number of bytes or packets transferred between the Steelhead appliance and a specified neighbor.

Total Data Sent - Specifies the number of bytes or packets transferred.

What This Report Tells You

The Connection Forwarding report answers the following questions:

How many bytes were transferred between a Steelhead appliance and a specified neighbor?
How many packets were transferred between a Steelhead appliance and a specified neighbor?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected. Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used for calculating its average and peak value. However, due to performance and disk space considerations, data representation in reports for periods longer than the latest five minutes is interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.
To view the Connection Forwarding report

1. Choose Reports > WAN Optimization > Connection Forwarding to display the Connection Forwarding page.

Figure 4-6. Connection Forwarding Page

2. Use the controls to customize the report, as described in the following table.

Period - Select Past Hour, Past 24 Hours, Past 7 Days, Past 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, type the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Group - Specify the appliance group whose connection history you want to view. The default value is Global.
Statistic - Select either Byte Counts or Packet Counts from the drop-down list.
Refresh - Select Off, 5 Minutes, 10 Minutes, or 15 Minutes from the drop-down list. Note: The refresh rate does not affect polling. Polling occurs every 5 minutes.
Go - Displays the report.
3. Under Export, complete the configuration, as described in the following table.

Export To - Select or URL option from the drop-down list.
Addresses - Specify the address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Viewing Connection Pooling Reports

The Connection Pooling report summarizes the current pool of connections to peer appliances. It contains the following table of statistics that summarize connection pooling activity.

Total Requests - Specifies the total number of requests for connections to peer appliances.
Total Hits - Specifies the total number of successful connections and connections that are serviced by already existing inner channel connections.
Peak Hits At <time> on <date> - Specifies the date and time of the peak number of successful connections and connections that are serviced by already existing inner channel connections.

The connection pool holds many idle TCP connections up to the maximum pool size. When a client requests a new connection to a previously visited server, the pool manager checks the pool for unused connections, returns one if available, and then replenishes the pool with another idle connection.

Note: A slight delay might occur during the time it takes the pool manager to check for an unused connection, pull the connection out of the pool, and then refill it.
In a Steelhead appliance with a very active connection count, this report might indicate a high number of requests before the pool manager has time to establish new connections and refill the pool. On a very busy link, the entire pool could drain before the pool manager refills it. In addition, the pool manager refills the pool one connection at a time, so when the appliance receives bursty connection requests, it might take some time to refill the pool. A couple of bursts in succession can drain the pool. Network congestion can also lengthen the pool refill time.

What This Report Tells You

The Connection Pooling report answers the following questions:

How large is the pool of connections?
How many connections occurred?
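The drain and one-at-a-time refill behaviour described in this section can be modelled in a few lines. This is an added illustration, not Riverbed code: the pool size of 20, the refill rate of one connection per tick, the two workloads, and the names PoolStats and simulate_pool are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class PoolStats:
    total_requests: int = 0  # requests for a connection to a peer appliance
    pool_hits: int = 0       # requests served at once by an idle pooled connection
    min_idle: int = 0        # lowest number of idle connections observed
    drained_ticks: int = 0   # ticks in which demand emptied the pool

    @property
    def hit_ratio(self):
        # With no requests at all, nothing was missed.
        return self.pool_hits / self.total_requests if self.total_requests else 1.0


def simulate_pool(arrivals, max_pool=20, refill_per_tick=1):
    """Simplified model: arrivals[i] is the number of requests in tick i.

    Requests beyond the idle count are misses (they would wait for a new
    connection). After each tick the pool manager adds refill_per_tick idle
    connections, never exceeding max_pool. All values are assumed.
    """
    idle = max_pool
    stats = PoolStats(min_idle=max_pool)
    for demand in arrivals:
        served = min(demand, idle)
        idle -= served
        stats.total_requests += demand
        stats.pool_hits += served
        stats.min_idle = min(stats.min_idle, idle)
        if demand and idle == 0:
            stats.drained_ticks += 1
        idle = min(max_pool, idle + refill_per_tick)
    return stats


# Constructed workloads: 30 requests over 30 ticks in both cases.
STEADY = [1] * 30
BURSTY = [0] * 30
BURSTY[4] = 15   # first burst leaves 5 idle connections
BURSTY[7] = 15   # second burst arrives after only 3 refills

if __name__ == "__main__":
    for name, load in (("steady", STEADY), ("bursty", BURSTY)):
        s = simulate_pool(load)
        print(f"{name}: requests={s.total_requests} hits={s.pool_hits} "
              f"min_idle={s.min_idle} hit_ratio={s.hit_ratio:.2f}")
```

The same request total produces a full hit count when spread evenly and a shortfall when it arrives as two bursts in succession, which is the pattern to look for when the report shows requests well above hits.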
About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected. Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used for calculating its average and peak value. However, due to performance and disk space considerations, data representation in reports for periods longer than the latest five minutes is interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.

To view the Connection Pooling report

1. Choose Reports > WAN Optimization > Connection Pooling to display the Connection Pooling page.

Figure 4-7. Connection Pooling Page
2. Use the controls to customize the report, as described in the following table.

Period - Select Past Hour, Past 24 Hours, Past 7 Days, Past 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, type the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Group - Specify the appliance group whose connection history you want to view. The default value is Global.
Refresh - Select Refresh to refresh the list. Note: The refresh rate does not affect polling. Polling occurs every 5 minutes.
Go - Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To - Select or URL option from the drop-down list.
Addresses - Specify the address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Viewing Outbound QoS (Dropped) Reports

The Outbound QoS (Dropped) report contains the following graphs:

Outbound QoS Pre-Enforcement (bps) - Displays the total number of bits dropped before enforcement of the QoS parameters for the time period specified.
Outbound QoS Class-Enforced (bps) - Displays the total number of bits dropped after QoS enforcement parameters have been set for the time period specified.

The QoS Stats Dropped report contains the following table of statistics that summarize QoS activity.
What This Report Tells You

The Outbound QoS (Dropped) report answers the following questions:

How many bits were transmitted over the WAN for the QoS class?
How many data packets were dropped for the QoS class?
When did the peak data transmission occur for the QoS class?
About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected. Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used for calculating its average and peak value. However, due to performance and disk space considerations, data representation in reports for periods longer than the latest five minutes is interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.
To view the Outbound QoS (Dropped) report

1. Choose Reports > WAN Optimization > Outbound QoS (Dropped) to display the Outbound QoS (Dropped) page.

Figure 4-8. Outbound QoS (Dropped) Page

2. Use the controls to customize the report, as described in the following table.

Period - Select Past Hour, Past 24 Hours, Past 7 Days, Past 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, type the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Appliance - Select the appliance from the drop-down menu.
Classes - Select the class from the drop-down menu.
Statistic - Select either Byte Counts or Packet Counts from the drop-down list.
Go - Displays the report.
3. Under Export, complete the configuration, as described in the following table.

Export To - Select or URL option from the drop-down list.
Addresses - Specify the address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Viewing Outbound QoS (Sent) Reports

The Outbound QoS (Sent) report summarizes the number of bytes and packets transmitted for the QoS class or an aggregate of all classes for the time period specified.

The Outbound QoS (Sent) report contains the following graphs:

Outbound QoS Pre-Enforcement (bps) - Displays the total number of bits sent before enforcement of the QoS parameters for the time period specified.
Outbound QoS Class-Enforced (bps) - Displays the total number of bits sent after QoS enforcement parameters have been set for the time period specified.

The QoS Stats Sent report contains the following table of statistics that summarize QoS activity during peak pre-enforcement and peak post-enforcement time periods.

Peak All Throughput At <time> on <date> - Displays the date and time of the peak QoS throughput of the specified classes.

What This Report Tells You

The Outbound QoS (Sent) report answers the following questions:

How many bits were transmitted over the WAN for the QoS class?
How many data packets were sent for the QoS class?
When did the peak data transmission occur for the QoS class?
About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected. Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used for calculating its average and peak value. However, due to performance and disk space considerations, data representation in reports for periods longer than the latest five minutes is interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.
To view the Outbound QoS (Sent) report

1. Choose Reports > WAN Optimization > Outbound QoS (Sent) to display the Outbound QoS (Sent) page.

Figure 4-9. Outbound QoS (Sent) Page

2. Use the controls to customize the report, as described in the following table.

Period - Select Past Hour, Past 24 Hours, Past 7 Days, Past 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, type the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Appliance - Select the appliance from the drop-down menu.
Classes - Select the class from the drop-down menu.
Statistic - Select either Byte Counts or Packet Counts from the drop-down list.
Go - Displays the report.
3. Under Export, complete the configuration, as described in the following table.

Export To - Select or URL option from the drop-down list.
Addresses - Specify the address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Viewing Inbound QoS (Dropped) Reports

The Inbound QoS (Dropped) report summarizes the number of bits and packets transmitted for the QoS class or an aggregate of all classes for the time period specified.

The Inbound QoS (Dropped) report contains the following graphs:

Inbound QoS Pre-Enforcement (bps) - Displays the total number of bits sent before enforcement of the QoS parameters for the time period specified.
Inbound QoS Class-Enforced (bps) - Displays the total number of bits dropped after QoS enforcement parameters have been set for the time period specified.

The Inbound QoS (Dropped) report contains the following table of statistics that summarize QoS activity during peak pre-enforcement and peak post-enforcement time periods.

Maximum All Throughput At <time> on <date> - Specifies the date and time of the peak QoS throughput.

What This Report Tells You

The Inbound QoS (Dropped) report answers the following questions:

How many bits were transmitted over the WAN for the QoS class?
How many data packets were dropped for the QoS class?
When did the peak data transmission occur for the QoS class?
About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like.
Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected. Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed system polls bandwidth and connection metrics every second and reports on performance for periods up to one month. However, due to performance and disk space considerations, data representation in reports for periods longer than the Last 5 Minutes is interpolated from aggregate data points. Some report graphs have peak lines for these aggregated samples. Each sample in this peak line represents the highest sample of all the aggregated samples. For the most recent five minutes (before aggregation takes place), the peak and average lines are identical.

To view the Inbound QoS (Dropped) report

1. Choose Reports > WAN Optimization > Inbound QoS (Dropped) to display the Inbound QoS (Dropped) page.

Figure Inbound QoS (Dropped) Page
2. Use the controls to customize the report as described in the following table.

Period - Select Past Hour, Past 24 Hours, Last 7 Days, Last 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, specify the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Appliance - Select the appliance from the drop-down list.
Classes - Select All, a class, or Custom from the drop-down list. Selecting a parent class displays its child classes. For example, the report for an HTTP class with two child classes named WebApp1 and WebApp2 displays statistics for HTTP, WebApp1, and WebApp2. Selecting Custom displays a drop-down list of all the custom classes.
Statistic - Select either Byte Counts or Packet Counts from the drop-down list.
Go - Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To - Select or URL option from the drop-down list.
Addresses - Specify the address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Tip: To print the report, choose File > Print in your Web browser to open the Print dialog box.

Viewing Inbound QoS (Sent) Reports

The Inbound QoS (Sent) report includes a graph which summarizes the number of bits and packets transmitted for the QoS class or an aggregate of all classes for the time period specified.
The Inbound QoS (Sent) report contains the following graphs:

Inbound QoS Pre-Enforcement (bps) - Displays the total number of bits sent before enforcement of the QoS parameters for the time period specified.
Inbound QoS Class-Enforced (bps) - Displays the total number of bits sent after QoS enforcement parameters have been set for the time period specified.
The Inbound QoS (Sent) report contains the following table of statistics that summarize QoS activity during peak pre-enforcement and peak post-enforcement time periods.

Maximum All Throughput At <time> on <date> - Specifies the date and time of the peak QoS throughput.

What This Report Tells You

The Inbound QoS (Sent) report answers the following questions:

How many bits were transmitted over the WAN for the QoS class?
How many data packets were sent for the QoS class?
When did the peak data transmission occur for the QoS class?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected. Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed system polls bandwidth and connection metrics every second and reports on performance for periods up to one month. However, due to performance and disk space considerations, data representation in reports for periods longer than the Last 5 Minutes is interpolated from aggregate data points. Some report graphs have peak lines for these aggregated samples. Each sample in this peak line represents the highest sample of all the aggregated samples. For the most recent five minutes (before aggregation takes place), the peak and average lines are identical.
To view the Inbound QoS (Sent) report

1. Choose Reports > WAN Optimization > Inbound QoS (Sent) to display the Inbound QoS (Sent) page.

Figure Inbound QoS (Sent) Page

2. Use the controls to customize the report as described in the following table.

Period - Select Past Hour, Past 24 Hours, Last 7 Days, Last 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, specify the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Appliance - Select an appliance from the drop-down list.
Classes - Select All, a class, or Custom from the drop-down list. Selecting a parent class displays its child classes: for example, the report for an HTTP class with two child classes named WebApp1 and WebApp2 displays statistics for HTTP, WebApp1, and WebApp2. Selecting Custom displays a drop-down list of all the custom classes.
Statistic - Select either Byte Counts or Packet Counts from the drop-down list.
Go - Displays the report.
3. Under Export, complete the configuration, as described in the following table.

Export To - Select or URL option from the drop-down list.
Addresses - Specify the address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Tip: To print the report, choose File > Print in your Web browser to open the Print dialog box.

Displaying Application Optimization Reports and Logs

This section describes how to create managed Steelhead reports and logs. This section includes the following topics:

Viewing HTTP Reports
Viewing NFS Reports
Viewing SRDF Reports
Viewing SSL Servers Reports
Viewing DNS Cache Hits Reports
Viewing DNS Cache Utilization Reports

Viewing HTTP Reports

The HTTP report summarizes HTTP optimization statistics for the time period specified. The HTTP report contains the HTTP (%) Hits graph, which displays the following statistics that summarize HTTP data activity.

Total Hit % - Displays the total percentage of HTTP objects requested by all three schemes: URL Learning, Parse and Prefetch, and Metadata Response.
Parse and Prefetch Hit % - Displays the percentage of objects that were successfully prefetched.
URL Learning Hit % - Displays the percentage of URL learning hits.
Object Prefetch Table Hit % - Displays the percentage of prefetch table hits.
Objects Requested - Displays the number of HTTP objects requested.
Total Objects Hit - Displays the total number of HTTP object hits.
Parse and Prefetch Hits - Displays the number of embedded objects that were successfully prefetched.
URL Learning Hits - Displays the number of URL learning hits.
Object Prefetch Table Hit - Displays the number of prefetch table hits.
Misses - Displays the total number of prefetch misses.
What This Report Tells You

The HTTP Stats report answers the following questions:

What was the overall percent increase in HTTP data transmitted over the WAN?
How many HTTP objects were requested?
How many HTTP objects were successfully obtained and transmitted over the WAN?
How many metadata responses and prefetch hits occurred per HTTP object?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected. Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used for calculating its average and peak value. However, due to performance and disk space considerations, data representation in reports for periods longer than the latest five minutes is interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.
To view the HTTP report

1. Choose Reports > Application Optimization > HTTP to display the HTTP page.

Figure HTTP Page

2. Use the controls to customize the report, as described in the following table.

Period - Select Past Hour, Past 24 Hours, Last 7 Days, Last 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, specify the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Group - Select the group from the drop-down list.
Refresh - Select the refresh time in minutes from the drop-down list.
Go - Displays the report.
3. Under Export, complete the configuration, as described in the following table.

Export To - Select or URL option from the drop-down list.
Addresses - Specify the address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Viewing NFS Reports

The NFS report summarizes NFS optimization statistics for the time period specified. The NFS report contains the following table of statistics that summarize NFS activity:

Local Responses - Specifies the number of NFS calls that were responded to locally.
Remote Responses - Specifies the number of NFS calls that were responded to remotely (that is, calls that traversed the WAN to the NFS server).
Total Delayed - Specifies the delayed calls which were responded to locally but not immediately (for example, reads which were delayed while a read ahead was occurring and were responded to from the data in the read ahead).
Total Reduction % - Specifies the percentage decrease of NFS calls over the WAN. For example, you might see an 85 percent reduction in NFS data (see the Data Reduction or the Traffic Summary report) and a 55 percent reduction in the number of NFS calls over the WAN (NFS Statistics report).
Peak Reduction % At <time> on <date> - Specifies the peak reduction and date and time at which it occurred.
Capacity Increase - Specifies the increase in the number of NFS calls that can be transmitted over the WAN.
What This Report Tells You

The NFS report answers the following questions:

How many NFS calls were answered locally and remotely?
How many delayed calls occurred for NFS activity?
What is the reduction in the number of NFS calls that went to the server?
What was the overall decrease in NFS calls transmitted over the WAN?
About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected.

About Report Data

The CMC is designed to retain statistics for up to a maximum of 3 years, based on daily statistics for 2,000 appliances monitoring TCP ports per Steelhead appliance. Factors that can influence this number include the number of monitored TCP ports, the number of active interfaces on managed appliances, and changes in the types and amounts of data collected in RiOS releases.

The CMC polls data every five minutes. In general, the CMC retains 5 minute granularity data points for a maximum of 30 days. 1 hour granularity data points are stored for a maximum of 90 days. Beyond 90 days, CMC retains 1 day granularity data points for up to 3 years. If the statistics exceed capacity, the CMC deletes the oldest data from each of the three granularities, while attempting to preserve as much recent data as it can.

Note: Be aware that if the CMC and remote appliances lose connectivity with each other, the bandwidth and connection data during the period of lost connectivity might be skewed. For example, if a remote appliance loses connectivity with the CMC for six hours, data for the missing six hours appears to be 0 in reports for periods of Last Day or Custom intervals smaller than one day. However, when the remote appliance re-establishes connectivity, it sends an aggregate data point for the last day.
Thus, reports for periods longer than Last Day do reflect bandwidth and connection data accurately. If you need to analyze data on the remote Steelhead appliance for the missing period, you can view this in the Central Management Console for the individual remote appliance.
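The retention tiers and the connectivity note above decide what resolution a Custom period can actually show, which matters when you go back to reconstruct a past event. The following Python sketch is an added example, not Riverbed code: the function names are hypothetical, 3 years is assumed to mean 3 x 365 days, and the tiers are the "in general" values stated above, so a CMC that is over capacity may hold less.

```python
from datetime import datetime, timedelta

# Format the Custom period Start Time / End Time fields use: YYYY/MM/DD HH:MM:SS
CMC_TIME_FORMAT = "%Y/%m/%d %H:%M:%S"

# (label, sample interval, maximum age) from the retention description above.
# Assumption: "3 years" is treated as 3 * 365 days.
RETENTION_TIERS = [
    ("5-minute", timedelta(minutes=5), timedelta(days=30)),
    ("1-hour", timedelta(hours=1), timedelta(days=90)),
    ("1-day", timedelta(days=1), timedelta(days=3 * 365)),
]


def parse_cmc_time(text):
    """Parse a timestamp written in the CMC Custom period format."""
    return datetime.strptime(text.strip(), CMC_TIME_FORMAT)


def plan_custom_period(start_text, end_text, now_text):
    """Split a Custom period into segments by the finest retained granularity.

    Returns a list of dicts (oldest segment first) with the granularity
    label, segment bounds and the number of data points to expect.
    """
    start = parse_cmc_time(start_text)
    end = parse_cmc_time(end_text)
    now = parse_cmc_time(now_text)
    if end <= start:
        raise ValueError("End Time must be later than Start Time")
    end = min(end, now)  # nothing has been polled for the future

    segments = []
    newer_edge = now  # newest timestamp served by the current tier
    for label, step, max_age in RETENTION_TIERS:
        older_edge = now - max_age
        seg_start = max(start, older_edge)
        seg_end = min(end, newer_edge)
        if seg_start < seg_end:
            segments.append({
                "granularity": label,
                "start": seg_start,
                "end": seg_end,
                "points": int((seg_end - seg_start) / step),
            })
        newer_edge = older_edge

    # Anything older than the last tier is no longer retained.
    if start < newer_edge:
        segments.append({
            "granularity": "not retained",
            "start": start,
            "end": min(end, newer_edge),
            "points": 0,
        })
    return sorted(segments, key=lambda seg: seg["start"])


def outage_may_read_as_zero(start_text, end_text):
    """True when the period is one day or shorter, the case in which a
    connectivity gap appears as 0 instead of the later aggregate point."""
    span = parse_cmc_time(end_text) - parse_cmc_time(start_text)
    return span <= timedelta(days=1)


if __name__ == "__main__":
    # Constructed sample window, evaluated as if "now" were 2012/12/31.
    for seg in plan_custom_period("2012/09/01 00:00:00",
                                  "2012/12/31 00:00:00",
                                  "2012/12/31 00:00:00"):
        print(seg["granularity"],
              seg["start"].strftime(CMC_TIME_FORMAT),
              seg["end"].strftime(CMC_TIME_FORMAT),
              seg["points"])
```

A window that returns mostly 1-day segments cannot confirm or rule out a short traffic spike, and a window of one day or less that covers a connectivity gap shows zeros that do not mean the link was idle.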
To view the NFS report

1. Choose Reports > Application Optimization > NFS to display the NFS page.

Figure NFS Page

2. Use the controls to customize the report, as described in the following table.

Period: Select Past Hour, Past 24 Hours, Last 7 Days, Last 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, specify the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Group: Select the group from the drop-down list.
Responses: Select the response option from the drop-down list.
Refresh: Select the refresh time in minutes from the drop-down list.
Go: Displays the report.
3. Under Export, complete the configuration, as described in the following table.

Export To: Select or URL option from the drop-down list.
Addresses: Specify the address of the recipient.
Destination URL: Specify the URL.
Format: Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report: For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now: Select Export Now to start the export immediately.
Schedule Export: Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export: Select Export to export the configuration.

Viewing SRDF Reports

The SRDF report presents information regarding optimized throughput and data reduction for EMC's Symmetrix Remote Data Facility (SRDF) protocol. The report measures only LAN-side traffic on an encoding Steelhead. You can view a summary of performance statistics for all optimized SRDF traffic, as well as drill into metrics for a specific EMC Symmetrix array or an individual remote data facility (RDF) group within an array.

SRDF reports contain the following information.

Symmetrix: Identifies the Symmetrix server ID. Use the protocol srdf CLI command to map a logical Symmetrix ID to its set of network IP addresses. The following commands create a Symmetrix ID, Sym1, and associate it with traffic originating from IP addresses and :
    protocol srdf symm id Sym1 address
    protocol srdf symm id Sym1 address
RiOS maps SRDF traffic originating from IP addresses that have not been mapped to a Symmetrix ID to the default Symmetrix ID, represented by DefaultSymm for this field.
RDF Group: Identifies the RDF group number. The Steelhead appliance automatically identifies and summarizes information by RDF group based on the SRDF traffic seen by the Steelhead appliance.
LAN Data: Displays the amount of data transmitted over the LAN during the selected time period.
Average LAN: Displays the average amount of data transmitted over the LAN during the selected time period.
WAN Data: Displays the amount of data transmitted over the WAN during the selected time period.
Average WAN: Displays the average amount of data transmitted over the WAN during the selected time period.
Data Reduction: Displays the decrease in the amount of data transmitted over the WAN.

You can also check the total optimized SRDF traffic throughput by viewing the Reports > WAN Optimization > Optimized Throughput report.

What This Report Tells You

The SRDF report answers the following questions:

How much total SRDF traffic is processing over time?
How much data reduction is being delivered overall?
How much data reduction is being delivered for individual RDF groups?
Which Symmetrix array is generating the most SRDF traffic?
How are SRDF traffic patterns changing over time?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like.

Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected.

Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used for calculating its average and peak value. However, due to performance and disk space considerations, data representation in reports for periods longer than the latest five minutes is interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.
To view the SRDF report

1. Choose Reports > Application Optimization > SRDF to display the SRDF page.

Figure SRDF Page
2. Use the controls to customize the report as described in the following table.

Period: Select Past Hour, Past 24 Hours, Last 7 Days, Last 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, specify the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Appliance: Select the appliance from the drop-down list.
Refresh: Select Off, 5 Minutes, 10 Minutes, or 15 Minutes from the drop-down list. The refresh rate does not affect polling. Polling occurs every 5 minutes.
Go: Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To: Select or URL option from the drop-down list.
Addresses: Specify the address of the recipient.
Destination URL: Specify the URL.
Format: Select HTML or PDF from the drop-down list.
Export Now: Select Export Now to start the export immediately.
Schedule Export: Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export: Select Export to export the configuration.

Tip: To print the report, choose File > Print in your Web browser to open the Print dialog box.

Viewing SSL Servers Reports

The SSL Servers report summarizes the SSL server connection requests and connection rate for the time period specified.

The SSL Servers report contains the following graphs:

SSL Connection Requests (Connections) - Summarizes the connection requests for the time period specified. The Connection Requests graph includes the following table of statistics that describe data activity for the application and the time period you specify.

Number of Established Sessions: Displays the number of established SSL connections.
Number of Requests: Displays the number of SSL requests.
Number of Failed Connections: Displays the number of failed SSL connections.
SSL Connection Rate (Connections Per Second) - Summarizes the average number of successfully completed SSL connections in one second. The SSL connection rate is also called SSL TPS (SSL Transactions per Second). The SSL Connection Rate graph includes the following table of statistics that describe data activity for the application and the time period you specify.

Average Connection Rate: Displays the average connection rate and the date and time at which it occurred.
Peak Connection Rate At <time> on <date>: Displays the peak connection rate for SSL connections for the date and time.
What This Report Tells You

The SSL Servers report answers the following questions:

What is the number of established SSL connections?
What is the number of SSL requests during a specified period of time?
What is the number of failed connections during a specified period of time?
What is the number of concurrent connections open at the current time?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like.

Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected.

Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used for calculating its average and peak value. However, due to performance and disk space considerations, data representation in reports for periods longer than the latest five minutes is interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.
To view the SSL Servers report

1. Choose Reports > Application Optimization > SSL Servers to display the SSL Servers page.

Figure SSL Servers Page

2. Use the controls to customize the report, as described in the following table.

Period: Select Past Hour, Past 24 Hours, Last 7 Days, Last 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, specify the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Group: Select the group from the drop-down list.
Refresh: Select the refresh time in minutes from the drop-down list.
Go: Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To: Select or URL option from the drop-down list.
Addresses: Specify the address of the recipient.
Destination URL: Specify the URL.
Format: Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report: For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now: Select Export Now to start the export immediately.
Schedule Export: Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export: Select Export to export the configuration.

Viewing DNS Cache Hits Reports

The DNS Cache Hits report provides a DNS cache hits graph for the time period specified. It contains the following table of statistics that summarize DNS activity.

Total Requests: Specifies the total number of DNS requests.
Total Hits: Specifies the total number of cache hits.
Hit %: Specifies the percentage of cache hits.

What This Report Tells You

The DNS Cache Hits report answers the following questions:

How many DNS requests occurred?
How many DNS entries were retrieved from the cache?
What percentage of DNS requests were cached?
What is the average number of cached entries?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like.
Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected.

Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used for calculating its average and peak value. However, due to performance and disk space considerations, data representation in reports for periods longer than the latest five minutes is interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.

To view the DNS Cache Hits report

1. Choose Reports > Application Optimization > DNS Cache Hits to display the DNS Cache Hits page.

Figure DNS Cache Hits Page
2. Use the controls to customize the report, as described in the following table.

Period: Select Past Hour, Past 24 Hours, Last 7 Days, Last 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, specify the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Group: Select the group from the drop-down list.
Refresh: Select the refresh time in minutes from the drop-down list.
Go: Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To: Select or URL option from the drop-down list.
Addresses: Specify the address of the recipient.
Destination URL: Specify the URL.
Format: Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report: For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now: Select Export Now to start the export immediately.
Schedule Export: Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export: Select Export to export the configuration.
Viewing DNS Cache Utilization Reports

The DNS Cache Utilization report provides a DNS cache utilization graph for the time period specified. It contains the following table of statistics that summarize DNS cache activity.

Average Cache Memory Utilization (B): Specifies the average cache memory used.
Average Cache Entries: Specifies the average number of entries in the cache.

What This Report Tells You

The DNS Cache Utilization report answers the following questions:

How much cache memory is used?
What is the average cache memory used?
How many DNS entries are in the cache?
What is the average number of DNS entries in the cache?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like.

Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected.

Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used for calculating its average and peak value. However, due to performance and disk space considerations, data representation in reports for periods longer than the latest five minutes is interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.
To view the DNS Cache Utilization report

1. Choose Reports > Application Optimization > DNS Cache Utilization to display the DNS Cache Utilization page.

Figure DNS Cache Utilization Page
2. Use the controls to customize the report, as described in the following table.

Period: Select Past Hour, Past 24 Hours, Last 7 Days, Last 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, specify the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Group: Select the group from the drop-down list.
Refresh: Select the refresh time in minutes from the drop-down list.
Go: Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To: Select or URL option from the drop-down list.
Addresses: Specify the address of the recipient.
Destination URL: Specify the URL.
Format: Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report: For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now: Select Export Now to start the export immediately.
Schedule Export: Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export: Select Export to export the configuration.
Data Store Statistics Reports

This section describes how to create managed Data Store Statistics reports and logs. This section includes the following topics:

Viewing Data Store Status Reports
Viewing Data Store SDR-Adaptive Reports
Viewing Data Store Disk Load Reports
Viewing Data Store Hit Rate Reports
Viewing Data Store IO Reports
Viewing Data Store Read Efficiency Reports

Viewing Data Store Status Reports

The Data Store Status report summarizes the current status and state of the RiOS data store synchronization process. If you have enabled RiOS data store synchronization, it summarizes the state of the replication process. This information is only available for Steelhead appliances. For details, see the Steelhead Management Console User's Guide.

The Data Store Status report contains the following table of statistics that summarizes RiOS data store activity.

Synchronization Connection: Indicates the status of the connection between the synched Steelheads.
Synchronization Catch-Up: Indicates the status of transferring data between the synched Steelheads. Catch-Up is used for synching data that was not synched during the Keep-Up phase.
Synchronization Keep-Up: Indicates the status of transferring new incoming data between the synched Steelheads.
Data Store Percentage Used (Since Last Clear): Specifies the percentage of the RiOS data store that is used.

What This Report Tells You

The Data Store Status report answers the following questions:

Is the synchronization connection active?
Is the Steelhead appliance in the Catch-up or Keep-up phase of RiOS data store synchronization?
What percentage of the RiOS data store is unused?
To view the Data Store Status report

Choose Reports > Data Store Statistics > Data Store Status to display the Data Store Status page.

Figure Data Store Status Page

Tip: To print the report, choose File > Print in your Web browser to open the Print dialog box.

Viewing Data Store SDR-Adaptive Reports

The Data Store SDR-Adaptive report summarizes:

how much adaptive compression is occurring in the RiOS data store using legacy mode. The report combines both the percentage due to local and remote adaptive compression (as signalled by the peers).
the percentage of the traffic, in bytes, which is adapted to in-memory-only (or transient), compared to the total SDR traffic (SDR-adaptive mode).

The Data Store SDR-Adaptive reports are applicable to a single Steelhead and cannot be viewed on a per-group basis.

The report contains the following table of statistics that summarizes RiOS data store adaptive compression activity, shown as a percent of total SDR data.

Maximum Compression Due To Disk Pressure at <time> on <date>: Specifies the maximum compression due to disk pressure for the date and time.
Minimum Compression Due To Disk Pressure at <time> on <date>: Specifies the minimum compression due to disk pressure for the date and time.
Average Compression Due To Disk Pressure: Specifies the average compression due to disk pressure for the date and time.
Maximum Compression Due To In-Path Rule at <time> on <date>: Specifies the maximum compression due to in-path rule for the date and time.
Minimum Compression Due To In-Path Rule at <time> on <date>: Specifies the minimum compression due to in-path rule for the date and time.
Average Compression Due To In-Path Rule: Specifies the average compression due to in-path rule for the date and time.
Maximum In-Memory SDR Due To Disk Pressure at <time> on <date>: Specifies the maximum in-memory SDR due to disk pressure for the date and time.
Minimum In-Memory SDR Due To Disk Pressure at <time> on <date>: Specifies the minimum in-memory SDR due to disk pressure for the date and time.
Average In-Memory SDR Due To Disk Pressure: Specifies the average in-memory SDR due to disk pressure for the date and time.
Maximum In-Memory SDR Due To In-Path Rule at <time> on <date>: Specifies the maximum in-memory SDR due to in-path rule for the date and time.
Minimum In-Memory SDR Due To In-Path Rule at <time> on <date>: Specifies the minimum in-memory SDR due to in-path rule for the date and time.
Average In-Memory SDR Due To In-Path Rule: Specifies the average in-memory SDR due to in-path rule for the date and time.

What This Report Tells You

The Data Store SDR-Adaptive report answers the following question:

What is relative adaptive compression when SDR-Adaptive is enabled at various times of the day?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like.

Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected.

Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used for calculating its average and peak value. However, due to performance and disk space considerations, data representation in reports for periods longer than the latest five minutes is interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.
To view the Data Store SDR-Adaptive report

1. Choose Reports > Data Store Statistics > Data Store SDR-Adaptive to display the Data Store SDR-Adaptive page.

Figure Data Store SDR-Adaptive Page

2. Use the controls to customize the report, as described in the following table.

Period: Select Past Hour, Past 24 Hours, Last 7 Days, Last 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, specify the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Group: Select the group from the drop-down list.
Refresh: Select the refresh time in minutes from the drop-down list.
Go: Displays the report.
3. Under Export, complete the configuration, as described in the following table.

Export To: Select or URL option from the drop-down list.
Addresses: Specify the address of the recipient.
Destination URL: Specify the URL.
Format: Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report: For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now: Select Export Now to start the export immediately.
Schedule Export: Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export: Select Export to export the configuration.

Viewing Data Store Disk Load Reports

The Data Store Disk Load report summarizes the RiOS data store disk load due to SDR-only as related to the benchmarked capacity of the RiOS data store.

Consider any value under 100 as healthy. Any value higher than 100 might indicate disk pressure. When a value is consistently higher than 100, contact Riverbed Professional Services for guidance on reconfiguring the RiOS data store to alleviate disk pressure.

The report contains the following table of statistics that summarizes the RiOS data store disk load.

Maximum Disk Load at <time> on <date>: Specifies the number of maximum disk load for the date and time.
Average Disk Load: Specifies the average disk load.
Minimum Disk Load at <time> on <date>: Specifies the number of maximum disk load for the date and time.

What This Report Tells You

The Data Store Disk Load report answers the following questions:

Is there any indication of disk pressure?
What is the disk load at different times of the day?

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used for calculating its average and peak value.
However, due to performance and disk space considerations, data representation in reports for periods longer than the latest five minutes is interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.
To view the Data Store Disk Load report

1. Choose Reports > Data Store Statistics > Data Store Disk Load to display the Data Store Disk Load page.

Figure Data Store Disk Load Page

2. Use the controls to customize the report, as described in the following table.

Period: Select Past Hour, Past 24 Hours, Last 7 Days, Last 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, specify the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Group: Select the group from the drop-down list.
Refresh: Select the refresh time in minutes from the drop-down list.
Go: Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To: Select or URL option from the drop-down list.
Addresses: Specify the address of the recipient.
Destination URL: Specify the URL.
Format: Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report: For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now: Select Export Now to start the export immediately.
Schedule Export: Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export: Select Export to export the configuration.

Viewing Data Store Hit Rate Reports

The Data Store Hit Rate report summarizes how many times the data-store disk and memory have seen a data segment. A hit is a data segment that has been seen before by the RiOS data store in the system. When a hit occurs, the system sends the reference to the data segment rather than the actual data over the WAN.

The Data Store Hit Rate report contains the following table of statistics that summarize RiOS data store activity.

Total Hits: Specifies the total number of hits against the RiOS data store. A hit is a data segment that has been seen before by the RiOS data store in the system. If a hit has occurred, the system sends the reference to the data rather than the actual data over the WAN.
Total Misses: Specifies the number of misses that occurred. A miss is an unmatched data segment: the RiOS data store has not seen the data segment before and must send all the data across the WAN. The data is LZ compressed, if LZ compression is enabled.
Maximum Hits at <time> on <date>: Specify the date and time of the maximum hits.
Maximum Misses at <time> on <date>: Specify the date and time of the maximum misses.

What This Report Tells You

The Data Store Hit Rate report answers the following questions:

How much optimization is occurring?
How much optimization occurred through SDR hits?
How much data traversed the WAN without optimization?
About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like.

Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred.
The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected.

Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used for calculating its average and peak value. However, due to performance and disk space considerations, data representation in reports for periods longer than the latest five minutes is interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.

To view the Data Store Hit Rate report

1. Choose Reports > Data Store Statistics > Data Store Hit Rate to display the Data Store Hit Rate page.

Figure Data Store Hit Rate Page

2. Use the controls to customize the report, as described in the following table.

Period - Select Past Hour, Past 24 Hours, Last 7 Days, Last 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, specify the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Group - Select the group from the drop-down list.
Refresh - Select the refresh time in minutes from the drop-down list.
Go - Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To - Select the email or URL option from the drop-down list.
Addresses - Specify the email address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF, select the check box to generate graphs per appliance. For CSV reports, select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Viewing Data Store IO Reports

The Data Store I/O report summarizes how the RiOS data store disk I/O is performing for the time period specified. It measures how many random reads and writes are occurring, where a low value indicates the most random I/O and larger values indicate more sequential I/O.

This report displays the following graphs:
- Data Store Cluster Average Reads Per Second - Plots the read cluster sizes for the time period you specify.
- Data Store Cluster Average Writes Per Second - Plots the write cluster sizes for the time period you specify.

The Data Store I/O report cluster graphs include the following statistics:

Average Cluster Reads Per Second - Specifies the average cluster read size per second.
Average Cluster Writes Per Second - Specifies the average cluster write size per second.
Maximum Cluster Reads Per Second at <time> on <date> - Specifies the number of maximum cluster reads per second for the time and date.
Maximum Cluster Writes Per Second at <time> on <date> - Specifies the number of maximum cluster writes per second for the time and date.

The Data Store I/O report also displays the following page graphs:
- Data Store Page Reads Per Second - Plots the page reads for the time period you specify.
- Data Store Page Writes Per Second - Plots the page writes for the time period you specify.

The Data Store I/O report page graphs include the following statistics:

Total Page Reads - Specifies the total page read counts.
Total Page Writes - Specifies the total page write counts.

What This Report Tells You

The Data Store I/O report answers the following questions:
- Is there any indication of disk pressure?
- What was the average cluster read and write size for the time period?
- What were the peak cluster read and write sizes for the time period?
- What was the average page read and write count for the time period?
- What was the peak page read and write count for the time period?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected. Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used in calculating the average and peak values. However, due to performance and disk space considerations, data in reports for periods longer than the latest five minutes is interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.

To view the Data Store IO report

1. Choose Reports > Data Store Statistics > Data Store IO to display the Data Store IO page.

Figure: Data Store IO Page

2. Use the controls to customize the report, as described in the following table.

Period - Select Past Hour, Past 24 Hours, Last 7 Days, Last 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, specify the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Appliance - Select the appliance from the drop-down list.
Refresh - Select the refresh time in minutes from the drop-down list.
Go - Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To - Select the email or URL option from the drop-down list.
Addresses - Specify the email address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF, select the check box to generate graphs per appliance. For CSV reports, select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Viewing Data Store Read Efficiency Reports

The Data Store Read Efficiency report summarizes how efficiently the RiOS data store disk is performing for the time period specified. The report includes a graph that displays a percentage breakdown of how much of each segment page has data in it for the time period you specify. This graph indicates how efficiently the RiOS data store is using a page after a disk read operation.

Maximum Read Efficiency at <time> on <date> - Specifies the maximum disk segment page utilization range as a percent of bytes used after reading a page.
Minimum Read Efficiency at <time> on <date> - Specifies the minimum disk segment page utilization range as a percent of bytes used after reading a page.
Average Read Efficiency - Specifies the average disk segment page utilization range as a percent of bytes used after reading a page.

What This Report Tells You

The Data Store Read Efficiency report answers the following question:
- What percent of the disk data that is read from the RiOS data store is actually used for active connections?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected. Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used in calculating the average and peak values. However, due to performance and disk space considerations, data in reports for periods longer than the latest five minutes is interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.

To view the Data Store Read Efficiency report

1. Choose Reports > Data Store Statistics > Data Store Read Efficiency to display the Data Store Read Efficiency page.

Figure: Data Store Read Efficiency Page

2. Use the controls to customize the report, as described in the following table.

Period - Select Past Hour, Past 24 Hours, Last 7 Days, Last 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, specify the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Appliance - Select the appliance from the drop-down list.
Refresh - Select the refresh time in minutes from the drop-down list.
Go - Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To - Select the email or URL option from the drop-down list.
Addresses - Specify the email address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF, select the check box to generate graphs per appliance. For CSV reports, select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Displaying Branch Storage Reports

This section describes how to create managed Branch Storage reports and logs. This section includes the following topics:
- Viewing the Granite LUN I/O Report
- Viewing the Granite Initiator I/O Report
- Viewing the Granite Network I/O Report
- Viewing the Granite Blockstore Metrics Report

Viewing the Granite LUN I/O Report

The Granite LUN I/O report summarizes the standard I/O data traffic read from and written to the selected LUN for the specified period of time.

The Granite LUN I/O report contains the following table of statistics that summarize the activity.

Total Bytes Read - Specifies the total number of bytes read over the WAN.
Average Read Throughput - Specifies the average read throughput.
Total Bytes Written - Specifies the total number of bytes written over the WAN.
Average Write Throughput - Specifies the average write throughput.
Average Read IOPS - Specifies the average read IOPS.
Average Write IOPS - Specifies the average write IOPS.
Average Read Latency - Specifies the average read latency.
Average Write Latency - Specifies the average write latency.

What This Report Tells You

The Granite LUN I/O report answers the following questions:
- How many megabytes have been written to and read from the selected LUN for the specified period?
- How many operations have been written to and read from the selected LUN for the specified period?
- What are the average read and write latencies for the selected LUN for the specified period?
- How many read hits and misses, in megabytes, were recorded for the selected LUN for the specified period?
- How many uncommitted bytes were recorded for the selected LUN for the specified period?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected.

To view the Granite LUN I/O report

1. Choose Reports > Branch Storage > Granite LUN I/O to display the Granite LUN I/O page.

Figure: Granite LUN I/O Page

2. Use the controls to customize the report as described in the following table.

Period - Select Last Five Minutes, Last Hour, Last Day, Last Week, Last Month, or Custom from the drop-down list. For Custom, type the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Appliance - Select the appliance from the drop-down list.
LUN - Select the LUN whose statistics you want to see from the drop-down list.
Refresh - Select Off, 5 Minutes, 10 Minutes, or 15 Minutes from the drop-down list.
Go - Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To - Select the email or URL option from the drop-down list.
Addresses - Specify the email address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF, select the check box to generate graphs per appliance. For CSV reports, select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Tip: To print the report, choose File > Print in your Web browser to open the Print dialog box.

Viewing the Granite Initiator I/O Report

The Granite Initiator I/O report summarizes the standard I/O data traffic read from and written to the selected initiator for the specified period of time.

The Granite Initiator I/O report contains the following table of statistics that summarize the activity.

Total Bytes Read - Specifies the total number of bytes read over the WAN.
Average Read Throughput - Specifies the average read throughput.
Total Bytes Written - Specifies the total number of bytes written over the WAN.
Average Write Throughput - Specifies the average write throughput.
Average Read IOPS - Specifies the average read IOPS.
Average Write IOPS - Specifies the average write IOPS.
Average Read Latency - Specifies the average read latency.
Average Write Latency - Specifies the average write latency.

What This Report Tells You

The Granite Initiator I/O report answers the following questions:
- How many bytes have been written to and read from the selected initiator for the specified period?
- How many operations have been written to and read from the selected initiator for the specified period?
- What are the average read and write latencies for the selected initiator for the specified period?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected.

To view the Granite Initiator I/O report

1. Choose Reports > Branch Storage > Granite Initiator I/O to display the Granite Initiator I/O page.

Figure: Granite Initiator I/O Page

2. Use the controls to customize the report as described in the following table.

Period - Select Last Five Minutes, Last Hour, Last Day, Last Week, Last Month, or Custom from the drop-down list. For Custom, type the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Appliance - Select the appliance from the drop-down list.
Initiator - Select the initiator whose statistics you want to see from the drop-down list.
LUN - Select the LUN from the drop-down list.
Refresh - Select Off, 5 Minutes, 10 Minutes, or 15 Minutes from the drop-down list.
Go - Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To - Select the email or URL option from the drop-down list.
Addresses - Specify the email address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF, select the check box to generate graphs per appliance. For CSV reports, select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Tip: To print the report, choose File > Print in your Web browser to open the Print dialog box.

Viewing the Granite Network I/O Report

The Granite Network I/O report summarizes the standard I/O data traffic read from and written to the selected initiator for the specified period of time.

The Granite Network I/O report contains the following table of statistics that summarize the activity.

Total Bytes Read and Prefetched from Granite Core - Specifies the total number of bytes read over the WAN.
Average Read + Prefetch Throughput - Specifies the average read throughput.
Total Bytes Written to Granite Core - Specifies the total number of bytes written over the WAN.
Average Write Throughput - Specifies the average write throughput.

What This Report Tells You

The Granite Network I/O report answers the following question:
- How many bytes have been written to and read from Granite Core?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected.

To view the Granite Network I/O report

1. Choose Reports > Branch Storage > Granite Network I/O to display the Granite Network I/O page.

Figure: Granite Network I/O Page

2. Use the controls to customize the report as described in the following table.

Period - Select Last Five Minutes, Last Hour, Last Day, Last Week, Last Month, or Custom from the drop-down list. For Custom, type the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Appliance - Select the appliance from the drop-down list.
Refresh - Select Off, 5 Minutes, 10 Minutes, or 15 Minutes from the drop-down list.
Go - Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To - Select the email or URL option from the drop-down list.
Addresses - Specify the email address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF, select the check box to generate graphs per appliance. For CSV reports, select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Tip: To print the report, choose File > Print in your Web browser to open the Print dialog box.

Viewing the Granite Blockstore Metrics Report

The Granite Blockstore Metrics report summarizes the standard I/O data traffic read from and written to the selected initiator for the specified period of time.

The Granite Blockstore Metrics report contains the following table of statistics that summarize the activity.

Hits - Specifies the number of hits.
Misses - Specifies the number of misses.
Hit Rate - Specifies the hit rate.
Bytes Written Blockstore - Specifies bytes written blockstore.
Uncommitted Bytes at <date> <time> - Specifies uncommitted bytes at a date and time.
Bytes Committed to Granite Core - Specifies the bytes committed to Granite Core.
Average Commit Throughput - Specifies the average committed throughput.
Average Commit Delay - Specifies the average committed delay.

What This Report Tells You

The Granite Blockstore Metrics report answers the following questions:
- How many read hits and misses, in megabytes, were recorded for the blockstore for the selected LUN for the specified period?
- How many uncommitted bytes were recorded for the blockstore for the selected LUN for the specified period?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected.

To view the Granite Blockstore Metrics report

1. Choose Reports > Branch Storage > Granite Blockstore Metrics to display the Granite Blockstore Metrics page.

Figure: Granite Blockstore Metrics Page

2. Use the controls to customize the report as described in the following table.

Period - Select Last Five Minutes, Last Hour, Last Day, Last Week, Last Month, or Custom from the drop-down list. For Custom, type the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Appliance - Select the appliance from the drop-down list.
LUN - Select the LUN whose statistics you want to see from the drop-down list.
Refresh - Select Off, 5 Minutes, 10 Minutes, or 15 Minutes from the drop-down list.
Go - Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To - Select the email or URL option from the drop-down list.
Addresses - Specify the email address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF, select the check box to generate graphs per appliance. For CSV reports, select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Tip: To print the report, choose File > Print in your Web browser to open the Print dialog box.

Displaying Appliance Diagnostics Reports

This section describes how to create managed Appliance Diagnostic reports and logs. This section includes the following topics:
- Viewing Appliance Details Reports
- Viewing Health Check Details Reports
- Viewing CPU Utilization Reports
- Viewing Memory Paging Reports
- Downloading Logs
- Viewing Expiring Certificates

Viewing Appliance Details Reports

The Appliance Details report displays details about the connected appliances such as status, performance, connection counts, and peers.

What This Report Tells You

The Appliance Details report answers the following questions:
- What is the model number?
- What is the hardware revision type?
- What is the serial number and the software version number currently installed on the appliance?
- Is the synchronization connection active?
- Is the Steelhead appliance in the Catch-up or Keep-up phase of RiOS data store synchronization?
- What percentage of the RiOS data store is unused?

About Report Data

The CMC is designed to retain statistics for up to a maximum of 3 years, based on daily statistics for 2,000 appliances monitoring TCP ports per Steelhead appliance. Factors that can influence this number include the number of monitored TCP ports, the number of active interfaces on managed appliances, and changes in the types and amounts of data collected in RiOS releases.

The CMC polls data every five minutes. In general, the CMC retains data points at 5-minute granularity for a maximum of 30 days. Data points at 1-hour granularity are stored for a maximum of 90 days. Beyond 90 days, the CMC retains data points at 1-day granularity for up to 3 years. If statistics exceed capacity, the CMC deletes the oldest data from each of the three granularities, while attempting to preserve as much recent data as it can.

To view the appliance details report

1. Choose Reports > Appliance Diagnostics > Appliance Details to display the Appliance Details page.

Figure: Appliance Details Page

2. Select the appliance from the drop-down list.

3. Under Status, you can view the following information, as described in the following table.

Status - Displays the status of the appliance:
- Appliance Reported Health - Provides the health status as reported by the managed appliance: Healthy, Healthy: Needs Attention, Degraded, and Critical. Also provides hardware model number, software version details, and links to the appliance logs.
- CMC Evaluated Health - Displays the CMC health status. The CMC can detect additional problems that the managed appliance cannot.
- Model - Displays the model number.
- Appliance Version - Displays the appliance version.
- Detailed Appliance Version - Displays detailed information about the appliance.
- RiOS Version - Displays the RiOS version.
- Granite Version - Displays the Granite version.
- Current ESXi Version - Displays the current ESXi version.
- Original ESXi Version - Displays the original ESXi version.
- ESXi Support Status - Displays the ESXi support status.

CMC Managed Appliance Alarms - Displays the different CMC appliance alarms. It displays the following CMC alarms:
- Appliance too slow to respond - It updates every five minutes.
- Configuration Change - It updates every five minutes.
- Duplex Interface - It updates every five minutes.
- High Appliance Usage Warning - It updates every five minutes.
- PFS and RSP enabled together - It updates every five minutes.
- Time drift - It updates every five minutes.
- Too Many Half Open/Closed Connections - It updates every 30 seconds.
- Unmanaged Appliances - It updates every 3 hours.
For more details on the alarms, see Setting Alarm Parameters.

4. Under Appliance Reported Alarms, you can view the following information, as described in the following table.

Admission Control - Enables an alarm and sends an email notification if the Steelhead enters admission control. When this occurs, the Steelhead optimizes traffic beyond its rated capability and is unable to handle the amount of traffic passing through the WAN link. During this event, the Steelhead continues to optimize existing connections, but new connections are passed through without optimization.
- Connection Limit - Indicates the system connection limit has been reached. Additional connections are passed through unoptimized. The alarm clears when the Steelhead appliance moves out of this condition.
- CPU - The appliance has entered admission control due to high CPU use. During this event, the appliance continues to optimize existing connections, but new connections are passed through without optimization. The alarm clears automatically when the CPU usage has decreased.
- MAPI - The total number of MAPI optimized connections has exceeded the maximum admission control threshold. By default, the maximum admission control threshold is 85% of the total maximum optimized connection count for the client-side Steelhead appliance. The Steelhead appliance reserves the remaining 15% so that the MAPI admission control does not affect the other protocols. The 85% threshold is applied only to MAPI connections. RiOS is now passing through MAPI connections from new clients but continues to intercept and optimize MAPI connections from existing clients (including new MAPI connections from these clients). RiOS continues optimizing non-MAPI connections from all clients. The alarm clears automatically when the MAPI traffic has decreased; however, it can take one minute for the alarm to clear.
  In RiOS v7.0, RiOS pre-emptively closes MAPI sessions to reduce the connection count in an attempt to bring the Steelhead appliance out of admission control by bringing the connection count below the 85% threshold. RiOS closes the MAPI sessions in the following order:
  - MAPI prepopulation connections
  - MAPI sessions with the largest number of connections
  - MAPI sessions with most idle connections
  - Most recently optimized MAPI sessions or oldest MAPI session
  - MAPI sessions exceeding the memory threshold
- Memory - The appliance has entered admission control due to memory consumption. The appliance is optimizing traffic beyond its rated capability and is unable to handle the amount of traffic passing through the WAN link. During this event, the appliance continues to optimize existing connections, but new connections are passed through without optimization. No other action is necessary; the alarm clears automatically when the traffic has decreased.
- TCP - The appliance has entered admission control due to high TCP memory use. During this event, the appliance continues to optimize existing connections, but new connections are passed through without optimization. The alarm clears automatically when the TCP memory pressure has decreased.
By default, this alarm is enabled.

Asymmetric Routing - Enables an alarm if asymmetric routing is detected on the network. This is usually due to a failover event of an inner router or VPN. By default, this alarm is enabled.
279 Displaying Appliance Diagnostics Reports Displaying and Customizing Reports Connection Forwarding CPU Utilization Enables an alarm if the system detects a problem with a connection-forwarding neighbor. The connection-forwarding alarms are inclusive of all connection-forwarding neighbors. For example, if a Steelhead appliance has three neighbors, the alarm triggers if any one of the neighbors are in error. In the same way, the alarm clears only when all three neighbors are no longer in error. Multiple Interface - Enables an alarm and sends an notification if the connection to a Steelhead appliance in a connection forwarding cluster is lost. Single Interface - Enables an alarm and sends an notification if the connection to a Steelhead appliance connection forwarding neighbor is lost. By default, this alarm is enabled. Enables an alarm and sends an notification if the average and peak threshold for the CPU utilization is exceeded. When an alarm reaches the rising threshold, it is activated; when it reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold. By default, this alarm is enabled, with a rising threshold of 90% and a reset threshold of 70%. Rising Threshold - Specify the rising threshold. When an alarm reaches the rising threshold, it is activated. The default value is 90%. Reset Threshold - Specify the reset threshold. When an alarm reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold. The default value is 70%. Data Store Disk Full Corruption - Enables an alarm and sends an notification if the RiOS data store is corrupt or has become incompatible with the current configuration. To clear the RiOS data store of data, restart the optimization service and click Clear the Data Store. 
If the alarm was caused by an unintended change to the configuration, the configuration can be changed to match the old RiOS data store settings again, and then a service restart (without clearing) will clear the alarm.
Encryption Level Mismatch - Enables an alarm and sends a notification if a data store error such as an encryption, header, or format error occurs.
Synchronization Error - Enables an alarm if RiOS data store synchronization has failed. The RiOS data store synchronization between two Steelheads has been disrupted and the RiOS data stores are no longer synchronized.
By default, this alarm is enabled.

Disk Full
Enables an alarm if the system partitions (not the RiOS data store) are full or almost full. For example, RiOS monitors the available space on /var, which is used to hold logs, statistics, system dumps, TCP dumps, and so on. By default, this alarm is enabled. This alarm monitors the following system partitions:
  / Full
  /boot Full
  /bootmgr
  /config Full
  /esxi Full
  /proxy Full
  /scratch Full
  /tmp/mnt/config Full
  /var Full

Domain Authentication Alert
Indicates that the system is either unable to communicate with the domain controller, or has detected an SMB signing error, or that delegation has failed. CIFS-signed and Encrypted-MAPI traffic is passed through without optimization. By default, this alarm is enabled.

Domain Join Error
Enables an alarm if an attempt to join a Windows domain has failed. The number one cause of failing to join a domain is a significant difference in the system time on the Windows domain controller and the Steelhead appliance. A domain join can also fail when the DNS server returns an invalid IP address for the domain controller. By default, this alarm is enabled.

Duplex
Enables an alarm and sends a notification if the system encounters a large number of packet errors in your network. By default, this alarm is enabled.

Hardware
Disk Error - Enables an alarm when one or more disks is offline. To see which disk is offline, enter the following CLI command from the system prompt:
  show raid diagram
By default, this alarm is enabled. This alarm applies only to the Steelhead appliance RAID Series 3000, 5000, and
Fan Error - Enables an alarm and sends a notification if a fan is failing or has failed and needs to be replaced. By default, this alarm is enabled.
Flash Error - Enables an alarm when the system detects an error with the flash drive hardware. By default, this alarm is enabled.
IPMI - Enables an alarm and sends a notification if an Intelligent Platform Management Interface (IPMI) event is detected. (Not supported on all appliance models.) This alarm triggers when there has been a physical security intrusion. The following events trigger this alarm:
  Chassis intrusion (physical opening and closing of the appliance case)
  Memory errors (correctable or uncorrectable ECC memory errors)
  Hard drive faults or predictive failures
  Power supply status or predictive failure
By default, this alarm is enabled.
Memory Error - Enables an alarm and sends a notification if a memory error is detected. For example, when a system memory stick fails.
Other Hardware Error - Enables an alarm if a hardware error is detected. The following issues trigger the hardware error alarm:
  The Steelhead appliance does not have enough disk, memory, CPU cores, or NIC cards to support the current configuration
  The Steelhead appliance is using a memory Dual In-line Memory Module (DIMM), a hard disk, or a NIC that is not qualified by Riverbed
  Other hardware issues
By default, this alarm is enabled.
Power Supply - Enables an alarm and sends a notification if an inserted power supply cord does not have power, as opposed to a power supply slot with no power supply cord inserted. By default, this alarm is enabled.
RAID - Enables an alarm and sends a notification if the system encounters an error with the RAID array (for example, missing drives, pulled drives, drive failures, and drive rebuilds). An audible alarm might also sound. To see if a disk has failed, enter the following CLI command from the system prompt:
  show raid diagram
For drive rebuilds, if a drive is removed and then reinserted, the alarm continues to be triggered until the rebuild is complete. Rebuilding a disk drive can take 4-6 hours. This alarm applies only to the Steelhead appliance RAID Series 3000, 5000, and
By default, this alarm is enabled.
SSD Write Cycle Level Exceeded - Enables an alarm if the accumulated SSD write cycles exceed a predefined write cycle 95% level on Steelhead appliance models 7050L and 7050M. If the alarm is triggered, the administrator can swap out the disk before any problems arise. For details, see the Riverbed Command-Line Interface Reference Manual. By default, this alarm is enabled.

Licensing
Enables an alarm and sends a notification if a license on the Steelhead is removed, is about to expire, has expired, or is invalid. This alarm triggers if the Steelhead has no MSPEC license installed for its currently configured model.
Appliance Unlicensed - This alarm triggers if the Steelhead appliance has no BASE or MSPEC license installed for its currently configured model.
Licenses Expired - This alarm triggers if one or more features has at least one license installed, but all of them are expired.
Licenses Expiring - This alarm triggers if the license for one or more features is going to expire within two weeks.
Note: The licenses expiring and licenses expired alarms are triggered per feature. For example, if you install two license keys for a feature, LK1-FOO-xxx (expired) and LK1-FOO-yyy (not expired), the alarms do not trigger, because the feature has one valid license.
By default, this alarm is enabled.

Link State
Enables an alarm and sends a notification if an Ethernet link is lost due to a network event. Depending on which link is down, the system might no longer be optimizing and a network outage could occur. This is often caused by surrounding devices, like routers or switches, transitioning their interfaces. This alarm also accompanies service or system restarts on the Steelhead. For WAN/LAN interfaces, the alarm triggers if in-path support is enabled for that WAN/LAN pair. By default, this alarm is disabled.

Memory Paging
Enables an alarm and sends a notification if memory paging is detected. If 100 pages are swapped every couple of hours, the system is functioning properly. If thousands of pages are swapped every few minutes, contact Riverbed Support at
By default, this alarm is enabled.

Neighbor Incompatibility
Enables an alarm if the system has encountered an error in reaching a Steelhead configured for connection forwarding.
By default, this alarm is enabled.

Network Bypass
Enables an alarm and sends a notification if the system is in bypass failover mode. By default, this alarm is enabled.

NFS V2/V4 Alarm
Enables an alarm and sends a notification if the Steelhead detects that either NFSv2 or NFSv4 is in use. The Steelhead only supports NFSv3 and passes through all other versions. By default, this alarm is enabled.

Optimization Service
Internal Error - Enables an alarm and sends a notification if the RiOS optimization service encounters a condition that might degrade optimization performance. By default, this alarm is enabled. Go to the Configure > Maintenance > Services page and restart the optimization service.
Service Status - Enables an alarm and sends a notification if the RiOS optimization service encounters a service condition. By default, this alarm is enabled. The message indicates the reason for the condition. The following conditions trigger this alarm:
  Configuration errors.
  A Steelhead appliance reboot.
  A system crash.
  An optimization service restart.
  A user enters the CLI command no service enable or shuts down the optimization service from the Management Console.
  A user restarts the optimization service from either the Management Console or CLI.
Unexpected Halt - Enables an alarm and sends a notification if the RiOS optimization service halts due to a serious software error. By default, this alarm is enabled.

Process Dump Creation Error
Enables an alarm and sends a notification if the system detects an error while trying to create a process dump. This alarm indicates an abnormal condition where RiOS cannot collect the core file after three retries. It can be caused when the /var directory is reaching capacity or other conditions. When the alarm is raised, the directory is blacklisted. By default, this alarm is enabled.

Riverbed Service Platform
Enables an alarm for Riverbed Service Platform.

Secure Vault
Enables an alarm and sends a notification if the system encounters a problem with the secure vault:
Secure Vault Locked - Indicates that the secure vault is locked. To optimize SSL connections or to use RiOS data store encryption, the secure vault must be unlocked. Go to Configure > Security > Secure Vault and unlock the secure vault.
Secure Vault New Password Recommended - Indicates that the secure vault requires a new, nondefault password. Re-enter the password.
Secure Vault Not Initialized - Indicates that an error has occurred while initializing the secure vault. When the vault is locked, SSL traffic is not optimized and you cannot encrypt the RiOS data store.

Software Version Mismatch
Enables an alarm if there is a mismatch between software versions in the Riverbed system. By default, this alarm is enabled.

SSL
Enables an alarm if an error is detected in your SSL configuration.
Non-443 SSL Servers - Indicates that during a RiOS upgrade (for example, from v5.5 to v6.0), the system has detected a pre-existing SSL server certificate configuration on a port other than the default SSL port 443. SSL traffic might not be optimized. To restore SSL optimization, you can add an in-path rule to the client-side Steelhead appliance to intercept the connection and optimize the SSL traffic on the nondefault SSL server port. After adding an in-path rule, you must clear this alarm manually by entering the following CLI command:
  stats alarm non_443_ssl_servers_detected_on_upgrade clear
SSL Certificates Error (SSL CAs) - Indicates that an SSL peering certificate has failed to re-enroll automatically within the Simple Certificate Enrollment Protocol (SCEP) polling interval.
SSL Certificates Error (SSL Peering CAs) - Indicates that an SSL peering certificate has failed to re-enroll automatically within the Simple Certificate Enrollment Protocol (SCEP) polling interval.
SSL Certificates Expiring - Indicates that an SSL certificate is about to expire.
SSL Certificates SCEP - Indicates that an SSL certificate has failed to re-enroll automatically within the SCEP polling interval.
By default, this alarm is enabled.

Storage Profile Switch Failed
Enables an alarm if the storage profile switch encountered a problem.

System Detail Report
Enables an alarm if a system component has encountered a problem. By default, this alarm is enabled.

Temperature
Critical Temperature - Enables an alarm and sends a notification if the CPU temperature exceeds the rising threshold. When the CPU returns to the reset threshold, the critical alarm is cleared. The default value for the rising threshold temperature is 70°C; the default reset threshold temperature is 67°C.
Warning Temperature - Enables an alarm and sends a notification if the CPU temperature approaches the rising threshold. When the CPU returns to the reset threshold, the warning alarm is cleared.

5. Under Performance, you can view the following information, as described in the following table.
Reduction - Displays the total decrease of data transmitted over the WAN.
Peak Throughput - Displays the peak data transmitted.
Data store Usage - Displays the percent of RiOS data store usage.

6. Under Connection Counts, you can view the following information, as described in the following table.
Established (Optimized) - Displays the total established active connections.
Half Opened (Optimized) - Displays the total half-opened active connections. A half-opened connection is a TCP connection in which the connection has not been fully established. Half-opened connections count toward the connection count limit on the appliance because, at any time, they might become a fully opened connection. If you are experiencing a large number of half-opened connections, you might consider a more appropriately sized appliance.
Half Closed (Optimized) - Displays the total half-closed active connections. Half-closed connections are connections which the appliance has intercepted and optimized but are in the process of becoming inactive. These connections are counted toward the connection count limit on the appliance. (Half-closed connections might remain if the client or server does not close their connections cleanly.) If you are experiencing a large number of half-closed connections, you might consider a more appropriately sized appliance.
Pass Through - Displays the total connections passed through, unoptimized when the connection limit has been reached.
Total - Displays the sum of the counts described above.

7. Under Data Store Status, you can view the following information, as described in the following table.
Synchronization Connection - Indicates the status of the connection between the synched Steelhead appliances.
Synchronization Catch-Up - Indicates the status of transferring data between the synched Steelhead appliances. Catch-Up is used for synching data that was not synched during the Keep-Up phase.
Synchronization Keep-Up - Indicates the status of transferring new incoming data between the synched Steelhead appliances.
Data Store Percentage Used (Since Last Clear) -
Specifies the percentage of the RiOS data store that is used.

8. Under Peers, you can view the IP address, name, model, version, and license information for peer appliances.

9. Click View Appliance Config to view the appliance configuration. For more details, see the Steelhead Management Console User's Guide.

10. Under System Details, you can view the following information, as described in the following table.
Module - Specifies the Steelhead appliance module. Select a module name to view details. A right arrow to the left of a module indicates that the report includes detailed information about a submodule. Click the arrow to view submodule details. This report examines the following modules:
CPU - Displays information on idle time, system time, and user time per CPU.
Memory - Displays information on total, used, and free memory by percentage and in KBs.
CIFS - Click the right arrow and the submodule name to view details for unexpected shut downs and round trip statistics.
HTTP - Click the right arrow and the submodule name to view details for the URL Learning, Parse and Prefetch, and Object Prefetch Table optimization schemes.
Intercept - Click the right arrow to view statistics for message queue, GRE, and WCCP. Also includes table length and watchdog status.
MAPI - Click the right arrow and the submodule name to view details for:
  Accelerators - Displays how many accelerator objects have been created for readahead, writebehind, and cached-mode folder synchronization. One accelerator object corresponds to the optimization of one particular Outlook action: Readahead is for downloading an attachment (in non-cached Outlook mode or for public folders). Writebehind is for uploading an attachment. Cache-sync is for downloading the new contents of a folder (in cached mode).
  Requests and responses - Displays the number of MAPI round trips used and saved. Includes the number of responses and faults along with the fault reason. For example, access denied.
  MAPI decryption and encryption (RPCCR) - Displays whether MAPI decryption and encryption is enabled.
Includes the number of client and server-side Steelhead appliance encrypted MAPI sessions, along with details on how many sessions were not encrypted, how many sessions were successfully decrypted and encrypted, how many sessions were passed-through, and how many experienced an authentication failure.
  Connection sessions - Displays the number of client and server-side Steelhead appliance MAPI sessions, counting the number of MAPI 2000, 2003, 2007, and pass-through sessions.
MS-SQL - Displays whether MS-SQL optimization is enabled.
Oracle Forms - Click the right arrow and submodule name to view details for native and HTTP mode key
Secure Peering - Click the right arrow and submodule name to view details for secure inner channels, including information on certificate and private key validity, peer Steelhead appliance trust, and blacklisted servers.
SSL - Displays whether SSL optimization is enabled and details about the SSL configuration such as which advanced settings are in use. Click the right arrow and the submodule name to view details for the SSL outer and inner channels.
Status - Displays one of the following results:
  OK (Green)
  Warning (Yellow)
  Error (Red)
  Disabled (Gray). Appears when you manually disable the module.

Viewing Health Check Details Reports

The Health Check report displays details about the health of the Steelhead and Steelhead EX appliances. The Steelhead must be running v6.0 or greater to view this page. The Health Check details report provides the following health checks for an appliance.
Gateway Test - Pings each configured gateway.
Cable Swap Test - Tests if LAN and WAN ports are correctly facing their respective networks.
Duplex Test - Tests a given interface for correct duplex settings.
Peer Reachability Test - Sends a test probe to a specified peer.
IP-Port Reachability Test - Tests if a specified IP address and optional port are connected.

What This Report Tells You

The Health Check report answers the following question:
  Are the LAN and WAN ports correctly facing their networks?

About Report Data

The CMC is designed to retain statistics for up to a maximum of 3 years, based on daily statistics for 2,000 appliances monitoring TCP ports per Steelhead appliance. Factors that can influence this number include the number of monitored TCP ports, the number of active interfaces on managed appliances, and changes in the types and amounts of data collected in RiOS releases. The CMC polls data every five minutes. In general, the CMC retains 5 minute granularity data points for a maximum of 30 days. 1 hour granularity data points are stored for a maximum of 90 days. Beyond 90 days, the CMC retains 1 day granularity data points for up to 3 years. In case of stats in excess of capacity, the CMC deletes the oldest data from each of the three granularities, while attempting to preserve as much recent data as it can.
Note: Be aware that if the CMC and remote appliances lose connectivity with each other, the bandwidth and connection data during the period of lost connectivity might be skewed. For example, if a remote appliance loses connectivity with the CMC for six hours, data for the missing six hours appears to be 0 in reports for periods of Last Day or Custom intervals smaller than one day. However, when the remote appliance re-establishes connectivity, it sends an aggregate data point for the last day. Thus, reports for periods longer than Last Day do reflect bandwidth and connection data accurately. If you need to analyze data on the remote Steelhead appliance for the missing period, you can view this in the Central Management Console for the individual remote appliance.

To view the Health Check details report
1. Choose Reports > Appliance Diagnostics > Health Check to display the Health Check page.
2. Select the appliance you want to view from the drop-down list to display the Health Check Details page.
Figure: Health Check Page
3. Select the check box next to the test, and click Run Selected to run the test.
4. Click View Test Output to display the test results.

Viewing CPU Utilization Reports

The CPU Utilization report summarizes the percentage of the CPU used on the CMC machine within the time period specified. Typically, a Steelhead appliance operates on approximately percent CPU capacity during non-peak hours and approximately percent capacity during peak hours. No single Steelhead appliance CPU usage should exceed 90 percent. The CMC cannot display memory and CPU stats for the SMC.

What This Report Tells You

The CPU Utilization report answers the following questions:
  How much of the CPU is being used?
  What is the average and peak percentage of the CPU being used?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as gigabytes of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected. Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

To view the CPU Utilization report
1. Choose Reports > Appliance Diagnostics > CPU Utilization to display the CPU Utilization page.
Figure: CPU Utilization Page
2. Use the controls to customize the report, as described in the following table.
Period - Select Past Hour, Past 24 Hours, Last 7 Days, Last 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, specify the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Appliance - Select the appliance from the drop-down list.
Refresh - Select the refresh time in minutes from the drop-down list.
Go - Displays the report.
3. Under Export, complete the configuration, as described in the following table.
Export To - Select or URL option from the drop-down list.
Addresses - Specify the address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Viewing Memory Paging Reports

The Memory Paging report provides the total number of memory pages, per second, utilized by the CMC in the time period specified. The CMC cannot display memory and CPU stats for the SMC. The Memory Paging report includes the following table of statistics that describe memory paging activity for the time period you specify.
Total Pages Swapped Out - Displays the total number of pages swapped. If 100 pages are swapped approximately every two hours the CMC is functioning properly. If thousands of pages are swapped every few minutes, contact Riverbed Support at
Average Pages Swapped Out - Displays the average number of pages swapped. If 100 pages are swapped every couple of hours the CMC is functioning properly. If thousands of pages are swapped every few minutes, contact Riverbed Support at
Maximum Pages Swapped out at <time> on <date> - Specifies the number of maximum pages swapped out for the date and time.

What This Report Tells You

The Memory Paging report answers the following questions:
  How much memory is being used?
  What is the average and peak amount of memory pages swapped?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as gigabytes of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected. Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

To view the Memory Paging report
1. Choose Reports > Appliance Diagnostics > Memory Paging to display the Memory Paging page.
Figure: Memory Paging Page
2. Use the controls to customize the report, as described in the following table.
Period - Select Past Hour, Past 24 Hours, Last 7 Days, Last 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, specify the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Appliance - Select the appliance from the drop-down list.
Refresh - Select the refresh time in minutes from the drop-down list.
Go - Displays the report.
3. Under Export, complete the configuration, as described in the following table.
Export To - Select or URL option from the drop-down list.
Addresses - Specify the address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Downloading Logs

You can download all the messages, user messages, web access logs, and web error log in the tar.gz format from an appliance or group of appliances in the Download Logs page. The name of the tar files includes a serial number to distinguish between the different appliances. The Transfer Appliance Logs option enables you to collect individual appliance logs. The Transfer Appliance Group Logs option enables you to collect logs for several appliances at once as a group.

About Report Data

The CMC is designed to retain statistics for up to a maximum of 3 years, based on daily statistics for 2,000 appliances monitoring TCP ports per Steelhead appliance. Factors that can influence this number include the number of monitored TCP ports, the number of active interfaces on managed appliances, and changes in the types and amounts of data collected in RiOS releases. The CMC polls data every five minutes. In general, the CMC retains 5 minute granularity data points for a maximum of 30 days. 1 hour granularity data points are stored for a maximum of 90 days. Beyond 90 days, the CMC retains 1 day granularity data points for up to 3 years.
In case of stats in excess of capacity, the CMC deletes the oldest data from each of the three granularities, while attempting to preserve as much recent data as it can.
Note: Be aware that if the CMC and remote appliances lose connectivity with each other, the bandwidth and connection data during the period of lost connectivity might be skewed. For example, if a remote appliance loses connectivity with the CMC for six hours, data for the missing six hours appears to be 0 in reports for periods of Last Day or Custom intervals smaller than one day. However, when the remote appliance re-establishes connectivity, it sends an aggregate data point for the last day. Thus, reports for periods longer than Last Day do reflect bandwidth and connection data
accurately. If you need to analyze data on the remote Steelhead appliance for the missing period, you can view this in the Central Management Console for the individual remote appliance.

To transfer appliance log files report
1. Choose Reports > Appliance Diagnostics > Download Logs to display the Download Logs page.
2. Under Transfer Appliance Logs, select the appliance from the drop-down list.
Figure: Transfer Appliance Logs Section
3. Select Transfer to a remote path to upload logs to a SCP or FTP server, and enter the URL.
OR
Select Download in Browser to download files locally, and click Transfer Logs. The logs are now available as a tar file.

To transfer group log files report
1. Choose Reports > Appliance Diagnostics > Download Logs to display the Download Logs page.
2. Under Transfer Group Logs, select the group you want to transfer from the drop-down list.
Figure: Transfer Group Logs Section
3. Type the URL in the Select Destination for logs to upload logs to a HTTP or FTP server.
4. Click Transfer Logs. The logs are now available as a tar file.

Viewing Expiring Certificates

The Expiring Certificates report displays the SSL certificates that have expired or will expire within sixty days. The report displays certificate location, policy or appliance to which it is applied, and the certificate name.
Certificate Location - Displays the certificate location.
Policy/Appliance - Displays the policy and appliance.
Certificate - Displays the certificates.
Expiration Date - Displays the expiration date of the certificate.

What This Report Tells You

The Expiring Certificates report answers the following questions:
  What certificates are expired or within sixty days of expiring?
  Where are the certificates applied?
  What is the certificate location?

About Report Data

The Riverbed reporting functionality polls bandwidth and connection metrics every 15 seconds and reports on performance for periods up to one month. Every 15-second sample is used for calculating its average and peak value. However, due to performance and disk space considerations, data representation in reports for periods longer than the latest five minutes are interpolated between data points obtained by aggregating more than one 15-second sample. The display granularity decreases with time passed since data was sampled.

To view the Expiring Certificates report
Choose Reports > Appliance Diagnostics > Expiring Certificates to display the Expiring Certificates page.
Figure: Expiring Certificates Page

Displaying CMC Diagnostics Reports and Logs

This section describes how to display CMC diagnostics reports and logs. This section includes the following topics:
  Viewing the Alarm Status Report
- Viewing CPU Utilization Report
- Viewing Memory Paging Report
- Viewing User Logs Report
- Viewing System Logs Reports
- Downloading User Logs Report
- Downloading System Log Files Reports
- Viewing the System Dumps List Report
- Viewing Process Dump List Reports
- Viewing the TCP Dumps List Reports

Viewing the Alarm Status Report

The alarm status falls into one of the following states:

- Needs Attention - Accompanies a healthy state to indicate management-related issues not affecting the ability of the Steelhead appliance to optimize traffic.
- Degraded - The Steelhead appliance is optimizing traffic but the system has detected an issue.
- Admission - The Steelhead appliance is optimizing traffic but has reached its connection limit.
- Critical - The Steelhead appliance might or might not be optimizing traffic; you need to address a critical issue.
- Suppressed - Appears after a child alarm when its parent alarm is disabled on the Configure > System Settings > Alarms page.
- Disabled - Appears when a child alarm is disabled even though its parent alarm is enabled.

The Alarm Status report provides the status for the CMC alarms and includes the following alarm information.

Alarm - Reason

CMC Appliance Configuration Backup - Indicates when the daily backup failed.
CMC External Configuration Backup/Restore - Indicates when the external configuration backup failed. It updates every 30 seconds.
CMC External Statistics Backup/Restore - Indicates when the external statistics backup failed. It updates every 30 seconds.
CPU Utilization - Indicates that the system has reached the CPU threshold for any of the CPUs in the Steelhead appliance. If the system has reached the CPU threshold, check your settings. If your alarm thresholds are correct, reboot the Steelhead appliance.
If more than 100 MBs of data is moved through a Steelhead appliance while performing PFS synchronization, the CPU utilization might become high and result in a CPU alarm. This CPU alarm is not cause for concern.
Disk Full - Indicates that the system partitions (not the RiOS data store) are full or almost full. For example, RiOS monitors the available space on /var which is used to hold logs, statistics, system dumps, TCP dumps, and so on. This alarm monitors the following system partitions:
  - Partition / Free Space
  - Partition /boot Free Space
  - Partition /bootmgr Free Space
  - Partition /config Free Space
  - Partition /flash/cfg Free Space
  - Partition /flash/img1 Free Space
  - Partition /flash/img2 Free Space
  - Partition /proxy Free Space
  - Partition /var Free Space
Hardware
  - Fan Error - Indicates a fan is failing or has failed and needs to be replaced.
  - Flash Error - Indicates an error with the flash drive hardware.
  - IPMI - Indicates an Intelligent Platform Management Interface (IPMI) event. (Not supported on all appliance models.) This alarm triggers when there has been a physical security intrusion. The following events trigger this alarm:
    - chassis intrusion (physical opening and closing of the appliance case)
    - memory errors (correctable or uncorrectable ECC memory errors)
    - hard drive faults or predictive failures
    - power supply status or predictive failure
    By default, this alarm is enabled.
  - Memory Error - Indicates a memory error. For example, when a system memory stick fails.
  - Power Supply - Indicates an inserted power supply cord does not have power, as opposed to a power supply slot with no power supply cord inserted.
Licensing - Indicates whether your licenses are current.
  - Insufficient Appliance Management License(s) - This alarm triggers if there are not enough licenses to manage all connected appliances.
  - Invalid License(s) - This alarm triggers if there is any invalid license.
  - Licenses Expired - This alarm triggers if one or more features has at least one license installed, but all of them are expired.
  - Licenses Expiring - This alarm triggers if the license for one or more features is going to expire within two weeks.
  - License(s) Missing - This alarm triggers if any licenses are missing.
  Note: The licenses expiring and licenses expired alarms are triggered per feature. For example, if you install two license keys for a feature, LK1-FOO-xxx (expired) and LK1-FOO-yyy (not expired), the alarms do not trigger, because the feature has one valid license.
Link State - Indicates that the system has detected a link that is down. You are notified through SNMP traps, email, and alarm status.
  - Interface aux Link Error
  - Interface primary Link Error
Memory Paging - Indicates that the system has reached the memory paging threshold. If 100 pages are swapped approximately every two hours, the Steelhead appliance is functioning properly. If thousands of pages are swapped every few minutes, then reboot the Steelhead appliance. If rebooting does not solve the problem, contact Riverbed Support.
Process Dump Staging Directory Inaccessible - Indicates that the system has detected an error while trying to create a process dump. Contact Riverbed Support to correct the issue.
Secure Vault - Indicates a problem with the secure vault.
  - Secure Vault Locked - Needs Attention - Indicates that the secure vault is locked. To optimize SSL connections or to use RiOS data store encryption, the secure vault must be unlocked. Go to Configure > Security > Secure Vault and unlock the secure vault.
  - Secure Vault New Password Recommended - Degraded - Indicates that the secure vault requires a new, non-default password. Reenter the password.
  - Secure Vault Not Initialized - Critical - Indicates that an error has occurred while initializing the secure vault. When the vault is locked, SSL traffic is not optimized and you cannot encrypt the RiOS data store.
SSL - Indicates an error has been detected in your secure vault or SSL configuration.
  - Non-443 SSL Servers - Indicates that during a RiOS upgrade (for example, from v5.5 to v6.0), the system has detected a preexisting SSL server certificate configuration on a port other than the default SSL port 443. SSL traffic might not be optimized. To restore SSL optimization, you can add an in-path rule to the client-side Steelhead appliance to intercept the connection and optimize the SSL traffic on the non-default SSL server port.
    After adding an in-path rule, you must clear this alarm manually by entering the following CLI command:
    stats alarm non_443_ssl_servers_detected_on_upgrade clear
  - SSL Certificates Error - Indicates that an SSL peering certificate has failed to reenroll automatically within the Simple Certificate Enrollment Protocol (SCEP) polling interval.
  - SSL Certificates Expiring - Indicates that an SSL certificate is about to expire.
  - SSL Certificates SCEP - Indicates that an SSL certificate has failed to reenroll automatically within the SCEP polling interval.
Temperature - Indicates a problem with the temperature.
  - Critical Temperature - Enables an alarm and sends an email notification if the CPU temperature exceeds the rising threshold. When the CPU returns to the reset threshold, the critical alarm is cleared. The default value for the rising threshold temperature is 70°C; the default threshold temperature is 67°C.
  - Warning Temperature - Enables an alarm and sends an email notification if the CPU temperature approaches the rising threshold. When the CPU returns to the reset threshold, the warning alarm is cleared.

What This Report Tells You

The Alarm Status report answers the following question:

- What is the current status of the CMC?
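
The per-feature rule in the Licensing note of the alarm table above, worked through as an added Python example (it is not Riverbed code). It assumes that a feature stays licensed until its longest-lived key expires, that a key is valid through its expiry date, and that the caller knows which feature each key belongs to; the keys and dates are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

EXPIRING_WINDOW = timedelta(weeks=2)  # "within two weeks", from the alarm table


@dataclass(frozen=True)
class LicenseKey:
    key: str       # constructed sample key such as "LK1-FOO-xxx"
    feature: str   # feature the key belongs to (assumed known to the caller)
    expires: date  # last day on which the key is valid (assumption)


def license_alarms(keys, today):
    """Return the features behind the Licenses Expired and Licenses Expiring alarms."""
    by_feature = defaultdict(list)
    for k in keys:
        by_feature[k.feature].append(k)

    alarms = {"expired": [], "expiring": []}
    for feature, installed in sorted(by_feature.items()):
        # Assumption: one key that is still valid keeps the whole feature
        # licensed, so only the latest expiry date per feature matters.
        latest = max(k.expires for k in installed)
        if latest < today:
            alarms["expired"].append(feature)    # every installed key is expired
        elif latest - today <= EXPIRING_WINDOW:
            alarms["expiring"].append(feature)   # the last valid key runs out soon
    return alarms


# Constructed inventory and evaluation date.
TODAY = date(2012, 12, 1)
SAMPLE_KEYS = [
    LicenseKey("LK1-FOO-xxx", "FOO", date(2012, 6, 30)),   # expired
    LicenseKey("LK1-FOO-yyy", "FOO", date(2013, 12, 31)),  # valid: FOO raises no alarm
    LicenseKey("LK1-BAR-xxx", "BAR", date(2012, 11, 1)),   # only key, expired
    LicenseKey("LK1-BAZ-xxx", "BAZ", date(2012, 12, 5)),   # both keys end inside
    LicenseKey("LK1-BAZ-yyy", "BAZ", date(2012, 12, 10)),  # the two-week window
    LicenseKey("LK1-QUX-xxx", "QUX", date(2012, 12, 5)),   # ends soon, but ...
    LicenseKey("LK1-QUX-yyy", "QUX", date(2013, 12, 31)),  # ... this key covers QUX
]

if __name__ == "__main__":
    for alarm, features in license_alarms(SAMPLE_KEYS, TODAY).items():
        print(alarm, features)
```
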

About Report Data

The CMC is designed to retain statistics for up to a maximum of 3 years, based on daily statistics for 2,000 appliances monitoring TCP ports per Steelhead appliance. Factors that can influence this number include the number of monitored TCP ports, the number of active interfaces on managed appliances, and changes in the types and amounts of data collected in RiOS releases.

The CMC polls data every five minutes. In general, the CMC retains 5-minute granularity data points for a maximum of 30 days. 1-hour granularity data points are stored for a maximum of 90 days. Beyond 90 days, the CMC retains 1-day granularity data points for up to 3 years. In case of stats in excess of capacity, the CMC deletes the oldest data from each of the three granularities, while attempting to preserve as much recent data as it can.

Note: Be aware that if the CMC and remote appliances lose connectivity with each other, the bandwidth and connection data during the period of lost connectivity might be skewed. For example, if a remote appliance loses connectivity with the CMC for six hours, data for the missing six hours appears to be 0 in reports for periods of Last Day or Custom intervals smaller than one day. However, when the remote appliance re-establishes connectivity, it sends an aggregate data point for the last day. Thus, reports for periods longer than Last Day do reflect bandwidth and connection data accurately. If you need to analyze data on the remote Steelhead appliance for the missing period, you can view this in the Central Management Console for the individual remote appliance.

To view the Alarm Status report

Choose Reports > CMC Diagnostics > Alarm Status to display the Alarm Status page.

Figure: Alarm Status Page

Viewing CPU Utilization Report

The CPU Utilization report summarizes the percentage of the CPU used within the time period specified.

Typically, a Steelhead appliance operates on approximately percent CPU capacity during non-peak hours and approximately percent capacity during peak hours. No single Steelhead appliance CPU usage should exceed 90 percent.

What This Report Tells You

The CPU Utilization report answers the following questions:

- How much of the CPU is being used?
- What is the average and peak percentage of the CPU being used?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected. Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

About Report Data

The CMC is designed to retain statistics for up to a maximum of 3 years, based on daily statistics for 2,000 appliances monitoring TCP ports per Steelhead appliance. Factors that can influence this number include the number of monitored TCP ports, the number of active interfaces on managed appliances, and changes in the types and amounts of data collected in RiOS releases.

The CMC polls data every five minutes. In general, the CMC retains 5-minute granularity data points for a maximum of 30 days. 1-hour granularity data points are stored for a maximum of 90 days. Beyond 90 days, the CMC retains 1-day granularity data points for up to 3 years.
In case of stats in excess of capacity, the CMC deletes the oldest data from each of the three granularities, while attempting to preserve as much recent data as it can.

Note: Be aware that if the CMC and remote appliances lose connectivity with each other, the bandwidth and connection data during the period of lost connectivity might be skewed. For example, if a remote appliance loses connectivity with the CMC for six hours, data for the missing six hours appears to be 0 in reports for periods of Last Day or Custom intervals smaller than one day. However, when the remote appliance re-establishes connectivity, it sends an aggregate data point for the last day. Thus, reports for periods longer than Last Day do reflect bandwidth and connection data accurately. If you need to analyze data on the remote Steelhead appliance for the missing period, you can view this in the Central Management Console for the individual remote appliance.

To view the CPU Utilization report

1. Choose Reports > CMC Diagnostics > CPU Utilization to display the CPU Utilization page.

Figure: CPU Utilization Page

2. Use the controls to customize the reports, as described in the following table.

Period - Select Past Hour, Past 24 Hours, Last 7 Days, Last 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, specify the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Refresh - Select the refresh time in minutes from the drop-down list.
Go - Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To - Select Email or URL option from the drop-down list.
Email Addresses - Specify the email address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF, select the check box to generate graphs per appliance. For CSV Reports, select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Viewing Memory Paging Report

The Memory Paging report provides the total number of memory pages, per second, utilized in the time period specified. It includes the following table of statistics that describe memory paging activity for the time period you specify.

Total Pages Swapped Out - Specifies the total number of pages swapped. If 100 pages are swapped approximately every two hours, the Steelhead appliance is functioning properly. If thousands of pages are swapped every few minutes, contact Riverbed Support.
Average Pages Swapped Out - Specifies the average number of pages swapped. If 100 pages are swapped every couple of hours, the Steelhead appliance is functioning properly. If thousands of pages are swapped every few minutes, contact Riverbed Support.
Peak Pages Swapped Out at <time> on <date> - Specifies the date and time that the peak number of pages were swapped.

What This Report Tells You

The Memory Paging report answers the following questions:

- How much memory is being used?
- What is the average and peak amount of memory pages swapped?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like. Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak occurred. The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average value for the time period selected. Pie chart graphs do not indicate peaks or averages.
Pie chart graphs represent the aggregate for the time period selected.

To view the Memory Paging report

1. Choose Reports > CMC Diagnostics > Memory Paging to display the Memory Paging page.

Figure: Memory Paging Page

2. Use the controls to customize the reports, as described in the following table.

Period - Select Past Hour, Past 24 Hours, Last 7 Days, Last 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, specify the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Refresh - Select the refresh time in minutes from the drop-down list.
Go - Displays the report.

3. Under Export, complete the configuration, as described in the following table.

Export To - Select Email or URL option from the drop-down list.
Email Addresses - Specify the email address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF, select the check box to generate graphs per appliance. For CSV Reports, select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

Viewing Logs

CMC appliance log reports provide a high-level view of network activity. You can view both user and system logs.

- Viewing User Logs Report
- Viewing System Logs Reports

Viewing User Logs Report

You can view user logs in the View User Logs page. View user logs to monitor user activity. The user log filters messages from the system log to display messages that are of immediate use to the system administrator.

View user logs to monitor system activity and to troubleshoot problems. For example, you can monitor who logged in, who logged out, and who entered particular CLI commands, alarms and errors. The most recent log events are listed first.

To view user logs

1. Choose Reports > CMC Diagnostics > User Logs to display the User Logs page.

Figure: User Logs Page

2. Use the controls to customize the report, as described in the following table.

Show - Select Current Log or one of the archived logs from the drop-down list.
Lines per page - Specify the number of lines you want to display on the page.
Jump to - Select one of the following options from the drop-down list:
  - Page - Specify the number of pages you want to display.
  - Time - Specify the date and time (MM/DD HH:MM) of the pages you want to display.
Filter - Select one of the following options from the drop-down list:
  - Regular Expression - Specifies only those connections which match the expression used to filter the display. Use the following format in the text field: x.x.x.x[/mask][:port]
  - Error or higher - Displays Error level logs or higher.
  - Warning or higher - Displays Warning level logs or higher.
  - Notice or higher - Displays Notice level logs or higher.
  - Info or higher - Displays Info level logs or higher.

3. Click Go to apply the changes to the report display.

Viewing System Logs Reports

You can view system logs reports in the System Logs page. View System logs to monitor system activity and to troubleshoot problems. The most recent log events are listed first.

To view system logs

1. Choose Reports > CMC Diagnostics > System Logs to display the System Logs page.

Figure: System Logs Page

2. Use the controls to customize the report, as described in the following table.

Show - Select Current Log or one of the archived logs from the drop-down list.
Lines per page - Specify the number of lines you want to display on the page.
Jump to - Select one of the following options from the drop-down list:
  - Page - Specify the number of pages you want to display.
  - Time - Specify the time for the log you want to display.
Filter - Select one of the following options from the drop-down list:
  - Regular Expression - Specify only those connections which match the expression used to filter the display. Use the following format in the text field: x.x.x.x[/mask][:port]
  - Error or higher - Displays the Error level logs or higher.
  - Warning or higher - Displays the Warning level logs or higher.
  - Notice or higher - Displays the Notice level logs or higher.
  - Info or higher - Displays the Info level logs or higher.

3. Click Go to apply the changes to the report display.

Downloading Logs

This section describes how to download user and system log files. You can download both user and system logs.

- Downloading System Log Files Reports
- Downloading User Logs Report

Downloading System Log Files Reports

You can download system logs reports in the System Logs Download page. Download system logs to monitor system activity and to troubleshoot problems.

To download system logs

1. Choose Reports > CMC Diagnostics > System Logs Download to display the System Logs Download page.
2. Click the name of the log to save the log to disk. You can download both compressed and uncompressed logs.
3. Click Rotate Logs to archive the current log to a numbered archived log file and then clear the log so that it is empty again.

Downloading User Logs Report

You can download user logs in the User Logs Download page.

To download user logs

1. Choose Reports > CMC Diagnostics > User Logs Download to display the User Logs Download page.

Figure: User Logs Download Page

2. Click the name of the log to save the log to disk. You can download both compressed and uncompressed logs.
3. Click Rotate Logs to archive the current log to a numbered archived log file and then clear the log so that it is empty again.

Viewing the System Dumps List Report

You can display and download system dumps in the System Dump page. A system dump contains a copy of the kernel data on the system. System dump files can help you diagnose problems in the system.

To view system dump files

1. Choose Reports > CMC Diagnostics > System Dumps to display the System Dumps page.

Figure: System Dumps Page

2. Click the filename to open a file or save the file to disk.
3. Select the Include statistics check box, and click Generate System Dump to generate a new system dump list.

Tip: To remove an entry, select the check box next to the name and click Remove Selected.

Viewing Process Dump List Reports

You can display and download process dumps in the Process Dumps page. A process dump is a saved copy of memory including the contents of all memory, bytes, hardware registers, and status indicators. It is periodically taken to restore the system in the event of failure. Process dump files can help you diagnose problems in the system.

To view process dump files

1. Choose Reports > CMC Diagnostics > Process Dumps to display the Process Dumps page.

Figure: Process Dumps Page

2. Click the filename to open a file or save the file to disk.
3. To remove an entry, select the check box next to the name and click Remove Selected.

Viewing the TCP Dumps List Reports

You can capture, download, and upload TCP dumps in the Reports > CMC Diagnostics > TCP Dumps page. TCP trace dump files contain summary information for every Internet packet received or transmitted on the interface. TCP trace dump files can help diagnose problems in the system.

RiOS provides an easy way to capture and retrieve multiple TCP trace dumps from the CMC. You can generate trace dumps from multiple interfaces at the same time, limit the size of the trace dump, and schedule a specific date and time to generate a trace dump. Scheduling and limiting a trace dump by time or size enables unattended captures.

The top of the TCP Dumps page displays a list of existing TCP trace dumps and the bottom of the page displays controls to create a new trace dump. It also includes the trace dumps that are currently running. The Running Capture Name list includes TCP trace dumps running at a particular time. It includes TCP trace dumps started manually and also any dumps which were scheduled previously and are now running.

To view TCP data you must run the tcpdump tool using the Riverbed CLI. For details, see the Riverbed Command-Line Interface Reference Manual.

You can view the following TCP dump list reports:

- To view TCP dump files
- To view TCP trace dump files
- To stop a running TCP trace dump
- To upload the trace to Riverbed Support

To view TCP dump files

1. Choose Reports > CMC Diagnostics > TCP Dumps to display the TCP Dumps page.

Figure: TCP Dumps Page

2. Click Add a New TCP Dump and complete the configuration, as described in the following table.

Add a New TCP Dump - Displays the controls for creating a TCP trace dump.
Capture Interfaces - Captures the TCP trace dump on the selected interface(s). You can select a physical, MIP, or RSP interface. The default setting is none. You must specify a capture interface. If you select several interfaces at a time, the data is automatically placed into separate capture files.
Capture Name - Specify the name of the capture file. The default filename uses the following format: hostname_interface_timestamp.cap
  Where hostname is the hostname of the Steelhead appliance, interface is the name of the interface selected for the trace (for example, lan0_0, wan0_0), and timestamp is in the YYYY-MM-DD-HH-MM-SS format.
  If this trace dump relates to an open Riverbed Support case, specify the capture filename case_number where number is your Riverbed Support case number. For example, case_
  The .cap file extension is not included with the filename when it appears in the capture queue.
Capture Duration (Seconds) - Specify how long the capture runs, in seconds. The default value is 30. Leave this value blank to initiate a continuous trace. When a continuous trace reaches the maximum space allocation of 100 MB, the oldest file is overwritten.
Maximum Capture Size (MB) - Specify the maximum capture file size in MBs. The default value is 100. The recommended maximum capture file size is 1024 MBs (1 GB).
Buffer Size - Optionally, specify the maximum number of packets allowed to queue up while awaiting processing by the TCP trace dump. The default value is 154.
Snap Length - Optionally, specify the snap length value for the trace dump. Specify 0 for a full packet capture (recommended for CIFS, MAPI, and SSL traces).
  The default value is
Number of Files to Rotate - Specify how many TCP trace dump files to rotate. The default value is 5.
Capture VLAN Packets - Captures only VLAN-tagged packets within a trace dump for a trunk port (802.1Q). Enabling this setting filters the trace dump by capturing only VLAN-tagged packets. This setting applies to physical interfaces only because logical interfaces (inpath0_0, mgmt0_0) do not recognize VLAN headers.
Source IP(s) - Specify the source IP addresses. Separate multiple IP addresses with a comma to include all addresses bidirectionally. The default setting is all IP addresses.
Source Port(s) - Specify the source ports. Separate multiple ports with a comma. The default setting is all ports.
Destination IP(s) - Specify the destination IP addresses. Separate multiple IP addresses with a comma to include all addresses bidirectionally. The default setting is all IP addresses.
Destination Port(s) - Specify the destination ports. Separate multiple ports with a comma. The default setting is all ports.
Custom Flags - Specify custom flags to capture unidirectional traces. Examples:
  - To capture all traffic to or from a single host:
    host x.x.x.x
  - To capture all traffic between a pair of hosts:
    host x.x.x.x and host y.y.y.y
  - To capture traffic between two hosts and two Steelhead inner channels:
    (host x.x.x.x and host y.y.y.y) or (host a.a.a.a and host b.b.b.b)
Schedule Dump - Schedules the trace dump to run at a later date and time.
Start Date and Time - Specify a date to initiate the trace dump in the following format: YYYY/MM/DD
  Specify a time to initiate the trace dump in the following format: HH:MM:SS
Add - Adds the TCP trace dump to the capture queue.

Tip: To remove an entry, select the check box next to the name and click Remove Selected.

To view TCP trace dump files

1. Choose Reports > CMC Diagnostics > TCP Dumps to display the TCP Dumps page.
2. Under Stored TCP Dumps, click the trace dump name to open the file.

Tip: To print the TCP dump, select the trace dump filename under Download Link. When the file opens, choose File > Print in your Web browser to open the Print dialog box.

Tip: To remove an entry, check the box next to the name in the TCP dump list and click Remove Selected.

To stop a running TCP trace dump

1. Choose Reports > CMC Diagnostics > TCP Dumps to display the TCP Dumps page.
2. Click the trace dump filename in the Running Capture Name list.
3. Click Stop Selected Captures.

To upload the trace to Riverbed Support

In continuous mode, once you complete the capture, perform the following steps. (For timed TCP dumps, start with step 2.)

1. On the TCP Dumps page, select the running TCP Dump and click Stop Selected Captures. The trace appears as a download link in the list of TCP Dumps stored on the Steelhead appliance.
2. Click the top file in the TCP Dumps list and save it locally. This file should contain the current date.
3. Compress (zip) the file and follow the upload instructions to share it with Riverbed Support:
   - Attach the file(s) to your case
   or
   - Upload the file(s) to FTP://ftp.riverbed.com/incoming (for FTP, be sure the file is prefixed with case_number).

    ftp ftp.riverbed.com
    User: anonymous
    Password:
    ftp> cd /incoming
    ftp> bi
    ftp> put case_12345-tcpdump.zip

Exporting Performance Statistics Reports

The following section describes how to export appliance information and statistics reports.

You can export performance statistics in CSV format in the Export report. The CSV format enables you to easily import the statistics into spreadsheets and databases. You can open the CSV file in any text editor.

The CSV file contains commented lines (comments beginning with the # character) at the beginning of the file. These comments report what host generated the file, the report that was generated, time boundaries, the time the export occurred, and the version of the CMC the file was exported from.

The statistical values are provided in columns: the first column is the date and time of the statistic sample, the columns that follow contain the data.
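
The following added Python example (not part of the Riverbed guide or the CMC software) reads an export with the layout described above and flags two things worth checking before the numbers are trusted: runs of all-zero samples, which the guide says lost connectivity can produce, and holes in the sample timeline. The timestamp format, the wording of the comment lines and the two data columns are assumptions, and the sample export is constructed.

```python
import csv
from datetime import datetime, timedelta

TS_FORMAT = "%Y/%m/%d %H:%M:%S"       # assumed: the format the guide uses for Custom periods
POLL_INTERVAL = timedelta(minutes=5)  # "The CMC polls data every five minutes"

# Constructed sample. Only the layout (leading '#' comments, then rows whose
# first column is the sample time) comes from the guide.
SAMPLE_EXPORT = """\
# host: cmc.example.com
# report: constructed bandwidth sample
# period: 2012/12/01 00:00:00 to 2012/12/01 00:40:00
2012/12/01 00:00:00,1048576,524288
2012/12/01 00:05:00,990000,498000
2012/12/01 00:10:00,0,0
2012/12/01 00:15:00,0,0
2012/12/01 00:20:00,0,0
2012/12/01 00:25:00,1200000,610000
2012/12/01 00:40:00,1100000,580000
"""


def parse_export(text):
    """Return (comments, rows); each row is (datetime, [float, ...])."""
    comments, data_lines = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Comments are only expected before the first data row.
        if line.lstrip().startswith("#") and not data_lines:
            comments.append(line.lstrip()[1:].strip())
        else:
            data_lines.append(line)
    rows = []
    for fields in csv.reader(data_lines):
        try:
            when = datetime.strptime(fields[0].strip(), TS_FORMAT)
            values = [float(v) for v in fields[1:]]
        except (IndexError, ValueError) as exc:
            raise ValueError(f"not a sample row: {fields!r}") from exc
        rows.append((when, values))
    return comments, rows


def zero_runs(rows, min_len=2):
    """Runs of consecutive all-zero samples as (first, last, count)."""
    runs, current = [], []
    for when, values in rows:
        if values and all(v == 0 for v in values):
            current.append(when)
            continue
        if len(current) >= min_len:
            runs.append((current[0], current[-1], len(current)))
        current = []
    if len(current) >= min_len:
        runs.append((current[0], current[-1], len(current)))
    return runs


def missing_intervals(rows, step=POLL_INTERVAL):
    """Pairs of neighbouring samples that lie further apart than `step`.

    Pass a larger step for older periods, which the CMC keeps at 1-hour
    or 1-day granularity.
    """
    return [(prev, cur)
            for (prev, _), (cur, _) in zip(rows, rows[1:])
            if cur - prev > step]


if __name__ == "__main__":
    comments, rows = parse_export(SAMPLE_EXPORT)
    print("header comments:", comments)
    print("all-zero runs:", zero_runs(rows))
    print("timeline holes:", missing_intervals(rows))
```

A flat-zero run in a Last Day or shorter export is a reason to check the same period on the individual appliance, as the note on lost connectivity describes, before reading it as idle time.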

To export appliance information

1. Choose Reports > Export to display the Export page.
2. Select Export Appliance Information to export the appliance information.

Figure: Export Option

3. Select the appliance group from the appliances drop-down list.
4. Under Export, complete the configuration, as described in the following table.

Export To - Select Email or URL option from the drop-down list.
Email Addresses - Specify the email address of the recipient.
Destination URL - Specify the URL.
Format - Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report - For HTML/PDF, select the check box to generate graphs per appliance. For CSV Reports, select the check box to generate one CSV per appliance.
Export Now - Select Export Now to start the export immediately.
Schedule Export - Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export - Select Export to export the configuration.

To export appliance statistics

1. Choose Reports > Export to display the Export page.
2. Select Export Appliance Statistics to export the appliance statistics.
Figure: Export Appliance Statistics Option
3. Select the group from the appliances drop-down list.
4. Under Report Details customize the report, as described in the following table.
Period: Select Past Hour, Past 24 Hours, Last 7 Days, Last 30 Days, Yesterday, Last Calendar Week, Last Calendar Month, or Custom from the drop-down list. For Custom, specify the Start Time and End Time and click Go. Use the following format: YYYY/MM/DD HH:MM:SS
Application: Select the application from the drop-down list.
Type: Select the type from the drop-down list.
Traffic: Select the traffic from the drop-down list.
Statistic: Select either Byte Counts or Packet Counts from the drop-down list.
Response: Select the response from the drop-down list.
QoS Type: Select the QoS type from the drop-down list.
Inbound QoS Classes: Select the inbound QoS classes from the drop-down list.
Outbound QoS Classes: Select the outbound QoS classes from the drop-down list.
5. Under Reports, select one or more reports.
6. Under Export, complete the configuration, as described in the following table.
Export To: Select or URL option from the drop-down list.
Addresses: Specify the address of the recipient.
Destination URL: Specify the URL.
Format: Select HTML, CSV, or PDF from the drop-down list.
Per Appliance Report: For HTML/PDF select the check box to generate graphs per appliance. For CSV Reports select the check box to generate one CSV per appliance.
Export Now: Select Export Now to start the export immediately.
Schedule Export: Specify the start date, time, and frequency of the export. Use the following format: YYYY/MM/DD HH:MM:SS
Export: Select Export to export the configuration.
APPENDIX A Viewing Policy Configuration Settings
This appendix describes how to configure feature sets contained in optimization, system, network, branch, and security policies. This section includes the following topics:
  Overview of Policy Configurations
  Optimization Policy Settings
  System Settings Policies
  Networking Policy Settings
  Security Policy Settings
  Branch Services Settings
This appendix assumes you are familiar with configuring and managing CMC appliances. It does not include detailed overviews of the individual feature sets associated with the policies. For details on RiOS feature sets, see the Steelhead Management Console User's Guide.

Overview of Policy Configurations
This section describes how to view policy configurations and quickly navigate among policy feature sets.
To view policy configurations
1. Choose Manage > Policies to display the Policies page.
Figure: Manage > Policies Page
2. Click the name of the policy in the Policy Name column.
The Editing <policy type> <policy name> panel displays. The lower part of the panel lists the feature sets specific to the policy type and whether or not they are set to be inherited.
Figure: Sample Policy Editing Panel
In this panel, you can modify the settings described in the following table.
Setting
Specify a description to help you identify the policy.
CLI Commands: Optionally, paste or type in commands (one command per line) to be pushed to an appliance using this policy.
Rename Policy: Optionally, click and type a new name for the policy in the New Name field.
New Name: Specify the new name.
Include In Policy Push: Select this option next to the page that you want to add in the policy push.
Add/Remove Pages: Select this option to add or remove pages.
Apply: Applies the modifications to the running configuration.
3. To access policy feature sets, click the name of the feature set in the Page column to display the Editing <policy name, feature set> page.
Figure: Sample of Editing Policy Page
4. Modify the settings.
5. To copy the specified feature set values from another policy, select the policy containing the values you want to duplicate from the Copy Contents From Policy drop-down list and click Copy. This copies only the settings for the current page. For example, if the current page is In-Path Rules, only In-Path Rule settings are copied.
6. Click Apply to apply the settings to the running configuration.
7. To go to other policies and feature sets, use the controls at the top of the page, as described in the following table.
Editing <Policy Type> Policy: Select the policy name from the drop-down list. Note: The policies are categorized by type: Networking, Optimization, Security, and System.
Page: Select the policy feature set to be accessed. Note: Because different policy types have different feature sets, the contents of this drop-down list are determined by the policy selected in the Editing <Policy Type> Policy drop-down list.

Optimization Policy Settings
The Optimization Policy optimizes connections using scalable data reduction, compression, both, or none.
The following section describes the Optimization Policy feature set. This section includes the following topics:
  Certificate Authorities
  Data Store
  General Service Settings
  In-Path Rules
  Peering Rules
  Performance
  CIFS (SMB1)
  CIFS Prepopulation
  SMB2
  Oracle Forms
  MAPI
  MS-SQL
  NFS
  Citrix ICA
  Lotus Notes
  FCIP
  HTTP
  SRDF
  Transport Settings
  Windows Domain Auth
  SSL Main Settings
  Secure Peering (SSL)
  Service Ports
  CRL Management (SSL)
  Advanced Settings (SSL)
  Secure Peering (IPSEC)
  Cloud Accelerator
The following procedures assume you have already created an Optimization Policy.

Certificate Authorities
SSL is a cryptographic protocol that provides secure communications between two parties over the Internet. Typically in a Web-based application, it is the client that authenticates the server. To identify the server, an SSL certificate is installed on the Web server, and the client checks the credentials of the certificate to make sure it is valid and signed by a trusted third party. Trusted third parties that sign SSL certificates are called Certificate Authorities (CA).
In this panel, you can choose certificate authorities for an optimization policy.
Add a New Certificate Authority
  Optional Local Name - Specify the local name.
  Local File - Browse to the local certificate authority file.
  Cert Text - Paste the certificate authority into the text box and click Add.
Add: Adds the certificate authority.
Remove Selected: Select the check box next to the name and click Remove Selected.
Certificate Authority: Select the certificate to view the certificate details.

Data Store
You can display and modify RiOS data store settings for the selected optimization policy on the Data Store page. The Data Store page contains the following group of settings:
  General Settings

General Settings
In this panel, you can specify RiOS data store encryption for an optimization policy, as described in the following table.
Encrypting the RiOS data store significantly limits the exposure of sensitive data in the event an appliance is compromised by loss, theft, or a security violation. The secure data is difficult for a third-party to retrieve.
Encrypting the RiOS data store can have performance implications; generally, higher security means less performance. Several encryption strengths are available to provide the right amount of security while maintaining the desired performance level. When selecting an encryption type, you must evaluate the network structure, the type of data that travels over it, and how much of a performance trade-off is worth the extra security.
Data Store Encryption Type: Select one of the following encryption types from the drop-down list. The encryption types are listed from the least to the most secure.
  None - Turns off data encryption.
  AES_128 - Encrypts data using the AES cryptographic key length of 128 bits.
  AES_192 - Encrypts data using the AES cryptographic key length of 192 bits.
  AES_256 - Encrypts data using the AES cryptographic key length of 256 bits.
Enable Automated Data Store Synchronization: RiOS data store synchronization ensures that each RiOS data store in your network has warm data for maximum optimization. All operations occur in the background and do not disrupt operations on any of the systems.
Current Appliance: Select Master or Backup from the drop-down list.
Peer IP Address: Specify the IP address for the peer appliance. You must specify either the IP address for the primary or auxiliary interface (if you use the auxiliary interface in place of the primary).
Synchronization Port: Specify the destination TCP port number used when establishing a connection to synchronize data. The default value is
Reconnection Interval (seconds): Specify the number of seconds to wait for reconnection attempts. The default value is 30.
Enable Branch Warming for Steelhead Mobile Clients: Select the check box to enable branch warming for Steelhead Mobile Clients. By default, branch warming is enabled.
Important: You must clear the RiOS data store and reboot the Steelhead service on the Steelhead appliance after turning on, changing, or turning off the encryption type. After you clear the RiOS data store, the data cannot be recovered. If you do not want to clear the RiOS data store, reselect your previous encryption type and reboot the service. The Steelhead appliance uses the previous encryption type and encrypted RiOS data store. For details, see Rebooting Appliances and Appliance Groups on page 147.

General Service Settings
General Service Settings include controls to enable or disable in-path, out-of-path, failover support, and to set connection limits and the maximum connection pooling size.
If you have a Steelhead appliance that contains multiple bypass cards, the CMC displays options to enable in-path support for these ports. The number of these interface options depends on the number of pairs of LAN and WAN ports that you have enabled in your Steelhead appliance.
You can review general service settings in the General Service Settings page. For details, see the Steelhead Management Console User's Guide.
In-Path Settings: Enables in-path support.
Out-of-Path Settings: Enables out-of-path support.
Connection Settings:
  Half-Open Connection Limit per Source IP - Restricts half-opened connections on a source IP address initiating connections (that is, the client machine). Set this feature to block a source IP address that is opening multiple connections to invalid hosts or ports simultaneously (for example, a virus or a port scanner). This feature does not prevent a source IP address from connecting to valid hosts at a normal rate. Thus, a source IP address could have more established connections than the limit. The default value is
  Maximum Connection Pooling Size - Specify the maximum number of TCP connections in a connection pool. Connection pooling enhances network performance by reusing active connections instead of creating a new connection for every request. Connection pooling is useful for protocols which create a large number of short-lived TCP connections, such as HTTP. To optimize such protocols, a connection pool manager maintains a pool of idle TCP connections, up to the maximum pool size. When a client requests a new connection to a previously visited server, the pool manager checks the pool for unused connections and returns one if available. Thus, the client and the Steelhead appliance do not have to wait for a three-way TCP handshake to finish across the WAN. If all connections currently in the pool are busy and the maximum pool size has not been reached, the new connection is created and added to the pool. When the pool reaches its maximum size, all new connection requests are queued until a connection in the pool becomes available or the connection attempt times out. The default value is 20. A value of 0 specifies no connection pool.
  Important: You must restart the CMC after changing this setting.
  Tip: Viewing the Connection Pooling report can help determine whether to modify the default setting. If the report indicates an unacceptably low ratio of pool hits per total connection requests, increase the pool size.
Failover Settings: Enables failover support.
Current Appliance is: Select Master or Backup from the drop-down list. A master Steelhead appliance is the primary appliance; the backup Steelhead appliance is the appliance that automatically optimizes traffic if the master appliance fails.
IP Address (peer In-Path interface): Specify the IP address for the master or backup Steelhead appliance. You must specify the in-path IP address (inpath0_0) for the Steelhead appliance, not the primary interface IP address.
  Important: You must specify the inpath0_0 interface as the other appliance's in-path IP address.
Apply: Applies your settings.

In-Path Rules
In-path rules are used only when a connection is initiated. Because connections are usually initiated by clients, in-path rules are configured for the initiating, or client-side Steelhead appliance. In-path rules determine Steelhead appliance behavior with SYN packets.
In-path rules are an ordered list of fields a Steelhead appliance uses to match with SYN packet fields (for example, source or destination subnet, IP address, VLAN, or TCP port). Each in-path rule has an action field. When a Steelhead appliance finds a matching in-path rule for a SYN packet, the Steelhead appliance treats the packet according to the action specified in the in-path rule.
You can review in-path rules, configure additional ones, and remove them, in the In-Path Rules page.
For information on incompatibilities, see Version Incompatibilities for In-Path Rules on page 324. For details on in-path rules, see the Steelhead Management Console User's Guide.
Add a New In-Path Rule: Displays the controls for adding a new rule.
Type: Select one of the following rule types from the drop-down list:
  Auto-Discover - Uses the auto-discovery process to determine if a remote Steelhead appliance is able to optimize the connection attempting to be created by this SYN packet. By default, auto-discover is applied to all IP addresses and ports that are not secure, interactive, or default Riverbed ports. Defining in-path rules modifies this default setting.
  Fixed-Target - Skips the auto-discovery process and uses a specified remote Steelhead appliance as an optimization peer. You must specify at least one remote target Steelhead appliance to optimize (and, optionally, which ports and backup Steelhead appliances), and add rules to specify the network of servers, ports, port labels, and out-of-path Steelhead appliances to use.
  Pass-Through - Enables the SYN packet to pass through the Steelhead appliance unoptimized. No optimization is performed on the TCP connection initiated by this SYN packet. You define pass-through rules to exclude subnets from optimization. Traffic is also passed through when the Steelhead appliance is in bypass mode. (Pass-through of traffic might occur because of in-path rules or because the connection was established before the Steelhead appliance was put in place or before the Steelhead service was enabled.)
  Discard - Drops the SYN packets silently. The Steelhead appliance filters out traffic that matches the discard rules. This process is similar to how routers and firewalls drop disallowed packets: the connection-initiating device has no knowledge of the fact that its packets were dropped until the connection times out.
  Deny - Drops the SYN packets, sends a message back to its source, and resets the TCP connection being attempted. Using an active reset process rather than a silent discard enables the connection initiator to know that its connection is disallowed.
Source Subnet: Specify the subnet IP address and netmask for the source network. Use the following format XXX.XXX.XXX.XXX/XX Or, you can specify all or /0 as the wildcard for all traffic.
Destination Subnet: Specify the subnet IP address and netmask for the destination network. Use the following format XXX.XXX.XXX.XXX/XX Or, you can specify all or /0 as the wildcard for all traffic.
  Port - Specify the destination port number, port label, or all.
Target Appliance IP Address: Specify the target appliance address for a fixed-target rule.
  Port - Specify the target port number for a fixed-target rule.
Backup Appliance IP Address: Specify the backup appliance address for a fixed-target rule.
  Port - Specify the backup destination port number for a fixed-target rule.
VLAN Tag ID: Select the VLAN identification number from the drop-down list to set the VLAN tag identification number. All specifies the rule applies to all VLANs; Untagged specifies the rule applies to non-tagged connections. RiOS supports VLAN v802.1q. To configure VLAN tagging, configure in-path rules to apply to all VLANs or to a specific VLAN. By default, rules apply to all VLAN values unless you specify a particular VLAN ID. Pass-through traffic maintains any pre-existing VLAN tagging between the LAN and WAN interfaces.
Preoptimization Policy: Select a traffic type from the drop-down list:
  None - If the Oracle Forms, SSL, or Oracle Forms over SSL preoptimization policy is turned on and you want to turn it off for a port, select none. This is the default setting.
  Oracle Forms - Enables preoptimization processing for Oracle Forms.
  Oracle Forms over SSL - Enables preoptimization processing for both the Oracle Forms and SSL encrypted traffic through SSL secure ports on the client-side Steelhead appliance. You must also set the Latency Optimization Policy to HTTP.
  Note: If the server is running over a standard secure port, for example, port 443, the Oracle Forms over SSL in-path rule needs to be before the default secure port pass-through rule in the in-path rule list.
  SSL - Enables preoptimization processing for SSL encrypted traffic through SSL secure ports on the client-side Steelhead appliance.
Latency Optimization Policy: Select one of the following policies from the drop-down list:
  Normal - Perform all latency optimizations (HTTP is activated for ports 80 and 8080). This is the default setting.
  HTTP - Activate HTTP optimization on connections matching this rule.
  Outlook Anywhere - Activate RPC over HTTP(S) optimization for Outlook Anywhere on connections matching this rule. To auto-detect Outlook Anywhere or HTTP on a connection, select the Normal latency optimization policy and enable the Auto-Detect Outlook Anywhere Connections option. The auto-detect option in the MAPI page is best for simple Steelhead configurations with only a single Steelhead at each site and when the IIS server is also handling Web sites. If the IIS server is only used as RPC Proxy, and for configurations with asymmetric routing, connection forwarding or Interceptor installations, add in-path rules that identify the RPC Proxy server IP addresses and select this latency optimization policy. After adding the in-path rule, disable the auto-detect option.
  None - Do not activate latency optimization on connections matching this rule. For Oracle Forms over SSL encrypted traffic, you must set the Latency Optimization Policy to HTTP.
  Tip: Setting the Latency Optimization Policy to None excludes HTTP latency optimizations.
Data Reduction Policy: Optionally, if you have selected Auto-Discover or Fixed Target, you can configure the following types of data reduction policies:
  Normal - Perform LZ compression and SDR.
  SDR-Only - Perform SDR; do not perform LZ compression.
  SDR-M - Performs data reduction entirely in memory, which prevents the Steelhead appliance from reading and writing to and from the disk. Enabling this option can yield high LAN-side throughput because it eliminates all disk latency. This data reduction policy is useful for:
    a very small amount of data, for example, interactive traffic.
    point-to-point replication during off-peak hours when both the server-side and client-side Steelheads are the same (or similar) size.
  Both Steelhead appliances must be running RiOS v6.0.x or later.
  Compression-Only - Perform LZ compression; do not perform SDR.
  None - Do not perform SDR or LZ compression.
To configure data reduction policies for the FTP data channel, define an in-path rule with the destination port 20 and set its data reduction policy. Setting QoS for port 20 on the client-side Steelhead appliance affects passive FTP, while setting the QoS for port 20 on the server-side Steelhead appliance affects active FTP.
To configure optimization policies for the MAPI data channel, define an in-path rule with the destination port 7830 and set its data reduction policy.
Auto Kickoff: Enables kickoff, which resets pre-existing connections to force them to go through the connection creation process again. If you enable kickoff, connections that pre-exist when the optimization service is started are reestablished and optimized.
Generally, connections are short-lived and kickoff is not necessary. It is suitable for certain long-lived connections, such as data replication, and very challenging remote environments. For example, in a remote branch-office with a T1 and a 35 ms round-trip time, you would want connections to migrate to optimization gracefully, rather than risk interruption with kickoff.
RiOS v6.1.x provides three ways to enable kickoff:
  For a single pass-through or optimized connection on the Current Connections report, one connection at a time.
  For all existing connections that match an in-path rule and the rule has kickoff enabled.
In most deployments, you do not want to set automatic kickoff globally because it disrupts all existing connections. When you enable kickoff using an in-path rule, once the Steelhead detects packet flow that matches the IP and port specified in the rule, it sends an RST packet to the client and server maintaining the connection to try to close it. Next, it sets an internal flag to prevent any further kickoffs until the optimization service is once again restarted.
Note: If no data is being transferred between the client and server, the connection is not reset immediately. It resets the next time the client or server tries to send a message. Therefore, when the application is idle, it might take a while for the connection to reset.
By default, auto kickoff per in-path rule is disabled.
The service applies the first matching in-path rule for an existing connection that matches the source and destination IP and port; it does not consider a VLAN tag ID when determining whether to kick off the connection. Consequently, the service automatically kicks off connections with matching source and destination addresses and ports on different VLANs.
The source and destination of a pre-existing connection cannot be determined because the Steelhead appliance did not see the initial TCP handshake, whereas an in-path rule specifies the source and destination IP address to which the rule should be applied. Hence the connection for this IP address pair is matched twice to find an in-path rule: once as source to destination and once as destination to source. For example, the following in-path rule will kick off connections from /24 to /24 and /24 to /24.
  Src /24 Dst /24 Auto Kickoff enabled
The first matching in-path rule will be considered during the kickoff check for a pre-existing connection. If the first matching in-path rule has kickoff enabled, then that pre-existing connection will be reset.
Note: This feature pertains only to auto-discover and fixed-target rule types and is dimmed and unavailable for the other rule types.
Neural Framing Mode: Optionally, if you have selected Auto-Discover or Fixed Target, you can select a neural framing mode for the in-path rule. Neural framing enables the system to select the optimal packet framing boundaries for SDR. Neural framing creates a set of heuristics to intelligently determine the optimal moment to flush TCP buffers. The system continuously evaluates these heuristics and uses the optimal heuristic to maximize the amount of buffered data transmitted in each flush, while minimizing the amount of idle time that the data sits in the buffer. You can specify the following neural framing settings:
  Never - Never use the Nagle algorithm. All the data is immediately encoded without waiting for timers to fire or application buffers to fill past a specified threshold. Neural heuristics are computed in this mode but are not used. In general, this setting works well with time-sensitive and chatty or real-time traffic.
  Always - Always use the Nagle algorithm. This is the default setting. All data is passed to the codec which attempts to coalesce consume calls (if needed) to achieve better fingerprinting. A timer (6 ms) backs up the codec and causes leftover data to be consumed. Neural heuristics are computed in this mode but are not used.
  TCP Hints - If data is received from a partial frame packet or a packet with the TCP PUSH flag set, the encoder encodes the data instead of immediately coalescing it. Neural heuristics are computed in this mode but are not used.
  Dynamic - Dynamically adjust the Nagle parameters. In this option, the system discerns the optimum algorithm for a particular type of traffic and switches to the best algorithm based on traffic characteristic changes.
For different types of traffic, one algorithm might be better than others. The considerations include: latency added to the connection, compression, and SDR performance.
To configure neural framing for an FTP data channel, define an in-path rule with the destination port 20 and set its optimization policy. To configure neural framing for a MAPI data channel, define an in-path rule with the destination port 7830 and set its optimization policy.
WAN Visibility Mode: Enables WAN visibility, which pertains to how packets traversing the WAN are addressed. RiOS v5.0 or later offers three types of WAN visibility: correct addressing, port transparency, and full address transparency.
Note: The Cloud Steelhead does not support the WAN visibility mode.
You configure WAN visibility on the client-side Steelhead appliance (where the connection is initiated). The server-side Steelhead appliance must also support WAN visibility (RiOS v5.0 or later).
Select one of the following modes from the drop-down list:
  Correct Addressing - Turns WAN visibility off. Correct addressing uses Steelhead appliance IP addresses and port numbers in the TCP/IP packet header fields for optimized traffic in both directions across the WAN. This is the default setting.
  Port Transparency - Port address transparency preserves your server port numbers in the TCP/IP header fields for optimized traffic in both directions across the WAN. Traffic is optimized while the server port number in the TCP/IP header field appears to be unchanged. Routers and network monitoring devices deployed in the WAN segment between the communicating Steelhead appliances can view these preserved fields.
  Use port transparency if you want to manage and enforce QoS policies that are based on destination ports. If your WAN router is following traffic classification rules written in terms of client and network addresses, port transparency enables your routers to use existing rules to classify the traffic without any changes.
  Port transparency enables network analyzers deployed within the WAN (between the Steelhead appliances) to monitor network activity and to capture statistics for reporting by inspecting traffic according to its original TCP port number.
  Port transparency does not require dedicated port configurations on your Steelhead appliances.
  Note: Port transparency only provides server port visibility. It does not provide client and server IP address visibility, nor does it provide client port visibility.
  Full Transparency - Full address transparency preserves your client and server IP addresses and port numbers in the TCP/IP header fields for optimized traffic in both directions across the WAN. It also preserves VLAN tags. Traffic is optimized while these TCP/IP header fields appear to be unchanged. Routers and network monitoring devices deployed in the WAN segment between the communicating Steelhead appliances can view these preserved fields.
  If both port transparency and full address transparency are acceptable solutions, port transparency is preferable. Port transparency avoids potential networking risks that are inherent to enabling full address transparency. For details, see the Steelhead Appliance Deployment Guide.
  However, if you must see your client or server IP addresses across the WAN, full transparency is your only configuration option.
  Important: Enabling full address transparency requires symmetrical traffic flows between the client and server. If any asymmetry exists on the network, enabling full address transparency might yield unexpected results, up to and including loss of connectivity. For details, see the Steelhead Appliance Deployment Guide.
331 Optimization Policy Settings Viewing Policy Configuration Settings WAN Visibility Mode (continued) Position Enable Rule Add RiOS v6.0 and later includes an option for using Full Transparency with a stateful firewall. A stateful firewall examines packet headers, stores information, and then validates subsequent packets against this information. If your system uses a stateful firewall, the following option is available: Full Transparency w/reset - Enables full address and port transparency and also sends a forward reset between receiving the probe response and sending the transparent inner channel SYN. This ensures the firewall does not block inner transparent connections because of information stored in the probe connection. The forward reset is necessary because the probe connection and inner connection use the same IP addresses and ports and both map to the same firewall connection. The reset clears the probe connection created by the Steelhead appliance and enables for the full transparent inner connection to traverse the firewall. Both the client-side and server-side Steelhead appliances must be running RiOS v6.0 and later. Notes: For details on configuring WAN visibility and its implications, see the Steelhead Appliance Deployment Guide. WAN visibility works with auto-discover in-path rules only. It does not work with fixed-target rules or server-side out-of-path Steelhead appliance configurations. To turn full transparency on globally by default, create an in-path autodiscover rule, select Full, and place it above the default in-path rule and after the Secure, Interactive, and RBT-Proto rules. You can configure a Steelhead appliance for WAN visibility even if the server-side Steelhead appliance does not support it, but the connection is not transparent. You can enable full transparency for servers in a specific IP address range and you can enable port transparency on a specific server. For details, see the Steelhead Appliance Deployment Guide. 
The Top Talkers report displays statistics on the most active, heaviest users of WAN bandwidth, providing some WAN visibility without enabling a WAN Visibility Mode.

Position - Select Start, End, or a rule number from the drop-down list. Steelhead appliances evaluate rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule do not match, the system consults the next rule. For example, if the conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted. In general, list rules in the following order:
1. Deny
2. Discard
3. Pass-through
4. Fixed-target
5. Auto-Discover
Note: The default rule, Auto-Discover, which optimizes all remaining traffic that has not been selected by another rule, cannot be removed and is always listed last.

Description - Describe the rule to facilitate administration.

Enable Rule - Select to enable the in-path rule.

Add - Adds the rule to the list. The CMC redisplays the In-Path Rules table and applies your modifications to the running configuration, which is stored in memory.
Remove Selected Rules - Select the check box next to the name and click Remove Selected Rules.

Move Selected Rules - Moves the selected rules. Click the arrow next to the desired rule position; the rule moves to the new position.

Tip: If necessary, you can re-order your rules. In the In-Path Rules table, use the drop-down lists in the Rule column.

Tip: The default rule, which optimizes all remaining traffic that has not been selected by another rule, cannot be removed and is always listed last.

Version Incompatibilities for In-Path Rules

In-Path Rules are incompatible with:
Steelhead appliance v6.1.x - is configurable with limitations.
Steelhead appliance v6.5.x - is configurable with limitations.

Peering Rules

You configure peering rules for the selected optimization policy in the Peering Rules page. The peering rules allow you to define appliance peering relationships. Only the first matching rule is applied.

Peering rules control Steelhead appliance behavior when it sees probe queries. Peering rules are an ordered list of fields a Steelhead appliance uses to match with incoming SYN packet fields (for example, source or destination subnet, IP address, VLAN, or TCP port) as well as the IP address of the probing Steelhead appliance. This is especially useful in complex networks.

In some deployments, automatic peering can simplify configuration and make your deployments more scalable. When automatic peering is enabled, the Steelhead appliance automatically finds the furthest Steelhead appliance in a network and optimization occurs there. For example, if you had a deployment with four Steelhead appliances (A, B, C, D), where D represents the appliance that is furthest from A, the Steelhead appliance automatically finds D. This simplifies configuration and makes your deployment more scalable.
Automatic peering is disabled by default. For details on automatic peering, see the Steelhead Management Console User's Guide.

Enable Enhanced Auto-Discovery - Enables enhanced auto-discovery. With enhanced auto-discovery, the Steelhead appliance automatically finds the furthest Steelhead appliance peer in a network and optimization occurs there. By default, auto-discovery is enabled. For detailed information about deployments that require automatic peering, see the Steelhead Appliance Deployment Guide.

Enable Extended Peer Table - Enables support for up to 20,000 peers on high-end server-side Steelhead appliances (models 5520, 6020, 6050, and 6120) to accommodate large Steelhead client deployments. The RiOS data store maintains the peers in groups of 1,024 in the global peer table. Riverbed recommends enabling the extended peer table if you have more than 4,000 peers. By default, this option is disabled and it is unavailable on Steelhead appliance models that do not support it. After enabling this option you must clear the RiOS data store and stop and restart the service.
Important: Before enabling this feature you should have a thorough understanding of performance and scaling issues. When deciding whether to use extended peer table support, you need to compare it with a serial cluster deployment. For more information on serial clusters, see the Steelhead Appliance Deployment Guide.
Important: After enabling extended peer table support, you cannot install a RiOS software version earlier than v5.5 without first clearing the RiOS data store.

Add a New Peering Rule - Displays the controls for adding a new peering rule.

Rule Type - Determines which action the Steelhead appliance takes on the connection. Select one of the following rule types from the drop-down list:
Auto - Enables built-in functionality to determine the response for peering requests (performs the best peering possible).
If the receiving Steelhead appliance is not using automatic auto-discovery, this has the same effect as the Accept peering rule action. If automatic auto-discovery is enabled, the Steelhead appliance only becomes the optimization peer if it is the last Steelhead appliance in the path to the server.
Accept - Accepts peering requests that match the source-destination-port pattern. The receiving Steelhead appliance responds to the probing Steelhead appliance and becomes the remote-side Steelhead appliance (that is, the peer Steelhead appliance) for the optimized connection.
Passthrough - Enables pass-through peering requests that match the source and destination port pattern. The receiving Steelhead appliance does not respond to the probing Steelhead appliance, and enables the SYN+probe packet to continue through the network.

Insert Rule At - Determines the order in which the system evaluates the rule. Select Start, End, or a rule number from the drop-down list. The system evaluates rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied and the system moves on to the next rule. For example, if the conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted.
Source Subnet - Specify an IP address and mask for the traffic source, or you can specify all or /0 as the wildcard for all traffic. Use the following format: XXX.XXX.XXX.XXX/XX

Destination Subnet - Specify an IP address and mask pattern for the traffic destination, or you can specify all or /0 as the wildcard for all traffic. Use the following format: XXX.XXX.XXX.XXX/XX
Port - Specify the destination port number, port label, or all.

Peer IP Address - Specify the in-path IP address of the probing Steelhead appliance. If more than one in-path interface is present on the probing Steelhead appliance, apply multiple peering rules, one for each in-path interface.

SSL Capability - Enables an SSL Capability flag, which specifies a criterion for matching an incoming connection with one of the rules in the peering rules table. This flag is typically set on a server-side Steelhead appliance. Select one of the following options from the drop-down list to determine how to process attempts to create secure SSL connections:
No Check - The peering rule does not determine whether the server Steelhead appliance is present for the particular destination IP address and port combination.
Capable - The peering rule determines that the connection is SSL-capable if the destination port is 443 (irrespective of the destination port value on the rule), and the destination IP and port do not appear on the bypassed servers list. The Steelhead appliance accepts the condition and, assuming all other proper configurations and that the peering rule is the best match for the incoming connection, optimizes SSL.
Incapable - The peering rule determines that the connection is SSL-incapable if the destination IP and port appear in the bypassed servers list. The service adds a server to the bypassed servers list when there is no SSL certificate for the server or for any other SSL handshake failure.
The Steelhead appliance passes the connection through unoptimized without affecting connection counts.
Riverbed recommends that you use in-path rules to optimize SSL connections on non-443 destination port configurations.

Description - Specify a description to help you identify the peering relationship.

Add - Adds a peering rule to the list. The Central Management Console redisplays the Peering Rules table and applies your modifications to the running configuration, which is stored in memory.

Remove Selected Rules - Select the check box next to the name and click Remove Selected Rules.

Move Selected Rules - Select the check box next to the rule and click Move Selected Rules. Click the arrow next to the desired rule position; the rule moves to the new position.

Tip: To delete a rule from the Peering Rules table, click the down arrow in the Number column next to the rule and choose remove.

Tip: The default rule cannot be removed and is always listed last.
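Because in-path and peering rules are both applied on a first-match basis, a broad rule placed above a narrower one silently overrides it. The following added example (not Riverbed code; the PeeringRule fields, addresses, and rules are constructed for illustration) evaluates a probe against an ordered peering-rule table and reports rules that can never match.

```python
"""Added example: first-match evaluation of an ordered peering-rule table.

Field names and sample rules are constructed for illustration. This does not
model the appliance's internal matching, only the ordering behaviour the
guide describes (rule 1 first, first match wins, default rule last).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PeeringRule:
    number: int
    action: str                     # "auto", "accept" or "pass"
    src: str = "0.0.0.0/0"          # source subnet, /0 = all
    dst: str = "0.0.0.0/0"          # destination subnet, /0 = all
    port: Optional[int] = None      # destination port, None = all
    peer: Optional[str] = None      # in-path IP of probing appliance, None = all

    def matches(self, src_ip: str, dst_ip: str, dst_port: int, peer_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.port in (None, dst_port)
                and self.peer in (None, peer_ip))

    def covers(self, other: "PeeringRule") -> bool:
        """True if every probe matching `other` also matches this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.port in (None, other.port)
                and self.peer in (None, other.peer))


def evaluate(rules: List[PeeringRule], src_ip: str, dst_ip: str,
             dst_port: int, peer_ip: str) -> Optional[PeeringRule]:
    """Return the first rule, in numerical order, that matches the probe."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src_ip, dst_ip, dst_port, peer_ip):
            return rule
    return None


def shadowed(rules: List[PeeringRule]) -> List[Tuple[int, int]]:
    """List (rule, earlier_rule) pairs where the earlier rule always wins."""
    ordered = sorted(rules, key=lambda r: r.number)
    hits = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.covers(later):
                hits.append((later.number, earlier.number))
                break
    return hits


# Constructed table: rule 1 is broader than rule 2, so rule 2 never applies.
RULES = [
    PeeringRule(1, "pass", dst="10.1.0.0/16"),
    PeeringRule(2, "accept", dst="10.1.5.0/24", port=443, peer="192.0.2.10"),
    PeeringRule(3, "accept", src="172.16.0.0/12", dst="10.2.0.0/16", port=445),
    PeeringRule(4, "auto"),          # default rule, always last
]

# Same rules with the narrow accept rule moved above the broad pass rule.
REORDERED = [replace(RULES[1], number=1), replace(RULES[0], number=2)] + RULES[2:]

if __name__ == "__main__":
    probe = ("172.16.4.20", "10.1.5.9", 443, "192.0.2.10")
    for name, table in (("original", RULES), ("reordered", REORDERED)):
        hit = evaluate(table, *probe)
        print(f"{name}: rule {hit.number} ({hit.action}), shadowed={shadowed(table)}")
```

Running the audit before committing a policy change shows whether a newly inserted rule sits below a rule that already covers it.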
Performance

You can configure service performance policy settings for the selected optimization policy in the Performance page. For details on Performance optimization, see the Steelhead Management Console User's Guide.

The Performance page contains the following groups of settings:
Data Store
Adaptive Data Streamlining
CPU Settings

Data Store

In this panel, select the option from the drop-down list, as described in the following table.

Segment Replacement Policy
Riverbed LRU - Replaces the least recently used data in the RiOS data store, which improves hit rates when the data in the RiOS data store are not equally used. This is the default setting.
FIFO - Replaces data in the order received (first in, first out).

Adaptive Data Streamlining

The adaptive data streamlining mode monitors and controls the different resources available on the Steelhead appliance and adapts the utilization of these system resources to optimize LAN throughput. Changing the default setting is optional; Riverbed recommends you select another setting only with guidance from Riverbed Support or the Riverbed Sales Team. Generally, the default setting provides the most data reduction.

When choosing an adaptive streamlining mode for your network, contact Riverbed Support to help you evaluate the setting based on:
the amount of data replication your Steelhead appliance is processing.
the type of data being processed and its effects on disk throughput on the Steelhead appliances.
your primary goal for the project, which could be maximum data reduction or maximum throughput. Even when your primary goal is maximum throughput you can still achieve high data reduction.
In this panel, enable or disable adaptive data streamlining, as described in the following table.

Default - This setting is enabled by default and works for most implementations. The default setting:
Provides the most data reduction.
Reduces random disk seeks and improves disk throughput by discarding very small data margin segments that are no longer necessary. This Margin Segment Elimination (MSE) process provides network-based disk defragmentation.
Writes large page clusters.
Monitors the disk write I/O response time to provide more throughput.

SDR Adaptive
Legacy - Includes the default settings and also:
Balances writes and reads.
Monitors both read and write disk I/O response and, based on statistical trends, can employ a blend of disk-based and non-disk-based data reduction techniques to enable sustained throughput during periods of high disk-intensive workloads.
Important: Use caution with the SDR-Adaptive Legacy setting, particularly when you are optimizing CIFS or NFS with prepopulation. Contact Riverbed Support for more information.
Advanced - Maximizes LAN side throughput dynamically under different data work loads. This switching mechanism is governed with a throughput and bandwidth reduction goal using the available WAN bandwidth. Both Steelheads must be running RiOS v6.0.x or later.
Upgrade notes: If you have enabled SDR-Adaptive prior to upgrading to RiOS v6.0 or later, the default setting is SDR-Adaptive Legacy. If you did not change the SDR-Adaptive setting prior to upgrading to RiOS v6.0 or later, the default setting is SDR-Adaptive Advanced.

SDR-M - Performs data reduction entirely in memory, which prevents the Steelhead appliance from reading and writing to and from the disk. Enabling this option can yield high LAN side throughput because it eliminates all disk latency. This is typically the preferred configuration mode for SAN replication environments.
SDR-M is most efficient when used between two identical high-end Steelhead appliance models. For example, 6050 and When used between two different Steelhead appliance models, the smaller model limits the performance. After enabling SDR-M on both the client-side and the server-side Steelhead appliances, restart both Steelheads to avoid performance degradation.
Important: You cannot use peer RiOS data store synchronization with SDR-M.
CPU Settings

Use the CPU settings to balance throughput with the amount of data reduction and balance the connection load. The CPU settings are useful with high-traffic loads to scale back compression, increase throughput, and maximize Long Fat Network (LFN) utilization.

In this panel, select the CPU settings for the optimization policy performance feature set, as described in the following table.

Compression Level - Specifies the relative trade-off of data compression for LAN throughput speed. Generally, a lower number provides faster throughput and slightly less data reduction. Select a RiOS data store compression value of 1 (minimum compression, uses less CPU) through 9 (maximum compression, uses more CPU) from the drop-down list. The default value corresponds to level 6. Riverbed recommends setting the compression level to 1 in high-throughput environments such as data center to data center replication.

Adaptive Compression - Detects LZ data compression performance for a connection dynamically and turns it off (sets the compression level to 0) momentarily if it is not achieving optimal results. Improves end-to-end throughput over the LAN by maximizing the WAN throughput. By default, this setting is disabled.

Multi-Core Balancing - Enables multicore balancing which ensures better distribution of workload across all CPUs, thereby maximizing throughput by keeping all CPUs busy. Core balancing is useful when handling a small number of high-throughput connections (approximately 25 or less). By default, this setting is disabled.

CIFS (SMB1)

You can display and modify CIFS optimization feature settings for the selected optimization policy in the CIFS page.

The CIFS page contains the following groups of settings:
Settings
Overlapping Open Optimization (Advanced)
SMB Settings
Settings

In this panel, you can select the CIFS options for an optimization policy, as described in the following table.

Enable Latency Optimization - Enables latency optimization. This is the default setting. Only clear this check box if you want to disable latency optimization. Typically, you disable latency optimization to troubleshoot problems with the system.
Important: Latency optimization must be enabled (or disabled) on both Steelhead appliances.

Disable Write Optimization - Disables write optimization. Disable write optimization only if you have applications that assume and require write-through in the network. If you disable write optimization, the Steelhead appliance still provides optimization for CIFS reads and for other protocols, but you might experience a slight decrease in overall optimization. Most applications operate safely with write optimization because CIFS enables you to explicitly specify write-through on each write operation. However, if you have an application that does not support explicit write-through operations, you must disable it in the Steelhead appliance. If you do not disable write-through, the Steelhead appliance acknowledges writes before they are fully committed to disk, to speed up the write operation. The Steelhead appliance does not acknowledge the file close until the file is safely written.

Optimize Connections with Security Signatures (that do not require signing) - Prevents Windows SMB signing. This is the default setting. This feature automatically stops Windows SMB signing. SMB signing prevents the Steelhead appliance from applying full optimization on CIFS connections and significantly reduces the performance gain from a Steelhead deployment.
Because many enterprises already take additional security precautions (such as firewalls, internal-only reachable servers, and so forth), SMB signing adds little additional security, at a significant performance cost (even without Steelhead appliances).
Before you enable this feature, consider the following factors:
If the client-side machine has Required signing, enabling this feature prevents the client from connecting to the server.
If the server-side machine has Required signing, the client and the server connect but you cannot perform full latency optimization with the Steelhead appliance. Domain controllers default to Required.
Important: If your deployment requires SMB signing, you can optimize signed CIFS messages using the RiOS v5.5.x Enable SMB Signing feature. For detailed information about SMB signing and the performance cost associated with it, see the Steelhead Appliance Installation and Configuration Guide.

Enable Dynamic Write Throttling - Enables the CIFS dynamic throttling mechanism, which replaces the current static buffer scheme. If you enable CIFS dynamic throttling, it is activated only when there are suboptimal conditions on the server side causing a backlog of write messages; it does not have a negative effect under normal network conditions.
Enable Applock Optimization - Enables CIFS latency optimizations to improve read and write performance for Microsoft Word and Excel documents when multiple users have the file open. By default, this setting is disabled. This feature enhances the Enable Overlapping Open Optimization feature by identifying and obtaining locks on read-write access at the application level. The overlapping open optimization feature handles locks at the file level.
Note: Enable the applock optimization feature on the client-side Steelhead appliance. The client-side Steelhead appliance must be running RiOS v5.5 or later.

Enable Print Optimization - Improves centralized print traffic performance. For example, when the print server is located in the data center and the printer is located in the branch office, enabling this option speeds the transfer of a print job spooled across the WAN to the server and back again to the printer. By default, this setting is disabled. Enabling this option requires an optimization service restart. This option supports Windows XP (client), Vista (client), Windows 2003 (server), and Windows 2008 (server). Both the client and server-side Steelhead appliance must be running RiOS v6.0 or later.
Note: This feature does not improve optimization for a Windows Vista client printing over a Windows 2008 server, because this client and server pair uses a different print protocol.

Overlapping Open Optimization (Advanced)

In this panel, you can enable overlapping open optimization for an optimization policy, as described in the following table.

Enable Overlapping Open Optimization - Enables overlapping opens to obtain better performance with applications that perform multiple opens on the same file (for example, CAD applications). By default, this setting is disabled.
Enable this setting on the client-side CMC. With overlapping opens enabled, the CMC optimizes data where exclusive access is available (in other words, when locks are granted). When an oplock is not available, the CMC does not perform application level latency optimizations but still performs SDR and compression on the data as well as TCP optimizations.
Note: If a remote user opens a file that is optimized using the overlapping opens feature and a second user opens the same file, they might receive an error if the file fails to go through a v3.x.x or later CMC or if it does not go through a CMC (for example, certain applications that are sent over the LAN). If this occurs, you should disable overlapping opens for those applications.
Use to set either an include list or exclude list of file types subject to overlapping opens optimization.

Optimize only the following extensions (comma separated) - Specify a list of extensions you want to include in overlapping opens optimization.

Optimize all except the following extensions (comma separated) - Specify a list of extensions you do not want to include. For example, you should specify any file extensions that Enable Applock Optimization is being used for.

Apply - Click Apply to apply your settings.
SMB Settings

In this panel, you configure the settings, as described in the following table.

Enable SMB Signing - Enables CIFS traffic optimization in transparent mode by providing bandwidth optimizations (SDR and LZ), TCP optimizations, and CIFS latency optimizations even when the CIFS messages are signed. By default, this setting is disabled. You must enable this feature on the server-side CMC.
Note: If you enable this feature without first joining a Windows Domain, a message tells you that the Steelhead appliance must join a domain before it can support SMB signing.
Select one of the following SMB signing modes:
Transparent Mode - Enables SMB signed packets with transparent authentication. Transparent mode eliminates the need to define delegation trust. This is the default setting in RiOS v6.0 or later; however, if you enabled SMB signing in RiOS v5.5 and have since upgraded to v6.0, delegation mode is enabled by default.
Delegation Mode - Enables SMB signed packets with delegate user authentication. Use this mode if you have previously enabled SMB Signing with RiOS v5.5.x.
Note: If you switch between transparent and delegation modes you must restart the optimization service.

Apply - Click Apply to apply your settings.

CIFS Prepopulation

The prepopulation operation effectively performs the first CMC read of the data on the prepopulation share. Subsequently, the CMC handles read and write requests as effectively as with a warm data transfer. With warm transfers, only new or modified data is sent, dramatically increasing the rate of data transfer over the WAN.

You can display and modify CIFS prepopulation feature settings for the selected optimization policy in the CIFS Prepopulation page. CIFS prepopulation enables you to warm Steelhead appliances with data from a CIFS share.
Enable Prepopulation - Click to prepopulate the Steelhead appliance with data from the listed CIFS shares.

Enable Transparent Prepopulation Support - Click to enable the Steelhead appliance to listen for updates on the listed CIFS shares.

Add a New Prepopulation Share - Displays the controls for adding a new prepopulation CIFS share.

Remote Path - Specify the path to the CIFS share. Specify the path to the data on the original server or the UNC path of a share that you want to make available for prepopulation. Set up the prepopulation share on the remote box pointing to the actual share in the headed data center server.
Important: The share and the origin-server share names must not use any characters other than letters, numbers, underscore, space, or backslash (directory separator). The names cannot contain any of the following characters:
Account - Specify the account number on the CIFS share. Specify the account used to access the prepopulation share. For example: <Domain>\<username>

Password - Set the password for accessing the CIFS share.

Password Confirm - Confirm the password.

Synchronization Enable - Enable the following synchronization options:
Sync Schedule Date, Time - Sets date (YYYY/MM/DD) and time (HH:MM:SS) for synchronizing the Steelhead appliance with the server.
Sync Interval - Set number and select Minutes, Hours, Days, or Disabled from the drop-down list.

Comment - Optionally, include a comment that describes the share configuration.

Add - Adds the new CIFS share configuration to the policy definition.

Remove Selected - Select the check box next to the name of the CIFS share configuration and click Remove Selected.

SMB2

You can optimize SMB2 policy in the Protocols SMB2 page.

RiOS v6.5 includes support for SMB2 traffic latency optimization for native SMB2 clients and servers. SMB2 enables more efficient access across disparate networks. It is the default mode of communication between Windows Vista and Windows Server Microsoft has subsequently modified SMB2 again (to SMB v2.1) for Windows 7 and Windows Server 2008 R2.

SMB2 brought a number of improvements, including but not limited to:
A vastly reduced set of opcodes (a total of only 18); in contrast SMBv1 has over 70 separate opcodes. Note that the use of SMB2 does not result in lost functionality (most of the SMB1 opcodes were redundant).
General mechanisms for data pipelining and lease-based flow control.
Request compounding which enables multiple SMB requests to be sent as a single network request.
Larger reads and writes provide for more efficient use of networks with high latency.
Caching of folders and file properties, where clients keep local copies of folders and files.
Improved scalability for file sharing (number of users, shares, and open files per server greatly increased).
For details on Protocols SMB2, see the Steelhead Management Console User's Guide.

Enable SMB2 Latency Optimization - Perform SMB2 latency optimization in addition to the existing bandwidth optimization features. These optimizations include cross-connection caching, read-ahead, write-behind, and batch prediction among several other techniques to ensure low latency transfers. RiOS maintains the data integrity and the client always receives data directly from the servers. By default, SMB2 optimization is disabled.
Important: You must enable (or disable) SMB2 latency optimization on both the client-side and server-side Steelhead appliances and both Steelheads must be running RiOS v6.5. After enabling SMB2 optimization, you must restart the optimization service.

Down-Negotiate SMB2 connections to SMB1 - Enable on the client-side Steelhead appliance. Optimizes connections that are successfully negotiated down to SMB1 according to the settings. Down negotiation is bypassed when the client or the server is configured to only use SMB2 or the client has already established an SMB2 connection with the server. If the client already has a connection with the server, you need to restart the client.

Do Not Optimize Connections that Couldn't Down Negotiate - Specifies that the Steelhead appliance does not optimize the connection when it is unable to negotiate down to SMB1.

Enable SMB2 Latency Optimization on Connections that Couldn't Down Negotiate - Enable to use SMB1 latency optimization when possible, but use SMB2 latency optimization when the Steelhead appliance is unable to negotiate down to SMB1.

Disable SMB2 Latency Optimization - Disables SMB2 latency optimization. You must enable (or disable) SMB2 latency optimization on both the client-side and server-side Steelhead appliances and both Steelheads must be running RiOS v6.5.
After enabling SMB2 optimization, you must restart the optimization service.

Enable SMB2 Signing - Enables SMB2 traffic optimization by providing bandwidth optimizations (SDR and LZ), TCP optimizations, and SMB2 latency optimizations even when the SMB2 messages are signed. By default, this setting is disabled. You must enable this feature on the server-side Steelhead appliance.
Important: If you are upgrading from RiOS v6.1 to v6.5, you might already have a delegate user and be joined to a domain. If so, enabling SMB2 signing will work when enabled with no additional configuration.
Note: If you enable this feature without first joining a Windows Domain, a message tells you that the Steelhead appliance must join a domain before it can support SMB2 signing.
Transparent Mode - Provides SMB2 signing with transparent authentication. The server-side Steelhead uses NTLM to authenticate users. Select transparent mode with Vista for the simplest configuration.
Delegation Mode - Re-signs SMB2 signed packets using the Kerberos delegation facility. This setting is enabled by default when you enable SMB2 signing. Delegation mode is required for Windows 7, but works with all clients.

Oracle Forms

You can configure Oracle Forms support for the selected optimization policy in the Protocols Oracle Forms page.
Oracle Forms is a platform for developing user interface applications to interact with an Oracle database. It uses a Java applet to interact with the database in either native, HTTP, or HTTPS mode. The Steelhead appliance decrypts, optimizes, and then re-encrypts the Oracle Forms traffic.

For details on the Protocols Oracle Forms feature, see the Steelhead Management Console User's Guide.

Enable Oracle Forms Optimization - Enables Oracle Forms optimization in native mode, also known as socket mode. Oracle Forms native mode optimization is enabled by default. Disable this option only to turn off Oracle Forms optimization. For example, if your network users do not use Oracle applications.

Enable HTTP Mode - Enables Oracle Forms optimization in HTTP mode. All internal messaging between the forms server and the Java client is encapsulated in HTTP packets. In RiOS v6.0 or later, HTTP mode is enabled by default. You must also select the Enable Oracle Forms Optimization check box to enable HTTP mode.

If you change the Oracle Forms setting, you must restart the Steelhead service. For details, see Starting, Stopping, or Restarting Appliances and Appliance Groups on page 147.

If you have not already done so, add an in-path rule for Oracle Forms traffic. The rule must have the following properties.

Property: Value
Type: Auto-discover or Fixed-target
Destination Subnet/Port: Specify the server IP address (for example, /32), and a port number: 9000 for native mode, using the default forms server; 8000 for HTTP mode
Preoptimization Policy: Oracle Forms or Oracle Forms over SSL
Optimization Policy: Normal
Latency Optimization Policy: Normal
Neural Framing Mode: Always

Apply - Applies your settings to the running configuration.

MAPI

MAPI optimization does not require a separate license and is enabled by default.
RiOS v6.0 and later uses the Steelhead secure inner channel to ensure all MAPI traffic sent between the client-side and the server-side Steelhead appliances are secure. Riverbed Central Management Console User s Guide 335
You can display and modify MAPI optimization settings for the selected optimization policy on the Protocols MAPI page. For more information on the MAPI optimization, see the Steelhead Management Console User's Guide.

Enable MAPI Exchange Optimization
Enables MAPI optimization. By default, MAPI optimization is enabled. Only clear this check box to disable MAPI optimization. Typically, you disable MAPI optimization to troubleshoot problems with the system. For example, if you are experiencing problems with Outlook clients connecting with Exchange, you can disable MAPI latency acceleration (while continuing to optimize with SDR for MAPI).

Exchange Port
Specify the MAPI Exchange port for optimization. Typically, you do not need to modify the default value. If you have changed the MEISI port in your Exchange Server environment, change port 7830 to the static port number you have configured in your Exchange environment. For further information about changing (MEISI) ports, see the Microsoft Exchange Information Store Interface at:

Enable Outlook Anywhere Optimization
Enables Outlook Anywhere. By default, this option is disabled.
Automatically detects the RPC over HTTP(S) optimization for Outlook Anywhere on connections matching this rule. To auto-detect Outlook Anywhere or HTTP on a connection, enable the Auto-Detect Outlook Anywhere Connections option. The auto-detect option in the MAPI page is best for simple Steelhead configurations with only a single Steelhead at each site and when the IIS server is also handling Web sites. If the IIS server is only used as RPC Proxy, and for configurations with asymmetric routing, connection forwarding or Interceptor installations, add in-path rules that identify the RPC Proxy server IP addresses and select this latency optimization policy. After adding the in-path rule, disable the auto-detect option.

Enable Encrypted Optimization
Enables encrypted MAPI RPC traffic optimization between Outlook and Exchange. By default, this option is disabled.
Note: Both the server-side and client-side Steelhead appliances must be running RiOS v5.5.x or later. When this option is enabled and Enable MAPI Exchange 2007 Acceleration is disabled on either Steelhead appliance, MAPI Exchange 2007 acceleration remains in effect for unencrypted connections.
Transparent Mode - Provides encrypted MAPI with transparent NTLM authentication. By default, this setting is enabled with encrypted MAPI optimization. Transparent mode supports all Windows servers.
Delegation Mode - Provides encrypted MAPI optimization using the Kerberos delegation facility. Select this mode if you are encrypting MAPI traffic for Windows 7 or earlier client versions. Both the server-side and client-side Steelhead appliances must be running RiOS v

Enable Transparent Prepopulation
Enables Transparent Prepopulation.
Provides encrypted MAPI with transparent NTLM authentication. By default, this setting is enabled with encrypted MAPI optimization. Transparent mode supports all Windows servers, including Windows 2008 R2 (assuming they are not in domains with NTLM disabled). Transparent mode does not support Windows 7 clients or Windows 2008 R2 domains with NTLM disabled. Windows 7 clients must use Delegation mode. In RiOS v6.1, transparent mode includes support for trusted domains, wherein users are joined to a different domain from the Exchange server being accessed.
Max Connections - Specify the maximum number of virtual MAPI connections to the Exchange server for Outlook clients that have shut down. Setting the maximum connections limits the aggregate load on all Exchange servers through the configured Steelhead appliance. The default value varies by model. For example, on a 5520 the default is
You must configure the maximum connections on both the client and server-side of the network.
Poll Interval (minutes) - Sets the interval, in minutes, at which the appliance checks the Exchange server for newly arrived email for each of its virtual connections. The default value is 20.
Time Out (hours) - Specify the number of hours after which to time out virtual MAPI connections. When this threshold is reached, the virtual MAPI connection is terminated. The time-out is enforced on a per-connection basis. Time-out prevents a buildup of stale or unused virtual connections over time. The default value is 96.

Enable Exchange 2003 Support
Enables MAPI 2003 support. By default, this option is enabled. This feature increases optimization of traffic between Exchange 2003 and Outlook
Do not disable when moving to a later version of MAPI in your network. For example, if you are running Exchange 2007 with Outlook 2007 clients, do not disable the Exchange 2003 option.
Note: For out-of-path deployments, to optimize MAPI Exchange 2003, you must define fixed-target, in-path rules that specify the following ports on the client-side Steelhead appliance: the Microsoft end-point mapper port: 135; the Steelhead appliance port for Exchange traffic: 7830; the Steelhead appliance port for Exchange Directory NSPI traffic:

Enable Exchange Support
Enables native MAPI 2007 support. By default, this option is enabled. If you have Outlook 2007 and Exchange 2003 or 2007 in your environment, this option increases optimization of traffic between Exchange and Outlook
Sharing calendars between Outlook 2007 and Exchange 2007 increases the number of connections (anywhere from 1 to 2 extra connections per each user sharing calendars). The connections are persistent and remain even when users are not actively checking other users' calendars. Enabling this option helps keep connection counts at sustained, low levels, thereby increasing optimization.

Enable MAPI NSPI
Enables MAPI Name Service Provider Interface (NSPI) optimization. By default, NSPI optimization is disabled. NSPI is the address book subcomponent of the Exchange protocol. Enable this feature to perform latency optimization for the connection when using the Exchange 2000 Server or when the client is not using Cached Exchange mode.
NSPI Port - Specify the NSPI port. The default value is
MS-SQL

You can configure MS-SQL support in the Protocols MS-SQL page. Enabling MS-SQL optimization applies default rules to increase optimization for Microsoft Project (MS Project). By default, Riverbed provides MS-SQL optimizations only for Microsoft Project Enterprise
Each application interacts with the database differently and customizations are needed before the MS-SQL feature can be used for any other application. To optimize all other SQL applications with the MS-SQL Application acceleration module, contact Riverbed Professional Services. For more information on the MS-SQL feature, see the Steelhead Management Console User's Guide.

Enable MS-SQL Optimization
Increases optimization for Microsoft Project. The MS-SQL feature also optimizes other database applications, but you must define SQL rules to obtain maximum optimization. If you are interested in enabling the MS-SQL feature for other database applications, contact Riverbed Professional Services.

MS-SQL Prefetch Fetch-Next
Enables prefetching requests to request the next row in MS Project. This feature is enabled by default. The server-side Steelhead appliance prefetches sequential row results and the client-side Steelhead appliance caches them.

Max Number of Pre-Acknowledgements
Specify the number of requests to pre-acknowledge before waiting for a server response to be returned. The default value is 30.

MS-SQL Ports
Specify a comma-separated list of port numbers for MS-SQL servers. By default, 1433 is optimized; if you specify other ports they are optimized instead.

NFS

You can display and modify NFS optimization settings for the selected optimization policy on the Protocols NFS page. NFS optimization provides latency optimization improvements for NFS operations by prefetching data, storing it on the client Steelhead appliance for a short amount of time, and using it to respond to client requests. You enable NFS optimization in high-latency environments.

You can configure NFS settings globally for all servers and volumes or you can configure NFS settings that are specific to particular servers or volumes. When you configure NFS settings for a server, the settings are applied to all volumes on that server unless you override settings for specific volumes.

Important: NFS optimization is not supported in an out-of-path deployment. NFS optimization is supported only for NFS v3. When a transaction using NFS version 2 or 4 is optimized, the NFS latency module cannot be used and an alarm is triggered. Bandwidth optimization, SDR and LZ compression will still apply.

For more information on the NFS optimization, see the Steelhead Management Console User's Guide.

The NFS page contains the following groups of settings:
Settings
Override NFS Protocol Settings
Settings

In this panel, you can display and modify NFS protocol settings for an optimization policy, as described in the following table.

Enable NFS Optimization
Enables NFS optimization. You enable NFS optimization where NFS performance over the WAN is impacted by a high-latency environment. By default, this feature is enabled.

NFS v2 and v4 Alarms
Enables alarm notification when NFS v2 and NFS v4 traffic is detected. When triggered, the alarm provides a link to this page and a button to reset the alarm.

Default Server Policy
Select one of the following server policies for NFS servers:
Global Read-Write - Specifies a policy that provides data consistency rather than performance. All of the data can be accessed from any client, including LAN-based NFS clients (which do not go through the Steelhead appliances) and clients using other file protocols such as CIFS. This option severely restricts the optimization that can be applied without introducing consistency problems. This is the default configuration.
Custom - Specifies a custom policy for the NFS server.
Read Only - Specifies that the clients can read the data from the NFS server or volume but cannot make changes.
The default server policy is used to configure any connection to a server which does not have a policy.

Default Volume Policy
Select one of the following volume policies for NFS volumes:
Global Read-Write - Specifies a policy that provides data consistency rather than performance. All of the data can be accessed from any client, including LAN-based NFS clients (which do not go through the Steelhead appliances) and clients using other file protocols such as CIFS. This option severely restricts the optimization that can be applied without introducing consistency problems. This is the default configuration.
Custom - Specifies a custom policy for the NFS volume.
Read Only - Specifies that the clients can read the data from the NFS server or volume but cannot make changes.
The default volume policy is used to configure a volume that does not have a policy.

Override NFS Protocol Settings

You can add server configurations to override your default settings. You can also modify or remove these configuration overrides. If you do not override settings for a server or volume, the Steelhead appliance uses the global NFS settings.

In this panel, you can manage NFS server configurations for an optimization policy, as described in the following table.

Add a New NFS Server
Displays the controls to add an NFS server configuration.

Server Name
Specify the name of the server.

Server IP Addresses
Specify the IP addresses of the servers, separated by commas, and click Add Server.

Add
Adds the configuration to the NFS Servers list.

Remove Selected
Select the check box next to the name and click Remove Selected.

Tip: To modify server properties, in the table row for the server, click the NFS Server Name to display controls you can use to modify server properties. Complete the configuration as above.

Lotus Notes

Lotus Notes is a client-server collaborative application that provides email, instant messaging, calendar, resources, and file sharing. RiOS provides latency and bandwidth optimization for Lotus Notes v6.0 and later traffic across the WAN, accelerating email attachment transfers and server-to-server or client-to-server replications.

To use this feature both the client-side and server-side Steelhead appliances must be running RiOS v5.5.x or later. Enabling Lotus Notes provides latency optimization regardless of the compression type (Huffman, LZ, or none).

Before enabling Lotus Notes optimization:
Be aware that Riverbed cannot optimize encrypted Lotus Notes connections.
Lotus Notes Optimization automatically disables socket level compression for connections going through Steelheads that have this feature enabled.

You can display and modify Lotus Notes optimization settings for the selected optimization policy on the Protocols Lotus Notes page.

Enable Lotus Notes Optimization
Enables Lotus Notes optimization. By default, Lotus Notes optimization is disabled.

Lotus Notes Port
Specify the Lotus Notes port for optimization.

Citrix ICA

To consolidate operations, some organizations install thin clients in their branch offices and install a Citrix Presentation Server in the data center to front-end the applications. The proprietary protocol that Citrix uses to move updates between the client and the server is called ICA (Independent Computing Architecture). The thin clients at the branch offices have a Citrix ICA client accessing the services at the data center which are front-ended by a Citrix Presentation Server (also called Citrix Metaframe Server in earlier versions).
You can display and modify Citrix ICA optimization settings for the selected optimization policy on the Protocols Citrix ICA page. For more detail, see the Steelhead Management Console User's Guide.

Enable Citrix ICA Optimization
Enables Citrix ICA optimization. By default, Citrix ICA optimization is disabled.

ICA Port
Specify the port on the Presentation Server for inbound traffic. The default port is

Session Reliability (CGP) Port
Specify the port number for Common Gateway Protocol (CGP) connections. CGP uses the session reliability port to keep the session window open even if there is an interruption on the network connection to the server. By default, this setting is

Enable Secure ICA Encryption
Uses the RC5 algorithm to encrypt the ICA protocol, securing communication sent between a MetaFrame Presentation Server and a client.

Apply
Click Apply to apply your settings to the running configuration.

FCIP

You can enable and modify FCIP storage optimization module settings. For details, see the Steelhead Management Console User's Guide.

Fibre Channel over TCP/IP (FCIP) is a transparent Fibre Channel (FC) tunneling protocol that transmits FC information between FC storage facilities over IP networks. FCIP is designed to overcome the distance limitations of FC.

RiOS v6.1 FCIP storage optimization provides support for environments using storage technology that originates traffic as FC and then uses either a Cisco MDS or a Brocade 7500 FCIP gateway to convert the FC traffic to TCP for WAN transport.

To increase the data reduction LAN-to-WAN ratio with either equal or greater data throughput in environments with FCIP traffic, RiOS separates the FCIP headers from the application data workload written to storage. The FCIP headers contain changing protocol state information, such as sequence numbers. These headers interrupt the network stream and reduce the ability of SDR to match large, contiguous data patterns. After isolating the header data, the CMC performs SDR network deduplication on the larger, uninterrupted storage data workload and LZ compression on the headers. RiOS then optimizes, reassembles, and delivers the data to the TCP consumer without compromising data integrity.

In this panel, you can modify the FCIP protocols, as described in the following table.

Enable FCIP
Enables FCIP protocol. By default, FCIP is disabled.

FCIP Ports
Specify the FCIP ports. Optionally, you can add FCIP port numbers separated by commas or remove a port number. Do not specify a port range.
Note: The FCIP ports field must always contain at least one FCIP port.

Add a New Rule
Displays the controls for adding a new rule.

Source IP
Specify the connection source IP address of the FCIP gateway tunnel endpoints.
Note: The source IP address cannot be the same as the destination IP address.

Destination IP
Specify the connection destination IP address of the FCIP gateway tunnel endpoints.

Enable DIF
Isolates and optimizes the DIFs embedded within the FCIP data workload.

DIF Data Block Size (bytes)
Specify the size of a standard block of storage data, in bytes, after which a DIF header begins. The valid range is from 1 to 2048 bytes. The default value is 512, which is a standard block size for Open System environments. When you enable DIF, RiOS FCIP optimization looks for a DIF header after every 512 bytes of storage data unless you change the default setting. Open System environments (such as Windows, UNIX, and Linux) inject the DIF header into the data stream after every 512 bytes of storage data. AS/400 host environments inject the DIF header into the data stream after every 520 bytes. This field is required when you enable DIF.

Add
Adds the rule to the list.

Remove Selected Rule
Select the check box next to the name and click Remove Selected Rule.

HTTP

For more information on HTTP optimization, see the Steelhead Management Console User's Guide.

This section describes how HTTP optimization works for most HTTP and HTTPS applications, including SAP, customer relationship management, enterprise resource planning, financial, document management, and Intranet portals.

Configuring HTTP optimization can be a complex task. There are many different options and it is not always easy to determine what settings are required for a particular application without extensive testing. RiOS v7.0 and later includes HTTP automatic configuration, which creates an ideal HTTP optimization scheme based on a collection of comprehensive statistics per host. The host statistics create an application profile, used to configure HTTP automatically and assist with any troubleshooting. You can easily change an automatically configured server subnet to override settings.

For information on version incompatibility, see Version Incompatibilities for HTTP on page 348.

The HTTP page contains the following groups of settings:
HTTP Settings
HTML Tags to Prefetch
Server Subnet Setting

HTTP optimization has been tested on Internet Explorer v6.0 or later and Firefox v2 or later. HTTP optimization has been tested on Apache v1.3, Apache v2.2, Microsoft IIS v5.0 and v6.0, Microsoft SharePoint, ASP.net, and Microsoft Internet Security and Acceleration Server (ISA).

All of the HTTP optimization features operate on the client-side Steelhead appliance. As long as the server-side Steelhead appliance is running v4.0.x or later, you configure HTTP optimizations only on the client-side Steelhead appliance.
HTTP Settings

In this panel, you can set general HTTP settings for an optimization policy, as described in the following table.

Enable HTTP Optimization
Enable this feature to prefetch and store objects embedded in Web pages to improve HTTP traffic performance. By default, HTTP optimization is enabled.

Store All Allowable Objects
Store Objects With The Following Extensions
Disable The Object Prefetch Table
Stores all allowable objects. Examines the control header to determine which objects to store. By default, Store All Allowable Objects is enabled. Stores nothing.

Minimum Object Prefetch Table Time
Sets the minimum number of seconds the objects are stored in the local object prefetch table. The default is 60 seconds. This setting specifies the minimum lifetime of the stored object. During this lifetime, any qualified If-Modified-Since (IMS) request or regular request from the client receives an HTTP 304 response, indicating that the resource for the requested object has not changed since stored.

Maximum Object Prefetch Table Time
Sets the maximum number of seconds the objects are stored in the local object prefetch table. The default is 86,400 seconds. This setting specifies the maximum lifetime of the stored object. During this lifetime, any qualified If-Modified-Since (IMS) request or regular request from the client receives an HTTP 304 response, indicating that the resource for the requested object has not changed since stored.

Extensions to Prefetch
Specify object extensions to prefetch, separated by commas. By default the Steelhead appliance prefetches .jpg, .gif, .js, .png, and .css object extensions. These extensions are only for URL Learning and do not affect other prefetch types.
Enable HTTP Stream Splitting
Enable this feature on the client-side to split Silverlight smooth streaming and Adobe Flash HTTP dynamic streams. This feature includes support for Microsoft Silverlight video and Silverlight extensions support on Internet Information Services (IIS) version 7.5 installed on Windows Server 2008 R2. To split Adobe Flash streams, you must set up the video origin server before enabling this feature. For details, see the Steelhead Appliance Deployment Guide.

Use this feature to support multiple branch office users from a single real-time TCP stream. The Steelhead identifies live streaming video URL fragment requests and delays any request that is already in progress. When the client receives the response, it returns the same response to all clients requesting that URL.

As an example, when employees in branch offices simultaneously start clients (through browser plugins) that all request the same video fragment, the client-side Steelhead delays requests for that fragment because it is already outstanding. Since many identical requests typically are made before the first request is responded to, the result is many hits to the server and many bytes across the WAN. When you enable Microsoft Silverlight stream splitting on the client-side Steelhead, it identifies live streaming video URL fragment requests, and holds subsequent requests for that fragment because the first request for that fragment is outstanding. When the response is received, it is delivered to all clients that requested it. Thus, only one request and response pair for a video fragment transfers over the WAN. With stream splitting, the Steelhead replicates one TCP stream for each individual client.

Stream splitting optimization does not change the number of sockets that are opened to the server, but it does reduce the number of requests made to the server. Without this optimization, each fragment is requested once per client. With this optimization, each fragment is requested once.

By default, Microsoft Silverlight stream splitting is disabled. Enabling this option requires that HTTP optimization is enabled on the client-side and server-side Steelhead appliances. The client-side Steelhead appliance requires an optimization service restart. No other changes are necessary on the server-side Steelhead appliance.

In addition to splitting the video stream, you can prepopulate video at branch office locations during off-peak periods and then retrieve them for later viewing. For information, see the protocol http prepop list url command in the Riverbed Command-Line Interface Reference Manual.

To view the data reduction resulting from stream splitting, see the Data Reduction and Optimized Throughput report graphs.
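The request holding described under Enable HTTP Stream Splitting can be modeled as request coalescing. The following is an added example, not Riverbed code and not part of the original guide: a client-side proxy holds requests for a fragment URL that is already outstanding and answers all of them from the single WAN response. The class names, fragment URLs and simulated WAN delay are assumptions, and the model does not keep a fragment once its response has been delivered.

```python
import asyncio

# Constructed fragment URLs for a live stream (not taken from the guide).
FRAGMENTS = ["/live/video/fragment-0", "/live/video/fragment-1", "/live/video/fragment-2"]


class Origin:
    """Stand-in for the video origin server on the far side of the WAN."""

    def __init__(self, wan_delay=0.01):
        self.wan_delay = wan_delay
        self.requests = 0                      # requests that crossed the WAN

    async def get(self, url):
        self.requests += 1
        await asyncio.sleep(self.wan_delay)    # simulated WAN round trip
        return ("fragment:" + url).encode()


class StreamSplitter:
    """Hypothetical client-side proxy that coalesces identical fragment requests."""

    def __init__(self, origin):
        self.origin = origin
        self._outstanding = {}                 # fragment URL -> Future for its response

    async def get(self, url):
        pending = self._outstanding.get(url)
        if pending is not None:
            # The fragment is already outstanding: hold this client and hand it
            # the same bytes. shield() keeps one client's cancellation from
            # cancelling the response every other held client is waiting on.
            return await asyncio.shield(pending)

        future = asyncio.get_running_loop().create_future()
        self._outstanding[url] = future
        try:
            body = await self.origin.get(url)
        except asyncio.CancelledError:
            future.cancel()                    # release held clients
            raise
        except Exception as exc:
            future.set_exception(exc)          # held clients see the same failure
            future.exception()                 # mark retrieved when nobody waited
            raise
        else:
            future.set_result(body)
            return body
        finally:
            # Only requests made while the first one is outstanding are merged.
            del self._outstanding[url]


async def _watch(front, urls):
    """One branch-office client playing the fragments in order."""
    return [await front.get(url) for url in urls]


async def _run(num_clients, urls, split):
    origin = Origin()
    front = StreamSplitter(origin) if split else origin
    played = await asyncio.gather(*(_watch(front, urls) for _ in range(num_clients)))
    return origin.requests, played


def simulate(num_clients, urls, split):
    """Return (requests sent over the WAN, list of fragment bodies per client)."""
    return asyncio.run(_run(num_clients, urls, split))


if __name__ == "__main__":
    for split in (False, True):
        wan_requests, _ = simulate(20, FRAGMENTS, split)
        print(f"stream splitting={split}: {wan_requests} WAN requests for 20 clients")
```

Every client still receives every fragment; only the number of requests that reach the origin changes, which matches the guide's "once per client" versus "once" comparison.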
Enable Per-Host Auto Configuration
Creates an HTTP optimization scheme automatically by evaluating HTTP traffic statistics gathered for the host or server subnet. RiOS derives the Web server hostname or server subnet from the HTTP request header and collects HTTP traffic statistics for that host or subnet. RiOS evaluates hostnames and subnets that do not match any other rules.

Automatic configurations define the optimal combination of URL Learning, Parse and Prefetch, and Object Prefetch Table for the host or subnet. After RiOS evaluates the host or subnet, it appears on the subnet or host list at the bottom of the page as Auto Configured. HTTP traffic is optimized automatically. Automatic configuration is enabled by default.

If you have automatically configured hostnames and then disabled Per-Host Auto Configuration, the automatically configured hosts are removed from the list when the page refreshes. They are not removed from the database. When you reenable Per-Host Auto Configuration, the hosts reappear in the list with the previous configuration settings.

Riverbed recommends that both the client-side and server-side Steelhead appliances are running RiOS v7.0 or later for full statistics gathering and optimization benefits.

You cannot remove an automatically configured hostname or subnet from the list, but you can reconfigure them, save them as a static host and then remove them. To allow a static host to be automatically configured, remove it from the list.

Enable Kerberos Authentication Support
Enable on the server-side Steelhead appliance to optimize HTTP connections using Kerberos authentication end to end between the client-side and server-side Steelhead appliances and the server-side Steelhead and the server. This enables RiOS to prefetch resources when the Web server employs per-request Kerberos. Both the client-side and server-side Steelhead appliances must be running RiOS v7.0. No additional configuration is needed on the client-side Steelhead appliance.

HTML Tags to Prefetch

In this panel, you can specify HTML tags for prefetching for an optimization policy, as described in the following table. By default, the following tags are prefetched: base/href, body/background, img/src, link/href, and script/src. These tags are for Parse and Prefetch only and do not affect other prefetch types.

Add a Prefetch Tag
Displays the controls to add an HTML tag.

Tag Name
Specify the tag name.

Attribute
Specify the tag attribute.

Add
Adds the tag.

Remove Selected
Select the check box next to the name and click Remove Selected.
After you apply your settings, you can verify whether changes have had the desired effect by reviewing related reports. When you have verified appropriate changes, you can write the active configuration that is stored in memory to the active configuration file (or Save As any filename you choose).

Server Subnet Setting

Under Server Subnet Settings, you can enable URL Learning, Parse and Prefetch, and Object Prefetch Table in any combination for any server subnet. You can also enable authorization optimization in RiOS v6.1 to tune a particular subnet dynamically, with no service restart required.

The default setting is URL Learning only for all traffic. The default setting applies when HTTP optimization is enabled, regardless of whether there is an entry in the Server Subnet list. In the case of overlapping subnets, specific list entries override any default settings.

For example, suppose the majority of your Web servers have dynamic content applications but you also have several static content application servers. You could configure your entire server subnet to disable URL Learning and enable Parse and Prefetch and Object Prefetch Table, optimizing HTTP for the majority of your Web servers. Next, you could configure your static content servers to use URL Learning only, disabling Parse and Prefetch and Object Prefetch Table.
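The following added example (not Riverbed code, and not part of the original guide) shows how a Server Subnet list built for the scenario above resolves to an effective prefetch scheme per server. It assumes that "specific list entries override" means the longest matching prefix wins; the subnets and server addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Scheme:
    url_learning: bool
    parse_and_prefetch: bool
    object_prefetch_table: bool


# Per the guide: URL Learning only, for all traffic, when no list entry matches.
DEFAULT_SCHEME = Scheme(url_learning=True, parse_and_prefetch=False,
                        object_prefetch_table=False)

# Constructed list mirroring the guide's scenario: the whole server subnet is
# tuned for dynamic content, a smaller range of static servers is not.
EXAMPLE_ENTRIES = [
    ("10.20.0.0/16", Scheme(False, True, True)),    # entire server subnet
    ("10.20.5.0/28", Scheme(True, False, False)),   # static content servers
]


def parse_subnet(text):
    """Accept only the XXX.XXX.XXX.XXX/XX form the guide specifies."""
    _, sep, prefix = text.partition("/")
    if not sep or not prefix.isdigit():
        raise ValueError(f"{text!r}: expected address/prefix-length")
    # strict=True rejects entries whose host bits are set, for example
    # 10.20.5.3/28, which would otherwise cover more servers than intended.
    return ipaddress.IPv4Network(text, strict=True)


def build_table(entries):
    """Validate the entries and index them by network."""
    table = {}
    for text, scheme in entries:
        net = parse_subnet(text)
        if net in table:
            raise ValueError(f"{net}: subnet listed twice")
        table[net] = scheme
    return table


def effective_scheme(table, server_ip):
    """Return (matching subnet or None, scheme) for one server address.

    Assumption: among overlapping entries, the longest prefix wins.
    """
    addr = ipaddress.ip_address(server_ip)
    matches = [net for net in table if addr in net]
    if not matches:
        return None, DEFAULT_SCHEME
    best = max(matches, key=lambda net: net.prefixlen)
    return best, table[best]


def nested_entries(table):
    """List (broader, narrower) pairs so overlapping entries can be reviewed."""
    nets = sorted(table, key=lambda net: net.prefixlen)
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:]
            if b.subnet_of(a)]


if __name__ == "__main__":
    table = build_table(EXAMPLE_ENTRIES)
    for ip in ("10.20.9.40", "10.20.5.3", "192.0.2.10"):
        net, scheme = effective_scheme(table, ip)
        print(ip, "->", net or "default", scheme)
    for broad, narrow in nested_entries(table):
        print(f"{narrow} overrides {broad} for the servers it covers")
```

Running the lookup against an inventory of Web servers before applying a policy shows which servers fall through to the default scheme and which overlapping entry actually governs each one.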
355 Optimization Policy Settings Viewing Policy Configuration Settings In this panel, you can manage HTTP server subnet configurations for an optimization policy, as described in the following table. Add a Server Subnet Server Subnet Displays the controls for adding a server subnet. The server must support keepalive. Specify an IP address and mask pattern for the server subnet on which to set up the HTTP optimization scheme. Use the format XXX.XXX.XXX.XXX/XX Basic Tuning Strip Compression Insert Cookie Insert Keep-Alive Removes the accept-encoding lines from the HTTP compression header. An accept-encoding directive compresses content rather than using raw HTML. Enabling this option improves the performance of the Steelhead appliance data reduction algorithms. By default, strip compression is enabled. Adds a cookie to HTTP applications that do not already have one. HTTP applications frequently use cookies to keep track of sessions. The Steelhead appliance uses cookies to distinguish one user session from another. If an HTTP application does not use cookies, the client Steelhead appliance inserts one so that it can track requests from the same client. By default, this setting is disabled. Uses the same TCP connection to send and receive multiple HTTP requests and responses, as opposed to opening a new one for every single request and response. Specify this option when using the URL Learning or Parse and Prefetch features with HTTP v1.0 or HTTP v1.1 applications using the Connection Close method. By default, this setting is disabled. Prefetch Schemes URL Learning Parse and Prefetch Enables URL Learning, which learns associations between a base URL request and a follow-on request. Stores information about which URLs have been requested and which URLs have generated a 200 OK response from the server. This option fetches the URLs embedded in style sheets or any JavaScript associated with the base page and located on the same host as the base URL. 
URL Learning works best with non-dynamic content that does not contain session-specific information. URL Learning is enabled by default. Your system must support cookies and persistent connections to benefit from URL Learning. If your system has cookies turned off and depends on URL rewriting for HTTP state management, or is using HTTP v1.0 (with no keepalives), you can force the use of cookies using the Add Cookie option and force the use of persistent connections using the Insert Keep Alive option. Enables Parse and Prefetch, which parses the base HTML page received from the server and prefetches any embedded objects to the client-side Steelhead appliance. This option complements URL Learning by handling dynamically generated pages and URLs that include state information. When the browser requests an embedded object, the Steelhead appliance serves the request from the prefetched results, eliminating the round-trip delay to the server. The prefetched objects contained in the base HTML page can be images, style sheets, or any Java scripts associated with the base page and located on the same host as the base URL. Parse and Prefetch requires cookies. If the application does not use cookies, you can insert one using the Insert Cookie option. Riverbed Central Management Console User s Guide 347
Object Prefetch Table - Enables the Object Prefetch Table, which stores HTTP object prefetches from HTTP GET requests for cascading style sheets, static images, and JavaScript. When the browser performs If-Modified-Since (IMS) checks for cached content or sends regular HTTP requests, the client-side Steelhead appliance responds to these IMS checks and HTTP requests, cutting back on round trips across the WAN.

Authentication Tuning

Reuse Auth - Enables an unauthenticated connection to serve prefetched objects, as long as the connection belongs to a session whose base connection is already authenticated. This option is most effective when the Web server is configured to use per-connection NTLM or Kerberos authentication.

Force NTLM - In the case of negotiated Kerberos and NTLM authentication, forces NTLM. Kerberos is less efficient over the WAN because the client must contact the Domain Controller to answer the server authentication challenge and tends to be employed on a per-object basis. Riverbed recommends enabling Strip Auth Header along with this option.

Strip Auth Header - Removes all credentials from the request on an already authenticated connection. This works around Internet Explorer behavior that re-authorizes connections that have previously been authorized. This option is most effective when the Web server is configured to use per-connection NTLM authentication. Important: If the Web server is configured to use per-connection Kerberos authentication, enabling this option might cause authentication failure.

Gratuitous 401 - Prevents a WAN round trip by issuing the first 401 containing the realm choices from the client-side Steelhead appliance. Riverbed recommends enabling Strip Auth Header along with this option. This option is most effective when the Web server is configured to use per-connection NTLM authentication or per-object Kerberos authentication. Important: If the Web server is configured to use per-object Kerberos authentication or per-connection NTLM authentication, enabling this option might cause additional delay.

Add - Adds the subnet.

Remove Selected - Select the check box next to the name and click Remove Selected.

Tip: To modify subnet configuration properties, in the table row for the configuration, use the drop-down lists to modify configuration settings as described above.

Version Incompatibilities for HTTP

HTTP is incompatible with:
- Steelhead appliance v6.1.x - is configurable with limitations.
- Steelhead appliance v6.5.x - is configurable with limitations.
SRDF

You can enable and modify SRDF storage module optimization settings. EMC's Symmetrix Remote Data Facility/Asynchronous (SRDF/A) is a SAN replication product. It carries out the data replication over Gig-E (instead of the Fibre Channel) using gateways that implement the SRDF protocol. RiOS v6.1 SRDF storage optimization provides support for environments using storage technology that originates traffic through Symmetrix Gig-E ports to convert the FC traffic to TCP for WAN transport. For details on storage technologies that originate traffic through Gig-E RE ports, see the Steelhead Appliance Deployment Guide. For details, see the Steelhead Management Console User's Guide.

In this panel, you can modify the SRDF protocols, as described in the following table.

Enable SRDF - Enables SRDF protocol. By default, SRDF is disabled.

SRDF Ports - Specify the SRDF ports. Optionally, you can add SRDF port numbers separated by commas or remove a port number. Do not specify a port range. Note: The SRDF ports field must always contain at least one SRDF port.

Add a New Rule - Displays the controls for adding a new rule.

Source IP - Specify the connection source IP address of the Symmetrix hosts originating the replication. Note: The source IP address cannot be the same as the destination IP address.

Destination IP - Specify the connection destination IP address of the Symmetrix hosts receiving the replication.

Enable DIF - Isolates and optimizes the Data Integrity Fields embedded within the SRDF data workload.

DIF Data Block Size (bytes) - Specify the size of a standard block of storage data, in bytes, after which a DIF header begins. The valid range is from 1 to 2048 bytes. The default value is 512, which is a standard block size for Open System environments. When you enable DIF, RiOS SRDF optimization looks for a DIF header after every 512 bytes of storage data unless you change the default setting. Open System environments (such as Windows, UNIX, and Linux) inject the DIF header into the data stream after every 512 bytes of storage data. AS/400 host environments inject the DIF header into the data stream after every 520 bytes. This field is required when you enable DIF.

Add - Adds the rule to the list.

Remove Selected - Select the check box next to the name and click Remove Selected.

Transport Settings

You configure the TCP settings for the selected optimization policy in the Transport Settings page. To properly configure transport settings for your environment, you need to understand its characteristics. For information on gathering performance characteristics for your environment, see the Steelhead Appliance Deployment Guide.
This section includes the following topics:
- Adding Single-Ended Connection Rules
- Configuring Buffer Settings

Adding Single-Ended Connection Rules

You can optionally add rules to control single-ended SCPS connections. The Steelhead uses these rules to determine whether to enable or pass through SCPS connections. A Steelhead receiving a SCPS connection on the WAN evaluates only the single-ended connection rules table. To pass through a SCPS connection, Riverbed recommends setting both an in-path rule and a single-ended connection rule.

In this panel, you can modify the single-ended connection rules, as described in the following table.

Add New Rule - Displays the controls for adding a new rule.

Position - Select Start, End, or a rule number from the drop-down list. Steelhead appliances evaluate rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule do not match, the system consults the next rule. As an example, if the conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted.

Source Subnet - Specify an IPv4 address and mask for the traffic source; otherwise, specify all or /0 as the wildcard for all traffic. Use the following format: XXX.XXX.XXX.XXX/XX.

Destination Subnet - Specify an IPv4 address and mask pattern for the traffic destination; otherwise, specify all or /0 as the wildcard for all traffic. Use the following format: XXX.XXX.XXX.XXX/XX.

VLAN Tag ID - Specify one of the following: a VLAN identification number from 1 to 4094; all to specify that the rule applies to all VLANs; or untagged to specify the rule applies to untagged connections. RiOS supports VLAN v802.1q. To configure VLAN tagging, configure SCPS rules to apply to all VLANs or to a specific VLAN. By default, rules apply to all VLAN values unless you specify a particular VLAN ID. Pass-through traffic maintains any preexisting VLAN tagging between the LAN and WAN interfaces.

SCPS Mode - Specifies the action that the rule takes on a SCPS connection. Select one of the following actions:
Enable - Enables a rule to optimize single-ended interception SCPS connections.
Passthrough - Disables a rule to optimize single-ended interception SCPS connections. If you choose this option, single-ended interception SCPS connections pass through the Steelhead appliance unoptimized.

Add - Adds the rule to the list. The Management Console redisplays the SCPS Rules table and applies your modifications to the running configuration, which is stored in memory.
Remove Selected Rules - Select the check box next to the name and click Remove Selected.

Move Selected Rules - Moves the selected rules. Click the arrow next to the desired rule position; the rule moves to the new position.

Tip: After you apply your settings, you can verify whether changes have had the desired effect by viewing the Current Connections report. The report summarizes the optimized established connections for SCPS. SCPS connections appear as typical established, optimized or established, or single-ended optimized connections. Click the connection to view details. SCPS connection detail reports display SCPS Initiate or SCPS Terminate under Connection Information. Under Congestion, the report displays the congestion control method that the connection is using.

Configuring Buffer Settings

The buffer settings in the Transport Settings page support high-speed TCP and are also used in data protection scenarios to improve performance. For details on data protection deployments, see the Steelhead Appliance Deployment Guide. To properly configure buffer settings for a satellite environment, you need to understand its characteristics. For information on gathering performance characteristics for your environment, see the Steelhead Appliance Deployment Guide.

The high-speed TCP feature provides acceleration and high throughput for high-bandwidth links (also known as Long Fat Networks, or LFNs) where the WAN pipe is large but latency is high. High-speed TCP is activated for all connections that have a BDP larger than 100 packets. For details on using HS-TCP in data protection scenarios, see the Steelhead Appliance Deployment Guide. Automatic HighSpeed TCP is disabled by default. For details on HighSpeed TCP, see the Steelhead Management Console User's Guide.
Enable HighSpeed TCP - Enables high-speed TCP for more complete use of long fat pipes (high-bandwidth, high-delay networks). Riverbed recommends that you enable HS-TCP only after you have carefully evaluated whether it will benefit your network environment. For details about the trade-offs of enabling HS-TCP, see tcp highspeed enable in the Riverbed Command-Line Interface Reference Manual.

Use Default Steelhead TCP Optimization - Enables TCP optimization. This is the default setting.

Buffer Settings - Set buffer settings.
LAN Send Buffer Size - Specify the send buffer size used to send data out of the LAN. The default value is
LAN Receive Buffer Size - Specify the receive buffer size used to receive data from the LAN. The default value is
WAN Default Send Buffer Size - Specify the send buffer size used to send data out of the WAN. The default value is
WAN Default Receive Buffer Size - Specify the receive buffer size used to receive data from the WAN. The default value is
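The first-match evaluation of single-ended connection rules described under Adding Single-Ended Connection Rules, modeled as an added example (not Riverbed code and not part of the original guide). The Rule and RuleTable names, the sample addresses, and the shadowed-rule check are assumptions made for illustration; the guide does not say what happens when no rule matches, so the model returns None in that case.

```python
import ipaddress
from dataclasses import dataclass


def parse_subnet(text):
    """'all' is the wildcard; otherwise expect XXX.XXX.XXX.XXX/XX (IPv4)."""
    if text.strip().lower() == "all":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(text.strip(), strict=False)


def parse_vlan(value):
    """Return 'all', 'untagged', or a VLAN ID in the documented 1-4094 range."""
    text = str(value).strip().lower()
    if text in ("all", "untagged"):
        return text
    vlan_id = int(text)
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID must be 1-4094, got {vlan_id}")
    return vlan_id


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    vlan: object   # 'all', 'untagged', or an int VLAN ID
    mode: str      # 'enable' or 'passthrough'

    def matches(self, src_ip, dst_ip, vlan_tag):
        """vlan_tag is None for an untagged connection, else the 802.1Q ID."""
        if ipaddress.IPv4Address(src_ip) not in self.src:
            return False
        if ipaddress.IPv4Address(dst_ip) not in self.dst:
            return False
        if self.vlan == "all":
            return True
        if self.vlan == "untagged":
            return vlan_tag is None
        return vlan_tag == self.vlan

    def covers(self, other):
        """True if every connection that matches `other` also matches self."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.vlan == "all" or self.vlan == other.vlan))


class RuleTable:
    def __init__(self):
        self.rules = []

    def add(self, position, src, dst, vlan, mode):
        """position is 'start', 'end', or a 1-based rule number."""
        mode = mode.lower()
        if mode not in ("enable", "passthrough"):
            raise ValueError(f"unknown SCPS mode: {mode}")
        rule = Rule(parse_subnet(src), parse_subnet(dst), parse_vlan(vlan), mode)
        pos = str(position).lower()
        if pos == "start":
            index = 0
        elif pos == "end":
            index = len(self.rules)
        else:
            index = int(pos) - 1
            if not 0 <= index <= len(self.rules):
                raise ValueError(f"rule number out of range: {position}")
        self.rules.insert(index, rule)

    def evaluate(self, src_ip, dst_ip, vlan_tag=None):
        """Return (rule_number, mode) of the first matching rule, or None."""
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(src_ip, dst_ip, vlan_tag):
                return number, rule.mode
        return None

    def shadowed(self):
        """Rule numbers that can never fire because an earlier rule covers them."""
        return [n for n, rule in enumerate(self.rules, start=1)
                if any(earlier.covers(rule) for earlier in self.rules[:n - 1])]


def build_tables():
    """Constructed sample: the same two rules added in two different orders."""
    broad = ("10.1.0.0/16", "all", "all", "enable")
    narrow = ("10.1.5.0/24", "192.0.2.0/24", "untagged", "passthrough")
    appended = RuleTable()
    appended.add("end", *broad)
    appended.add("end", *narrow)      # lands at rule 2, behind the broad rule
    reordered = RuleTable()
    reordered.add("end", *broad)
    reordered.add("start", *narrow)   # lands at rule 1, ahead of the broad rule
    return appended, reordered


if __name__ == "__main__":
    appended, reordered = build_tables()
    conn = ("10.1.5.9", "192.0.2.10", None)   # constructed untagged connection
    print("appended :", appended.evaluate(*conn), "shadowed:", appended.shadowed())
    print("reordered:", reordered.evaluate(*conn), "shadowed:", reordered.shadowed())
```

With the narrow Passthrough rule appended at End it is never consulted, because the broad Enable rule at position 1 matches first; adding it at Start restores the intended pass-through.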
Windows Domain Auth

This section describes how to configure a Steelhead appliance to optimize in an environment where there are:
- Microsoft Windows file servers using signed SMB or signed SMB2 for file sharing to Microsoft Windows clients.
- Microsoft Exchange servers providing an encrypted MAPI communication to Microsoft Outlook clients.
- Microsoft Internet Information Services (IIS) Web servers running HTTP or HTTP-based Web applications such as SharePoint 2007 or BPOS-D.

The procedures include how to set up a user account that is trusted to delegate for secure protocols on target servers and add delegate or replication users to a Windows domain. Follow the procedures in this section after joining a Windows domain and enabling the SMB Signing, HTTP, or MAPI optimization features.

Optimization in a secure Windows environment has changed with each release of the RiOS software. If you are running a version of RiOS software earlier than v5.5, consult the appropriate documentation for that software release.

RiOS v7.0 and later features a set of domain health status commands that serve as a troubleshooting tool to identify, diagnose, and report possible problems with a Steelhead appliance within a Windows domain environment. For details, see the Riverbed Command-Line Interface Reference Manual and the Steelhead Appliance Deployment Guide. For information on incompatibilities, see Version Incompatibilities for Windows Domain Auth.

The following table describes authentication methods for clients with Steelheads running RiOS v6.0 and later.

Client OS | Authentication Method | RiOS v6.0/6.5 (Delegation) | RiOS v7.0 (Kerberos) | RiOS v7.0 (Steelhead Joined As a BDC or RODC)
----------|-----------------------|----------------------------|----------------------|----------------------------------------------
XP/Vista | Password authentication/NTLM | Optimized | Optimized | Optimized
Windows 7 | Password authentication/NTLM | Optimized in delegation mode | Optimized in delegation mode | Optimized
XP/Vista | Negotiate authentication/Simple And Protected Negotiate (SPNEGO) | Optimized using NTLM | Optimized using Kerberos | Optimized using NTLM
Windows 7 | Negotiate authentication/SPNEGO | Optimized using NTLM in delegation mode | Optimized using Kerberos | Optimized using NTLM
Any client | Kerberos | Passthrough | Optimized | Passthrough
RiOS 7.0 and later supports end-to-end Kerberos authentication for the following secure protocols:
- SMB signing
- SMB2 signing
- Encrypted MAPI/Outlook Anywhere
- HTTP

RiOS v7.0 and later protects authentication credentials for delegate and replication users by storing them in the Steelhead secure vault. The secure vault contains sensitive information about your Steelhead appliance configuration. To migrate previously configured authentication credentials to the secure vault after upgrading to RiOS v7.0 or later from v6.5.x or earlier, unlock the secure vault and then enter the following CLI command at the system prompt:

protocol domain-auth migrate

For details, see the Riverbed Command-Line Interface Reference Manual.

RiOS v6.1 and later supports constrained delegation for users that are in domains trusted by the server's domain. RiOS v6.1 and later supports Windows 7 clients, Windows 2008 R2 servers, and Windows 2008 R2 domains (in both native and mixed-mode environments).

If you are upgrading from RiOS v6.1 to v6.5 or later, you might already have a delegate user and be joined to a domain. If so, SMB2 signing using NTLM works when enabled, with no additional configuration.

In RiOS v6.0 and later, transparent authentication replaces the delegation trust authentication for SMB signing, eliminating the need to set up delegate users. However, in RiOS v6.5 and earlier, any Windows 7 clients requiring SMB signing or encrypted MAPI optimization must use delegation trust authentication. Windows 7 clients using Kerberos authentication are supported through the RiOS Kerberos authentication feature in RiOS v7.0 and later. Any Windows 7 clients using NTLM can be optimized either through delegation trust authentication, or if the Steelhead appliance is joined as a BDC or RODC, through transparent mode authentication.

The following procedures are required before enabling RiOS SMB1 signing, SMB2 signing, and Encrypted MAPI for Windows 7 clients with RiOS v6.1. Windows 7 clients with RiOS v7.0 and later can use Kerberos authentication for maximum security. Kerberos authentication does not require delegation mode configuration, but you must configure both NTLM authentication (either transparent mode or delegation mode) along with Kerberos authentication (if desired).

You can display and modify Windows domain auth optimization settings for the selected optimization policy on the Windows Domain Auth page. For more detail, see the Steelhead Management Console User's Guide.

Under Users with Delegation Rights, you can delegate account configuration, as described in the following table.

Add a New User - Displays the controls to add a new user.

Active Directory Domain Name - Specify the active directory domain name.

Username - Specify the user name.

Password - Specify the password.

Password Confirm - Confirm the password.
Under Server Rules, you can edit server rules, as described in the following table.

Manual Delegation Mode - Enables transparent authentication using NTLM and provides more control to specify the exact servers to perform optimization for. When you select this mode, you need to specify each server on which to delegate and sign for each domain using the Delegate-Only and Delegate-All-Except options. Select this option for manual delegation.
Allow delegated authentication to these servers (Delegate-Only) - Click to intercept the connections destined for the servers in this list. By default, this setting is enabled. Specify the file server IP addresses for SMB signed or MAPI encrypted traffic in the text box, separated by commas.
Allow delegated authentication to all servers except the following (Delegate-All-Except) - Click to intercept all of the connections except those destined for the servers in this list. Specify the file server IP addresses that do not require SMB signing or MAPI encryption in the text box, separated by commas. By default, this setting is disabled. Only the file servers that do not appear in the list are signed or encrypted.

Auto Delegation Mode - Enables delegate user authentication and automatically discovers the servers on which to delegate and sign. This eliminates the need to set up the servers on which to delegate and sign for each domain. Select this option for auto delegation.
Allow delegated authentication to all servers except the following (Delegate-All-Except) - Click to intercept all of the connections except those destined for the servers in this list. Specify the file server IP addresses that do not require SMB signing or MAPI encryption in the text box, separated by commas. By default, this setting is disabled. Only the file servers that do not appear in the list are signed or encrypted.

Apply - Applies your settings.

Version Incompatibilities for Windows Domain Auth

Windows Domain Auth is incompatible with:
- Steelhead appliance v6.1.x - is configurable with limitations.
- Steelhead appliance v6.5.x - is configurable with limitations.

Delegation

Delegation mode in RiOS v5.5 or later requires that you manually grant the user access to delegate. A delegate user is required in each of the domains where a server is going to be optimized. For more details, see the Steelhead Management Console User's Guide.
Under Delegation Rights, you can delegate account configuration, as described in the following table.

Add a New User - Displays the controls to add a user with trusted delegation rights to a domain. Important: You can only add one delegate user per domain. A delegate user is required in each of the domains where a server is going to be optimized.

Active Directory Domain Name - Specify the delegation domain in which you want to make the delegate user a trusted member, for example SIGNING.TEST. Note: You cannot specify a single-label domain name (a name without anything after the dot), as in riverbed instead of riverbed.com.

Username - Specify the delegate user name. The maximum length is 20 characters. The username cannot contain any of the following characters: / \ [ ] : ; = , + * ? < " Note: The system translates the user name into uppercase to match the registered server realm information.

Password - Specify the user account password.

Password Confirm - Confirm the user account password.

Add - Adds the user.

Auto-Delegation Mode

Delegation mode in RiOS v6.1 and later automatically updates the delegate user in Active Directory with delegation rights to servers. The service updates the user in real-time, eliminating the need to grant the user access to delegate on every server. Auto-delegation mode also updates the server IP address if it changes.

This section describes how to grant special privileges to the delegate user so they have automatic delegation rights to servers. The first step is to create a Delegate User with a Service Principal Name (SPN). The procedure to create a delegate user with an SPN is the same for both Windows DC R and Windows DC R Next, you must grant the delegate user the right to delegate on the domain controller. Because the procedures to grant the delegate user rights on the DC are different for Windows DC R and Windows DC R2 2008, the procedures to do so are separate.
Next, you must grant the user access to delegate for the CIFS or MAPI service in Windows for at least one server. For more details, see the Steelhead Management Console User's Guide.

A delegate user that is an Administrator already has the correct delegation rights for auto-delegation mode. A delegate user is required in each of the domains where a server is going to be optimized.

If you update the password for the delegate user in Active Directory, you must also update the account information on the Steelhead appliance. To do this, delete the old account and add a new one with the updated password.

Configuring Replication Users (Kerberos)

Kerberos end-to-end authentication in RiOS 7.0 and later relies on Active Directory replication to obtain machine credentials for any servers that require secure protocol optimization. The RiOS replication mechanism requires a domain user with AD replication privileges, and involves the same AD protocols used by Windows domain controllers. The following procedures explain how to configure replication to use Kerberos authentication for the following features:
- SMB signing
- SMB2 signing
- Encrypted MAPI and encrypted Outlook Anywhere
- HTTP or HTTP-based traffic

For more details, see the Steelhead Management Console User's Guide.

Under Kerberos Replication Users, complete the configuration as described in the following table.

Add a New User - Displays the controls to add a user with replication privileges to a domain. You can add one replication user per forest.

Active Directory Domain Name - Specify the AD domain in which you want to make the replication user a trusted member, for example SIGNING.TEST. The Steelhead appliance replicates accounts from this domain. To facilitate configuration, you can use wildcards in the domain name. For example, *.nbttech.com. You cannot specify a single-label domain name (a name without anything after the dot), as in riverbed instead of riverbed.com.

User Domain - Specify the domain the user belongs to, if different from the Active Directory domain name. Riverbed recommends that you configure the user domain as close to the root as possible.

Username - Specify the replication user name. The user must have privileges to change the replicate directory. The user name can be an administrator. A replicate user that is an administrator already has the necessary replication privileges. The maximum user name length is 20 characters. The user name cannot contain any of the following characters: / \ [ ] : ; = , + * ? < " Note: The system translates the user name into uppercase to match the registered server realm information.

Password - Specify the user account password.

Password Confirm - Confirm the user account password.
Enable RODC Password Replication Policy Support - Optionally, allow replication of the server's account credentials when a domain controller is configured as a read-only domain controller (RODC). RODC password replication policy (PRP) is only supported in Windows 2008 and later domains. An RODC serves as a cache for user and computer accounts performing authentication locally. The PRP is essentially a set of rules describing which accounts the RODC is allowed to replicate. When PRP is enabled, the Steelhead only replicates accounts that it is allowed to, as determined by PRP settings for the domain. When a user account is not cached locally, the RODC forwards the authentication to a writeable domain controller, which does the authentication. If you allow the user's password to be cached, then the RODC pulls that through a replication request. After the user is authenticated, the RODC caches the user password and handles any subsequent logins locally. Enabling an RODC password replication policy (PRP) requires additional configuration in Windows:
- Configure the replication user on the DC.
- Check the domain functional level.
- Configure PRP support on the DC.

DC Name - Specify the Windows 2008 or later DC name, which is required when enabling RODC PRP support.

Add - Adds the user.

SSL Main Settings

You can display and modify SSL Main optimization settings for the selected optimization policy on the SSL Main Settings page. For more detail, see the Steelhead Management Console User's Guide.

Enable SSL Optimization - Enables SSL optimization, which accelerates applications that use SSL to encrypt traffic. By default, this option is disabled. You can choose to enable SSL optimization only on certain sessions (based on source and destination addresses, subnets, and ports), or on all SSL sessions, or on no SSL sessions at all. An SSL session that is not optimized simply passes through the Steelhead appliance unmodified.

Add a New SSL Certificate - Displays the controls to add a new server certificate.

Name - Specify a name for the proxy certificate (required when generating a certificate, leave blank when importing a certificate).

Import Existing Private Key and CA-Signed Public Certificate (One File in PEM or PKCS12 formats) - Imports the key and certificate. Click this option if the existing private key and CA-signed certificate are located in one file. The page expands displaying Private Key and CA-Signed Public Certificate controls for browsing to the key and certificate files or a text box for copying and pasting the key and certificate. The private key is required regardless of whether you are adding or updating.

Import Single File -
Local File - Browse to the local file.
Text - Paste the contents of the file.
Decryption Password - Specify the decryption password, if necessary.
Exportable - Select this check box to enable the certificate and server key to be exported. This is the default setting.

Server List - Type the server list in the text box.

Import Existing Private Key and CA-Signed Public Certificate (Two Files in PEM or DER formats) - Imports the key and certificate. Click this option if the existing private key and CA-signed certificate are located in two files. The page expands displaying Private Key and CA-Signed Public Certificate controls for browsing to the key and certificate files or text boxes for copying and pasting the keys and certificates.

Import Private Key -
Local File - Browse to the local file.
Key Text - Paste the contents of the file.
Decryption Password - Specify the decryption password, if necessary.

Import Public Certificate -
Local File - Browse to the local file.
Certificate Text - Type the certificate text.

Exportable - Select the check box to allow the certificate and server key to be exported.

Server List - Type the server list in the text box.

Generate New Private Key and Self-Signed Public Certificate - Click this option to generate a new private key and self-signed public certificate.

Private Key -
Cipher - Select the key length from the drop-down list.
Cipher Bits - Select the key length from the drop-down list.

Common Name - Specify the common name of a certificate. To facilitate configuration, you can use wildcards in the name. For example, *.nbttech.com. If you have three origin servers using different certificates such as webmail.nbttech.com, internal.nbttech.com, and marketingweb.nbttech.com, on the server-side Steelhead appliance, all three server configurations might use the same certificate name *.nbttech.com.

Organization Name - Specify the organization name (for example, the company).

Organization Unit Name - Specify the organization unit name (for example, the section or department).

Locality - Specify the city.

State - Specify the state.

Country - Specify the country.

Address - Specify the address of the contact person.

Validity Period - Specify how many days the certificate is valid.

Exportable - Select the check box to allow the certificate and server key to be exported.

Server List - Type the server list in the text box.

Add - Adds the server certificate.

Secure Peering (SSL)

You configure SSL peers for the selected optimization policy in the Secure Peering (SSL) page. For details on SSL, see the Steelhead Management Console User's Guide.
RiOS v6.5 provides a way to configure Certificate Revocation Lists (CRLs) for an automatically discovered CA. This is not available as a configuration option. By default, CRLs are not used in the CMC.

When pushing SSL peering certificates to a group of appliances, only the peering certificates that are either configured directly on the CMC itself or from connected appliances will be pushed. Any disconnected appliances' peering certificates will not be updated by the policy push, and all other appliances will not get the peering certificates from the disconnected appliances if they are not configured directly on the CMC.

The Secure Peering (SSL) page contains the following groups of settings:
- SSL Secure Peering Settings
- Trusted Peer Certificates
- Mobile Trust
- Trusted Peers

SSL Secure Peering Settings

In this panel, you can manage SSL secure peering for an optimization policy, as described in the following table. For details, see the Steelhead Management Console User's Guide.

Traffic Type - Select one of the following traffic types from the drop-down list:
SSL Only - The peer client-side Steelhead appliance and the server-side CMC authenticate each other and then encrypt and optimize all SSL traffic. For example, HTTPS traffic on port 443. This is the default setting.
SSL and Secure Protocols - The peer client-side Steelhead appliance and the server-side Steelhead appliance authenticate each other and then encrypt and optimize all traffic traveling over the following secure protocols: SSL, SMB signed, and encrypted MAPI. When you select this traffic type, SMB signing and MAPI encryption must be enabled. Enabling this option requires an optimization service restart.
All - The peer client-side Steelhead appliance and the server-side Steelhead appliance authenticate each other and then encrypt and optimize all traffic. Only the optimized traffic is secure; pass-through traffic is not. Enabling this option requires an optimization service restart.

Fallback to No Encryption - Specifies that the Steelhead appliance optimizes but does not encrypt the connection when it is unable to negotiate a secure, encrypted inner channel connection with the peer. This is the default setting. Enabling this option requires an optimization service restart.
Important: Riverbed strongly recommends enabling this setting on both the client-side and the server-side Steelhead appliances, especially in mixed deployments where one Steelhead appliance is running RiOS v6.0 or later and the other Steelhead is running an earlier RiOS version.
This option applies only to non-SSL traffic and is unavailable when you select SSL Only as the traffic type.
Clear the check box to pass through connections that do not have a secure encrypted inner channel connection with the peer. Use caution when disabling this setting, as doing so specifies that you strictly do not want traffic optimized between non-secure Steelhead appliances. Consequently, configurations with this setting disabled risk the possibility of dropped connections. For example, consider a configuration with a client-side Steelhead running RiOS v5.5.x or earlier and a server-side Steelhead running RiOS v6.0 or later. When this setting is disabled on the server-side Steelhead and All is selected as the traffic type, it will not optimize the connection when a secure channel is unavailable, and might drop it.
Trusted Peer Certificates

In this panel, you can add and view the following types of entities:
  Certificates of trusted peers.
  Certificates of trusted Certificate Authorities (CAs) that may sign certificates for peers.

You can manage trusted entities for an optimization policy, as described in the following table.

Add a New Trusted Entity - Displays the controls for adding trusted entities.
Trust Existing CA - Select an existing CA from the drop-down list.
Trust New Certificate - Adds a new CA or peer certificate. The Steelhead appliance supports RSA and DSA for peering trust entities.
Optional Local Name - Optionally, specify a local name for the entity (for example, the fully qualified domain name).
Local File - Browse to the local file.
Cert Text - Paste the content of the certificate text file into the text box.
Add - Adds the trusted entity (or peer) to the trusted peers list.
Remove Selected - Select the check box next to the name and click Remove Selected.

Mobile Trust

In this panel, you can add and view trusted Steelhead Mobile Controller entities that may sign certificates for Steelhead Mobile Clients. You can manage mobile trust for an optimization policy, as described in the following table.

Add a New Mobile Entity - Displays the controls for adding a trusted Steelhead Mobile Controller entity.
Optional Local Name - Optionally, specify a local name for the entity (for example, the fully qualified domain name).
Local File - Browse to the local file.
Cert Text - Paste the content of the certificate text file into the text box.
Add - Adds the trusted entity (or peer) to the trusted peers list.

Trusted Peers

The first time a client-side Steelhead appliance attempts to connect to the server, the optimization service detects peers and populates the peer entry tables. On both Steelhead appliances, an entry appears in a peering list with the information and certificate of the other peer. A peer list provides you with the option of accepting or declining the trust relationship with each Steelhead appliance requesting a secure inner channel.
In this panel, you can manage trusted entities for an optimization policy, as described in the following table.

Trust Selected Peers (only SSL-capable or disconnected appliances are shown) - Specify this option to trust only SSL-capable or disconnected appliances.
Trust All Peers - Specify this option to trust all peers.
Update - Updates the policy to reflect the new settings.

Service Ports

You can configure service port settings for the selected optimization policy in the Service Ports page. For details on the service ports, see the Steelhead Management Console User's Guide.

The Service Ports page contains the following groups of settings:
  Service Port Settings on page 361
  Service Ports on page 361

Service Port Settings

In this panel, you can display and modify service port settings for an optimization policy.

Service Ports - Specify ports in a comma-separated list. The default service ports are 7800 and
Default Port - Select the default service port from the drop-down list. The default service ports are 7800 and

Service Ports

In this panel, you can manage service port mappings for an optimization policy, as described in the following table.

Add a New Service Port Mapping - Displays the controls to add a new mapping.
Destination Port - Specify a destination port number.
Service Port - Specify a port number.
Add - Adds the port numbers.
Remove Selected - Select the check box next to the name and click Remove Selected.

CRL Management (SSL)

RiOS v6.5 and later provides a way to configure Certificate Revocation Lists (CRLs) for an automatically discovered CA using the Management Console. CRLs allow CAs to revoke issued certificates (for example, when the private key of the certificate has been compromised). By default, CRLs are not used in the Steelhead appliance. For more details, see the Steelhead Management Console User's Guide.
A CRL is a database that contains a list of digital certificates that have been invalidated before their expiration date, including the reasons for the revocation and the names of the issuing certificate signing authorities. The CRL is issued by the CA which issues the corresponding certificates. All CRLs have a lifetime during which they are valid (often 24 hours or less).

The two types of CAs issuing CRLs are:
  Conventional CAs, which are listed in the Certificate Authorities page.
  Peering CAs, which are listed in the Trusted Entities list in the Secure Peering page.

You configure each type of CA separately. Currently, the Steelhead appliance only supports downloading CRLs from Lightweight Directory Access Protocol (LDAP) servers.

Advanced Settings (SSL)

You configure SSL advanced settings for the selected optimization policy in the SSL Advanced Settings page. For details on SSL, see the Steelhead Management Console User's Guide.

The SSL Advanced Settings page contains the following groups of settings:
  Chain Discovery on page 362
  Steelhead Mobile Security Mode on page 363
  Client Side Session Reuse on page 363
  Client Authentication on page 364
  Proxies on page 364
  Midsession SSL on page 365
  Peer Ciphers on page 365
  Client Ciphers on page 365
  Server Ciphers on page 366

Chain Discovery

In this panel, you can choose chain discovery settings for an optimization policy.

Enable SSL Server Certificate Chain Discovery - Synchronizes the chain certificate configuration on the server-side Steelhead appliance with the chain certificate configuration on the back-end server. The synchronization occurs after a handshake fails between the client-side and server-side Steelhead appliance. By default, this option is disabled. Enable this option when you replace an existing chain certificate on the back-end server with a new chain to ensure that the certificate chain remains in sync on both the server-side Steelhead appliance and the back-end server.
  Note: This option never replaces the server certificate. It updates the chain containing the intermediate certificates and the root certificate in the client context.
Steelhead Mobile Security Mode

In this panel, you can choose Steelhead Mobile Security settings for an optimization policy.

High Security Mode - Click to enforce the advanced SSL protocol on the Steelhead Mobile Clients for increased security (v5.5.x or later).
Mixed Security Mode - Click to allow Steelhead Mobile Clients to run in any SSL mode.

Client Side Session Reuse

In this panel, you can choose client side session reuse settings for an optimization policy.

Enable Distributed SSL Termination - Enable on a client-side Steelhead appliance to reuse the original session when the client reconnects to an SSL server. Reusing the session provides two benefits: it lessens the CPU load because it eliminates expensive asymmetric key operations and it shortens the key negotiation process by avoiding WAN roundtrips to the server. By default, this option is disabled. Both the client-side and server-side Steelheads must be configured to optimize SSL traffic.
Timeout - Specify the amount of time the client can reuse a session with an SSL server after the initial connection ends. The range is 6 minutes to 24 hours. The default value is 10 hours. Enabling this option requires an optimization service restart.
Apply - Applies the settings.
Client Authentication

In this panel, you can enable the client certificate support for an optimization policy.

Enable Client Certificate Support - Enables acceleration of SSL traffic to those SSL servers that authenticate SSL clients. The SSL server verifies the SSL client certificate. In the client authentication SSL handshake, each client has a unique client certificate and the SSL server, in most cases, maintains the state that is specific to each client when answering the client's requests. The SSL server must receive exactly the same certificate that is originally issued for a client on all the connections between the client and the server. Typically the client's unique certificate and private key are stored on a smart card, such as a Common Access Card (CAC), or on a similar location that is inaccessible to other devices on the network.

  Enabling the client authentication feature enables Steelhead appliances to compute the encryption key while the SSL server continues to authenticate the original SSL client exactly as it would without the Steelhead appliances. The server-side Steelhead appliance observes the SSL handshake messages as they go back and forth. With access to the SSL server's private key, the Steelhead appliance computes the session key exactly as the SSL server does. The SSL server continues to perform the actual verification of the client, so any dependencies on the uniqueness of the client certificate for correct operation of the application are met.

  Because the Steelhead appliance does not modify any of the certificates (or the handshake messages) exchanged between the client and the server, there is no change to their trust model. The client and server continue to trust the same set of Certificate Authorities as they did without the Steelhead appliances accelerating their traffic.

  Note: If the data center has a mixed environment with a few SSL servers that authenticate clients along with those that do not authenticate clients, Riverbed recommends enabling client authentication.

  Requirements
    Both the client-side and the server-side Steelhead appliance must be running RiOS v6.5.
    Enable client certificate support on the server-side Steelhead appliance.
    The server-side Steelhead appliance must have access to the exact private key used by the SSL server.
    The SSL server must be configured to ask for client certificates.
    The Steelhead appliance must have a compatible cipher chosen by the server.
    SSL sessions that reuse previous secrets that are unknown to the CMC cannot be decrypted.
    Client-side certificates with renegotiation handshakes are not supported.
    Client certificate supports the RSA key exchange only. It does not support the Diffie-Hellman key exchange.

Proxies

In this panel, you can choose proxies settings for an optimization policy.

Enable SSL Proxy Support - Enable on both the client-side and server-side Steelheads when clients are communicating with SSL to a server through one or more proxies. Proxy support enables the Steelhead to optimize traffic to a proxy server.
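Three of the Client Authentication requirements above (the exact private key, RSA key exchange only, and no reuse of secrets the appliance has not seen) follow from how a passive device derives a session key. The Python example below is added for illustration and is not Riverbed code: it assumes textbook RSA with toy Mersenne-prime parameters, an HMAC-SHA256 stand-in for the TLS PRF, and hypothetical names such as ServerKeyHolder.

```python
import hashlib
import hmac
import secrets

# Toy parameters constructed for this example (Mersenne primes, textbook RSA
# without padding). Real keys are 2048 bits or more and use padding.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))       # the SSL server's RSA private exponent
DH_P, DH_G = 2**127 - 1, 3              # toy Diffie-Hellman group


def prf(secret: bytes, seed: bytes) -> bytes:
    """Simplified stand-in for the TLS pseudo-random function."""
    return hmac.new(secret, seed, hashlib.sha256).digest()


def hello(session_id: bytes) -> dict:
    """Fields every handshake exposes on the wire."""
    return {"session_id": session_id,
            "client_random": secrets.token_bytes(16),
            "server_random": secrets.token_bytes(16)}


def keys_from(premaster: int, wire: dict):
    """Derive (master secret, session key) the way both endpoints do."""
    randoms = wire["client_random"] + wire["server_random"]
    master = prf(premaster.to_bytes(32, "big"), b"master secret" + randoms)
    return master, prf(master, b"key expansion" + randoms)


def rsa_handshake(session_id: bytes):
    """Full handshake with RSA key exchange. Returns (wire, master, session key)."""
    wire = hello(session_id)
    premaster = secrets.randbits(128)                   # chosen by the client
    wire["encrypted_premaster"] = pow(premaster, E, N)  # sent to the server
    master, key = keys_from(premaster, wire)
    return wire, master, key


def resumed_handshake(session_id: bytes, master: bytes):
    """Abbreviated handshake: reuses an earlier master secret, sends no key material."""
    wire = hello(session_id)
    wire["resumed"] = True
    randoms = wire["client_random"] + wire["server_random"]
    return wire, prf(master, b"key expansion" + randoms)


def dhe_handshake(session_id: bytes):
    """Ephemeral Diffie-Hellman: only public values cross the wire."""
    wire = hello(session_id)
    a = secrets.randbelow(DH_P - 3) + 2     # client private value, never sent
    b = secrets.randbelow(DH_P - 3) + 2     # server private value, never sent
    wire["server_dh_public"] = pow(DH_G, b, DH_P)   # signed by the RSA key in TLS
    wire["client_dh_public"] = pow(DH_G, a, DH_P)
    shared = pow(wire["server_dh_public"], a, DH_P)
    return wire, keys_from(shared, wire)[1]


class ServerKeyHolder:
    """Passive device holding the server's RSA private key, the role the page
    gives the server-side appliance. It only reads handshake messages."""

    def __init__(self, private_exponent: int):
        self.d = private_exponent
        self.masters = {}                   # session_id -> master secret seen

    def observe(self, wire: dict):
        """Return the session key, or None when it cannot be computed."""
        randoms = wire["client_random"] + wire["server_random"]
        if "encrypted_premaster" in wire:
            premaster = pow(wire["encrypted_premaster"], self.d, N)
            master, key = keys_from(premaster, wire)
            self.masters[wire["session_id"]] = master
            return key
        if wire.get("resumed"):
            master = self.masters.get(wire["session_id"])
            # Unknown earlier secret: nothing on the wire allows recovery.
            return prf(master, b"key expansion" + randoms) if master else None
        # DHE: the RSA key only signed a public value; there is nothing to decrypt.
        return None


if __name__ == "__main__":
    holder = ServerKeyHolder(D)
    wire, master, key = rsa_handshake(b"s1")
    print("RSA key exchange recovered:", holder.observe(wire) == key)
    wire, key = dhe_handshake(b"s2")
    print("DHE recovered:", holder.observe(wire) is not None)
```

The same property is why custody of the server's private key on the appliance matters: with RSA key exchange, whoever holds that key can derive the keys of every recorded session that used it.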
Midsession SSL

In this panel, you can choose midsession SSL settings for an optimization policy.

Enable Midsession SSL - Enable on both the client-side and server-side Steelheads when there is a delayed start to the Transport Layer Security (TLS) handshake because clients are transitioning into SSL after the initial handshake occurs. This feature optimizes connections that transition into SSL.

Peer Ciphers

In this panel, you can choose peer ciphers settings for an optimization policy.

Add a New Peer Cipher - Displays the controls for adding a new peer cipher.
Cipher - Select the cipher type for communicating with peers from the drop-down list. You must specify at least one cipher for peers, clients, and servers for SSL to function properly. The default cipher setting is DEFAULT, which represents a variety of high strength ciphers that allow for compatibility with many browsers and servers.
Insert Cipher At - Select start, end, or the cipher number from the drop-down list. The default cipher, if used, must be rule number 1.
Hint - The Hint text box displays information about the cipher.
Add - Adds the cipher to the list.
Show Effective Overall Cipher List - Displays the effective overall cipher list.

Client Ciphers

In this panel, you can choose client cipher settings for an optimization policy.

Add a New Client Cipher - Displays the controls for adding a new client cipher.
Cipher - Select the cipher type for communicating with clients from the drop-down list. You must specify at least one cipher for peers, clients, and servers for SSL to function properly. The default cipher setting is DEFAULT, which represents a variety of high strength ciphers that allow for compatibility with many browsers and servers.
Insert Cipher At - Select start, end, or a cipher number from the drop-down list. The default cipher, if used, must be rule number 1.
Hint - The Hint text box displays information about the cipher.
Add - Adds the cipher to the list.
Show Effective Overall Cipher List - Displays the effective overall cipher list.
Server Ciphers

In this panel, you can choose server cipher settings for an optimization policy.

Add a New Server Cipher - Displays the controls for adding a new server cipher.
Cipher - Select the cipher type for communicating with servers from the drop-down list. You must specify at least one cipher for peers, clients, and servers for SSL to function properly. The default cipher setting is DEFAULT, which represents a variety of high strength ciphers that are compatible with many browsers and servers.
Insert Cipher At - Select start, end, or a cipher number from the drop-down list. The default cipher, if used, must be rule number 1.
Hint - The Hint text box displays information about the cipher.
Add - Adds the cipher to the list.
Show Effective Overall Cipher List - Displays the effective overall cipher list.

Secure Peering (IPSEC)

You configure secure peering for the selected optimization policy in the Secure Peering (IPSEC) page. For details on secure peering, see the Steelhead Management Console User's Guide.

The Secure Peering (IPSEC) page contains the following groups of settings:
  General Settings on page 366
  Secure Peers on page 368

General Settings

In this panel, you can choose general settings for an optimization policy.

Enable Authentication and Encryption - Enables authentication between Steelhead appliances. By default, this option is disabled.
Enable Perfect Forward Secrecy - Enables additional security by renegotiating keys at specified intervals. If one key is compromised, subsequent keys are secure because they are not derived from previous keys. By default, this option is enabled.
Encryption Policy - Select one of the following encryption methods from the drop-down list:
  DES - Encrypts data using the Data Encryption Standard algorithm. DES is the default value.
  NULL - Specifies the null encryption algorithm.
  None - Does not apply an encryption policy.
  3DES - Appears when a valid Enhanced Cryptography License Key is installed on the appliance. Encrypts data using the Triple Data Encryption Standard with a 168-bit key length. This standard is supported for environments where AES has not been approved, but is both slower and less secure than AES.
  AES - Appears when a valid Enhanced Cryptography License Key is installed on the appliance. Encrypts data using the Advanced Encryption Standard (AES) cryptographic key length of 128 bits.
  AES256 - Appears when a valid Enhanced Cryptography License Key is installed. Encrypts data using the Advanced Encryption Standard (AES) cryptographic key length of 256 bits. Provides the highest security.
  Optionally, select an algorithm from the method 2, 3, 4, or 5 drop-down lists to create a prioritized list of encryption policies for negotiating between peers.
  Note: Peer Steelhead appliances must both have a valid Enhanced Cryptography License Key installed to use 3DES, AES, or AES256. When a Steelhead appliance has the valid Enhanced Cryptography License Key installed and an IPSec encryption level is set to 3DES or AES, and a peer CMC does not have a valid Enhanced Cryptography License Key installed, the appliances use the highest encryption level set on the appliance without the key.

Authentication Policy - Select one of the following authentication methods from the drop-down list:
  MD5 - Specifies the Message-Digest 5 algorithm, a widely-used cryptographic hash function with a 128-bit hash value. This is the default value.
  SHA-1 - Specifies the Secure Hash Algorithm, a set of related cryptographic hash functions. SHA-1 is considered to be the successor to MD5.
  Optionally, select an algorithm from the method 2 drop-down list to create a secondary policy for negotiating the authentication method to use between peers. If the first authentication policy negotiation fails, the peer Steelhead appliances use the secondary policy to negotiate authentication.

Time Between Key Renegotiations - Specify the number of minutes between quick-mode renegotiation of keys using the Internet Key Exchange (IKE) protocol. IKE uses public key cryptography to provide the secure transmission of a secret key to a recipient so that the encrypted data can be decrypted at the other end. The default value is 240 minutes.
Enter the Shared Secret - Specify the shared secret. All the Steelhead appliances in a network for which you want to use IPsec must have the same shared secret.
Confirm the Shared Secret - Confirm the shared secret.
Apply - Applies your configurations.
Secure Peers

In this panel, you can choose secure peers for an optimization policy.

Add a New Secure Peer - Displays the controls to add a new secure peer.
Peer IP Address - Specify the IP address for the peer Steelhead appliance (in-path interface) for which you want to make a secure connection.
Add - Adds the peer specified in the Peer IP Address text box. If a connection has not been established between the two Steelhead appliances that are configured to use IPsec security, the peers list does not display the peer Steelhead appliance status as mature.
  Note: Adding a peer causes a short service disruption (3-4 seconds) to the peer that is configured to use IPsec security.

Cloud Accelerator

You configure cloud acceleration service for Software as a Service (SaaS) applications such as Office365 and Salesforce.com in the Cloud Accelerator page. The Steelhead Cloud Accelerator combines the Riverbed WAN optimization technology (RiOS) with the Akamai Internet route optimization technology (SureRoute) for accelerating SaaS application performance.

Before you configure the Steelhead Cloud Accelerator on the Enterprise Steelhead appliance, ensure that you configure the following:
  DNS (Domain Name System) - Configure and enable DNS. Ensure that the Enterprise Steelhead appliance can access the configured name server(s).
  NTP (Network Time Protocol) - Configure and enable NTP and ensure that the NTP server(s) is accessible.

Under Registration, type the company registration key that you obtained from the Riverbed Cloud Portal and click Register. The Enterprise Steelhead appliance registers with the Riverbed Cloud Portal.

For details on password policy, see the Steelhead Management Console User's Guide. For information on version incompatibility for password policy, see Version Incompatibilities for Cloud Accelerator on page 368.

Version Incompatibilities for Cloud Accelerator

Cloud accelerator is incompatible with:
  Steelhead appliance v6.1.x - is not configurable.
  Steelhead appliance v6.5.x - is not configurable.
  Steelhead appliance v7.0.x - is not configurable.
  Steelhead EX appliance v1.0.x - is not configurable.
System Settings Policies

The following section describes the System Settings Policy feature set. This section includes the following topics:
  Alarms on page 369
  Announcements on page 377
  Email on page 377
  Logging on page 377
  Monitored Ports on page 381
  SNMP ACLs on page 381
  SNMP Basic on page 383
  SNMP v3 on page 385

Alarms

You can change alarm settings for the selected system settings policy in the Alarms page. Enabling alarms is optional.
The CMC checks for alarms every 5 minutes. For details on alarms, see Setting Alarm Parameters on page 33.

Admission Control - Enables an alarm and sends an email notification if the CMC enters admission control. When this occurs, the CMC optimizes traffic beyond its rated capability and is unable to handle the amount of traffic passing through the WAN link. During this event, the Steelhead continues to optimize existing connections, but new connections are passed through without optimization.
  Connection Limit - Indicates the system connection limit has been reached. Additional connections are passed through unoptimized. The alarm clears when the Steelhead appliance moves out of this condition.
  CPU - The appliance has entered admission control due to high CPU use. During this event, the appliance continues to optimize existing connections, but new connections are passed through without optimization. The alarm clears automatically when the CPU usage has decreased.
  MAPI - The total number of MAPI optimized connections has exceeded the maximum admission control threshold. By default, the maximum admission control threshold is 85% of the total maximum optimized connection count for the client-side Steelhead appliance. The Steelhead appliance reserves the remaining 15% so that the MAPI admission control does not affect the other protocols. The 85% threshold is applied only to MAPI connections. RiOS is now passing through MAPI connections from new clients but continues to intercept and optimize MAPI connections from existing clients (including new MAPI connections from these clients). RiOS continues optimizing non-MAPI connections from all clients. The alarm clears automatically when the MAPI traffic has decreased; however, it can take one minute for the alarm to clear.
    In RiOS v7.0 and later, RiOS pre-emptively closes MAPI sessions to reduce the connection count in an attempt to bring the Steelhead appliance out of admission control by bringing the connection count below the 85% threshold. RiOS closes the MAPI sessions in the following order:
      MAPI prepopulation connections
      MAPI sessions with the largest number of connections
      MAPI sessions with most idle connections
      Most recently optimized MAPI sessions or oldest MAPI session
      MAPI sessions exceeding the memory threshold
  Memory - The appliance has entered admission control due to memory consumption. The appliance is optimizing traffic beyond its rated capability and is unable to handle the amount of traffic passing through the WAN link. During this event, the appliance continues to optimize existing connections, but new connections are passed through without optimization. No other action is necessary; the alarm clears automatically when the traffic has decreased.
  TCP - The appliance has entered admission control due to high TCP memory use. During this event, the appliance continues to optimize existing connections, but new connections are passed through without optimization. The alarm clears automatically when the TCP memory pressure has decreased.
  By default, this alarm is enabled.

Asymmetric Routing - Enables an alarm if asymmetric routing is detected on the network. This is usually due to a failover event of an inner router or VPN. By default, this alarm is enabled.
Connection Forwarding - Enables an alarm if the system detects a problem with a connection-forwarding neighbor. The connection-forwarding alarms are inclusive of all connection-forwarding neighbors. For example, if a Steelhead appliance has three neighbors, the alarm triggers if any one of the neighbors is in error. In the same way, the alarm clears only when all three neighbors are no longer in error.
  Multiple Interface - Enables an alarm and sends an email notification if the connection to a Steelhead appliance in a connection forwarding cluster is lost.
  Single Interface - Enables an alarm and sends an email notification if the connection to a Steelhead appliance connection forwarding neighbor is lost.
  By default, this alarm is enabled.

CPU Utilization - Enables an alarm and sends an email notification if the average and peak threshold for the CPU utilization is exceeded. When an alarm reaches the rising threshold, it is activated; when it reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold. By default, this alarm is enabled, with a rising threshold of 90% and a reset threshold of 70%.
  Rising Threshold - Specify the rising threshold. When an alarm reaches the rising threshold, it is activated. The default value is 90%.
  Reset Threshold - Specify the reset threshold. When an alarm reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold. The default value is 70%.

Data Store
  Corruption - Enables an alarm and sends an email notification if the RiOS data store is corrupt or has become incompatible with the current configuration. To clear the RiOS data store of data, restart the optimization service and click Clear the Data Store. If the alarm was caused by an unintended change to the configuration, the configuration can be changed to match the old RiOS data store settings again and then a service restart (without clearing) will clear the alarm.
  Encryption Level Mismatch - Enables an alarm and sends an email notification if a data store error such as an encryption, header, or format error occurs.
  Synchronization Error - Enables an alarm if RiOS data store synchronization has failed. The RiOS data store synchronization between two Steelheads has been disrupted and the RiOS data stores are no longer synchronized.
  By default, this alarm is enabled.

Disk Full - Enables an alarm if the system partitions (not the RiOS data store) are full or almost full. For example, RiOS monitors the available space on /var which is used to hold logs, statistics, system dumps, TCP dumps, and so on. By default, this alarm is enabled.

Domain Authentication Alert - Enables an alarm when the system is either unable to communicate with the domain controller, or has detected an SMB signing error, or that delegation has failed. CIFS-signed and Encrypted-MAPI traffic is passed through without optimization. By default, this alarm is enabled.

Domain Join Error - Enables an alarm if an attempt to join a Windows domain has failed. The number one cause of failing to join a domain is a significant difference in the system time on the Windows domain controller and the Steelhead appliance. A domain join can also fail when the DNS server returns an invalid IP address for the domain controller. By default, this alarm is enabled.
Granite Blockstore - Enables an alarm if the system encounters any of the following issues with the Granite Edge blockstore:
  The blockstore is running out of space.
  The blockstore is out of space.
  The blockstore is running out of memory.
  The blockstore could not read data that was already replicated to the DC.
  The blockstore could not read data that is not yet replicated to the DC.
  The blockstore fails to start due to disk errors or an incorrect configuration.
  The Granite Edge software version is incompatible with the blockstore version on disk.
  The blockstore could not save data to disk due to a media error.
  By default, this alarm is enabled.

Granite Core - Enables an alarm if the system encounters any of the following issues with the Granite Core:
  The Edge device has connected to a Granite Core that does not recognize the Edge device.
  The Edge does not have an active connection with the Granite Core.
  The data channel between Granite Core and the Edge is down.
  The connection between the Granite Core and the Edge has stalled.
  By default, this alarm is enabled.

Granite iSCSI - Enables an alarm if the iSCSI module encounters an error. By default, this alarm is enabled.

Granite LUN - Enables an alarm if a LUN becomes unavailable. By default, this alarm is enabled.

Granite Snapshot - Enables an alarm if a snapshot fails to be committed to the SAN, or a snapshot fails to complete due to Windows timing out. By default, this alarm is enabled.

Granite Uncommitted Data - Enables an alarm if a large amount of data in the block store needs to be committed to Granite Core. By default, this alarm is enabled.
Hardware
  Disk Error - Enables an alarm when one or more disks is offline. To see which disk is offline, enter the following CLI command from the system prompt:
    show raid diagram
    By default, this alarm is enabled. This alarm applies only to the Steelhead appliance RAID Series 3000, 5000, and
  Fan Error - Enables an alarm and sends an email notification if a fan is failing or has failed and needs to be replaced. By default, this alarm is enabled.
  Flash Error - Enables an alarm when the system detects an error with the flash drive hardware. By default, this alarm is enabled.
  IPMI - Enables an alarm and sends an email notification if an Intelligent Platform Management Interface (IPMI) event is detected. (Not supported on all appliance models.) This alarm triggers when there has been a physical security intrusion. The following events trigger this alarm:
    Chassis intrusion (physical opening and closing of the appliance case).
    Memory errors (correctable or uncorrectable ECC memory errors).
    Hard drive faults or predictive failures.
    Power cycle, such as turning the power switch on or off, physically unplugging and replugging the cable, or issuing a power cycle from the power switch controller.
    By default, this alarm is enabled.
  Memory Error - Enables an alarm and sends an email notification if a memory error is detected. For example, when a system memory stick fails.
  Other Hardware Error - Enables an alarm if a hardware error is detected. The following issues trigger the hardware error alarm:
    The Steelhead appliance does not have enough disk, memory, CPU cores, or NIC cards to support the current configuration.
    The Steelhead appliance is using a memory Dual In-line Memory Module (DIMM), a hard disk, or a NIC that is not qualified by Riverbed.
    Other hardware issues.
    By default, this alarm is enabled.
  Power Supply - Enables an alarm and sends an email notification if an inserted power supply cord does not have power, as opposed to a power supply slot with no power supply cord inserted. By default, this alarm is enabled.
  RAID - Enables an alarm and sends an email notification if the system encounters an error with the RAID array (for example, missing drives, pulled drives, drive failures, and drive rebuilds). An audible alarm might also sound. To see if a disk has failed, enter the following CLI command from the system prompt:
    show raid diagram
    For drive rebuilds, if a drive is removed and then reinserted, the alarm continues to be triggered until the rebuild is complete. Rebuilding a disk drive can take 4-6 hours. This alarm applies only to the Steelhead appliance RAID Series 3000, 5000, and
    By default, this alarm is enabled.
  SSD Write Cycle Level Exceeded - Enables an alarm if the accumulated SSD write cycles exceed a predefined write cycle 95% level on Steelhead appliance models 7050L and 7050M. If the alarm is triggered, the administrator can swap out the disk before any problems arise. By default, this alarm is enabled.
High Availability
Enables an alarm and sends an email notification if

Licensing
Enables an alarm and sends an email notification if a license on the CMC is removed, is about to expire, has expired, or is invalid. This alarm triggers if the CMC has no MSPEC license installed for its currently configured model.
Appliance Unlicensed - This alarm triggers if the CMC has no BASE or MSPEC license installed for its currently configured model.
Licenses Expired - This alarm triggers if one or more features has at least one license installed, but all of them are expired.
Licenses Expiring - This alarm triggers if the license for one or more features is going to expire within two weeks.
Note: The licenses expiring and licenses expired alarms are triggered per feature. For example, if you install two license keys for a feature, LK1-FOO-xxx (expired) and LK1-FOO-yyy (not expired), the alarms do not trigger, because the feature has one valid license.
By default, this alarm is enabled.

Link Duplex
Enables an alarm and sends an email notification when an interface was not configured for half-duplex negotiation but has negotiated half-duplex mode. Half-duplex significantly limits the optimization service results. The alarm displays which interface is triggering the duplex alarm. By default, this alarm is enabled.

Link I/O Errors
Enables an alarm and sends an email notification when the link error rate exceeds 0.1% while either sending or receiving packets. This threshold is based on the observation that even a small link error rate reduces TCP throughput significantly. A properly configured LAN connection should experience very few errors. The alarm clears when the rate drops below 0.05%. You can change the default alarm thresholds by entering the alarm link_errors errthreshold xxxxx CLI command at the system prompt. For details, see the Riverbed Command-Line Interface Reference Manual. By default, this alarm is enabled.
Link State
Enables an alarm and sends an email notification if an Ethernet link is lost due to an unplugged cable or dead switch port. Depending on which link is down, the system might no longer be optimizing and a network outage could occur. This is often caused by interface transitioning on surrounding devices, such as routers or switches. This alarm also accompanies service or system restarts on the CMC. For WAN/LAN interfaces, the alarm triggers if in-path support is enabled for that WAN/LAN pair. By default, this alarm is disabled.

Memory Paging
Enables an alarm and sends an email notification if memory paging is detected. If 100 pages are swapped every couple of hours, the system is functioning properly. If thousands of pages are swapped every few minutes, contact Riverbed Support at
By default, this alarm is enabled.

Neighbor Incompatibility
Enables an alarm if the system has encountered an error in reaching a Steelhead configured for connection forwarding. By default, this alarm is enabled.

Network Bypass
Enables an alarm and sends an email notification if the system is in bypass failover mode. By default, this alarm is enabled.
NFS V2/V4 Alarm
Enables an alarm and sends an email notification if the CMC detects that either NFSv2 or NFSv4 is in use. The Steelhead only supports NFSv3 and passes through all other versions. By default, this alarm is enabled.

Optimization Service
Internal Error - Enables an alarm and sends an email notification if the RiOS optimization service encounters a condition that might degrade optimization performance. By default, this alarm is enabled.
Service Status - Enables an alarm and sends an email notification if the RiOS optimization service encounters a service condition. By default, this alarm is enabled. The message indicates the reason for the condition.
Unexpected Halt - Enables an alarm and sends an email notification if the RiOS optimization service halts due to a serious software error. By default, this alarm is enabled.

Process Dump Creation Error
Enables an alarm and sends an email notification if the system detects an error while trying to create a process dump. This alarm indicates an abnormal condition where RiOS cannot collect the core file after three retries. It can be caused when the /var directory is reaching capacity or other conditions. When the alarm is raised, the directory is blacklisted. By default, this alarm is enabled.

Secure Vault
Enables an alarm and sends an email notification if the system encounters a problem with the secure vault:
Secure Vault Locked - Indicates that the secure vault is locked. To optimize SSL connections or to use RiOS data store encryption, the secure vault must be unlocked.
Secure Vault New Password Recommended - Indicates that the secure vault requires a new, nondefault password. Re-enter the password.
Secure Vault Not Initialized - Indicates that an error has occurred while initializing the secure vault. When the vault is locked, SSL traffic is not optimized and you cannot encrypt the RiOS data store.

Software Version Mismatch
Enables an alarm if there is a mismatch between software versions in the Riverbed system. By default, this alarm is enabled.
SSL
Enables an alarm if an error is detected in your SSL configuration.
Non-443 SSL Servers - Indicates that during a RiOS upgrade (for example, from v5.5 to v6.0), the system has detected a pre-existing SSL server certificate configuration on a port other than the default SSL port 443. SSL traffic might not be optimized. To restore SSL optimization, you can add an in-path rule to the client-side CMC to intercept the connection and optimize the SSL traffic on the nondefault SSL server port. After adding an in-path rule, you must clear this alarm manually by entering the following CLI command:
stats alarm non_443_ssl_servers_detected_on_upgrade clear
SSL Certificates Error (SSL CAs) - Indicates that an SSL peering certificate has failed to re-enroll automatically within the Simple Certificate Enrollment Protocol (SCEP) polling interval.
SSL Certificates Error (SSL Peering CAs) - Indicates that an SSL peering certificate has failed to re-enroll automatically within the Simple Certificate Enrollment Protocol (SCEP) polling interval.
SSL Certificates Expiring - Indicates that an SSL certificate is about to expire.
SSL Certificates SCEP - Indicates that an SSL certificate has failed to re-enroll automatically within the SCEP polling interval.
By default, this alarm is enabled.

Storage Profile Switch Failed
Enables an alarm when an error occurs while repartitioning the disk drives during a storage profile switch. A profile switch changes the disk space allocation on the drives, clears the Granite and VSP data stores, and repartitions the data stores to the appropriate sizes. By default, this alarm is enabled.

System Detail Report
Enables an alarm if a system component has encountered a problem. By default, this alarm is disabled (RiOS v7.0.3 and later).

Temperature
Critical Temperature - Enables an alarm and sends an email notification if the CPU temperature exceeds the rising threshold. When the CPU returns to the reset threshold, the critical alarm is cleared. The default value for the rising threshold temperature is 70º C; the default reset threshold temperature is 67º C.
Warning Temperature - Enables an alarm and sends an email notification if the CPU temperature approaches the rising threshold. When the CPU returns to the reset threshold, the warning alarm is cleared.
Rising Threshold - Specifies the rising threshold. The alarm activates when the temperature exceeds the rising threshold. The default value is 70%.
Reset Threshold - Specifies the reset threshold. The alarm clears when the temperature falls below the reset threshold. The default value is 67%.
After the alarm triggers, it cannot trigger again until after the temperature falls below the reset threshold and then exceeds the rising threshold again.

Virtual Services Platform
Enables an alarm and sends an email notification when any child alarm activates for general VSP problems including:
VSP General Alarm - Enables an alarm when the virtualization service general alarm is not running. This is a critical alarm that is enabled by default.
VSP Service Alarm - Enables an alarm when virtualization service alarm is not running. This alarm is enabled by default.
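The Link I/O Errors and Temperature alarms above both use a pair of thresholds: the alarm raises above one value and clears only below a lower one. The following Python sketch is an added illustration, not Riverbed code; the class and function names, the sample readings, and the definition of error rate as errors divided by packets per polling interval are assumptions.

```python
from dataclasses import dataclass


@dataclass
class ThresholdAlarm:
    """Alarm with a rising threshold and a lower reset threshold."""
    rising: float
    reset: float
    active: bool = False

    def __post_init__(self):
        if self.reset >= self.rising:
            raise ValueError("reset threshold must be below rising threshold")

    def update(self, value):
        """Feed one sample; return 'raise', 'clear' or None."""
        if not self.active and value > self.rising:
            self.active = True
            return "raise"
        # Assumption: "returns to the reset threshold" is read as strictly below it.
        if self.active and value < self.reset:
            self.active = False
            return "clear"
        return None  # between the thresholds the state does not change


def error_rates(polls):
    """Per-interval error rate in percent from cumulative (packets, errors) counters."""
    rates = []
    for (p0, e0), (p1, e1) in zip(polls, polls[1:]):
        packets, errors = p1 - p0, e1 - e0
        rates.append(100.0 * errors / packets if packets > 0 else 0.0)
    return rates


def replay(alarm, values):
    """Return the (sample index, event) pairs the alarm produces for a series."""
    events = []
    for index, value in enumerate(values):
        event = alarm.update(value)
        if event:
            events.append((index, event))
    return events


# Constructed samples: CPU temperature in degrees C, defaults 70 (rising) / 67 (reset).
TEMPERATURES = [66, 71, 69, 72, 68, 66, 71]
# Constructed cumulative interface counters: (packets, errors) at each poll.
LINK_POLLS = [(0, 0), (100000, 50), (200000, 250), (300000, 330), (400000, 360)]

if __name__ == "__main__":
    print(replay(ThresholdAlarm(rising=70, reset=67), TEMPERATURES))
    print(replay(ThresholdAlarm(rising=0.1, reset=0.05), error_rates(LINK_POLLS)))
```

A reading of 69 or 68 after the alarm has raised neither clears nor re-raises it, which is what keeps a value hovering near the threshold from generating a stream of notifications.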
Announcements

You can create or modify a login message or a message of the day. The login message appears in the Central Management Console Login page. The message of the day appears in the Home page and when you first log in to the CLI. You can change announcement settings for the selected system settings policy in the Announcements page.

Login Message - Type a message in the text box to appear on the Login page.
MOTD - Type a message in the text box to appear on the Home page.
Apply - Applies the changes to the current configuration.

Email

You can change email notification settings for the selected system settings policy in the Email page.

SMTP Server - Specify the SMTP server. You must have external DNS and external access for SMTP traffic for this feature to function. Important: Make sure you provide a valid SMTP server to ensure that the users you specify receive email notifications for events and failures.
SMTP Port - Specify the port number for the SMTP server.
Report Events via Email - Specify this option to report events through email. Specify a list of email addresses to receive the notification messages. Separate addresses by commas.
Report Failures via Email - Specify this option to report failures through email. Specify a list of email addresses to receive the notification messages. Separate addresses by commas.
Report Failures to Technical Support - Specify this option to report serious failures such as system crashes to Riverbed Support. Specify the email addresses to which to send notification messages. Separate addresses by spaces, semicolons, commas, or vertical bars. Riverbed recommends that you activate this feature so that problems are promptly corrected. Important: This option does not automatically report a disk drive failure. In the event of a disk drive failure, contact Riverbed Support at

Logging

You can configure remote logging servers, log rotation and filtering, and log viewing preferences for the selected system settings policy in the Logging page. The Logging page contains the following groups of settings:
Logging Configuration
Adding a New Log Server
Adding a New Process Logging Filter
Version Incompatibilities for Logging
Logging Configuration

In this panel, you can configure logging settings for the system policy, as described in the following table.

Minimum Severity - Select the minimum severity level for the system log messages. The log contains all messages with this severity level or higher. Select one of the following levels from the drop-down list:
Emergency - Emergency, the system is unusable.
Alert - Action must be taken immediately.
Critical - Conditions that affect the functionality of the Steelhead appliance.
Error - Conditions that probably affect the functionality of the Steelhead appliance.
Warning - Conditions that could affect the functionality of the Steelhead appliance, such as authentication failures.
Notice - Normal but significant conditions, such as a configuration change.
Info - Informational messages that provide general information about system operations.
Note: This control applies to the system log only. It does not apply to the user log.

Maximum Number of Log Files - Specify the maximum number of logs to store. The default value is 10.

Lines Per Log Page - Specify the number of lines per log page. The default value is 100.

Rotate Based On - Specify one of the following rotation options:
Time - Select Day, Week, or Month from the drop-down list.
Disk Space - Specify how much disk space, in megabytes, the log uses before it rotates. The default value is 16 MB.
Note: The size of the log file is only checked at 10-minute intervals.
Adding a New Log Server

In this panel, you can manage log servers for the system policy, as described in the following table.

Add a New Log Server - Displays the controls for configuring new log servers.
Server IP - Specify the server IP address.
Minimum Severity - Select the minimum severity level for the log messages. The log contains all messages with this severity level or higher. Select one of the following levels from the drop-down list:
Emergency - Emergency, the system is unusable.
Alert - Action must be taken immediately.
Critical - Conditions that affect the functionality of the Steelhead appliance.
Error - Conditions that probably affect the functionality of the Steelhead appliance.
Warning - Conditions that could affect the functionality of the Steelhead appliance, such as authentication failures.
Notice - Normal but significant conditions, such as a configuration change.
Info - Informational messages that provide general information about system operations.
Add - Adds the server to the list.
Remove Selected - Select the check box next to the name and click Remove Selected.
Adding a New Process Logging Filter

In this panel, you can add and manage process logging filters for the system policy, as described in the following table.

Add a New Process Logging Filter - Displays the controls to add a new process logging filter.

Process - Select one of the following from the drop-down list:
alarmd - Alarm manager
cifs - CIFS Optimization
cmcfc - CMC Auto-registration Utility
rgp - CMC Connector
rgpd - CMC Connection Manager
cli - Command Line Interface
mgmtd - Device and Management
http - HTTP Optimization
hald - Hardware Abstraction Daemon
notes - Lotus Notes Optimization
mapi - MAPI Optimization
nfs - NFS Optimization
pm - Process Manager
qosd - QoS scheduler
sched - Process Scheduler
ssl - SSL optimization
shark - Cascade Shark, which enables Cascade Pilot to perform remote packet analysis on trace files captured and stored in the CMC without having to transfer large packet capture files across the network.
virt_wrapped - RSP VMware Interface
rspd - RSP Watchdog
statsd - Statistics Collector
wdt - Watchdog Timer
webasd - Web Application Process
domain_auth - Windows Domain Authentication

Minimum Severity - Select one of the following from the drop-down list:
Emergency - Emergency, the system is unusable.
Alert - Action must be taken immediately.
Critical - Conditions that affect the functionality of the Steelhead appliance.
Error - Conditions that probably affect the functionality of the Steelhead appliance.
Warning - Conditions that could affect the functionality of the Steelhead appliance, such as authentication failures.
Notice - Normal but significant conditions, such as a configuration change.
Info - Informational messages that provide general information about system operations.
Add - Applies your configurations.
Remove Selected - Select the check box next to the name and click Remove Selected.

Version Incompatibilities for Logging

Logging is incompatible with:
Steelhead appliance v6.1.x - is configurable with limitations.
Steelhead appliance v6.5.x - is configurable with limitations.

Monitored Ports

The Steelhead appliance automatically discovers all the ports in the system that have traffic. Discovered ports, with a label (if one exists), are added to the Traffic Summary report. If a label does not exist, an unknown label is added to the discovered port. To change the unknown label to a name representing the port, you must add the port with a new label. All statistics for this new port label are preserved from the time the port was discovered.

By default, traffic is monitored on ports 21 (FTP), 80 (HTTP), 135 (EPM), 139 (CIFS:NetBIOS), 443 (SSL), 445 (CIFS:TCP), 1352 (Lotus Notes), 1433 (SQL:TDS), 1748 (SRDF), 3225 (FCIP), 3226 (FCIP), 3227 (FCIP), 3228 (FCIP), 7830 (MAPI), 8777 (RCU), and (SnapMirror).

You can specify monitored ports for the selected system settings policy in the Monitored Ports page.

Add Port - Displays the controls to add a new port.
Port Number - Specify the port to be monitored.
Port - Specify a description of the type of traffic on the port.
Add - Displays the controls for adding a port.
Remove Selected - Select the check box next to the name and click Remove Selected.

SNMP ACLs

The SNMP ACLs page contains the following groups of settings:
Security Names
Groups
Views
Access Policies
For information on incompatibilities, see Version Incompatibilities for SNMP ACLs on page 383.

Security Names

The security names identify an individual user (v1 or v2c only).
In this panel, you can change the security name settings for the policy in the SNMP ACLs page.

Add a New Security Name - Displays the controls to add a security name.
Security Name - Specify a name to identify a requestor (allowed to issue gets and sets). The security name might make changes to the View Based Access Model (VACM) security name configuration. Note: Traps for v1 and v2c are independent of the security name.
Community String - Specify the password-like community string to control access. Use a combination of uppercase, lowercase, and numerical characters to reduce the chance of unauthorized access to the Steelhead appliance. Note: If you specify a read-only community string (located on the SNMP Basic page under SNMP Server Settings), it takes precedence over this community name and enables users to access the entire MIB tree from any source host. If this is not desired, delete the read-only community string.
Source IP Address and Mask - Specify the host IP address and mask bits to which you permit access using the security name and community string.
Add - Adds the security name.
Remove Selected - Select the check box next to the name and click Remove Selected.

Groups

A group identifies a security name and security model pair and is referred to by a group name. In this panel, you can change the group settings for the policy in the SNMP ACLs page.

Add a New Group - Displays the controls to add a new group.
Group Name - Specify a group name.
Security Model and Name Pairs - Click the + button and select a security model from the drop-down list:
v1 or v2c displays another drop-down menu; select a security name.
usm displays another drop-down menu; select a user.
To add another Security Model and Name pair, click the + button.
Add - Adds the group name and security model and name pairs.
Remove Selected - Select the check box next to the name and click Remove Selected.
Views

In this panel, you can change the view settings for the policy in the SNMP ACLs page.

Add a New View - Displays the controls to add a new view.
View Name - Specify a descriptive view name to facilitate administration.
Includes - Specify the Object Identifiers (OIDs) to include in the view, separated by commas. For example, By default, the view excludes all OIDs. You can specify .iso or any subtree or subtree branch. You can specify an OID number or use its string form. For example, .iso.org.dod.internet.private.enterprises.rbt.products.steelhead.system.model
Excludes - Specify the OIDs to exclude in the view, separated by commas. By default, the view excludes all OIDs.
Add - Adds the view.
Remove Selected - Select the check box next to the name and click Remove Selected.

Access Policies

The access policies define who gets access to which type of information. An access policy is composed of <group-name, security-level, read-view-name>. In this panel, you can change the access settings for the policy in the SNMP ACLs page.

Add a New Access Policy - Displays the controls to add a new access policy.
Group Name - Select a group name from the drop-down list.
Security Level - Determines whether a single atomic message exchange is authenticated. Select one of the following from the drop-down list:
No Auth - Does not authenticate packets and does not use privacy. This is the default setting.
Auth - Authenticates packets but does not use privacy.
A security level applies to a group, not to an individual user.
Read View - Select a view from the drop-down list.
Add - Adds the policy to the policy list.
Remove Selected - Select the check box next to the name and click Remove Selected.

Version Incompatibilities for SNMP ACLs

SNMP ACLs is incompatible with:
Steelhead appliance v6.1.x - is configurable with limitations.
Steelhead appliance v6.5.x - is configurable with limitations.

SNMP Basic

Traps are messages sent by an SNMP entity that indicate the occurrence of an event. The default system configuration does not include SNMP traps.
RiOS v5.0 provides support for the following:
SNMP Version 1
SNMP Version 2c
RiOS v6.0 and later provides support for the following:
SNMP Version 3, which provides authentication through the User-based Security Model (USM).
View-Based Access Mechanism (VACM), which provides richer access control.
Enterprise Management Information Base (MIB)
ACLs (Access Lists) for users (v1 and v2c only).

The SNMP page contains the following groups of settings:
SNMP Server Settings
Adding a New Trap Receiver
Version Incompatibilities for SNMP Basic

SNMP Server Settings

In this panel, you can enable the reporting of events to an SNMP agent, as described in the following table.

Enable SNMP Traps - Specify this option to enable SNMP traps.
System Contact - Specify the user name for the SNMP contact.
System Location - Specify the physical location of the router.
Read-Only Community String - Specify a string to identify the read-only community. For example: Read-only.

Adding a New Trap Receiver

In this panel, you can manage SNMP trap receivers, as described in the following table.

Add New Trap Receiver - Displays the controls for configuring new trap receivers.
Receiver IP Address - Specify the IP address for the SNMP trap. For details on SNMP traps sent to configured servers, see Setting SNMP Basic Settings on page 40.
Destination Port - Specify the destination port.
Receiver Type - Select v1, v2c, or v3 from the drop-down list to specify the SNMP software version.
Community - Specify the SNMP community name.
Enable Receiver - Enables the new trap receiver.
Add - Adds the new configuration to the Trap Receiver list.
Remove Selected - Select the check box next to the name and click Remove Selected.

Version Incompatibilities for SNMP Basic

SNMP Basic is incompatible with:
Steelhead appliance v6.1.x - is configurable with limitations.
Steelhead appliance v6.5.x - is configurable with limitations.

SNMP v3

SNMP v3 provides additional authentication and access control for message security. For example, you can verify the identity of the SNMP entity (manager or agent) sending the message. Using SNMP v3 is more secure than SNMP v1 or v2; however, it requires more configuration steps to provide the additional security features. You can change the SNMP v3 settings for the policy in the SNMP v3 page.

Add a New User - Displays the controls to add a new user.
User Name - Specify the user name.
Authentication Protocol - Select an authentication method from the drop-down list:
MD5 - Specifies the Message-Digest 5 algorithm, a widely-used cryptographic hash function with a 128-bit hash value. This is the default value.
SHA-1 - Specifies the Secure Hash Algorithm, a set of related cryptographic hash functions. SHA-1 is considered to be the successor to MD5.
Authentication - Optionally, click either Supply a Password or Supply a Key to use while authenticating users.
Password - Specify a password. The password must have a minimum of eight characters.
Password Confirm - Confirm the password.
Add - Adds the user.
Remove Selected - Select the check box next to the name and click Remove Selected.
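The SNMP ACLs settings described earlier (security names, groups, views, access policies) chain together to decide whether a v1/v2c read is allowed, and the read-only community string from the SNMP Basic page overrides that chain. The following Python model is an added illustration for reviewing such a policy, not the appliance's implementation; the policy layout, names, community strings and addresses are constructed, and the view check uses the standard VACM rule that the longest matching subtree decides.

```python
import ipaddress


def oid_parts(oid):
    """'.1.3.6.1' -> (1, 3, 6, 1)"""
    return tuple(int(part) for part in oid.strip(".").split("."))


def in_view(view, oid):
    """Longest matching subtree wins; no match means excluded (the default)."""
    target = oid_parts(oid)
    best_len, allowed = -1, False
    for included, subtrees in ((True, view["includes"]), (False, view["excludes"])):
        for subtree in subtrees:
            parts = oid_parts(subtree)
            # >= so that an exclude beats an include of the same subtree
            if target[:len(parts)] == parts and len(parts) >= best_len:
                best_len, allowed = len(parts), included
    return allowed


def can_read(policy, community, src_ip, oid, model="v2c"):
    """Decide a community-based (v1/v2c) read request."""
    ro = policy.get("read_only_community")
    if ro and community == ro:
        return True  # takes precedence: entire MIB tree, any source host
    addr = ipaddress.ip_address(src_ip)
    names = {s["name"] for s in policy["security_names"]
             if s["community"] == community
             and addr in ipaddress.ip_network(s["source"])}
    groups = {group for group, pairs in policy["groups"].items()
              if any(m == model and n in names for m, n in pairs)}
    for rule in policy["access"]:
        # v1/v2c requests are unauthenticated, so only No Auth policies apply
        if rule["group"] in groups and rule["level"] == "noauth":
            if in_view(policy["views"][rule["read_view"]], oid):
                return True
    return False


def audit(policy):
    """Flag settings that widen access beyond the configured ACLs."""
    findings = []
    if policy.get("read_only_community"):
        findings.append("read-only community set: bypasses SNMP ACLs")
    for s in policy["security_names"]:
        if ipaddress.ip_network(s["source"]).prefixlen == 0:
            findings.append("security name %s permits any source" % s["name"])
    return findings


# Constructed policy: one monitoring host range may read the MIB-2 system
# group (.1.3.6.1.2.1.1) except sysContact (.1.3.6.1.2.1.1.4).
POLICY = {
    "read_only_community": "",  # deleted, as the note on community strings advises
    "security_names": [{"name": "nms", "community": "Constructed-Str1ng",
                        "source": "192.0.2.0/28"}],
    "groups": {"monitoring": [("v2c", "nms")]},
    "views": {"sysinfo": {"includes": [".1.3.6.1.2.1.1"],
                          "excludes": [".1.3.6.1.2.1.1.4"]}},
    "access": [{"group": "monitoring", "level": "noauth", "read_view": "sysinfo"}],
}
# Same policy with a read-only community left configured (constructed value).
POLICY_WITH_RO = dict(POLICY, read_only_community="constructed-ro")

if __name__ == "__main__":
    print(can_read(POLICY, "Constructed-Str1ng", "192.0.2.5", ".1.3.6.1.2.1.1.1.0"))
    print(can_read(POLICY_WITH_RO, "constructed-ro", "198.51.100.7", ".1.3.6.1.4.1"))
    print(audit(POLICY_WITH_RO))
```

With the read-only community present, a request from an address outside the permitted range can read an OID that no view includes, which is the behaviour the Community String note describes.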
Networking Policy Settings

The following section describes the Networking Policy feature set. This section includes the following topics:
Asymmetric Routing
Outbound QoS (Basic)
Outbound QoS (Advanced)
Connection Forwarding
Flow Export
Hardware Assist Rules
Host Settings
Port Labels
QoS Marking (Legacy)
Simplified Routing
WCCP
Inbound QoS
Inbound QoS Interfaces
Outbound QoS Interfaces

The following procedures assume you have already created a Networking Policy.

Host Settings

You can view and modify general host settings for the selected networking policy in the Host Settings page. For information on version incompatibility, see Version Incompatibilities for Host Settings on page 388.

When you initially ran the installation wizard, you set required network host settings for the Steelhead appliance. Use the following groups of controls on this page only if modifications or additional configuration is required:
DNS Settings - Riverbed recommends you use DNS resolution. For details, see DNS Settings on page 387.
Hosts - If you do not use DNS resolution, or if the host does not have a DNS entry, you can create a host-IP address resolution map. For details, see Hosts on page 387.
Proxies - Configure proxy addresses for Web or FTP proxy access to the Steelhead appliance. For details, see Proxies on page 387.
Date and Time - Riverbed recommends you configure NTP time synchronization. For details, see Date and Time.
DNS Settings

In this panel, you can manage DNS settings for a networking policy, as described in the following table.

Primary DNS Server IP Address - Specify the IP address for the primary name server.
Secondary DNS Server IP Address - Optionally, specify the IP address for the secondary name server.
Tertiary DNS Server IP Address - Optionally, specify the IP address for the tertiary name server.
DNS Domain List - Specify an ordered list of domain names. If you specify domains, the system automatically finds the appropriate domain for each of the hosts that you specify in the system.

Hosts

In this panel, you can manage hostnames and addresses for a networking policy, as described in the following table.

Add a New Host - Displays the controls for adding a new host.
IP Address - Specify the IP address for the host.
Hostname - Specify a hostname.
Add - Adds the host.
Remove Selected - Select the check box next to the name and click Remove Selected.

Tip: To modify the host-IP mapping, in the table row for the mapping, click the hostname to display controls you can use to modify the mapping. Complete the configuration as above.

Proxies

In this panel, you can set a proxy address for a networking policy.

Web/FTP Proxy IP Address - Specify the IP address for the Web/FTP proxy.
Port - Specify the port for the Web/FTP proxy.
Date and Time

In this panel, you can use NTP servers for the host setting of a networking policy, as described in the following table.

Use NTP Time Synchronization - Check this box to use NTP time synchronization. Note: As a best practice, you should configure your own internal NTP servers; however, if you want to use the Riverbed-provided NTP server, the hard-coded IP address that is pre-configured into every Steelhead appliance is This IP address appears in the NTP server list.
Add a New NTP Server - Click to display controls for configuring a new NTP server.
Hostname or IP Address - Specify the IP address for the NTP server.
Version - Select the NTP server version from the drop-down list: 3 or 4.
Enabled - Enable or disable the connection to the NTP server.
Time Zone - Select a time zone from the drop-down list. The default value is US/Pacific.
Add - Adds the NTP server to the table list.
Remove Selected - Select the check box next to the name and click Remove Selected.

Tip: To modify server properties, in the table row for the server, click the server name to display controls you can use to modify the properties. Complete the configuration as above.

Version Incompatibilities for Host Settings

Host Settings are incompatible with:
Steelhead appliance v6.1.x - is configurable with limitations.
Steelhead appliance v6.5.x - is configurable with limitations.

WCCP

You can enable WCCP service groups for the selected networking policy in the WCCP page. For details on WCCP, see the Steelhead Management Console User's Guide. The WCCP page contains the following groups of settings:
WCCP Service Groups
Adding a New Service Group
WCCP Service Groups

In this panel, you can enable WCCP service groups.

Enable WCCP v2 Support - Enables WCCP v2 support on all groups added to the Service Group list.
Multicast TTL - Specify the TTL boundary for the WCCP protocol packets. The default value is 16.
Adding a New Service Group

In this panel, you can manage WCCP service groups, as described in the following table.

Add a New Service Group - Displays the controls for adding a new service group.

Interface - Select a Steelhead appliance interface to participate in a WCCP service group. RiOS v6.1 enables multiple Steelhead interfaces to participate in WCCP on one or more routers for redundancy (RiOS v6.0 and earlier enables a single Steelhead interface). If one of the links goes down, the router can still send traffic to the other active links for optimization. You must include an interface with the service group ID. More than one Steelhead appliance in-path interface can participate in the same service group. For WCCP configuration examples, see the Steelhead Appliance Deployment Guide. If multiple Steelhead appliances are used in the topology, they must be configured as neighbors. Enables WCCP v2 support on all groups added to the Service Group list.

Service Group ID - Specify a number from 0 to 255 to identify the service group on the router. A value of 0 specifies the standard HTTP service group. Riverbed recommends that you use WCCP service groups 61 and 62.
Note: The service group ID is local to the site where WCCP is used.
Note: The service group number is not sent across the WAN.

Protocol - Select All, TCP, or UDP from the drop-down list. All specifies all IP-based protocols. For example, it matches ICMP traffic.

Password - Optionally, assign a password to the Steelhead appliance interface. This password must be the same password that is on the router. WCCP requires that all routers in a service group have the same password. Passwords are limited to 8 characters.

Password Confirm - Confirm the password.

Priority - Specify the WCCP priority for traffic redirection. If a connection matches multiple service groups on a router, the router chooses the service group with the highest priority. The range is The default value is 200. The priority value must be consistent across all Steelhead appliances within a particular service group.
Weight
Specify the percentage of connections that are redirected to a particular Steelhead appliance interface, which is useful for traffic load balancing and failover support. The number of TCP, UDP, or ICMP connections a Steelhead appliance supports determines its weight. The more connections a CMC model supports, the heavier the weight of that model. In RiOS v6.1 you can modify the weight for each in-path interface to manually tune the proportion of traffic a CMC interface receives.

A higher weight redirects more traffic to that Steelhead interface. The ratio of traffic redirected to a Steelhead interface is equal to its weight divided by the sum of the weights of all the Steelhead interfaces in the same service group. For example, if there are two Steelhead appliances in a service group and one has a weight of 100 and the other has a weight of 200, the one with the weight 100 receives 1/3 of the traffic and the other receives 2/3 of the traffic.

However, since it is generally undesirable for a CMC with two WCCP in-path interfaces to receive twice the proportion of traffic, for Steelhead appliances with multiple in-paths connected, each of the in-path weights is divided by the number of that CMC's interfaces participating in the service group. For example, if there are two CMC appliances in a service group and one has a single interface with weight 100 and the other has two interfaces each with weight 200, the total weight will still equal 300 (100 + 200/2 + 200/2). The one with the weight 100 receives 1/3 of the traffic and each of the other's in-path interfaces receives 1/3 of the traffic.

The range is The default value corresponds to the number of TCP connections your Steelhead appliance supports.

Failover Support
To enable single in-path failover support with WCCP groups, define the service group weight to be 0 on the backup Steelhead appliance. If one Steelhead appliance has a weight 0, but another one has a non-zero weight, the Steelhead appliance with weight 0 does not receive any redirected traffic. If all the Steelhead appliances have a weight 0, the traffic is redirected equally among them.

The best way to achieve multiple in-path failover support with WCCP groups in RiOS v6.1 is to use the same weight on all interfaces from a given Steelhead appliance for a given service group. For example, suppose you have Steelhead A and Steelhead B with two in-path interfaces each. When you configure Steelhead A with weight 100 from both inpath0_0 and inpath0_1 and Steelhead B with weight 200 from both inpath0_0 and inpath0_1, RiOS distributes traffic to Steelhead A and Steelhead B in the ratio of 1:2 as long as at least one interface is up on both Steelhead appliances. In a service group, if an interface with a non-zero weight fails, its weight transfers over to the weight 0 interface of the same service group.

For details on using the weight parameter to balance traffic loads and provide failover support in WCCP, see the Steelhead Appliance Deployment Guide.
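The weight arithmetic described above, worked through as an added example (not code from the guide or from RiOS). The `InPath` record and the appliance labels are hypothetical; the sketch assumes that a failed interface no longer counts as participating in the service group and that all-zero weights split traffic equally per interface.

```python
from collections import Counter
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class InPath:
    appliance: str    # hypothetical appliance label, e.g. "A"
    interface: str    # in-path interface name, e.g. "inpath0_0"
    weight: int       # WCCP weight configured for this service group
    up: bool = True   # assumption: a failed interface stops participating


def traffic_shares(members):
    """Return {(appliance, interface): share of redirected traffic}."""
    for m in members:
        if m.weight < 0:
            raise ValueError(f"negative weight on {m.appliance}/{m.interface}")
    active = [m for m in members if m.up]
    if not active:
        return {}
    # Each in-path weight is divided by the number of that appliance's
    # interfaces participating in the service group.
    per_appliance = Counter(m.appliance for m in active)
    effective = {
        (m.appliance, m.interface): Fraction(m.weight, per_appliance[m.appliance])
        for m in active
    }
    total = sum(effective.values())
    if total == 0:
        # Every remaining member has weight 0: traffic is shared equally.
        equal = Fraction(1, len(effective))
        return {key: equal for key in effective}
    # A weight-0 member next to a non-zero member receives nothing.
    return {key: w / total for key, w in effective.items()}


def appliance_shares(members):
    """Sum the per-interface shares for each appliance."""
    totals = {}
    for (appliance, _interface), share in traffic_shares(members).items():
        totals[appliance] = totals.get(appliance, Fraction(0)) + share
    return totals


# Constructed inputs that mirror the cases in the text.
TWO_SINGLE = [InPath("A", "inpath0_0", 100), InPath("B", "inpath0_0", 200)]
ONE_DUAL = [
    InPath("A", "inpath0_0", 100),
    InPath("B", "inpath0_0", 200),
    InPath("B", "inpath0_1", 200),
]
DUAL_WITH_FAILURE = [
    InPath("A", "inpath0_0", 100),
    InPath("A", "inpath0_1", 100, up=False),   # one link on A is down
    InPath("B", "inpath0_0", 200),
    InPath("B", "inpath0_1", 200),
]
BACKUP_IDLE = [InPath("primary", "inpath0_0", 100), InPath("backup", "inpath0_0", 0)]
BACKUP_ACTIVE = [
    InPath("primary", "inpath0_0", 100, up=False),
    InPath("backup", "inpath0_0", 0),
]

if __name__ == "__main__":
    for name, group in [("two single", TWO_SINGLE), ("one dual", ONE_DUAL),
                        ("dual with failure", DUAL_WITH_FAILURE),
                        ("backup idle", BACKUP_IDLE), ("backup active", BACKUP_ACTIVE)]:
        print(name, {k: str(v) for k, v in appliance_shares(group).items()})
```

Running the check against a planned set of weights before pushing a policy shows whether a backup interface would carry traffic while the primary is healthy.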
Encapsulation Scheme
Specifies the method for transmitting packets between a router or a switch and a Steelhead appliance interface. Select one of the following encapsulation schemes from the drop-down list:

Either - Use Layer-2 first; if Layer-2 is not supported, GRE is used. This is the default value.

GRE - Generic Routing Encapsulation. The GRE encapsulation method appends a GRE header to a packet before it is forwarded. This can cause fragmentation and imposes a performance penalty on the router and switch, especially during the GRE packet de-encapsulation process. This performance penalty can be too great for production deployments.

L2 - Layer-2 redirection. The L2 method is generally preferred from a performance standpoint because it requires fewer resources from the router or switch than the GRE does. The L2 method modifies only the destination Ethernet address. However, not all combinations of Cisco hardware and IOS revisions support the L2 method. Also, the L2 method requires the absence of L3 hops between the router or switch and the Steelhead appliance.
Assignment Scheme
Determines which Steelhead interface in a WCCP service group the router or switch selects to redirect traffic to for each connection. The assignment scheme also determines whether the Steelhead interface or the router processes the first traffic packet. The optimal assignment scheme achieves both load balancing and failover support. Select one of the following schemes from the drop-down list:

Either - Uses Hash assignment unless the router does not support it. When the router does not support Hash, it uses Mask. This is the default setting.

Hash - Redirects traffic based on a hashing scheme and the Weight of the Steelhead interface, providing load balancing and failover support. This scheme uses the CPU to process the first packet of each connection, resulting in slightly lower performance. However, this method generally achieves better load distribution. Riverbed recommends Hash assignment for most Steelhead appliances if the router supports it. The Cisco switches that do not support Hash assignment are the 3750, 4000, and 4500-series, among others. Your hashing scheme can be a combination of the source IP address, destination IP address, source port, or destination port.

Mask - Redirects traffic operations to the Steelhead appliances, significantly reducing the load on the redirecting router. Mask assignment processes the first packet in the router hardware, using fewer CPU cycles and resulting in better performance.

Mask assignment in RiOS v5.0.1 and earlier is limited to one Steelhead appliance per service group. The Steelhead appliance with the lowest in-path IP address receives all the traffic. This scheme provides high availability. You can have multiple Steelhead appliances in a service group but only the Steelhead appliance with the lowest in-path IP address receives all the traffic. If the Steelhead appliance with the lowest in-path IP address fails, the Steelhead appliance with the next lowest in-path IP address receives all of the traffic. When the Steelhead appliance with the lowest in-path IP address recovers, it again receives all of the traffic.

Mask assignment in RiOS v5.0.2 and later supports load-balancing across multiple active Steelhead appliances. This scheme bases load-balancing decisions (for example, which Steelhead appliance in a service group optimizes a given new connection) on bits pulled out, or masked, from the IP address and the TCP port packet header fields.

Mask assignment in RiOS v6.1 supports load-balancing across multiple active Steelhead appliance interfaces in the same service group.

The default mask scheme uses an IP address mask of 0x1741, which is applicable in most situations. However, you can change the IP mask by clicking the service group ID and changing the service group settings and flags.

In multiple CMC environments, it is often desirable to send all users in subnet range to the same CMC. Using mask provides a basic ability to leverage a branch subnet and CMC to the same CMC in a WCCP cluster.

Important: If you use mask assignment you must ensure that packets on every connection and in both directions (client-to-server and server-to-client) are redirected to the same Steelhead appliance. For details, see the Steelhead Appliance Deployment Guide.

For details and best practices for using assignment schemes, see the Steelhead Appliance Deployment Guide.

Source Mask
IP Mask - Specify the source IP mask.
Port Mask - Specify the source port mask.
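How bits "pulled out, or masked" from an address become a bucket, shown as an added example (not code from the guide or from RiOS). Only the 0x1741 default comes from the text; the alternative mask 0x3F00, the sample addresses, and the choice of which header field each direction keys on are assumptions made to illustrate the subnet-affinity and both-directions points above.

```python
import ipaddress

DEFAULT_IP_MASK = 0x1741  # default IP address mask quoted in the text


def mask_bit_positions(mask):
    """Bit positions (0 = least significant) selected by the mask."""
    return [bit for bit in range(32) if (mask >> bit) & 1]


def bucket_count(mask):
    """Number of distinct buckets a mask can produce."""
    return 2 ** len(mask_bit_positions(mask))


def bucket(ip, mask=DEFAULT_IP_MASK):
    """Pack the masked address bits into a small bucket number."""
    value = int(ipaddress.IPv4Address(ip))
    result = 0
    for out_bit, in_bit in enumerate(mask_bit_positions(mask)):
        result |= ((value >> in_bit) & 1) << out_bit
    return result


def subnet_buckets(network, mask=DEFAULT_IP_MASK):
    """Set of buckets that the hosts of one subnet fall into."""
    return {bucket(addr, mask) for addr in ipaddress.ip_network(network)}


def direction_buckets(client, server, c2s_field, s2c_field, mask=DEFAULT_IP_MASK):
    """Buckets chosen for the two directions of one connection.

    c2s_field / s2c_field name the header field ("src" or "dst") that the
    mask is applied to for client-to-server and server-to-client packets.
    Which field each direction uses is configuration, assumed here.
    """
    c2s_key = {"src": client, "dst": server}[c2s_field]
    s2c_key = {"src": server, "dst": client}[s2c_field]
    return bucket(c2s_key, mask), bucket(s2c_key, mask)


def is_symmetric(client, server, c2s_field, s2c_field, mask=DEFAULT_IP_MASK):
    """True when both directions land in the same bucket."""
    forward, reverse = direction_buckets(client, server, c2s_field, s2c_field, mask)
    return forward == reverse


if __name__ == "__main__":
    # Constructed sample addresses.
    client, server = "10.1.1.5", "192.168.20.9"
    print("buckets available:", bucket_count(DEFAULT_IP_MASK))
    print("branch /24 spread, default mask:", sorted(subnet_buckets("10.1.1.0/24")))
    print("branch /24 spread, mask 0x3F00:", sorted(subnet_buckets("10.1.1.0/24", 0x3F00)))
    print("src mask both ways:", direction_buckets(client, server, "src", "src"))
    print("src then dst mask:", direction_buckets(client, server, "src", "dst"))
```

With the default mask, two of the selected bits fall inside the last octet, so one /24 is spread over four buckets; a mask whose bits sit above the host portion keeps the whole subnet together.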
Destination Mask
IP Mask - Specify the destination source IP mask.
Port Mask - Specify the destination source port mask.

Source Hash
Source IP Hash - Specify that the router hash the source IP address to determine traffic to redirect.
Source Port Hash - Specify that the router hash the source port to determine traffic to redirect.

Destination Hash
Destination IP Hash - Specify that the router hash the destination IP address to determine traffic to redirect.
Destination Port Hash - Specify that the router hash the destination port to determine traffic to redirect.

Ports Mode
Select one of the following modes from the drop-down list:
Ports Disabled - Select to disable the ports.
Use Source Ports - The router determines traffic to redirect based on source ports.
Use Destination Ports - The router determines traffic to redirect based on destination ports.

Ports
Specify a comma-separated list of up to seven ports that the router will redirect. Use this option only after selecting either the Use Source Ports or the Use Destination Ports mode.

Router IP Address(es)
Specify a multicast group IP address or a unicast router IP address. You can specify up to 32 routers.

Add
Adds the service group.

Remove Selected Groups
Select the check box next to the name and click Remove Selected Groups.

Inbound QoS

You configure inbound QoS in the Inbound QoS page. For details on Inbound QoS, see the Steelhead Management Console User's Guide. For information on incompatibilities, see Version Incompatibilities for Inbound QoS.
Enable Inbound QoS Shaping and Enforcement
Enables QoS to control the prioritization of different types of inbound network traffic and to ensure that the Steelhead gives certain network traffic (for example, Voice Over IP) higher priority than other network traffic. Traffic is not classified until at least one WAN interface is enabled. By default, inbound QoS classification is disabled. To disable inbound QoS, clear this check box and restart the optimization service.

Enable QoS on <interface> with WAN bandwidth (kbps)
Enables a WAN interface <X-Y>. Specify its bandwidth link rate in kbps. The bandwidth for the default site is automatically set to this value. Inbound QoS supports in-path interfaces only; it does not support primary or auxiliary interfaces. The link rate is the bottleneck WAN bandwidth, not the interface speed out of the WAN interface into the router or switch. For example, if your Steelhead appliance connects to a router with a 100-Mbps link, do not specify this value; specify the actual WAN bandwidth (for example, T1, T3).
Important: Different WAN interfaces can have different WAN bandwidths; you must enter the bandwidth link rate correctly for QoS to function properly.

Version Incompatibilities for Inbound QoS

Inbound QoS is incompatible with:
Steelhead appliance v6.1.x - is not configurable.
Steelhead appliance v6.5.x - is not configurable.
Steelhead appliance v is not configurable.
Inbound QoS Interfaces

You configure inbound QoS interfaces in the Inbound QoS Interfaces page. For details on Inbound QoS Interfaces, see the Steelhead Management Console User's Guide. It includes the following section:
Version Incompatibilities for Inbound QoS Interfaces on page 396

Enable Inbound QoS Shaping and Enforcement
Enables QoS to control the prioritization of different types of inbound network traffic and to ensure that the Steelhead gives certain network traffic (for example, Voice Over IP) higher priority than other network traffic. Traffic is not classified until at least one WAN interface is enabled. By default, inbound QoS classification is disabled. To disable inbound QoS, clear this check box and restart the optimization service.

Enable QoS on <interface> with WAN bandwidth (kbps)
Enables a WAN interface <X-Y>. Specify its bandwidth link rate in kbps. The bandwidth for the default site is automatically set to this value. Inbound QoS supports in-path interfaces only; it does not support primary or auxiliary interfaces. The link rate is the bottleneck WAN bandwidth, not the interface speed out of the WAN interface into the router or switch. For example, if your Steelhead appliance connects to a router with a 100-Mbps link, do not specify this value; specify the actual WAN bandwidth (for example, T1, T3).
Important: Different WAN interfaces can have different WAN bandwidths; you must enter the bandwidth link rate correctly for QoS to function properly.

Version Incompatibilities for Inbound QoS Interfaces

Inbound QoS Interfaces are incompatible with:
Steelhead appliance v6.1.x - is not configurable.
Steelhead appliance v6.5.x - is not configurable.
Steelhead appliance v is not configurable.

Outbound QoS Interfaces

You configure outbound QoS (Basic) and outbound QoS (Advanced) interfaces in the Outbound QoS Interfaces page. For details on Outbound QoS Interfaces, see the Steelhead Management Console User's Guide. It includes the following section:
Version Incompatibilities for Outbound QoS Interfaces
Enable Inbound QoS Shaping and Enforcement
Enables QoS to control the prioritization of different types of inbound network traffic and to ensure that the Steelhead gives certain network traffic (for example, Voice Over IP) higher priority than other network traffic. Traffic is not classified until at least one WAN interface is enabled. By default, inbound QoS classification is disabled. To disable inbound QoS, clear this check box and restart the optimization service.

Enable QoS on <interface> with WAN bandwidth (kbps)
Enables a WAN interface <X-Y>. Specify its bandwidth link rate in kbps. The bandwidth for the default site is automatically set to this value. Inbound QoS supports in-path interfaces only; it does not support primary or auxiliary interfaces. The link rate is the bottleneck WAN bandwidth, not the interface speed out of the WAN interface into the router or switch. For example, if your Steelhead appliance connects to a router with a 100-Mbps link, do not specify this value; specify the actual WAN bandwidth (for example, T1, T3).
Important: Different WAN interfaces can have different WAN bandwidths; you must enter the bandwidth link rate correctly for QoS to function properly.

Version Incompatibilities for Outbound QoS Interfaces

Outbound QoS Interfaces are incompatible with:
Steelhead appliance v6.1.x - is configurable with limitations.
Steelhead appliance v is not configurable.

Hardware Assist Rules

You configure hardware assist rules in the Hardware Assist Rules page. This feature only appears on a Steelhead appliance equipped with one or more Two-Port SR Multimode Fiber 10 Gigabit-Ethernet PCI-E cards.

Hardware Assist rules can automatically bypass all UDP (User Datagram Protocol) connections. You can also configure rules for bypassing specific TCP (Transmission Control Protocol) connections. Automatically bypassing these connections decreases the work load on the local Steelhead appliances because the traffic is immediately sent to the kernel of the host machine or out of the other interface before the Steelhead receives it.

For details on Hardware Assist Rules, see the Steelhead Management Console User's Guide.

For hardware assist rules to be applied to a specific 10G bypass card, the corresponding in-path interface must be enabled and have an IP address.

The Hardware Assist Rules page contains the following group of settings:
Editing Hardware Assist Rules Settings on page 398
Editing Hardware Assist Rules Settings

Under 10G NIC Hardware Assist Rules Settings, enable pass-through as follows:

To automatically pass-through all UDP traffic, click the Enable Hardware Passthrough of All UDP Traffic check box.

To pass-through TCP traffic based on the configured rules, click the Enable Hardware Passthrough of TCP Traffic Defined in the Rules Below check box. TCP pass-through is controlled by rules. The next step describes how to set up hardware assist rules. All hardware assist rules are ignored unless this check box is selected. No TCP traffic will be passed through.

Under TCP Hardware Assist Rules, complete the configuration, as described in the following table.

Add a New Rule
Displays the controls for adding a new rule.

Type
Select one of the following rule types:
Accept - Accepts rules matching the Subnet A or Subnet B IP address and mask pattern for the optimized connection.
Pass-Through - Identifies traffic to be passed through the network unoptimized.

Position
Determines the order in which the system evaluates the rule. Select start, end, or a rule number from the drop-down list. The system evaluates rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied and the system moves on to the next rule. For example, if the conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted. In general, filter traffic that is to be unoptimized, discarded, or denied before processing rules for traffic that is to be optimized.

Subnet A
Specify an IP address and mask for the subnet that can be both source and destination together with Subnet B. Use the following format: XXX.XXX.XXX.XXX/XX
Note: You can specify all or /0 as the wildcard for all traffic.

Subnet B
Specify an IP address and mask for the subnet that can be both source and destination together with Subnet A. Use the following format: XXX.XXX.XXX.XXX/XX
Note: You can specify all or /0 as the wildcard for all traffic.

VLAN Tag ID
Optionally, specify a numeric VLAN tag identification number. Select all to specify the rule applies to all VLANs. Select untagged to specify the rule applies to non-tagged connections.
Note: Pass-through traffic maintains any pre-existing VLAN tagging between the LAN and WAN interfaces.
Note: To complete the implementation of VLAN tagging, you must set the VLAN tag IDs for the in-path interfaces that the Steelhead appliance uses to communicate with other Steelhead appliances.

Description
Optionally, include a description of the rule.
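The ordered evaluation described under Position, as an added example (not code from the guide or from RiOS). It assumes first-match semantics as in the rule 1 / rule 2 illustration, that a rule matches traffic between Subnet A and Subnet B in either direction, and that `all` means 0.0.0.0/0; the `Rule` record, the sample rule lists and the shadow check are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

MAX_RULES = 50  # rule limit stated in the guide


@dataclass(frozen=True)
class Rule:
    action: str        # "accept" or "pass-through"
    subnet_a: str      # CIDR text or "all"
    subnet_b: str      # CIDR text or "all"
    vlan: str = "all"  # "all", "untagged", or a numeric tag as text


def _net(spec):
    # Assumption: "all" is treated as the IPv4 wildcard 0.0.0.0/0.
    return ipaddress.ip_network("0.0.0.0/0" if spec == "all" else spec, strict=False)


def _vlan_ok(rule, vlan):
    if rule.vlan == "all":
        return True
    if rule.vlan == "untagged":
        return vlan is None
    return vlan == int(rule.vlan)


def matches(rule, src, dst, vlan=None):
    """Subnet A and Subnet B can each be the source or the destination."""
    a, b = _net(rule.subnet_a), _net(rule.subnet_b)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    either_direction = (s in a and d in b) or (s in b and d in a)
    return either_direction and _vlan_ok(rule, vlan)


def evaluate(rules, src, dst, vlan=None):
    """Return (position, action) of the first matching rule, or None."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"more than {MAX_RULES} rules")
    for position, rule in enumerate(rules, start=1):
        if matches(rule, src, dst, vlan):
            return position, rule.action
    return None


def _covers(earlier, later):
    ea, eb = _net(earlier.subnet_a), _net(earlier.subnet_b)
    la, lb = _net(later.subnet_a), _net(later.subnet_b)
    subnets = (la.subnet_of(ea) and lb.subnet_of(eb)) or (
        la.subnet_of(eb) and lb.subnet_of(ea))
    return subnets and earlier.vlan in ("all", later.vlan)


def shadowed_rules(rules):
    """List (position, hidden_by) for rules that an earlier rule fully covers."""
    hidden = []
    for i, later in enumerate(rules):
        for j in range(i):
            if _covers(rules[j], later):
                hidden.append((i + 1, j + 1))
                break
    return hidden


# Constructed rule sets: a backup subnet that should bypass optimization.
BROAD_FIRST = [
    Rule("accept", "all", "all"),
    Rule("pass-through", "10.0.5.0/24", "all"),
]
SPECIFIC_FIRST = [BROAD_FIRST[1], BROAD_FIRST[0]]
UNTAGGED_ONLY = [Rule("pass-through", "all", "all", vlan="untagged")]

if __name__ == "__main__":
    print(evaluate(BROAD_FIRST, "10.0.5.20", "172.16.1.9"), shadowed_rules(BROAD_FIRST))
    print(evaluate(SPECIFIC_FIRST, "10.0.5.20", "172.16.1.9"), shadowed_rules(SPECIFIC_FIRST))
```

A non-empty result from `shadowed_rules` means a later pass-through or accept rule never takes effect, which is the ordering problem the Position guidance is meant to avoid.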
Add
Adds the new hardware assist rules to the list. You can add up to a maximum number of 50 rules. RiOS applies the same rule to both LAN and WAN interfaces. Every 10G card has the same rule set. The Steelhead appliance refreshes the Hardware Assist Rules table and applies your modifications to the running configuration, which is stored in memory.

Remove Selected Rules
Select the check box next to the name and click Remove Selected Rules.

Move Selected Rules
Moves the selected rules. Click the arrow next to the desired rule position; the rule moves to the new position.

Add
Click Add to add the new rule.

Simplified Routing

You can enable simplified routing for the selected networking policy in the Simplified Routing page. For details on simplified routing, see the Steelhead Management Console User's Guide.

Collect Mappings From
Select one of the following options from the drop-down list:
None - Do not collect mappings.
Destination Only - Collects destination MAC data. Use this option in connection forwarding deployments. This is the default setting.
Destination and Source - Collect mappings from destination and source MAC data. Use this option in connection forwarding deployments.
All - Collect mappings for destination, source, and inner MAC data. Also collect data for connections that are un-natted (that is, connections that are not translated using NAT). Riverbed recommends that you use this option to maximize the effects of simplified routing.

Asymmetric Routing

You enable asymmetric route detection for the selected optimization policy in the Asymmetric Routing page. For details on asymmetric routing, see the Steelhead Management Console User's Guide.
You can also use the Steelhead CLI to detect and analyze asymmetric routes. For details, see the Riverbed Command-Line Interface Reference Manual or the Steelhead Appliance Deployment Guide.

Enable Asymmetric Routing Detection
Detects asymmetric routes in your network.

Enable Asymmetric Routing Pass-Through
Enables pass-through traffic if asymmetric routing is detected. If asymmetric routing is detected, the pair of IP addresses, defined by the client and server addresses of this connection, is cached on the Steelhead appliance. Further connections between these hosts are passed through unoptimized until that particular asymmetric routing cache entry times out. Detecting and caching asymmetric routes does not optimize these packets. If you want to optimize asymmetric routed packets, you must make sure that the packets going to the WAN always go through a Steelhead appliance, either by using a multiport Steelhead appliance, connection forwarding, or external ways to redirect packets, such as WCCP or PBR. For detailed information, see the Steelhead Appliance Deployment Guide.

Connection Forwarding

You configure connection forwarding for a network with multiple paths from the server in the Connection Forwarding page. For details on connection forwarding, see the Steelhead Management Console User's Guide.

The Connection Forwarding page contains the following groups of settings:
Connection Forwarding Settings on page 400
Adding a New Neighbor on page 401

Connection Forwarding Settings

In this panel, you can enable connection forwarding for a networking policy, as described in the following table.

Enable Connection Forwarding
When checked, this option enables connection forwarding by default on all neighbors added to the peer list. The default port for connection forwarding is

Port
Specify the port number to use as the default for the neighbor Steelhead appliance in-path port. The default value is

Keep-Alive Interval
Specify the number of seconds to use as the default interval for ping commands between neighbor Steelhead appliances.

Keep-Alive Count
Specify the number of tries to use as the default number of failed ping attempts before an appliance terminates a connection with a neighbor. The default value is
In-Path Neighbor Failure
Enables neighbor failure so connections might be handled by another Steelhead appliance.

Multiple Interface Support
Select this option to enable communication between the CMC and the Steelhead appliance on multiple interfaces, ensuring continued connection in the event one interface fails.

Adding a New Neighbor

In this panel, you can manage connection forwarding neighbors for a networking policy, as described in the following table.

Add a New Neighbor
Click to display the controls to add a new neighbor.

Hostname
Specify a name.

In-Path IP Address
Specify the in-path IP address for the neighbor Steelhead appliance. When you define a neighbor, you must specify the appliance in-path IP address, not the primary IP address.

Port
Specify the in-path port for the neighbor Steelhead appliance. The default value is

Additional IP Addresses

Add
Adds a neighbor Steelhead appliance to the neighbor list.

Remove Selected
Select the check box next to the name and click Remove Selected.

Flow Export

You configure flow export for a network from the server in the Flow Export page. For details on flow export, see the Steelhead Management Console User's Guide.

The Flow Export page contains the following groups of settings:
Flow Export and Top Talker Settings on page 402
Enable Interfaces on page 402
Adding a New Flow Collector on page 403
Flow Export and Top Talker Settings

In this panel, you can manage flow export, as described in the following table.

Enable Flow Export
Enables flow export support. By default, this setting is disabled.

Enable Top Talkers
Click to continuously collect statistics for the most active traffic flows. A traffic flow consists of data sent and received from a single source IP address and port number to a single destination IP address and port number over the same protocol.

The most active, heaviest users of WAN bandwidth are called the Top Talkers. A flow collector identifies the top consumers of the available WAN capacity (the top 50 by default) and displays them in the Top Talkers report. Collecting statistics on the Top Talkers provides visibility into WAN traffic without applying an in-path rule to enable a WAN visibility mode.

You can analyze the Top Talkers for accounting, security, troubleshooting, and capacity planning purposes. You can also export the complete list in CSV format.

The collector gathers statistics on the Top Talkers based on the proportion of WAN bandwidth consumed by the top hosts, applications, and host and application pair conversations. The statistics track pass-through or optimized traffic, or both. Data includes TCP or UDP traffic, or both (configurable on the Top Talkers report page).

You must enable Flow Export before you enable Top Talkers. A NetFlow collector is not required for this feature. Enabling Top Talkers automatically sets the Active Flow Timeout to 60 seconds.

Optionally, click a time period to adjust the collection interval:
24-hour Report Period (Higher Granularity) - For a five-minute granularity (the default setting).
48-hour Report Period (Lower Granularity) - For a ten-minute granularity.

Disable Top Talkers
Click to stop collecting statistics on the most active or inactive users of WAN bandwidth.

Active Flow Timeout - Optionally, specify the amount of time, in seconds, the collector retains the list of active traffic flows. The default value is 1800 seconds. Enabling Top Talkers automatically sets the time-out period to 60 seconds and disables this option.

Inactive Flow Timeout - Optionally, specify the amount of time, in seconds, the collector retains the list of inactive traffic flows. The default value is 15 seconds.

Apply
Click Apply to apply your settings.

Enable Interfaces

In this panel, you can enable interfaces for a networking policy. Select the interfaces to include when adding a new Flow collector, and click Apply.
Adding a New Flow Collector

In this panel, you can add and manage flow collectors for a networking policy, as described in the following table.

Add a New Flow Collector
Displays the controls to add a Flow collector.

Collector IP Address
Specify the IP address for the Flow collector.

Port
Specify the UDP port the Flow collector is listening on. The default value is

Version
Select one of the following versions from the drop-down list:
CascadeFlow - Use with Cascade v8.4 or later.
CascadeFlow-compatible - Use with Cascade v8.34 or earlier.
NetFlow v5 - Enables ingress flow records.
NetFlow v9 - Enables both ingress and egress flow records.
For details on the NetFlow v9 templates, flow record field descriptions, and Riverbed-specific fields, see the Steelhead Appliance Deployment Guide. CascadeFlow and CascadeFlow-compatible are enhanced versions of flow export to Riverbed Cascade.

Packet Source Interface
Select the interface to use as the source IP address of the flow packets (Primary or Aux) from the drop-down list. NetFlow records sent from the Steelhead appliance appear to be sent from the IP address of the selected interface.

LAN Address
Causes the TCP/IP addresses and ports reported for optimized flows to contain the original client and server IP addresses and not those of the Steelhead appliance. The default setting displays the IP addresses of the original client and server without the IP address of the Steelhead appliance. This setting is unavailable with NetFlow v9, because the optimized flows are always sent out with both the original client server IP addresses and the IP addresses used by the Steelhead appliance.

Capture Interface primary
Specify the traffic type to export to the flow collector. Select one of the following types from the drop-down list:
All - Exports both optimized and non optimized traffic.
Optimized - Exports optimized traffic.
Optimized-lan - Exports optimized LAN traffic when WCCP is enabled.
Optimized-wan - Exports optimized WAN traffic when WCCP is enabled.
Passthrough - Exports pass-through traffic.
None - Disables traffic flow export.
The default value is All for LAN and WAN interfaces, for all four collectors. The default value for the other interfaces (Primary, rios_lan, and rios_wan) is None.

Enable Filter
(CascadeFlow and NetFlow v9 only) Click to filter flow reports by IP/subnets or IP:ports included in the Filter list. When disabled, reports include all IP/subnets.

Filter
(CascadeFlow and NetFlow v9 only) Specify the IP/subnet or IP:port to include in the report, one entry per line, up to 25 filters maximum.
Note: Flow reports will only be sent for IP/Subnets included in this list. If the filter is not enabled, all will be reported. The filter should be of the form IP/Subnet or IP:Port, one entry per line.
Add
Adds the settings.

Remove Selected
Select the check box next to the name and click Remove Selected.

Outbound QoS (Basic)

Basic QoS simplifies QoS configuration by accurately identifying business applications and classifying traffic according to priorities. The Steelhead uses this information to control the amount of WAN resources that each application can use. This ensures that your important applications are prioritized and removes the guesswork from protecting performance of key applications. In addition, basic QoS prevents recreational applications from interfering with business applications.

The policy might not be pushed to an appliance running RiOS v6.5.0 or lower.

Basic QoS comes with a predefined set of six classes, a list of global applications, and a predefined set of profiles. All interfaces have the same link rate.

Basic QoS includes a default site that is tied to the predefined service profile Medium Office. The bandwidth for the default site is automatically set to the same bandwidth as the interface's WAN throughput value. You can edit the bandwidth for the default site but you cannot edit the subnet. You cannot add or delete classes in basic QoS.

For details on Basic QoS, see the Steelhead Management Console User's Guide. For information on version incompatibility for Outbound QoS (Basic), see Version Incompatibilities for Outbound QoS (Basic) on page 408.

WAN Link

Under WAN Link, you can enable QoS Shaping and Enforcement, as described in the following table.

Enable QoS Shaping and Enforcement
Enables QoS classification to control the prioritization of different types of network traffic and to ensure that the Steelhead gives certain network traffic (for example, Voice Over IP) higher priority than other network traffic. Traffic is not classified until at least one WAN interface is enabled. To disable QoS, clear this check box and restart the optimization service.

WAN Bandwidth (kbps)
Specify the interface bandwidth link rate in kbps. The link rate is the bottleneck WAN bandwidth, not the interface speed out of the WAN interface into the router or switch. As an example, if your Steelhead connects to a router with a 100 Mbps link, do not specify this value; specify the actual WAN bandwidth (for example, T1, T3).
Important: Different WAN interfaces can have different WAN bandwidths; you must enter the bandwidth link rate correctly for QoS to function properly.

Enable QoS on <interface>
Specify a WAN interface <X-Y> to enable.
Enable Local WAN Oversubscription - Optionally, select to allow the sum of remote site bandwidths to exceed the WAN uplink speed. Bandwidth oversubscription shares the bandwidth fairly when the network includes remote site bandwidths that collectively exceed the available bandwidth of the local WAN uplink interface speed. The link sharing provides bandwidth guarantees when some of the sites are partially or fully inactive. As an example, your data center uplink might be 45 Mbit/s with three remote office sites each with 20 Mbit/s uplinks. When disabled, you can only allocate bandwidth for the remote sites such that the total bandwidth does not exceed the bandwidth of any of the interfaces on which QoS is enabled. Note: Enabling this option can degrade latency guarantees when the remote sites are fully active.
Enable QoS Marking - Identify traffic using marking values. You can mark traffic using header parameters such as VLAN, DSCP, and protocols. In RiOS 7.0, you can also use Layer-7 protocol information through AppFlow Engine (AFE) inspection to apply DSCP marking values to traffic flows. In RiOS v7.0 and later, the DSCP or IP TOS marking only has local significance. This means you can set the DSCP or IP TOS values on the server-side Steelhead appliance to values different to those set on the client-side Steelhead appliance.

The Basic QoS page contains the following panels:
  Site Panel Settings on page 405
  Applications Panel Settings on page 406
  Service Policies Panel Settings on page 408

Site Panel Settings

In the Sites panel, configure the information, as described in the following table.

Add Site - Displays the controls to define a remote site.
Position - Select Start or End from the drop-down list. Steelhead appliances evaluate rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule do not match, the system consults the next rule. For example, if the conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted. The default site, which is tied to the Medium Office policy, cannot be removed and is always listed last.
Site Name - Specify the site name. For example, data center.
Subnet - Specify a maximum of five destination subnets that represent individual sites. You cannot edit the subnet for the default site.
Remote Link Bandwidth - Specify the maximum WAN bandwidth in Kbps.
Service Policy - Optionally, select a service policy from the drop-down list. The default policy is Large Office.
Add - Adds the site to the list. The Central Management Console redisplays the Sites table and applies your modifications to the running configuration, which is stored in memory. This button is dimmed and unavailable until you enter the WAN bandwidth.
Remove Site - Select the check box next to the name and click Remove Site.
Move Site - Moves the selected sites. Click the arrow next to the desired rule position; the site moves to the new position.

Applications Panel Settings

In the Applications panel, configure the information, as described in the following table.

Add Application - Displays the controls to define an application.
Application Name - Optionally, specify the application name. For example, Outlook AnywherePass through
Position - Select Start, End, or a rule number from the drop-down list. Steelhead appliances evaluate rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule do not match, the system consults the next rule. For example, if the conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted.
Source Subnet - Specify an IP address and mask for the traffic source, or you can specify all or /0 as the wildcard for all traffic. Use the following format: XXX.XXX.XXX.XXX/XX
Source Port - Optionally, specify all source ports, a single source port value or a port range of port1-port2, where port1 must be less than port2. The default setting is all ports.
Destination Subnet - Specify an IP address and mask pattern for the traffic destination, or you can specify all or /0 as the wildcard for all traffic. Use the following format: XXX.XXX.XXX.XXX/XX
Destination Port - Optionally, specify all destination ports, a single source port value or a port range of port1-port2, where port1 must be less than port2. The default setting is all ports.
Protocol - Select All, TCP, UDP, GRE, ICMP, or IPsec from the drop-down list. The default setting is All.
Traffic Type - Select Optimized, Passthrough, or All from the drop-down list. The default setting is All.
DSCP - Optionally, specify a DSCP value from 0 to 63, or all to use all DSCP values.
VLAN - Optionally, specify a VLAN tag as follows:
  Specify a numeric VLAN tag identification number from 0 to
  Specify all to specify the rule applies to all VLANs.
  Specify none to specify the rule applies to untagged connections.
  RiOS supports VLAN v802.1q. To configure VLAN tagging, configure transport rules to apply to all VLANs or to a specific VLAN. By default, rules apply to all VLAN values unless you specify a particular VLAN ID. Passthrough traffic maintains any pre-existing VLAN tagging between the LAN and WAN interfaces.
Service Class - The service class indicates how delay-sensitive a traffic class is to the QoS scheduler. Select a service class for the application from the drop-down list (highest priority to lowest):
  Real-Time - Specifies real-time traffic class. Give this value to your highest priority traffic. For example, VoIP, or video conferences.
  Interactive - Specifies an interactive traffic class. For example, Citrix, RDP, Telnet and SSH.
  Business Critical - Specifies the high priority traffic class. For example, Thick Client Applications, ERPs, and CRMs.
  Normal Priority - Specifies a normal priority traffic class. For example, Internet browsing, file sharing, and .
  Low Priority - Specifies a low priority traffic class. For example, FTP, backup, replication, other high-throughput data transfers, and recreational applications such as audio file sharing.
  Best Effort - Specifies the lowest priority.
  These are minimum service class guarantees; if better service is available, it is provided. For example, if a class is specified as low priority and the higher priority classes are not active, then the low priority class receives the highest possible available priority for the current traffic conditions. This parameter controls the priority of the class relative to the other classes. The service class describes only the delay sensitivity of a class, not how much bandwidth it is allocated, nor how important the traffic is compared to other classes. Typically you configure low priority for high-throughput, non-packet delay sensitive applications like FTP, backup, and replication.
Application - Select an application from the drop-down list. Selecting HTTP expands the controls to include the Domain Name and Relative Path controls. The relative path is the part of the URL that follows the domain name.
Add - Adds the rule to the list. The Central Management Console redisplays the Applications table and applies your modifications to the running configuration, which is stored in memory.
Remove Application - Select the check box next to the name and click Remove Application.
Move Application - Moves the selected applications. Click the arrow next to the desired rule position; the application moves to the new position.
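Because the Position field makes rule order significant, a broad rule placed early can capture traffic intended for a narrower rule below it. The following is an added example, not part of the Riverbed guide or product: it models first-match evaluation over the Applications panel fields and reports rules that an earlier rule makes unreachable. The AppRule type, its field names and the sample rules are hypothetical and constructed for illustration; only IPv4 and destination ports are modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AppRule:                      # hypothetical model of one Applications row
    name: str
    service_class: str
    src: str = "all"                # "all" or XXX.XXX.XXX.XXX/XX
    dst: str = "all"
    dst_ports: str = "all"          # "all", "80" or "port1-port2"
    protocol: str = "All"           # All, TCP, UDP, GRE, ICMP, IPsec
    dscp: object = "all"            # "all" or 0..63


def _net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "all" else spec,
                                strict=False)


def _ports(spec):
    """Return (low, high); enforce the guide's port1 < port2 requirement."""
    if spec == "all":
        return (0, 65535)
    lo, sep, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if sep and not lo < hi:
        raise ValueError(f"port range {spec!r}: port1 must be less than port2")
    return (lo, hi)


def matches(rule, pkt):
    lo, hi = _ports(rule.dst_ports)
    return (ipaddress.ip_address(pkt["src"]) in _net(rule.src)
            and ipaddress.ip_address(pkt["dst"]) in _net(rule.dst)
            and lo <= pkt["dport"] <= hi
            and rule.protocol in ("All", pkt["proto"])
            and rule.dscp in ("all", pkt["dscp"]))


def classify(rules, pkt):
    """First match wins: return (rule number, service class) or None."""
    for pos, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return pos, rule.service_class
    return None


def covers(a, b):
    """True when every packet matching rule b also matches rule a."""
    (alo, ahi), (blo, bhi) = _ports(a.dst_ports), _ports(b.dst_ports)
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and alo <= blo and bhi <= ahi
            and a.protocol in ("All", b.protocol)
            and a.dscp in ("all", b.dscp))


def shadowed(rules):
    """List (rule, earlier rule) pairs where the later rule can never match."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample: the broad TCP rule sits above the narrower ERP rule.
SAMPLE_RULES = [
    AppRule("bulk-dc", "Low Priority", dst="10.1.0.0/16", protocol="TCP"),
    AppRule("voip", "Real-Time", dst="10.1.5.0/24",
            dst_ports="5060-5061", protocol="UDP"),
    AppRule("erp", "Business Critical", dst="10.1.20.0/24",
            dst_ports="8443", protocol="TCP"),
]

if __name__ == "__main__":
    pkt = {"src": "192.168.1.10", "dst": "10.1.20.7", "dport": 8443,
           "proto": "TCP", "dscp": 0}
    print(classify(SAMPLE_RULES, pkt), shadowed(SAMPLE_RULES))
```

Moving the narrower rule to Start, as the Position control allows, removes the finding and changes the class the sample packet receives.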
Service Policies Panel Settings

In the Service Policies panel, configure the information, as described in the following table.

Add Service Policy - Displays the controls to add a service policy.
Policy Name - Specify the policy name. For example, New York Office.
Realtime - Specify the percentage to allocate for the guaranteed and maximum bandwidth. The guaranteed bandwidth is the percentage of the bandwidth that is guaranteed to be allocated to the applications in the traffic class. A lower value indicates that the traffic in the class is more likely to be delayed. The maximum bandwidth is the maximum percentage of the bandwidth that can be allocated to the applications in the traffic class. A zero indicates that all traffic in the class is dropped.
Interactive - Specify the percentage to allocate for the guaranteed and maximum bandwidth.
Business-Critical - Specify the percentage to allocate for the guaranteed and maximum bandwidth.
Normal - Specify the percentage to allocate for the guaranteed and maximum bandwidth.
Low-Priority - This is the default service policy; specify the percentage to allocate for the guaranteed and maximum bandwidth.
Best Effort - Specify the percentage to allocate for the guaranteed and maximum bandwidth.
Add - Adds the service policy to the list. The Central Management Console redisplays the Policies table and applies your modifications to the running configuration, which is stored in memory.
Remove Service Policy - Select the check box next to the name and click Remove Service Policy.

Version Incompatibilities for Outbound QoS (Basic)

Outbound QoS (Basic) is incompatible with:
  Steelhead appliance v6.1.x - is configurable with limitations.
  Steelhead appliance v6.5.x - is not configurable.
Outbound QoS (Advanced)

After upgrading a Steelhead with no QoS configuration running RiOS v6.1.x or earlier to RiOS v6.5, you must migrate from basic to advanced QoS on both the client-side and server-side Steelhead appliances before configuring advanced QoS. If you are configuring QoS for the first time, you need to migrate from basic to advanced QoS. If you are upgrading a Steelhead with an existing QoS configuration running RiOS v6.1.x or earlier, the system automatically upgrades to advanced QoS. You might also want to migrate from basic to advanced QoS after configuring basic and finding you need more control.

For details on Advanced QoS, see the Steelhead Management Console User's Guide. For information on version incompatibility, see Version Incompatibilities for Outbound QoS (Advanced).
WAN Link

Under WAN Link, you can enable QoS Shaping and Enforcement, as described in the following table.

Enable QoS Shaping and Enforcement - Enables QoS classification to control the prioritization of different types of network traffic and to ensure that the Steelhead gives certain network traffic (for example, Voice Over IP) higher priority than other network traffic. Traffic is not classified until at least one WAN interface is enabled. To disable QoS, clear this check box and restart the optimization service.
WAN Bandwidth (kbps) - Specify the interface bandwidth link rate in kbps. The link rate is the bottleneck WAN bandwidth, not the interface speed out of the WAN interface into the router or switch. As an example, if your Steelhead connects to a router with a 100 Mbps link, do not specify this value; specify the actual WAN bandwidth (for example, T1, T3). Important: Different WAN interfaces can have different WAN bandwidths; you must enter the bandwidth link rate correctly for QoS to function properly.
Enable QoS on <interface> - Specify a WAN interface <X-Y> to enable.
Enable Local WAN Oversubscription - Optionally, select to allow the sum of remote site bandwidths to exceed the WAN uplink speed. Bandwidth oversubscription shares the bandwidth fairly when the network includes remote site bandwidths that collectively exceed the available bandwidth of the local WAN uplink interface speed. The link sharing provides bandwidth guarantees when some of the sites are partially or fully inactive. As an example, your data center uplink might be 45 Mbit/s with three remote office sites each with 20 Mbit/s uplinks. When disabled, you can only allocate bandwidth for the remote sites such that the total bandwidth does not exceed the bandwidth of any of the interfaces on which QoS is enabled. Note: Enabling this option can degrade latency guarantees when the remote sites are fully active.
Enable QoS Marking - Identify traffic using marking values. You can mark traffic using header parameters such as VLAN, DSCP, and protocols. In RiOS 7.0, you can also use Layer-7 protocol information through AppFlow Engine (AFE) inspection to apply DSCP marking values to traffic flows. In RiOS v7.0 and later, the DSCP or IP TOS marking only has local significance. This means you can set the DSCP or IP TOS values on the server-side Steelhead appliance to values different to those set on the client-side Steelhead appliance.

The Advanced QoS page contains the following panels:
  QoS Classes on page 409
  QoS Sites and Rules on page 413

QoS Classes

Under QoS Classes, configure the information, as described in the following table.

Add a New QoS Class - Displays the controls for adding a class.
Class Name - Specify a name for the QoS class.
Class Parent - Appears only when a QoS hierarchy is enabled. Select the parent for a child class. The class inherits the parent's definitions. For example, if the parent class has a business critical latency priority, and its child has a real-time latency priority, the child inherits the business critical priority from its parent, and uses a real-time priority only with respect to its siblings. Select a class parent from the drop-down list.
Latency Priority - Indicates how delay-sensitive a traffic class is to the QoS scheduler. Select the latency priority for the class from the drop-down list (highest priority to lowest):
  Real-Time - Specifies real-time traffic class. Give this value to your highest priority traffic. For example, VoIP or video conferencing.
  Interactive - Specifies an interactive traffic class. For example, Citrix, RDP, Telnet and SSH.
  Business Critical - Specifies the high priority traffic class. For example, Thick Client Applications, ERPs, and CRMs.
  Normal Priority - Specifies a normal priority traffic class. For example, Internet browsing, file sharing, and .
  Low Priority - Specifies a low priority traffic class for all traffic that does not fall into any other service class. For example, FTP, backup, replication, other high-throughput data transfers, and recreational applications such as audio file sharing.
  Best Effort - Specifies the lowest priority.
  These are minimum priority guarantees; if better service is available, it is provided. For example, if a class is specified as low priority and the higher priority classes are not active, then the low priority class receives the highest possible available priority for the current traffic conditions. This parameter controls the priority of the class relative to the other classes. The latency priority describes only the delay sensitivity of a class, not how much bandwidth it is allocated, nor how important the traffic is compared to other classes. Typically, you configure low latency priority for high-throughput, non-packet delay sensitive applications like FTP, backup, and replication.
Guaranteed Bandwidth - Specify the minimum amount of bandwidth (as a percentage) to guarantee to a traffic class when there is bandwidth contention. All of the classes combined cannot exceed 100%. During contention for bandwidth, the class is guaranteed the amount of bandwidth specified. The class receives more bandwidth if there is unused bandwidth remaining. The guaranteed bandwidth must fall within the bandwidth limit for the Steelhead appliance. In hierarchical mode, excess bandwidth is allocated based on the relative ratios of guaranteed bandwidth. The total minimum guaranteed bandwidth of all QoS classes must be less than or equal to 100% of the parent class. A default class is automatically created with guaranteed bandwidth of 10%. Traffic that does not match any of the rules is put into the default class. Riverbed recommends that you change the guaranteed bandwidth of the default class to the appropriate value. The guaranteed bandwidth calculated based on this percentage must be no less than 1 Kbps.
Link Share Weight - Specify the weight for the class. Applies to flat mode only. The link share weight determines how the excess bandwidth is allocated among sibling classes. Link share does not depend on the minimum guaranteed bandwidth. By default, all the link shares are equal. Classes with a larger weight are allocated more of the excess bandwidth than classes with a lower link share weight. You cannot specify a Link Share Weight in Hierarchical QoS. In Hierarchical QoS, the link share weight is the same proportion as the guaranteed bandwidth of the class. The Link Share Weight does not apply to MX-TCP queues.
Upper Bandwidth - Specify the maximum allowed bandwidth (as a percentage) a class receives as a percentage of the parent class guaranteed bandwidth. The limit is applied even if there is excess bandwidth available. Upper Bandwidth does not apply to MX-TCP queues.
Connection Limit - Optionally, specify the maximum number of optimized connections for the class. When the limit is reached, all new connections are passed through unoptimized. In hierarchical mode, a parent class connection limit does not affect its child. Each child class optimized connection is limited by the connection limit specified for their class. For example, if B is a child of A, and the connection limit for A is set to 5, while the connection limit for B is set to 10, the connection limit for B is 10. Connection Limit is supported only in in-path configurations. It is not supported in out-of-path or virtual-in-path configurations. Connection Limit does not apply to the packet-order queue or Citrix ICA traffic. RiOS does not support a connection limit assigned to any QoS class that is associated with a QoS rule with an AFE component. An AFE component consists of a Layer-7 protocol specification. RiOS cannot honor the class connection limit because the QoS scheduler may subsequently re-classify the traffic flow after applying a more precise match using AFE identification.
Queue - Optionally, select one of the following queue methods for the leaf class from the drop-down list (the queue does not apply to the inner class):
  SFQ - Shared Fair Queueing (SFQ) is the default queue for all classes. Determines Steelhead appliance behavior when the number of packets in a QoS class outbound queue exceeds the configured queue length. When SFQ is used, packets are dropped from within the queue in a round-robin fashion, among the present traffic flows. SFQ ensures that each flow within the QoS class receives a fair share of output bandwidth relative to each other, preventing bursty flows from starving other flows within the QoS class.
  FIFO - Transmits all flows in the order that they are received (first in, first out). Bursty sources can cause long delays in delivering time-sensitive application traffic and potentially to network control and signaling messages.
  MXTCP - Has very different use cases than the other queue parameters. MX-TCP also has secondary effects that you need to understand before configuring:
    When optimized traffic is mapped into a QoS class with the MX-TCP queuing parameter, the TCP congestion control mechanism for that traffic is altered on the Steelhead appliance. The normal TCP behavior of reducing the outbound sending rate when detecting congestion or packet loss is disabled, and the outbound rate is made to match the minimum guaranteed bandwidth configured on the QoS class.
    You can use MX-TCP to achieve high-throughput rates even when the physical medium carrying the traffic has high loss rates. For example, MX-TCP is commonly used for ensuring high throughput on satellite connections where a lower-layer-loss recovery technique is not in use. Another usage of MX-TCP is to achieve high throughput over high-bandwidth, high-latency links, especially when intermediate routers do not have properly tuned interface buffers. Improperly tuned router buffers cause TCP to perceive congestion in the network, resulting in unnecessarily dropped packets, even when the network can support high-throughput rates.
    MX-TCP is incompatible with AFE identification. A traffic flow cannot be classified as MX-TCP and then subsequently classified in a different queue. This reclassification can occur if there is a more exact match of the traffic using AFE identification.
  You must ensure the following when you enable MX-TCP:
    The QoS rule for MX-TCP is at the top of QoS rules list.
    The rule does not use AFE identification.
    You only use MX-TCP for optimized traffic. MX-TCP does not work for unoptimized traffic.
  Use caution when specifying MX-TCP. The outbound rate for the optimized traffic in the configured QoS class immediately increases to the specified bandwidth, and does not decrease in the presence of network congestion. The Steelhead appliance always tries to transmit traffic at the specified rate. If no QoS mechanism (either parent classes on the Steelhead appliance, or another QoS mechanism in the WAN or WAN infrastructure) is in use to protect other traffic, that other traffic might be impacted by MX-TCP not backing off to fairly share bandwidth.
  When MX-TCP is configured as the queue parameter for a QoS class, the following parameters for that class are also affected:
    Link share weight. The link share weight parameter has no effect on a QoS class configured with MX-TCP.
    Upper limit. The upper limit parameter has no effect on a QoS class configured with MX-TCP.
  Packet-order - Protects the TCP stream order by keeping track of flows that are currently inside the packet-shaping infrastructure. Packet-order protection enables only one packet from each flow into the HFSC traffic shaper at a time. The backlog for each flow stores the packets from the flow in order until the packet inside the HFSC infrastructure is dequeued for delivery to the network interface. This packet order priority protection works for both TCP and UDP streams. For best performance, select this queue with Citrix real-time latency priority traffic.
Add - Adds the QoS class.
Remove Selected - Select the check box next to the name and click Remove Selected. To remove a parent class, delete all rules for the corresponding child classes first. When a parent class has rules or children, the check box for the parent class is unavailable.

QoS Sites and Rules

Under QoS Sites and Rules, configure the information, as described in the following table.

Add Site or QoS Rule - Displays the controls to add a QoS site or rule.
Add a - Select either Site or Rule. The default is rule.
Parent Site - Appears in hierarchical mode only. Select a parent site from the drop-down list. The default value is Default-site.
Insert Rule At - Inserts a QoS rule for a QoS class. Select Start, End, or a rule number from the drop-down list. Steelhead appliances evaluate rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule do not match, the system consults the next rule. For example, if the conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted.
Class Name - Select a class name from the drop-down list. If the rule matches, the specified rule sends the packet to this class.
Source Subnet - Specify the IP address for the source network. Use the following format: XXX.XXX.XXX.XXX/XX
Port - Specify the port or port label for the source subnet. The default value is All. Rules support port labels for source and destination ports.
Destination Subnet - Specify the IP address for the destination network. Use the following format: XXX.XXX.XXX.XXX/XX
Port - Specify the port or port label for the destination subnet. The default value is All. Rules support port labels for source and destination ports.
Protocol - Select All, TCP, GRE, UDP, ICMP, or IPSec from the drop-down list. All specifies all TCP and UDP-based protocols.
Traffic Type - Select All, Optimized, or Pass-Through from the drop-down list. The system applies the QoS rules to optimized and pass-through (egress only) traffic. Session reliability (port 2598) is not supported with pass-through Citrix traffic.
DSCP - Optionally, select a DSCP level from the drop-down list. In RiOS v5.5 and earlier, the DSCP field in a QoS classification rule matches the DSCP value before DSCP marking rules are applied. In RiOS v6.0.x and v6.1.x, the DSCP field in a QoS classification rule matches the DSCP value after DSCP marking rules are applied; that is, it matches the post-marking DSCP value. In RiOS v6.5, the DSCP field in a QoS classification rule for pass-through traffic matches the DSCP value before DSCP marking rules are applied. The DSCP field in a QoS classification rule for optimized traffic matches the DSCP value after DSCP marking rules are applied; that is, it matches the post-marking DSCP value.
VLAN - Optionally, specify the VLAN tag for the rule.
Application Protocols - Select an application from the drop-down list of global applications. You can define and add any applications that do not appear in the list. Selecting HTTP expands the control to include the Domain Name and Relative Path controls. Enter the domain name and relative path. The relative path is the part of the URL that follows the domain name. Selecting ICA expands the control to include priorities 0 3. Select a priority for the Citrix application to separate low-priority traffic (such as print jobs) from high-priority traffic (such as interactive screen updates). Citrix classification using a priority supports optimized and pass-through traffic. You must select the packet-order queue when using ICA priorities.
Add - Adds a rule or site to the QoS rule or site list.
Remove Site or QoS Rules - Removes the selected sites or rules.
Move Site or QoS Rules - Select the box next to the name and click Move QoS Rules. Click the arrow next to the desired rule position. The rule or site moves to the new position.
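The constraints stated in the QoS Classes and QoS Sites and Rules tables (guarantee totals, the 1 Kbps floor, the MX-TCP conditions, connection limits with AFE rules, ICA priorities and the packet-order queue, and site bandwidth without oversubscription) can be checked before a policy is pushed. The following linter is an added example, not Riverbed code: the QosClass and QosRule model, the finding codes and the sample policy are hypothetical. It assumes that a child class's guaranteed percentage is taken of its parent's guarantee and that "top of the rules list" means no other rule precedes an MX-TCP rule.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class QosClass:                               # hypothetical model of a QoS class
    name: str
    guaranteed_pct: float                     # Guaranteed Bandwidth (%)
    queue: str = "sfq"                        # sfq | fifo | mxtcp | packet-order
    parent: Optional[str] = None              # Class Parent (hierarchical mode)
    link_share_weight: Optional[float] = None
    upper_pct: Optional[float] = None         # Upper Bandwidth (%)
    connection_limit: Optional[int] = None


@dataclass
class QosRule:                                # hypothetical model of a QoS rule
    class_name: str
    traffic_type: str = "all"                 # all | optimized | pass-through
    afe_app: Optional[str] = None             # Layer-7 (AFE) match, if any
    ica_priority: Optional[int] = None        # Citrix ICA priority


def lint_policy(classes, rules, wan_kbps, site_kbps=(), oversubscription=False):
    """Return a sorted list of (finding code, subject) tuples."""
    findings = set()
    by_name = {c.name: c for c in classes}

    # Sibling guarantees must total <= 100% of their parent (or of the link).
    totals = {}
    for c in classes:
        totals[c.parent] = totals.get(c.parent, 0.0) + c.guaranteed_pct
    findings |= {("GUARANTEE_OVER_100", parent or "<link>")
                 for parent, total in totals.items() if total > 100.0}

    def guaranteed_kbps(c, seen=()):
        # Assumption: a child's percentage applies to its parent's guarantee.
        if c.parent is None:
            base = wan_kbps
        elif c.parent in by_name and c.parent not in seen:
            base = guaranteed_kbps(by_name[c.parent], seen + (c.name,))
        else:                                 # unknown parent or a cycle
            findings.add(("BAD_PARENT", c.name))
            base = 0.0
        return base * c.guaranteed_pct / 100.0

    for c in classes:
        if guaranteed_kbps(c) < 1.0:
            findings.add(("GUARANTEE_UNDER_1KBPS", c.name))
        if c.queue == "mxtcp" and (c.link_share_weight is not None
                                   or c.upper_pct is not None):
            findings.add(("MXTCP_IGNORES_WEIGHT_OR_UPPER", c.name))

    seen_other_queue = False
    for pos, r in enumerate(rules, start=1):
        c = by_name.get(r.class_name)
        if c is None:
            findings.add(("UNKNOWN_CLASS", f"rule {pos}"))
            continue
        if c.queue == "mxtcp":
            if seen_other_queue:
                findings.add(("MXTCP_RULE_NOT_AT_TOP", f"rule {pos}"))
            if r.afe_app:
                findings.add(("MXTCP_WITH_AFE", f"rule {pos}"))
            if r.traffic_type != "optimized":
                findings.add(("MXTCP_NOT_OPTIMIZED_ONLY", f"rule {pos}"))
        else:
            seen_other_queue = True
        if r.afe_app and c.connection_limit is not None:
            findings.add(("CONN_LIMIT_WITH_AFE", c.name))
        if r.ica_priority is not None and c.queue != "packet-order":
            findings.add(("ICA_PRIORITY_NEEDS_PACKET_ORDER", f"rule {pos}"))

    # Without oversubscription, remote sites may not total more than the link.
    if not oversubscription and sum(site_kbps) > wan_kbps:
        findings.add(("SITES_EXCEED_WAN", "sites"))
    return sorted(findings)


# Constructed sample: the guide's 45 Mbit/s uplink with three 20 Mbit/s sites.
SAMPLE_CLASSES = [
    QosClass("voice", 30, queue="packet-order"),
    QosClass("citrix", 20, connection_limit=50),
    QosClass("sat-bulk", 45, queue="mxtcp", upper_pct=80),
    QosClass("default", 10),
]
SAMPLE_RULES = [
    QosRule("citrix", afe_app="ICA", ica_priority=0),
    QosRule("sat-bulk", traffic_type="all"),
    QosRule("voice"),
    QosRule("default"),
]


def lint_sample():
    return lint_policy(SAMPLE_CLASSES, SAMPLE_RULES, wan_kbps=45000,
                       site_kbps=(20000, 20000, 20000))


if __name__ == "__main__":
    for code, subject in lint_sample():
        print(f"{code:32} {subject}")
```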
Version Incompatibilities for Outbound QoS (Advanced)

Outbound QoS (Advanced) is incompatible with:
  Steelhead appliance v6.1.x - is configurable with limitations.
  Steelhead appliance v6.5.x - is not configurable.

QoS Marking (Legacy)

You set QoS marking for the selected networking policy in the QoS Marking (Legacy) page. For details on QoS marking, see the Steelhead Management Console User's Guide. For information on version incompatibility for QoS Marking (Legacy), see Version Incompatibilities for QoS Marking (Legacy) on page 417.

Tip: Optionally, to view and edit additional policy settings, select the policy from the Editing <policy type> Policy drop-down list. To view and edit additional policy feature sets, select a feature set from the Page drop-down list.
The QoS Marking page contains the following groups of settings:
  QoS DSCP Monitor Settings on page 415
  Adding a New Optimized QoS Map on page 416
  Adding a New Pass-through QoS Map on page 417

QoS DSCP Monitor Settings

In this panel, you can set DSCP monitor settings for a networking policy.

TOS Monitor Interval - Specify how many TCP bytes the client Steelhead appliance receives on the upstream connection before sending packets that reflect the same DSCP value. The default value is For example, after the TCP connection has received 3000 bytes of data, the Steelhead appliance checks the DSCP value received in the last packet for that connection and uses that value to mark packets on the next hop. The DSCP value in packets received from the server is used in packets sent from the server-side Steelhead appliance to the client-side Steelhead appliance. This way, as soon as the server sends data back, the DSCP value is sent for packets in the reverse direction. This also applies to packets sent from a server-side Steelhead appliance to the server. If you set the interval to 1, the connection setup packets (SYN/SYN-ACK/ACK) are not marked, but the next packets are marked, because the server-side Steelhead appliance sends data to the server only after it receives data from the client-side Steelhead appliance.
TOS Monitor Repeat - Specify how often the client-side Steelhead appliance rechecks the DSCP value of the traffic. The default value is 1. Change this value when you expect the DSCP value to change during the duration of the connection and you want to use the most recent value. If you want to check indefinitely, set the repeat interval to1.
Adding a New Optimized QoS Map

In this panel, you can manage optimized QoS maps, as described in the following table.

Add a New Optimized QoS Map - Displays the controls to add an optimized QoS map.
Source Subnet - Specify the IP address for the source network. Use the following format: XXX.XXX.XXX.XXX/XX
Source Port - Specify the source port number, port label, or all. A port label is a label that you assign to a set of ports so that you can reduce the number of configuration rules in your system. For the MAPI data channel, specify port 7830 and the corresponding DSCP level. The method you use to configure QoS for active FTP depends on the RiOS version.
  RiOS versions and For the FTP data channel, specify source port 20 and the corresponding DSCP level on the Steelhead appliance closest to the FTP server (assuming the FTP server initiates the data channel on port 20). Setting QoS for port 20 on the server-side Steelhead appliance affects active FTP.
  RiOS versions prior to and For the FTP data channel, configure a QoS map on the server-side Steelhead appliance to match the destination port 20, because RiOS versions prior to and do not support the creation of QoS maps based on the source port for optimized traffic.
Destination Subnet - Specify the IP address for the destination subnet. Use the following format: XXX.XXX.XXX.XXX/XX
Destination Port - Specify the destination port number, port label, or all. A port label is a label that you assign to a set of ports so that you can reduce the number of configuration rules in your system. For the MAPI data channel, specify port 7830 and the corresponding DSCP level. For the FTP data channel, specify destination port 20 and the corresponding DSCP level. Setting QoS for port 20 on the server-side Steelhead appliance affects passive FTP.
DSCP - Optionally, select a DSCP level (0-63) or Reflect (the default setting) from the drop-down list. Reflect specifies that the DSCP level or IP ToS value found on pass-through traffic is unchanged when it passes through the Steelhead appliance.
  Important: If your connections already have a DSCP level and you do not define one on the client-side Steelhead appliance, the Steelhead appliance uses the existing DSCP level for the connection between the Steelhead appliances. If you define a DSCP level on the client-side Steelhead appliance, the Steelhead appliance overrides the existing DSCP level and the value that you defined is applied.
  Note: Optimized traffic is marked in both directions, but pass-through traffic is marked only on the egress traffic.
  Note: In RiOS 5.5 and earlier, the DSCP field in a QoS classification rule matches the DSCP value before DSCP marking rules are applied. In RiOS 6.0, the DSCP field in a QoS classification rule matches the DSCP value after DSCP marking rules are applied; that is, it matches the post-marking DSCP value.
Description - Optionally, specify a description to identify the rule.
Add - Adds the rule to the optimized QoS map list.
Remove QoS Maps - Removes the selected map configurations.
Move QoS Maps - Reorders the selected maps in the list.
Adding a New Pass-through QoS Map

In this panel, you can manage pass-through QoS maps, as described in the following table.

Add a New Passthrough QoS Map - Displays the controls to add a pass-through QoS map.
Source Subnet - Specify the IP address for the source network. Use the following format: XXX.XXX.XXX.XXX/XX
Port - Specify the source port number, port label, or all. A port label is a label that you assign to a set of ports so that you can reduce the number of configuration rules in your system. For the MAPI data channel, specify port 7830 and the corresponding DSCP level. You cannot optimize a pass-through FTP data channel connection.
Destination Subnet - Specify the IP address for the destination subnet. Use the following format: XXX.XXX.XXX.XXX/XX
Port - Specify the destination port number, port label, or all. A port label is a label that you assign to a set of ports so that you can reduce the number of configuration rules in your system. For the MAPI data channel, specify port 7830 and the corresponding DSCP level. You cannot optimize a pass-through FTP data channel connection.
DSCP - Optionally, select a DSCP level (0-63) or Reflect (the default setting) from the drop-down list. Reflect specifies that the DSCP level or IP ToS value found on pass-through traffic is unchanged when it passes through the Steelhead appliance.
  Important: If your connections already have a DSCP level and you do not define one in the Central Management Console, the Steelhead appliance uses the existing DSCP level for the connection between the Steelhead appliances. If you define a DSCP level in the Central Management Console, the Steelhead appliance overrides the existing DSCP level and the value that you defined is applied.
  Note: Optimized traffic is marked in both directions, but pass-through traffic is marked only on the egress traffic.
Description - Optionally, specify a description to help you identify the map.
Add - Adds the map to the pass-through QoS map list.
Remove QoS Maps - Removes the selected map configurations.
Move QoS Maps - Reorders the selected maps in the list.

Version Incompatibilities for QoS Marking (Legacy)

QoS Marking (Legacy) is incompatible with:
- Steelhead appliance v7.0.0 and higher - is not configurable.
Port Labels

You create port labels for the selected networking policy in the Port Labels page. Port labels are names given to sets of port numbers. You use port labels when configuring in-path rules. For example, you can use port labels to define a set of ports for which the same in-path, peering, QoS classification, and QoS marking rules apply. For details on the port labels, see the Steelhead Management Console User's Guide.

Add a New Port Label - Displays the controls to add a new port label.
Name - Specify the label name. The following rules apply:
  - Port labels are not case sensitive and can be any string consisting of letters, the underscore ( _ ), or the hyphen ( - ). There cannot be spaces in port labels.
  - The fields in the various rule pages of the Central Management Console that take a physical port number also take a port label.
  - To avoid confusion, do not use a number for a port label.
  - Port labels that are used in in-path and other rules, such as QoS and peering rules, cannot be deleted.
  - Port label changes (that is, adding and removing ports inside a label) are applied immediately by the rules that use the port labels that you have modified.
Ports - Specify a comma-separated list of ports.
Remove Selected - Select the check box next to the name and click Remove Selected.
Add - Adds the port label.

Security Policy Settings

The following section describes the Security Policy feature set. This section includes the following topics:
- General Security Settings
- User Permissions
- RADIUS
- Password Policy
- TACACS+
- Management ACL

The following procedures assume you have already created a Security Policy.

General Security Settings

You can prioritize local, RADIUS, and TACACS+ authentication methods for the system and set the authorization policy and default user for RADIUS and TACACS+ authorization systems in the General Settings page.
Important: Make sure to put the authentication methods in the order in which you want authentication to occur. If authorization fails on the first method, the next method is attempted, and so on, until all of the methods have been attempted.

Tip: To set TACACS+ authorization levels (admin or read-only) to allow certain members of a group to log in, add the following attribute to users on the TACACS+ server:

  service = rbt-exec { local-user-name = monitor }

where you replace monitor with admin for write access.

For details on general security settings, see the Steelhead Management Console User's Guide. For details on setting up RADIUS and TACACS+ servers, see the Steelhead Appliance Deployment Guide.

In this panel, you can select the authentication method, as described in the following table.

Authentication Methods - Specifies an authentication method from the drop-down list. The methods are listed in the order in which they occur. If authorization fails on the first method, the next method is attempted, and so forth, until all the methods have been attempted.
For RADIUS/TACACS+, fallback only when servers are unavailable - When checked, indicates fallback to a RADIUS or TACACS+ server only when all of the other servers have not responded. This is the default setting. When this feature is disabled, the Steelhead appliance does not fall back to the RADIUS or TACACS+ servers. If it exhausts the other servers and does not get a response, it returns a server failure.
Apply - Applies your settings to the running configuration.

User Permissions

You can change the administrator or monitor passwords and define role-based users for the selected security policy in the User Permissions page. For details on user permissions, see Managing User Permissions on page 59.
The User Permissions page contains the following groups of settings:
- Capability-Based Accounts
- Adding a New User

Capability-Based Accounts

The system has two accounts based on what actions the user can take:

Admin - The administrator user has full privileges. For example, as an administrator you can set and modify configuration settings, add and delete users, restart the Steelhead service, reboot the Steelhead appliance, and create and view performance and system reports.
Monitor - A monitor user can view reports, user logs, and change their password. A monitor user cannot make configuration changes, modify private keys, view logs, or manage cryptographic modules in the system.
In this panel, you can manage capability accounts for the security policy, as described in the following table.

admin/monitor - Click the magnifying glass to change the administrator or monitor password.
  Enable Account - Click to enable or clear to disable the administrator or monitor account.
  Use a Password - Enables password protection.
  Password - Type a password in the text box. The password must have a minimum of six characters.
  Password Confirm - Confirm the new administrator password.
Apply - Applies your settings to the running configuration.

Adding a New User

In this panel, you can manage role-based accounts for the security policy, as described in the following table.

Important: A role-based account cannot modify another role-based or capability-based account.

Add a New User - Click to display the controls for creating a new role-based account.
Account Name - Specify a name for the role-based account.
Enable Account - Select the check box to enable the new role-based account.
Use a Password - Select the check box to enable password protection and type the following:
  Password - Type a password in the text box. The password must have a minimum of six characters.
  Password Confirm - Type the new password again for confirmation.
Roles and Permissions - Grant the user one of the following privileges:
  Deny - With deny privileges the user cannot view settings or make configuration changes for a feature. This is the default.
  Read-Only - With read privileges the user can view current configuration settings for the feature but cannot change them.
  Read/Write - With write privileges the user can view settings and make configuration changes for a feature.
  Roles are comprised of groups of settings. With write access permission the user can change the configuration for these roles. For details on available roles and permissions, see Steelhead Appliance Roles and Permissions.
Password Policy

You can choose one of the following password policy templates, depending on your security requirements:

Strong - Sets the password policy to more stringent enforcement settings. Selecting this template automatically prepopulates the password policy with stricter settings commonly required by higher security standards such as for the Department of Defense.
Basic - Reverts the password policy to its predefined settings so you can customize your policy.

For details on password policy, see the Steelhead Management Console User's Guide. For information on version incompatibility for password policy, see Version Incompatibilities for Password Policy.

Under Password Management, complete the configuration as described in the following table.

Login Attempts Before Lockout - Specify the maximum number of unsuccessful login attempts before temporarily blocking user access to the Steelhead appliance. The user is prevented from further login attempts when the number is exceeded. The default for the strong security template is 3. The lockout expires after the amount of time specified in Timeout for User Login After Lockout elapses.
Timeout for User Login After Lockout - Specify the amount of time, in seconds, that must elapse before a user can attempt to log in after an account lockout due to unsuccessful login attempts. The default for the strong security template is 300.
Days Before Password Expires - Specify the number of days the current password remains in effect. The default for the strong security template is 60. To set the password expiration to 24 hours, specify 0. To set the password expiration to 48 hours, specify 1. Leave blank to turn off password expiration.
Days to Warn User of an Expiring Password - Specify the number of days the user is warned before the password expires. The default for the strong security template is 7.
Days to Keep Account Active After Password Expires - Specify the number of days the account remains active after the password expires. The default for the strong security template is 305. When the time elapses, RiOS locks the account permanently, preventing any further logins.
Minimum Interval for Password Reuse - Specify the number of password changes allowed before a password can be reused. The default for the strong security template is 5.

Under Password Characteristics, complete the configuration as described in the following table.

Minimum Password Length - Specify the minimum password length. The default for the strong security template is 14 alphanumeric characters.
Minimum Uppercase Characters - Specify the minimum number of uppercase characters required in a password. The default for the strong security template is 1.
Minimum Lowercase Characters - Specify the minimum number of lowercase characters required in a password. The default for the strong security template is 1.
Minimum Numerical Characters - Specify the minimum number of numerical characters required in a password. The default for the strong security template is 1.
Minimum Special Characters - Specify the minimum number of special characters required in a password. The default for the strong security template is 1.
Minimum Character Differences Between Passwords - Specify the minimum number of characters that must be changed between the old and new password. The default for the strong security template is 4.
Prevent Dictionary Words - Select to prevent the use of any word that is found in a dictionary as a password. By default, this control is enabled.

Version Incompatibilities for Password Policy

Password policy is incompatible with:
- Steelhead appliance v6.1.x - is not configurable.
- Steelhead appliance v6.5.x - is not configurable.
- Steelhead appliance v7.0.x - is not configurable.
- Steelhead EX appliance v1.0.x - is not configurable.

RADIUS

You set up RADIUS server authentication for the selected security policy in the RADIUS page. RADIUS is an access control protocol that uses a challenge and response method for authenticating users. Setting up RADIUS server authentication is optional. For details on the RADIUS feature, see the Steelhead Management Console User's Guide.

The RADIUS page contains the following groups of settings:
- Default RADIUS Settings
- RADIUS Servers
- Version Incompatibilities for RADIUS

Default RADIUS Settings

In this panel, you can enable and define RADIUS authentication for the security policy, as described in the following table.

Set a Global Default Key - Enables a global server key for the RADIUS server.
Global Key - Specify the global server key. Note: Leave it unchanged to leave the global key unchanged.
Confirm Global Key - Confirm the global server key.
Timeout (seconds) - Specify the time-out period in seconds (1-60). The default value is 3.
Retries - Specify the number of times you want to allow the user to retry authentication. The default value is
RADIUS Servers

In this panel, you can add and manage RADIUS authentication servers, as described in the following table.

Add a RADIUS Server - Displays the controls for defining a new RADIUS server.
Server IP Address - Specify the server IP address.
Authentication Port - Specify the port for the server.
Override the Global Default Key - Overrides the global server key for the server.
  Server Key - Specify the override server key.
  Confirm Server Key - Confirm the override server key.
Timeout (seconds) - Specify the time-out period in seconds (1-60). The default value is 3.
Retries - Specify the number of times you want to allow the user to retry authentication. Valid values are 0-5. The default value is 1.
Enabled - Enables the new server.
Add - Adds the RADIUS server to the list.
Remove Selected - Select the check box next to the name and click Remove Selected.

If you add a new server to your network and you do not specify these fields at that time, the global settings are applied automatically.

Version Incompatibilities for RADIUS

RADIUS is incompatible with:
- Steelhead appliance v6.1.x - is configurable with limitations.
- Steelhead appliance v6.5.x - is configurable with limitations.

TACACS+

You set up TACACS+ server authentication for the selected security policy in the TACACS+ page. Enabling this feature is optional. TACACS+ is an authentication protocol that enables a remote access server to forward a login password for a user to an authentication server to determine whether access is allowed to a given system. For details on TACACS+, see the Steelhead Management Console User's Guide.

The TACACS+ page contains the following groups of settings:
- Default TACACS+ Settings
- TACACS+ Servers
- Version Incompatibilities for TACACS+
Default TACACS+ Settings

In this panel, you can enable and define TACACS+ authentication for the security policy, as described in the following table.

Set a Global Default Key - Specify this option to enable a global server key for the server.
Global Key - Specify the global server key. Note: Leave it unchanged to leave the global key unchanged.
Confirm Global Key - Confirms the global server key.
Timeout (seconds) - Specify the time-out period in seconds (1-60). The default value is 3.
Retries - Specify the number of times you want to allow the user to retry authentication. Valid values are 0-5. The default is 1.

TACACS+ Servers

In this panel, you can add and manage TACACS+ authentication servers, as described in the following table.

Add a TACACS+ Server - Displays the controls for defining a new TACACS+ server, as described in this table.
Server IP Address - Specify the server IP address.
Authentication Port - Specify the port for the server. The default value is 49.
Authentication Type - Click either PAP or ASCII to select the authentication type.
Override the Global Default Key - Specify this option to override the global server key for the server.
  Server Key - Specify the override server key.
  Confirm Server Key - Confirm the override server key.
Timeout (seconds) - Specify the time-out period in seconds (1-60). The default is 3.
Retries - Specify the number of times you want to allow the user to retry authentication. Valid values are 0-5. The default is 1.
Enabled - Enables the new server.
Add - Adds the TACACS+ server to the list.
Remove Selected - Select the check box next to the name and click Remove Selected.

Version Incompatibilities for TACACS+

TACACS+ is incompatible with:
- Steelhead appliance v6.1.x - is configurable with limitations.
- Steelhead appliance v6.5.x - is configurable with limitations.
- Steelhead appliance v7.0.x - is configurable with limitations.
- Steelhead EX appliance v1.0.x - is configurable with limitations.
Management ACL

You configure management ACL for the selected security policy in the Management ACL page. Steelhead appliances are subject to the network policies defined by a corporate security policy, particularly in large networks. Using an internal management ACL, you can:
- Restrict access to certain interfaces or protocols of a Steelhead appliance.
- Restrict inbound IP access to a Steelhead appliance, protecting it from access by hosts that do not have permission without using a separate device (such as a router or firewall).
- Specify which hosts or groups of hosts can access and manage a Steelhead appliance by IP address, simplifying the integration of Steelhead appliances into your network.

The Management ACL provides the following safeguards to prevent accidental disconnection from the Steelhead appliance (or the CMC):
- It detects the IP address you are connecting from and displays a warning if you add a rule that denies connections to that address.
- It always enables the default Steelhead appliance ports 7800, 7801, 7810, 7820, and
- It always enables a previously-connected CMC to connect and tracks any changes to the IP address of the CMC to prevent disconnection.
- It converts well-known port and protocol combinations such as SSH, Telnet, HTTP, HTTPS, SNMP, and SOAP into their default management service and protects these services from disconnection. For example, if you specify protocol 6 (TCP) and port 22, the management ACL converts this port and protocol combination into SSH and protects it from denial.
- It tracks changes to default service ports and automatically updates any references to changed ports in the access rules.

For details on management ACL, see the Steelhead Management Console User's Guide.

The Management ACL page contains the following groups of settings:
- Management ACL Settings
- Adding a New Rule

Management ACL Settings

The management ACL contains rules that define a match condition for an inbound IP packet. You set a rule to allow or deny access to a matching inbound IP packet. When you add a rule on a CMC, the destination specifies the CMC itself, and the source specifies a remote host.

In this panel, you can choose:

Enable Management ACL - Secures access to a Steelhead appliance using a management ACL.

Adding a New Rule

The management ACL contains rules that define a match condition for an inbound IP packet. You set a rule to allow or deny access to a matching inbound IP packet. When you add a rule on a Steelhead appliance, the destination specifies the Steelhead appliance itself, and the source specifies a remote host.
The ACL rules list contains default rules that allow you to use the management ACL with the RiOS features PFS, DNS caching, and RSP. These default rules allow access to certain ports required by these features. The list also includes a default rule that enables access to the CMC.

In this panel, you can add and manage a new rule, as described in the following table.

Add a New Rule - Displays the controls for adding a new rule.
Action - Select one of the following rule types from the drop-down list:
  Allow - Enables a matching packet access to the CMC. This is the default action.
  Deny - Denies access to any matching packets.
Service - Select All, HTTP, HTTPS, SOAP, SNMP, SSH, or Telnet. When specified, the Destination Port is dimmed and unavailable.
Protocol - (Appears only when Service is set to Specify Protocol.) Optionally, select All, TCP, UDP, ICMP or specify a protocol number (1, 6, 17). The default value is All. When set to All or ICMP, the Service and Destination Ports are dimmed and unavailable.
Source Network - Optionally, specify the source network of the inbound packet.
Interface - Optionally, select an interface name from the drop-down list. Select All to specify all interfaces.
Description - Optionally, describe the rule to facilitate administration.
Rule Number - Optionally, select a rule number from the drop-down list. By default, the rule goes to the end of the table (just above the default rule). Steelhead appliances evaluate rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule do not match, the system consults the next rule. For example, if the conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted.
  Note: The default rule, Allow, which enables all remaining traffic from everywhere that has not been selected by another rule, cannot be removed and is always listed last.
Log Packets - Tracks denied packets in the log. By default, packet logging is enabled.
Add - Adds the rule to the list.
Remove Selected - Select the check box next to the name and click Remove Selected.
Move Selected - Moves the selected rules. Click the arrow next to the desired rule position; the rule moves to the new position.
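The rule ordering described above (first match wins, with a non-removable Allow as the last rule) can be checked offline before a policy is pushed. The following Python sketch is an added example, not Riverbed code: the Rule fields, function names, and sample addresses are assumptions made for illustration, it handles IPv4 only, and it does not model the built-in safeguards for the default appliance ports or the CMC.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """Simplified management ACL rule (hypothetical field names, IPv4 only)."""
    action: str                  # "allow" or "deny"
    source: str = "0.0.0.0/0"    # source network of the inbound packet
    protocol: str = "all"        # "all", "tcp", "udp" or "icmp"
    port: Optional[int] = None   # destination port; None matches any port


# The built-in last rule: allow everything no earlier rule selected.
DEFAULT_RULE = Rule("allow")


def matches(rule: Rule, src_ip: str, protocol: str, port: Optional[int]) -> bool:
    """True when the inbound packet satisfies every condition of the rule."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source):
        return False
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    return rule.port is None or rule.port == port


def evaluate(rules: List[Rule], src_ip: str, protocol: str,
             port: Optional[int]) -> Tuple[str, int]:
    """Return (action, rule_number) of the first matching rule, numbered from 1."""
    for number, rule in enumerate(list(rules) + [DEFAULT_RULE], start=1):
        if matches(rule, src_ip, protocol, port):
            return rule.action, number
    raise ValueError("no rule matched (non-IPv4 source address?)")


def insert_rule(rules: List[Rule], new_rule: Rule,
                rule_number: Optional[int] = None) -> List[Rule]:
    """Insert at a 1-based rule number; None appends just above the default rule."""
    updated = list(rules)
    index = len(updated) if rule_number is None else rule_number - 1
    updated.insert(index, new_rule)
    return updated


def falls_through_to_default(rules: List[Rule], src_ip: str, protocol: str,
                             port: Optional[int]) -> bool:
    """True when only the trailing default Allow admits this packet."""
    return evaluate(rules, src_ip, protocol, port)[1] == len(rules) + 1


def would_lock_out(rules: List[Rule], new_rule: Rule, rule_number: Optional[int],
                   admin_ip: str, protocol: str = "tcp", port: int = 443) -> bool:
    """Simulate adding new_rule and report whether the admin session is denied."""
    trial = insert_rule(rules, new_rule, rule_number)
    return evaluate(trial, admin_ip, protocol, port)[0] == "deny"


# Constructed sample policy: SSH and HTTPS allowed from one admin subnet.
RULES = [
    Rule("allow", "10.1.0.0/24", "tcp", 22),
    Rule("allow", "10.1.0.0/24", "tcp", 443),
]

if __name__ == "__main__":
    outsider = "192.0.2.50"   # constructed address outside the admin subnet
    print(evaluate(RULES, outsider, "tcp", 22))
    print(falls_through_to_default(RULES, outsider, "tcp", 22))
    locked = insert_rule(RULES, Rule("deny"))
    print(evaluate(locked, outsider, "tcp", 22))
    print(would_lock_out(RULES, Rule("deny", "10.1.0.0/16"), 1, "10.1.0.7"))
```

With only Allow rules in the list, a host outside the admin subnet still reaches the default Allow; restricting management access to named hosts takes an explicit Deny placed after the Allow rules.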
Branch Services Settings

The following section describes the Branch Services feature set. This section includes the following topics:
- Caching DNS
- RSP/VSP Slots
- RSP/VSP Data Flow
- Common Branch Storage Settings
- Common VSP Settings

Caching DNS

You configure DNS caching in the Branch Services page. By default, the DNS cache is disabled. A DNS name server resolves hostnames to IP addresses and stores them locally in a single Steelhead appliance. Any time your browser requests a URL, it first looks in the local cache to see if it is there before querying the external name server. If it finds the resolved URL locally, it uses that IP address. This is a non-transparent DNS caching service. Any client machine must point to the client-side Steelhead appliance as their DNS server.

Hosting the DNS name server function provides:
- Improved performance for applications by saving the round trips previously needed to resolve names. Whenever the name server receives address information for another host or domain, it stores that information for a specified period of time. That way, if it receives another name resolution request for that host or domain, the name server has the address information ready, and does not need to send another request across the WAN.
- Improved performance for services by saving round trips previously required for updates.
- Continuous DNS service locally when the WAN is disconnected, with no local administration needed, eliminating the need for DNS servers at branch offices.

For details on DNS caching, see the Steelhead Management Console User's Guide.

The Branch Services page contains the following groups of settings:
- General Settings
- DNS Forwarding Name Servers
- Advanced Cache
- Advanced Name Servers
General Settings

In this panel, you can enable and define the general settings, as described in the following table.

Enable Caching DNS -
  Enabled - Forwards name resolution requests to a DNS name server, then stores the address information locally in the CMC. By default, the requests go to the root name server, unless you specify another name server.
  Disabled - Stops the CMC from acting as the DNS name server.
DNS Cache Size (bytes) - Specifies the cache size, in bytes. The default value is The range is from to
Primary Interface Responding to DNS Requests -
  Enabled - Enables the name server to listen for name resolution requests on the primary interface.
  Disabled - Stops the name server from using the primary interface.
Aux Interface Responding to DNS Requests -
  Enabled - Enables the name server to listen for name resolution requests on the auxiliary interface.
  Disabled - Stops the name server from using the auxiliary interface.
Apply - Applies the settings to the current configuration.

DNS Forwarding Name Servers

In this panel, you can add new DNS forwarding name servers, as described in the following table.

Add a New DNS Server Name - Displays the controls to add a DNS name server to which the CMC forwards requests to cache responses. By default, the CMC only forwards requests to the Internet root name servers when you enable caching DNS without specifying any name servers to forward requests to. You can add multiple name servers to use; the CMC uses failover to these if one name server is not responding.
Name Server IP Address - Specify an IP address for the name server.
Position - Specify the order in which the name servers are queried (when using more than one). If the first name server, or forwarder, does not respond, the Steelhead appliance queries each remaining forwarder in sequence until it receives an answer or until it exhausts the list.
Add - Adds the name server.
Advanced Cache

In this panel, you can edit the advanced cache, as described in the following table.

Caching of Forwarded Responses - Enables the cache. The cache is enabled by default; however nothing is actually cached until you select the General Setting Enable Caching DNS.
Maximum Cache Time (seconds) - Specify the maximum number of seconds the name server stores the address information. The default setting is one week (604,800 seconds). The minimum is 2 seconds and the maximum is thirty days (2,592,000 seconds). You can adjust this setting to reflect how long the cached addresses remain up-to-date and valid.
  Note: Changes to this setting affect new address information and do not change responses already in the cache.
Minimum Cache Time (seconds) - Specify the minimum number of seconds that the name server stores the address entries. The default value is 0. The maximum value is the current value of Maximum Cache Time. Typically there is no need to adjust this setting.
  Note: Changes to this setting affect new responses and do not change any responses already in the cache.
Neg DNS Maximum Cache Time (seconds) - Specify the maximum number of seconds that an unresolved negative address is cached. The valid range is from two seconds to thirty days (2,592,000 seconds). The default value is 10,800 seconds. A negative entry occurs when a DNS request fails and the address remains unresolved. When a negative entry is in the cache, the appliance does not request it again until the cache expires, the maximum cache time is reached, or the cache is cleared.
Neg DNS Minimum Cache Time (seconds) - Specify the TTL for a negative entry, which is always this value or above, even if the server returns a smaller TTL value. For example, when this value is set to 300 seconds and the client queries aksdfjh.com, the DNS service returns a negative answer with a TTL of 100 seconds, but the DNS cache stores the entry as having a TTL of 300 seconds. The default value is 0, which specifies that the Steelhead appliance still caches negative responses; it does not place a lower bound on what the TTL value for the entry can be.
Freeze Cache - Freezes the cache contents. When the cache is frozen, entries do not automatically expire from the cache. They are still returned in response to DNS queries. This is useful to keep local services available when the WAN is disconnected. By default, this setting is disabled.
  Note: When the cache is frozen and full, entries can still be pushed out of the cache by newer entries.
Minimum TTL of a Frozen Entry (seconds) - Specify the minimum TTL in seconds that a response from a frozen cache has when sent to a branch office client. The default value is 10. For example, suppose this value is set to 60 seconds. At the time the cache is frozen, the cache entry for riverbed.com has a TTL of 300 seconds. For subsequent client requests for riverbed.com, the service responds with a TTL of 300 seconds minus however much time has lapsed since the cache freeze. After 240 seconds have elapsed, the service responds to all subsequent requests with a TTL of 60 seconds regardless of how much time elapses, until the cache is unfrozen.
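The cache-time bounds and the frozen-cache behavior described in this table interact, and it helps to see how long a stale or negative answer can keep being served. The following Python model is an added example, not Riverbed code: the class and method names are hypothetical, time is passed in explicitly as seconds, clamping positive answers between Minimum and Maximum Cache Time is an assumed reading of those two settings, and dropping already-expired entries at freeze time is also an assumption. The address 192.0.2.10 is a constructed sample value.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Entry:
    answer: Optional[str]   # resolved address, or None for a negative entry
    ttl: int                # TTL assigned at store time, after clamping
    stored_at: int          # time the entry was stored, in seconds


class DnsCacheModel:
    """Toy model of the Advanced Cache settings (defaults taken from the table)."""

    def __init__(self, max_ttl: int = 604800, min_ttl: int = 0,
                 neg_max_ttl: int = 10800, neg_min_ttl: int = 0,
                 frozen_min_ttl: int = 10) -> None:
        self.max_ttl, self.min_ttl = max_ttl, min_ttl
        self.neg_max_ttl, self.neg_min_ttl = neg_max_ttl, neg_min_ttl
        self.frozen_min_ttl = frozen_min_ttl
        self.frozen = False
        self.entries: Dict[str, Entry] = {}

    def store(self, name: str, answer: Optional[str], server_ttl: int,
              now: int) -> int:
        """Cache a forwarded response and return the TTL actually stored."""
        if answer is None:   # negative entry: the lookup failed upstream
            low, high = self.neg_min_ttl, self.neg_max_ttl
        else:
            low, high = self.min_ttl, self.max_ttl
        ttl = max(low, min(server_ttl, high))
        self.entries[name] = Entry(answer, ttl, now)
        return ttl

    def _remaining(self, entry: Entry, now: int) -> int:
        return entry.ttl - (now - entry.stored_at)

    def freeze(self, now: int) -> None:
        """Stop expiry; entries already expired at freeze time are dropped first."""
        expired = [n for n, e in self.entries.items()
                   if self._remaining(e, now) <= 0]
        for name in expired:
            del self.entries[name]
        self.frozen = True

    def unfreeze(self) -> None:
        self.frozen = False

    def lookup(self, name: str, now: int) -> Optional[Tuple[Optional[str], int]]:
        """Return (answer, ttl_sent_to_client), or None on a miss or expiry."""
        entry = self.entries.get(name)
        if entry is None:
            return None
        remaining = self._remaining(entry, now)
        if self.frozen:
            # Frozen entries never expire; the TTL sent to clients counts down
            # but is held at the configured floor.
            return entry.answer, max(remaining, self.frozen_min_ttl)
        if remaining <= 0:
            del self.entries[name]
            return None
        return entry.answer, remaining


if __name__ == "__main__":
    cache = DnsCacheModel(neg_min_ttl=300, frozen_min_ttl=60)
    print(cache.store("aksdfjh.com", None, 100, now=0))   # negative TTL floor
    cache.store("riverbed.com", "192.0.2.10", 300, now=0)
    cache.freeze(now=0)
    for t in (100, 240, 5000):
        print(t, cache.lookup("riverbed.com", now=t))
```

While the cache is frozen the model keeps returning the riverbed.com answer long after its original TTL has passed, which is the intended availability trade-off; after unfreezing, the same entry expires on the next lookup.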
Advanced Name Servers

In this panel, you can edit advanced name servers, as described in the following table.

For Unresponsive Name Servers - Detects when one of the name servers is not responding and sends requests to a responsive name server instead.
Forwarder Down After (seconds) - Specify how many seconds can pass without a response from a name server until the appliance considers it unresponsive. The default value is 120. When the name server receives a request but does not respond within this time and does not respond after the specified number of failed requests, the appliance determines that it is down. It then queries each remaining forwarder in sequence until it receives an answer or it exhausts the list. When the list is exhausted and the request is still unresolved, you can specify that the Steelhead appliance try the root name server.
Forwarder Down After (requests) - Specify how many requests a name server can ignore before the appliance considers it unresponsive. The default value is 30. When the name server does not respond to this many requests and does not respond within the specified amount of time, the appliance determines that it is down. It then queries each remaining forwarder in sequence until it receives an answer or it exhausts the list. When the list is exhausted and the request is still unresolved, you can specify that the Steelhead appliance try the root name server.
Retry Forwarder After (seconds) - Specify the time limit, in seconds, that the appliance forwards the name resolution requests to name servers that are responding instead of name servers that are down. The appliance also sends a single query to name servers that are down using this time period. If they respond, the appliance considers them back up again. The default value is 300. The single query occurs at intervals of this value: if the value is set to 300, a request is allowed to go to a forwarder considered down about every 300 seconds until it responds to one.
Fallback to Root Name Servers - Forwards the request to a root name server when all other name servers have not responded to a request. This is the default setting; either this option must be enabled or a server must be present. When the fallback to root name servers option is disabled, the Steelhead appliance only forwards a request to the forwarding name servers listed above. If it exhausts these name servers and does not get a response, it does not forward the request to a root name server and returns a server failure.
  Note: If the name servers used by the Steelhead appliance are internal name servers; that is, they can resolve hostnames that external name servers like the Internet DNS root servers cannot, you must disable this option. Otherwise, if the name servers all fail, the root name servers might inform the Steelhead appliance that a host visible only to internal name servers does not exist, and the appliance might cache that response and return it to clients until it expires. This prolongs the period of time until service comes back up after name servers are down.
Apply - Applies the changes.

RSP/VSP Slots

You configure RSP/VSP slots in the RSP/VSP Slots page. You can install one package per slot. By default, the RSP slots are numbered 1 to 5. However, Riverbed recommends changing slot names to meaningful, descriptive terms because RSP-enabled Steelhead appliances might be remotely configured by the Central Management Console (CMC). Meaningful names reduce the potential for confusion. Riverbed also recommends you give slots with identical VMs identical names to facilitate batch management.
When you install an RSP package you must select an RSP slot. A slot is a directory on disk. When you install a package into a slot, the system unpacks the VM into the directory. When you uninstall a VM from a slot, the system removes the VM and deletes the files from the slot. For details about creating an RSP package for a Windows Server, see the RSP Package Creation Guide. For details on RSP/VSP Slots, see the Steelhead Appliance Deployment Guide. The slot names and installed packages should match the configuration of the Steelheads that are affected by this policy.

In this panel, you can configure RSP/VSP slots, as described in the following table.

Enable VM Consoles - Enables the VM consoles.

Slot Name - Select the slot to display the slot name. Optionally, type a unique descriptive name for the slot (up to eight characters). Note: The slot must be empty before you can change its name. Note: Once a slot is occupied, it cannot be renamed. The slot names and installed packages should match the configuration of the Steelhead appliances that are affected by this policy. Optionally, type a description of the slot.

Rename Slot - Renames the slot.

Package - Select the package name from the drop-down list.

Configure Slot - Configures the slot.

RSP/VSP Data Flow

You configure RSP/VSP data flow in the RSP/VSP Data Flow page. For details on RSP/VSP data flow, see the Steelhead Management Console User's Guide.

In this panel, you can edit RSP/VSP data flow settings.

Select interface to configure - Select an in-path interface from the drop-down list.

Add a VNI - Displays the controls to add a VNI.

Data Flow Position - Select one of the following from the drop-down list.
  start - Locates the VNI next to the LAN. A packet coming from the Steelhead appliance LAN interface goes to this VNI first.
  end - Locates the VNI next to the WAN. A packet coming from the Steelhead appliance WAN interface goes to this VNI first.
  order number - Specifies the VNI order number. A lower number locates the VNI closer to the LAN. A higher number locates the VNI closer to the WAN.

Add - Adds the VNI to the data flow.
Remove Selected VNIs - Select the check box next to the name and click Remove Selected VNIs.

Move Selected VNIs - Moves the selected VNIs. Click the arrow next to the desired VNI position; the VNI moves to the new position.

Common Branch Storage Settings

You configure common branch storage settings in the Common Branch Storage Settings page. For details on common branch storage settings, see the Steelhead Management Console User's Guide.

In this panel, you can edit common branch storage settings.

Alternate IP: Port, separate multiple by , - Specify the alternate IP. Separate ports with a comma.

Local Interfaces - Select the local interface from the list.

Local Interfaces for MPIO - Select the local interface for MPIO from the list.

Version Incompatibilities for Common Branch Storage Settings

Common Branch Storage Settings is incompatible with:
  Steelhead EX appliance v1.0.x - is not configurable.

Common VSP Settings

You configure common VSP settings in the Common VSP Settings page. For details on common VSP settings, see the Steelhead Management Console User's Guide.

In this panel, you can edit common VSP settings.

ESXi License
  Override Default License - Select this option to override the default license.
  License Key - Specify the license key.

Push Settings
  Push RiOS NTP Settings to ESXi - Select this option to push RiOS NTP settings to ESXi.

VNC Settings
  Enable VNC - Select this option to enable VNC.
  Port - Specify the port.
  Password - Specify the password.
  Password Confirm - Confirm the password.

Password Settings
  ESXi Password - Specify the ESXi password.
  ESXi Password Confirm - Confirm the ESXi password.

Version Incompatibilities for Common VSP Settings

Common VSP settings is incompatible with:
  Steelhead EX appliance v1.0.x - is not configurable.
APPENDIX B Riverbed System Ports

This appendix provides a reference to ports used by the system. This section includes the following topics:

Default Ports
Commonly Excluded Ports
Interactive Ports Forwarded by the Steelhead Appliance
Secure Ports Forwarded by the Steelhead Appliance

Default Ports

The following table summarizes Steelhead appliance default ports with the port label: RBT-Proto.

Port    Description
7744    RiOS data store synchronization port
        In-path port for appliance to appliance connections
        Network Address Translation (NAT) port
        Out-of-path server port
        Failover port for redundant appliances
        Connection forwarding (neighbor) port
        Interceptor appliance
        Steelhead Mobile Controller

Note: Because optimization between Steelhead appliances typically takes place over a secure WAN, it is not necessary to configure company firewalls to support Steelhead specific ports. If there are one or more firewalls between two Steelhead appliances, ports 7800 and 7810 must be passed through firewall devices located between the pair of Steelhead appliances. Also, SYN and SYN/ACK packets with the TCP option 76 must be passed through firewalls for auto-discovery to function properly. For the CMC, port 22 must be passed through for the firewall to function properly.
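To confirm that a firewall between two appliances passes TCP option 76 as the note above requires, the same SYN can be captured on both sides of the firewall and its option list compared. The following Python is an added example, not Riverbed code: the function names are hypothetical, the option 76 payload is a zero-filled placeholder, and the sample segments are constructed (the WAN-side sample assumes the firewall overwrote the option with NOP bytes).

```python
import struct

RBT_PROBE_KIND = 76      # TCP option number named in the firewall note above
FLAG_SYN = 0x02
FLAG_ACK = 0x10


def parse_tcp(segment):
    """Return (flags, [(kind, data), ...]) for one raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (off_flags,) = struct.unpack("!H", segment[12:14])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    raw, options, i = segment[20:header_len], [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                  # End of Option List
            break
        if kind == 1:                  # No-Operation, a single byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option %d has no length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option %d has bad length %d" % (kind, length))
        options.append((kind, raw[i + 2:i + length]))
        i += length
    return off_flags & 0x01FF, options


def carries_probe(segment):
    """True for a SYN or SYN/ACK whose option list includes option 76."""
    flags, options = parse_tcp(segment)
    return bool(flags & FLAG_SYN) and any(k == RBT_PROBE_KIND for k, _ in options)


def check_path(lan_side, wan_side):
    """Compare the same SYN captured before and after the firewall."""
    before, after = carries_probe(lan_side), carries_probe(wan_side)
    if before and after:
        return "passed"
    if before:
        return "stripped"      # option 76 was removed or overwritten in transit
    return "no-probe"          # nothing to judge: the LAN-side SYN had no option 76


def build_segment(flags, options):
    """Constructed test input: a TCP header with the given flags and options."""
    options += b"\x00" * (-len(options) % 4)        # pad to a 32-bit boundary
    offset_words = (20 + len(options)) // 4
    return struct.pack("!HHIIHHHH", 40000, 445, 1000, 0,
                       (offset_words << 12) | flags, 65535, 0, 0) + options


MSS = bytes([2, 4, 0x05, 0xB4])                     # standard MSS option, 1460
PROBE = bytes([RBT_PROBE_KIND, 10]) + bytes(8)      # placeholder payload (constructed)

SYN_LAN = build_segment(FLAG_SYN, MSS + PROBE)
SYN_WAN_INTACT = SYN_LAN
SYN_WAN_STRIPPED = build_segment(FLAG_SYN, MSS + b"\x01" * len(PROBE))

if __name__ == "__main__":
    print(check_path(SYN_LAN, SYN_WAN_INTACT))      # passed
    print(check_path(SYN_LAN, SYN_WAN_STRIPPED))    # stripped
```

A result of "stripped" points at an option-clearing rule on the firewall rather than at the port filters for 7800 and 7810.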
Commonly Excluded Ports

This section summarizes the ports that are commonly excluded from optimization in the Steelhead appliance. If you have multiple ports that you want to exclude, create a port label and list the ports.

Application                      Ports
PolyComm (video conferencing)    1503, , , 5060
Cisco IPTel                      2000

Interactive Ports Forwarded by the Steelhead Appliance

A default in-path rule with the port label Interactive is automatically created in your system. This in-path rule automatically passes through traffic on interactive ports (for example, Telnet, TCP ECHO, remote logging, and shell).

Tip: If you do not want to automatically forward these ports, simply delete the Interactive rule in the Central Management Console.

The following table lists the interactive ports that are automatically forwarded by the Steelhead appliance.

Port    Description
7       TCP ECHO
23      Telnet
37      UDP/Time
107     Remote Telnet Service
179     Border Gateway Protocol
513     Remote Login
514     Shell
1494    Citrix
        h323gatedisc
        Cisco SCCp
2427    Media Gateway Protocol Gateway
2598    Citrix
2727    Media Gateway Protocol Call Agent
3389    MS WBT Server, TS/Remote Desktop
5060    SIP
5631    PC Anywhere
        VNC
6000    X11

Secure Ports Forwarded by the Steelhead Appliance

A default in-path rule with the port label Secure is automatically created in your system. This in-path rule automatically passes through traffic on commonly secure ports (for example, SSH, HTTPS, and SMTPS).

Tip: If you do not want to automatically forward these ports, simply delete the Secure rule in the Central Management Console.

The following table lists the common secure ports that are automatically forwarded by the Steelhead appliance.

Type         Port        Description
ssh          22/tcp      SSH Remote Login Protocol
tacacs       49/tcp      TACACS+
https        443/tcp     http protocol over TLS/SSL
smtps        465/tcp     SMTP over SSL (TLS)
nntps        563/tcp     nntp protocol over TLS/SSL (was snntp)
imap4-ssl    585/tcp     IMAP4+SSL (use 993 instead)
sshell       614/tcp     SSLshell
ldaps        636/tcp     ldap protocol over TLS/SSL (was sldap)
ftps-data    989/tcp     ftp protocol, data, over TLS/SSL
ftps         990/tcp     ftp protocol, control, over TLS/SSL
telnets      992/tcp     Telnet protocol over TLS/SSL
imaps        993/tcp     imap4 protocol over TLS/SSL
pop3s        995/tcp     pop3 protocol over TLS/SSL (was spop3)
l2tp         1701/tcp    l2tp
pptp         1723/tcp    pptp
tftps        3713/tcp    TFTP over TLS
The following table contains the uncommon ports automatically forwarded by the Steelhead appliance.

Type              Port         Description
nsiiops           261/tcp      IIOP Name Service over TLS/SSL
ddm-ssl           448/tcp      DDM-Remote DB Access Using Secure Sockets
corba-iiop-ssl    684/tcp      CORBA IIOP SSL
ieee-mms-ssl      695/tcp      IEEE-MMS-SSL
ircs              994/tcp      irc protocol over TLS/SSL
njenet-ssl        2252/tcp     NJENET using SSL
ssm-cssps         2478/tcp     SecurSight Authentication Server (SSL)
ssm-els           2479/tcp     SecurSight Event Logging Server (SSL)
giop-ssl          2482/tcp     Oracle GIOP SSL
ttc-ssl           2484/tcp     Oracle TTC SSL
groove            2492         GROOVE
syncserverssl     2679/tcp     Sync Server SSL
dicom-tls         2762/tcp     DICOM TLS
realsecure        2998/tcp     Real Secure
orbix-loc-ssl     3077/tcp     Orbix 2000 Locator SSL
orbix-cfg-ssl     3078/tcp     Orbix 2000 Locator SSL
cops-tls          3183/tcp     COPS/TLS
csvr-sslproxy     3191/tcp     ConServR SSL Proxy
xnm-ssl           3220/tcp     XML NM over SSL
msft-gc-ssl       3269/tcp     Microsoft Global Catalog with LDAP/SSL
networklenss      3410/tcp     NetworkLens SSL Event
xtrms             3424/tcp     xtrade over TLS/SSL
jt400-ssl         3471/tcp     jt400-ssl
seclayer-tls      3496/tcp     securitylayer over tls
vt-ssl            3509/tcp     Virtual Token SSL Port
jboss-iiop-ssl    3529/tcp     JBoss IIOP/SSL
ibm-diradm-ssl    3539/tcp     IBM Directory Server SSL
can-nds-ssl       3660/tcp     Candle Directory Services using SSL
can-ferret-ssl    3661/tcp     Candle Directory Services using SSL
linktest-s        3747/tcp     LXPRO.COM LinkTest SSL
asap-tcp-tls      3864/tcp     asap/tls tcp port
topflow-ssl       3885/tcp     TopFlow SSL
sdo-tls           3896/tcp     Simple Distributed Objects over TLS
sdo-ssh           3897/tcp     Simple Distributed Objects over SSH
iss-mgmt-ssl      3995/tcp     ISS Management Svcs SSL
suucp             4031/tcp     UUCP over SSL
wsm-server-ssl    5007/tcp     wsm server ssl
sip-tls           5061/tcp     SIP-TLS
imqtunnels        7674/tcp     imq SSL tunnel
davsrcs           9802/tcp     WebDAV Source TLS/SSL
intrepid-ssl      11751/tcp    Intrepid SSL
rets-ssl          12109/tcp    RETS over SSL
APPENDIX C CMC Management Information Base (MIB)

This appendix describes the appliance Management Information Base (MIB). The MIB monitors device status, peers, and provides network statistics for seamless integration into network management systems such as Hewlett Packard OpenView Network Node Manager, PRTG, and other SNMP browser tools. For details on configuring and using these network monitoring tools, consult the vendor documentation.

This Appendix provides the following references:

Accessing MIB Files
SNMP Traps

Accessing MIB Files

The following guidelines describe how to download and access the MIB:

You can download the MIB file from the CMC Support page.

You can load the MIB file into any MIB browser utility.

Some utilities might expect a file type other than a text file. If this occurs, change the file type to the one expected.

Some utilities assume that the root is mib-2 by default. If the utility sees a new node, such as enterprises, it might look under mib-2.enterprises. If this occurs, use .iso.org.dod.internet.private.enterprises.rbt as the root.

Some command-line browsers might not load all MIB files by default. If this occurs, find the appropriate command option to load the RBT-mib.txt file. For example, for NET-SNMP browsers: snmpwalk -m all
SNMP Traps

Alarms fire for their event only. If a service alarm is fired indicating that the service has halted, no alarm is fired when the service returns to normal operation.

The following table summarizes the SNMP traps sent out from the system to configured trap receivers.

proccrash (enterprises.rbt.products.cmc )
Text: A proccrash trap signifies that a process managed by PM has crashed and left a core file. The variable sent with the notification indicates which process crashed.
Description: A process has crashed and subsequently been restarted by the system. The trap contains the name of the process that crashed. A system snapshot associated with this crash has been created on the appliance and is accessible via the CLI or the Central Management Console. Riverbed Support might need this information to determine the cause of the crash. No other action is required on the appliance as the crashed process is automatically restarted.

procexit (enterprises.rbt.products.cmc )
Text: A procexit trap signifies that a process managed by PM has exited unexpectedly, but not left a core file. The variable sent with the notification indicates which process exited.
Description: A process has unexpectedly exited and been restarted by the system. The trap contains the name of the process. The process might have exited on its own or due to other process failures on the appliance. Review the release notes for known issues related to this process exit. If none exist, contact Riverbed Support to determine the cause of this event. No other action is required on the appliance as the crashed process is automatically restarted.

cpuutil (enterprises.rbt.products.cmc )
Text: The average CPU utilization in the past minute has gone above the acceptable threshold.
Description: Average CPU utilization has exceeded an acceptable threshold. If CPU utilization spikes are frequent, it can be because the system is undersized. Sustained CPU load can be symptomatic of more serious issues. Consult the CPU Utilization report to gauge how long the system has been loaded and also monitor the amount of traffic currently going through the appliance. A one-time spike in CPU is normal but extended high CPU utilization should be reported to Riverbed Support. No other action is necessary as the alarm clears on its own.

pagingactivity (enterprises.rbt.products.cmc )
Text: The system has been paging excessively (thrashing).
Description: The system is running low on memory and has begun swapping memory pages to disk. This event can be triggered during a software upgrade while the optimization service is still running but there can be other causes which should be monitored or diagnosed. Should this event be triggered at any other time, generate a debug sysdump and send it to Riverbed Support. No other action is required as the alarm clears on its own.

confmodeenter (enterprises.rbt.products.cmc )
Text: A user has entered configuration mode.
Description: A user on the system has entered a configuration mode from either the CLI or Central Management Console. A log in to the Central Management Console by user admin sends this trap as well. This is for notification purposes only; no other action is necessary.
confmodeexit (enterprises.rbt.products.cmc )
Text: A user has exited configuration mode.
Description: A user on the system has exited configuration mode from either the CLI or Central Management Console. A log out of the Central Management Console by user admin sends this trap as well. This is for notification purposes only; no other action is necessary.

powersupplyerror (enterprises.rbt.products.cmc )
Text: A power supply on the appliance has failed (not supported on all models).
Description: A power supply on the appliance has failed (not supported on all models).

fanerror (enterprises.rbt.products.cmc )
Text: A fan has failed on this appliance (not supported on all models).
Description: A fan has failed on this appliance (not supported on all models).

memoryerror (enterprises.rbt.products.cmc )
Text: A memory error has been detected on the appliance (not supported on all models).
Description: A memory error has been detected on the appliance (not supported on all models).

ipmi (enterprises.rbt.products.cmc )
Text: An IPMI event has been detected on the appliance. Check the details in the alarm report on the Web UI (not supported on all models).
Description: An IPMI event has been detected on the appliance. Check the details in the alarm report on the Web UI (not supported on all models).

configchange (enterprises.rbt.products.cmc )
Text: A change has been made to the system's configuration.
Description: A change has been made to the system's configuration.

temperaturewarning (enterprises.rbt.products.cmc )
Text: The system temperature has exceeded the threshold.
Description: The system temperature has exceeded the threshold.

temperaturecritical (enterprises.rbt.products.cmc )
Text: The system temperature has reached a critical stage.
Description: The system temperature has reached a critical stage.

extbackupfailed (enterprises.rbt.products.cmc )
Text: The external backup or restore has failed.
Description: The external backup or restore has failed.

apphealthnotif (enterprises.rbt.products.cmc )
Text: An apphealthnotif trap signifies that an appliance managed by the CMC has changed health state. The variables sent with the notification indicate the serial number of the appliance, the display address, and the health state that it is in.
Description: An apphealthnotif trap signifies that an appliance managed by the CMC has changed health state. The variables sent with the notification indicate the serial number of the appliance, the display address, and the health state that it is in.
appconnnotif (enterprises.rbt.products.cmc )
Text: An appconnnotif trap signifies that an appliance managed by the CMC has changed connection state. The variables sent with the notification indicate the serial number of the appliance, the display address, and the new connection status it is in.
Description: An appconnnotif trap signifies that an appliance managed by the CMC has changed connection state. The variables sent with the notification indicate the serial number of the appliance, the display address, and the new connection status it is in.

appbackupsuccess (enterprises.rbt.products.cmc )
Text: An appbackupsuccess trap signifies that an appliance managed by the CMC has successfully completed a backup. The variables sent with the notification indicate the appliance serial number, the display address, and the time of the backup.
Description: An appbackupsuccess trap signifies that an appliance managed by the CMC has successfully completed a backup. The variables sent with the notification indicate the appliance serial number, the display address, and the time of the backup.

appbackupfailure (enterprises.rbt.products.cmc )
Text: An appbackupfailure trap signifies that an appliance managed by the CMC has failed a backup. The variables sent with the notification indicate the appliance serial number, the display address, and the time of the backup.
Description: An appbackupfailure trap signifies that an appliance managed by the CMC has failed a backup. The variables sent with the notification indicate the appliance serial number, the display address, and the time of the backup.

underprovisionedvm (enterprises.rbt.products.cmc )
Text: VM has too little storage or CPU.
Description: VM has too little storage or CPU.

autoconnectfailed (enterprises.rbt.products.cmc )
Text: SH could not autoconnect due to license depletion.
Description: Steelhead could not autoconnect due to license depletion.

licensefailureregimechange (enterprises.rbt.products.cmc )
Text: Licensing status has changed.
Description: Licensing status has changed.

certsexpiring (enterprises.rbt.products.cmc )
Text: Some SSL certificates may be expiring.
Description: The service has detected some SSL certificates used for Network Administration Access to the Steelhead appliance that are close to their expiration dates. The alarm clears when the x.509 certificates are updated.

fsmntbytes (enterprises.rbt.products.cmc )
Text: System disk full.
Description: System disk is full.

linkstate (enterprises.rbt.products.cmc )
Text: Network interface link errors.
Description: Network interface link errors.
raiderror (enterprises.rbt.products.cmc )
Text: An error has been generated by the RAID array.
Description: A drive has failed in a RAID array. Consult the CLI or Management Console to determine the location of the failed drive. Contact Riverbed Support for assistance with installing a new drive, a RAID rebuild, or drive reseating. The appliance continues to optimize during this event. After the error is corrected, the alarm clears automatically. Note: Applicable to models 3010, 3510, 3020, 3520, 5010, 5520, 6020, and 6120 only.

traptest (enterprises.rbt.products.cmc )
Text: Trap test.
Description: An SNMP trap test has occurred on the Steelhead appliance. This message is informational and no action is necessary.

configsave (enterprises.rbt.products.cmc )
Text: The current appliance configuration has been saved.
Description: A configuration has been saved either by entering the write mem CLI command or by clicking Save in the Central Management Console. This message is for security notification purposes only; no other action is necessary.

tcpdumpstarted (enterprises.rbt.products.cmc )
Text: A TCP Dump has been started.
Description: A user has started a TCP dump on the Steelhead appliance by entering a tcpdump or tcpdump-x command from the CLI. This message is for security notification purposes only; no other action is necessary.

tcpdumpscheduled (enterprises.rbt.products.cmc )
Text: A TCP Dump has been scheduled.
Description: A user has started a TCP dump on the Steelhead appliance by entering a tcpdump or tcpdump-x command with a scheduled start time from the CLI. This message is for security notification purposes only; no other action is necessary.

newusercreated (enterprises.rbt.products.cmc )
Text: A new user has been created.
Description: A new Role-Based Management user has been created using the CLI or the Central Management Console. This message is for security notification purposes only; no other action is necessary.

cliuserlogin (enterprises.rbt.products.cmc )
Text: A user has just logged-in via CLI.
Description: A user has logged in to the Steelhead appliance using the command-line interface. This message is for security notification purposes only; no other action is necessary.

cliuserlogout (enterprises.rbt.products.cmc )
Text: A CLI user has just logged-out.
Description: A user has logged out of the Steelhead appliance using the command-line interface using the Quit command or ^D. This message is for security notification purposes only; no other action is necessary.
webuserlogin (enterprises.rbt.products.cmc )
Text: A user has just logged-in via the Web UI.
Description: A user has logged in to the Steelhead appliance using the Central Management Console. This message is for security notification purposes only; no other action is necessary.

webuserlogout (enterprises.rbt.products.cmc )
Text: A user has just logged-out via the Web UI.
Description: A user has logged out of the Steelhead appliance using the Central Management Console. This message is for security notification purposes only; no other action is necessary.

applianceconfigchange (enterprises.rbt.products.cmc )
Text: Appliance configuration has been changed.
Description: A change has been made to the system configuration. A configuration change has been detected. Check the log files around the time of this trap to determine what changes were made and whether they were authorized.

cpuutilclear (enterprises.rbt.products.cmc )
Text: The average CPU utilization has fallen back within the acceptable threshold.
Description: The average CPU utilization has fallen back within the acceptable threshold.

pagingactivityclear (enterprises.rbt.products.cmc )
Text: The system has stopped paging excessively (thrashing).
Description: The system has stopped paging excessively (thrashing).

powersupplyerrorclear (enterprises.rbt.products.cmc )
Text: All power supplies are now functioning normally (not supported on all models).
Description: All power supplies are now functioning normally (not supported on all models).

fanerrorclear (enterprises.rbt.products.cmc )
Text: All system fans are now functioning normally (not supported on all models).
Description: All system fans are now functioning normally (not supported on all models).

memoryerrorclear (enterprises.rbt.products.cmc )
Text: A memory error has been rectified on the appliance (not supported on all models).
Description: A memory error has been rectified on the appliance (not supported on all models).

ipmiclear (enterprises.rbt.products.cmc )
Text: An IPMI event has been rectified on the appliance (not supported on all models).
Description: An IPMI event has been rectified on the appliance (not supported on all models).

temperaturenormal (enterprises.rbt.products.cmc )
Text: The system temperature is back within the threshold.
Description: The system temperature is back within the threshold.

temperaturenoncritical (enterprises.rbt.products.cmc l.1013)
Text: The system temperature is no longer in a critical stage.
Description: The system temperature is no longer in a critical stage.

extbackupfailedclear (enterprises.rbt.products.cmc )
Text: The external backup or restore failure has been addressed.
Description: The external backup or restore failure has been addressed.

underprovisionedvmclear (enterprises.rbt.products.cmc )
Text: VM storage and memory are now adequate.
Description: VM storage and memory are now adequate.
certsexpiringclear (enterprises.rbt.products.cmc )
Text: SSL certificates no longer expiring.
Description: SSL certificates no longer expiring.

fsmntbytesclear (enterprises.rbt.products.cmc )
Text: System disk no longer full.
Description: System disk no longer full.

linkstateclear (enterprises.rbt.products.cmc )
Text: Interface has regained link.
Description: Interface has regained link.

raiderrorclear (enterprises.rbt.products.cmc )
Text: RAID ok now.
Description: The RAID is working.

applianceconfigchangeclear (enterprises.rbt.products.cmc )
Text: Successfully pushed policy or restored configuration.
Description: Successfully pushed the policy or restored the configuration.
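On a trap receiver, the trap table above can be turned into two working lists: alarms that were raised and not yet cleared, and change-type security notifications that arrived while no login trap was open for the same sender. The following Python is an added example, not part of the Riverbed MIB or product: the "timestamp sender trap-name" line format and the sample lines are constructed, the alarm-to-clear pairing (including temperaturewarning with temperaturenormal and temperaturecritical with temperaturenoncritical) is read from the Text column as an assumption, and the no-open-session check is a triage heuristic of this example.

```python
from collections import defaultdict

# Alarm trap -> trap that clears it, using the names as spelled in the table
# above. Incoming names are lower-cased before matching.
CLEARED_BY = {
    "cpuutil": "cpuutilclear",
    "pagingactivity": "pagingactivityclear",
    "powersupplyerror": "powersupplyerrorclear",
    "fanerror": "fanerrorclear",
    "memoryerror": "memoryerrorclear",
    "ipmi": "ipmiclear",
    "temperaturewarning": "temperaturenormal",
    "temperaturecritical": "temperaturenoncritical",
    "extbackupfailed": "extbackupfailedclear",
    "underprovisionedvm": "underprovisionedvmclear",
    "certsexpiring": "certsexpiringclear",
    "fsmntbytes": "fsmntbytesclear",
    "linkstate": "linkstateclear",
    "raiderror": "raiderrorclear",
    "applianceconfigchange": "applianceconfigchangeclear",
}
RAISED_BY = {clear: alarm for alarm, clear in CLEARED_BY.items()}

LOGIN = {"cliuserlogin", "webuserlogin"}
LOGOUT = {"cliuserlogout", "webuserlogout"}
# Traps the table describes as security notifications about a change or capture.
CHANGE = {"configchange", "configsave", "newusercreated",
          "tcpdumpstarted", "tcpdumpscheduled"}


def triage(lines):
    """Return (open_alarms, unattended) for 'timestamp sender trap' lines.

    open_alarms: {(sender, alarm): timestamp of the first uncleared raise}
    unattended:  [(timestamp, sender, trap)] change traps seen while no login
                 trap from that sender was outstanding
    """
    open_alarms = {}
    sessions = defaultdict(int)      # sender -> logins not yet matched by a logout
    unattended = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:          # skip anything that is not a trap record
            continue
        stamp, sender, name = parts[0], parts[1], parts[2].lower()
        if name in CLEARED_BY:
            open_alarms.setdefault((sender, name), stamp)
        elif name in RAISED_BY:
            open_alarms.pop((sender, RAISED_BY[name]), None)
        elif name in LOGIN:
            sessions[sender] += 1
        elif name in LOGOUT:
            sessions[sender] = max(0, sessions[sender] - 1)
        elif name in CHANGE and sessions[sender] == 0:
            unattended.append((stamp, sender, name))
    return open_alarms, unattended


# Constructed sample input; senders and timestamps are illustrative only.
SAMPLE_TRAPS = """\
2012-12-01T10:00:00 cmc-a cpuutil
2012-12-01T10:05:00 cmc-a cpuutilclear
2012-12-01T10:06:00 cmc-a temperaturecritical
2012-12-01T10:07:00 cmc-a cliuserlogin
2012-12-01T10:08:00 cmc-a tcpdumpstarted
2012-12-01T10:09:00 cmc-a cliuserlogout
2012-12-01T10:30:00 cmc-b newusercreated
2012-12-01T10:31:00 cmc-b fsmntbytes
2012-12-01T10:40:00 cmc-a temperaturenormal
""".splitlines()

if __name__ == "__main__":
    alarms, changes = triage(SAMPLE_TRAPS)
    for (sender, alarm), stamp in sorted(alarms.items()):
        print("open alarm:", sender, alarm, "since", stamp)
    for stamp, sender, name in changes:
        print("review:", stamp, sender, name, "(no login trap outstanding)")
```

In the sample, temperaturenormal does not close temperaturecritical, so that alarm stays open, and the newusercreated trap from cmc-b is the one queued for review against the logs.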
Virtual Web Appliance Setup Guide
Virtual Web Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance This guide describes the procedures for installing a Virtual Web Appliance. If you are installing
Basic System Administration ESX Server 3.0.1 and Virtual Center 2.0.1
Basic System Administration ESX Server 3.0.1 and Virtual Center 2.0.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a
XMS Quick Start Guide
812-0055-002D XMS Quick Start Guide Overview of Quick Start Steps This guide will quickly get you up and running with the Xirrus Management System (XMS). It includes instructions for setting up the XMS
Core Protection for Virtual Machines 1
Core Protection for Virtual Machines 1 Comprehensive Threat Protection for Virtual Environments. Installation Guide e Endpoint Security Trend Micro Incorporated reserves the right to make changes to this
Extreme Control Center, NAC, and Purview Virtual Appliance Installation Guide
Extreme Control Center, NAC, and Purview Virtual Appliance Installation Guide 9034968 Published April 2016 Copyright 2016 All rights reserved. Legal Notice Extreme Networks, Inc. reserves the right to
Virtual Managment Appliance Setup Guide
Virtual Managment Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance As an alternative to the hardware-based version of the Sophos Web Appliance, you can deploy
SteelCentral Packet Analyzer Installation Guide
SteelCentral Packet Analyzer Installation Guide Including the personal edition Version 10.8 January 2015 2014-2015 Riverbed Technology. All rights reserved. Riverbed, SteelApp, SteelCentral, SteelFusion,
RSA Authentication Manager 8.1 Virtual Appliance Getting Started
RSA Authentication Manager 8.1 Virtual Appliance Getting Started Thank you for purchasing RSA Authentication Manager 8.1, the world s leading two-factor authentication solution. This document provides
StorSimple Appliance Quick Start Guide
StorSimple Appliance Quick Start Guide 5000 and 7000 Series Appliance Software Version 2.1.1 (2.1.1-267) Exported from Online Help on September 15, 2012 Contents Getting Started... 3 Power and Cabling...
SuperLumin Nemesis. Administration Guide. February 2011
SuperLumin Nemesis Administration Guide February 2011 SuperLumin Nemesis Legal Notices Information contained in this document is believed to be accurate and reliable. However, SuperLumin assumes no responsibility
SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide
SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide Copyright and Trademark Statements 2014 ViewSonic Computer Corp. All rights reserved. This document contains proprietary information that
Interworks. Interworks Cloud Platform Installation Guide
Interworks Interworks Cloud Platform Installation Guide Published: March, 2014 This document contains information proprietary to Interworks and its receipt or possession does not convey any rights to reproduce,
LifeSize Control Installation Guide
LifeSize Control Installation Guide April 2005 Part Number 132-00001-001, Version 1.0 Copyright Notice Copyright 2005 LifeSize Communications. All rights reserved. LifeSize Communications has made every
RealPresence Platform Director
RealPresence CloudAXIS Suite Administrators Guide Software 1.3.1 GETTING STARTED GUIDE Software 2.0 June 2015 3725-66012-001B RealPresence Platform Director Polycom, Inc. 1 RealPresence Platform Director
F-Secure Messaging Security Gateway. Deployment Guide
F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4
QUICK START GUIDE. Cisco S170 Web Security Appliance. Web Security Appliance
1 0 0 0 1 1 QUICK START GUIDE Web Security Appliance Web Security Appliance Cisco S170 303417 Cisco S170 Web Security Appliance 1 Welcome 2 Before You Begin 3 Document Network Settings 4 Plan the Installation
OnCommand Performance Manager 1.1
OnCommand Performance Manager 1.1 Installation and Setup Guide For Red Hat Enterprise Linux NetApp, Inc. 495 East Java Drive Sunnyvale, CA 94089 U.S. Telephone: +1 (408) 822-6000 Fax: +1 (408) 822-4501
JAMF Software Server Installation and Configuration Guide for Linux. Version 9.2
JAMF Software Server Installation and Configuration Guide for Linux Version 9.2 JAMF Software, LLC 2013 JAMF Software, LLC. All rights reserved. JAMF Software has made all efforts to ensure that this guide
RSA Authentication Manager 8.1 Setup and Configuration Guide. Revision 2
RSA Authentication Manager 8.1 Setup and Configuration Guide Revision 2 Contact Information Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm
Copyright 2013 Trend Micro Incorporated. All rights reserved.
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Nasuni Filer Administration Guide
Nasuni Filer Administration Guide Version 7.2 November 2015 Last modified: November 6, 2015 2015 Nasuni Corporation All Rights Reserved Document Information Nasuni Filer Administration Guide Version 7.2
Installing and Configuring vcloud Connector
Installing and Configuring vcloud Connector vcloud Connector 2.7.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new
Configuration Guide BES12. Version 12.3
Configuration Guide BES12 Version 12.3 Published: 2016-01-19 SWD-20160119132230232 Contents About this guide... 7 Getting started... 8 Configuring BES12 for the first time...8 Configuration tasks for managing
User Guide. Cloud Gateway Software Device
User Guide Cloud Gateway Software Device This document is designed to provide information about the first time configuration and administrator use of the Cloud Gateway (web filtering device software).
HP A-IMC Firewall Manager
HP A-IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW101-20110805 Legal and notice information Copyright 2011 Hewlett-Packard Development Company, L.P. No part of this
Setting Up a Unisphere Management Station for the VNX Series P/N 300-011-796 Revision A01 January 5, 2010
Setting Up a Unisphere Management Station for the VNX Series P/N 300-011-796 Revision A01 January 5, 2010 This document describes the different types of Unisphere management stations and tells how to install
User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream
User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner
DSView 4 Management Software Transition Technical Bulletin
DSView 4 Management Software Transition Technical Bulletin DSView, Avocent and the Avocent logo are trademarks or registered trademarks of Avocent Corporation or its affiliates in the U.S. and other countries.
http://www.trendmicro.com/download
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Virtual Appliance Setup Guide
The Barracuda SSL VPN Vx Virtual Appliance includes the same powerful technology and simple Web based user interface found on the Barracuda SSL VPN hardware appliance. It is designed for easy deployment
Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0
Configuration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2014-12-19 SWD-20141219132902639 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12...
HP Load Balancing Module
HP Load Balancing Module Load Balancing Configuration Guide Part number: 5998-2685 Document version: 6PW101-20120217 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P.
WhatsUp Gold v16.2 Installation and Configuration Guide
WhatsUp Gold v16.2 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.2 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines
EMC UNISPHERE FOR VNXe: NEXT-GENERATION STORAGE MANAGEMENT A Detailed Review
White Paper EMC UNISPHERE FOR VNXe: NEXT-GENERATION STORAGE MANAGEMENT A Detailed Review Abstract This white paper introduces EMC Unisphere for VNXe, a web-based management environment for creating storage
QUICK START GUIDE. Cisco C170 Email Security Appliance
1 0 0 1 QUICK START GUIDE Email Security Appliance Cisco C170 303357 Cisco C170 Email Security Appliance 1 Welcome 2 Before You Begin 3 Document Network Settings 4 Plan the Installation 5 Install the Appliance
Configuration Guide BES12. Version 12.1
Configuration Guide BES12 Version 12.1 Published: 2015-04-22 SWD-20150422113638568 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12... 8 Product documentation...
Setting Up Resources in VMware Identity Manager
Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced
USER GUIDE WEB-BASED SYSTEM CONTROL APPLICATION. www.pesa.com August 2014 Phone: 256.726.9200. Publication: 81-9059-0703-0, Rev. C
USER GUIDE WEB-BASED SYSTEM CONTROL APPLICATION Publication: 81-9059-0703-0, Rev. C www.pesa.com Phone: 256.726.9200 Thank You for Choosing PESA!! We appreciate your confidence in our products. PESA produces
CTERA Agent for Linux
User Guide CTERA Agent for Linux September 2013 Version 4.0 Copyright 2009-2013 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written
Virtual Appliance Setup Guide
Virtual Appliance Setup Guide 2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their respective
RSA Authentication Manager 7.1 Basic Exercises
RSA Authentication Manager 7.1 Basic Exercises Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA and the RSA logo
Sharp Remote Device Manager (SRDM) Server Software Setup Guide
Sharp Remote Device Manager (SRDM) Server Software Setup Guide This Guide explains how to install the software which is required in order to use Sharp Remote Device Manager (SRDM). SRDM is a web-based
Configuration Guide BES12. Version 12.2
Configuration Guide BES12 Version 12.2 Published: 2015-07-07 SWD-20150630131852557 Contents About this guide... 8 Getting started... 9 Administrator permissions you need to configure BES12... 9 Obtaining
Installing and Administering VMware vsphere Update Manager
Installing and Administering VMware vsphere Update Manager Update 1 vsphere Update Manager 5.1 This document supports the version of each product listed and supports all subsequent versions until the document
Cisco UCS Director Payment Gateway Integration Guide, Release 4.1
First Published: April 16, 2014 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883
Virtual Steelhead Appliance Installation Guide. RiOS Version 8.6 April 2014
Virtual Steelhead Appliance Installation Guide RiOS Version 8.6 April 2014 2014 Riverbed Technology. All rights reserved. Riverbed, Cloud Steelhead, Granite, Interceptor, RiOS, Steelhead, Think Fast, Virtual
Installation Guide for Pulse on Windows Server 2008R2
MadCap Software Installation Guide for Pulse on Windows Server 2008R2 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software
Rally Installation Guide
Rally Installation Guide Rally On-Premises release 2015.1 [email protected] www.rallydev.com Version 2015.1 Table of Contents Overview... 3 Server requirements... 3 Browser requirements... 3 Access
Stingray Services Controller User s Guide
Stingray Services Controller User s Guide Version 2.0 December 2014 2014 Riverbed Technology, Inc. All rights reserved. Riverbed, SteelApp, SteelCentral, SteelFusion, SteelHead, SteelScript, SteelStore,
VMware Identity Manager Administration
VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new
Steelhead Appliance Installation and Configuration Guide
Steelhead Appliance Installation and Configuration Guide Steelhead DX Appliance Verson 8.5.2 January 2014 2014 Riverbed Technology. All rights reserved. Riverbed, Cloud Steelhead, Granite, Interceptor,
HP IMC Firewall Manager
HP IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW102-20120420 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this
WAN Optimization. Riverbed Steelhead Appliances
WAN Optimization Riverbed Steelhead Appliances Steelhead appliances deliver the highest performance and the most scalable wide-area data services solution available, overcoming both bandwidth and latency
Nasuni Filer Administration Guide
Nasuni Filer Administration Guide Version 7.5 May 2016 Last modified: May 23, 2016 2016 Nasuni Corporation All Rights Reserved Document Information Nasuni Filer Administration Guide Version 7.5 May 2016
Nasuni Filer Virtualization Getting Started Guide. Version 7.5 June 2016 Last modified: June 9, 2016 2016 Nasuni Corporation All Rights Reserved
Nasuni Filer Virtualization Getting Started Guide Version 7.5 June 2016 Last modified: June 9, 2016 2016 Nasuni Corporation All Rights Reserved Document Information Nasuni Filer Virtualization Getting
CTERA Agent for Mac OS-X
User Guide CTERA Agent for Mac OS-X June 2014 Version 4.1 Copyright 2009-2014 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written
VMware vcenter Log Insight Getting Started Guide
VMware vcenter Log Insight Getting Started Guide vcenter Log Insight 1.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by
OnCommand Performance Manager 1.1
OnCommand Performance Manager 1.1 Installation and Administration Guide For VMware Virtual Appliances NetApp, Inc. 495 East Java Drive Sunnyvale, CA 94089 U.S. Telephone: +1 (408) 822-6000 Fax: +1 (408)
Oracle WebCenter Content Service for Microsoft Exchange
Oracle WebCenter Content Service for Microsoft Exchange Installation and Upgrade Guide 10g Release 3 (10.3) November 2008 Oracle WebCenter Content Service for Microsoft Exchange Installation and Upgrade
EMC Data Protection Search
EMC Data Protection Search Version 1.0 Security Configuration Guide 302-001-611 REV 01 Copyright 2014-2015 EMC Corporation. All rights reserved. Published in USA. Published April 20, 2015 EMC believes
Basic System Administration ESX Server 3.0 and VirtualCenter 2.0
Basic System Administration ESX Server 3.0 and VirtualCenter 2.0 Basic System Administration Revision: 20090213 Item: VI-ENG-Q206-219 You can find the most up-to-date technical documentation at: http://www.vmware.com/support/pubs
13.1 Backup virtual machines running on VMware ESXi / ESX Server
13 Backup / Restore VMware Virtual Machines Tomahawk Pro This chapter describes how to backup and restore virtual machines running on VMware ESX, ESXi Server or VMware Server 2.0. 13.1 Backup virtual machines
Enterprise Manager. Version 6.2. Installation Guide
Enterprise Manager Version 6.2 Installation Guide Enterprise Manager 6.2 Installation Guide Document Number 680-028-014 Revision Date Description A August 2012 Initial release to support version 6.2.1
PerleVIEW Device Management System User s Guide
PerleVIEW Device Management System User s Guide Version 1.2 Part #5500320-12 May 2013 PerleVIEW V1.2 Copyright Statement This document must not be reproduced in any way whatsoever, either printed or electronically,
JAMF Software Server Installation and Configuration Guide for OS X. Version 9.2
JAMF Software Server Installation and Configuration Guide for OS X Version 9.2 JAMF Software, LLC 2013 JAMF Software, LLC. All rights reserved. JAMF Software has made all efforts to ensure that this guide
VMware vcenter Support Assistant 5.1.1
VMware vcenter.ga September 25, 2013 GA Last updated: September 24, 2013 Check for additions and updates to these release notes. RELEASE NOTES What s in the Release Notes The release notes cover the following
Managing Multi-Hypervisor Environments with vcenter Server
Managing Multi-Hypervisor Environments with vcenter Server vcenter Server 5.1 vcenter Multi-Hypervisor Manager 1.0 This document supports the version of each product listed and supports all subsequent
EMC NetWorker VSS Client for Microsoft Windows Server 2003 First Edition
EMC NetWorker VSS Client for Microsoft Windows Server 2003 First Edition Installation Guide P/N 300-003-994 REV A01 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.emc.com
vsphere Replication for Disaster Recovery to Cloud
vsphere Replication for Disaster Recovery to Cloud vsphere Replication 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced
Introduction to Mobile Access Gateway Installation
Introduction to Mobile Access Gateway Installation This document describes the installation process for the Mobile Access Gateway (MAG), which is an enterprise integration component that provides a secure
WhatsUp Gold v16.3 Installation and Configuration Guide
WhatsUp Gold v16.3 Installation and Configuration Guide Contents Installing and Configuring WhatsUp Gold using WhatsUp Setup Installation Overview... 1 Overview... 1 Security considerations... 2 Standard
User Guide. CTERA Agent. August 2011 Version 3.0
User Guide CTERA Agent August 2011 Version 3.0 Copyright 2009-2011 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written permission
HP Intelligent Management Center v7.1 Virtualization Monitor Administrator Guide
HP Intelligent Management Center v7.1 Virtualization Monitor Administrator Guide Abstract This guide describes the Virtualization Monitor (vmon), an add-on service module of the HP Intelligent Management
Xerox Multifunction Devices. Verify Device Settings via the Configuration Report
Xerox Multifunction Devices Customer Tips March 15, 2007 This document applies to these Xerox products: X WC 4150 X WCP 32/40 X WCP 35/45/55 X WCP 65/75/90 X WCP 165/175 X WCP 232/238 X WCP 245/255 X WCP
Installing and Configuring vcenter Multi-Hypervisor Manager
Installing and Configuring vcenter Multi-Hypervisor Manager vcenter Server 5.1 vcenter Multi-Hypervisor Manager 1.1 This document supports the version of each product listed and supports all subsequent
