SteelCentral Controller for SteelHead Mobile User's Guide. Version 4.7 March 2015




Riverbed Technology 680 Folsom Street San Francisco, CA 94107 Phone: 415-247-8800 Fax: 415-247-8801 Web: http://www.riverbed.com Part Number 712-00103-14

© 2015 Riverbed Technology, Inc. All rights reserved.

Riverbed, SteelApp, SteelCentral, SteelFusion, SteelHead, SteelScript, SteelStore, Steelhead, SteelHead (in the cloud), SteelHead (virtual edition), Granite, SteelHead Interceptor, Stingray, Whitewater, WWOS, RiOS, Think Fast, AirPcap, BlockStream, FlyScript, SkipWare, TrafficScript, TurboCap, WinPcap, Mazu, OPNET, and Cascade are all trademarks or registered trademarks of Riverbed Technology, Inc. (Riverbed) in the United States and other countries. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein cannot be used without the prior written consent of Riverbed or their respective owners.

Akamai and the Akamai wave logo are registered trademarks of Akamai Technologies, Inc. SureRoute is a service mark of Akamai. Apple and Mac are registered trademarks of Apple, Incorporated in the United States and in other countries. Cisco is a registered trademark of Cisco Systems, Inc. and its affiliates in the United States and in other countries. EMC, Symmetrix, and SRDF are registered trademarks of EMC Corporation and its affiliates in the United States and in other countries. IBM, iSeries, and AS/400 are registered trademarks of IBM Corporation and its affiliates in the United States and in other countries. Juniper Networks and Junos are registered trademarks of Juniper Networks, Incorporated in the United States and other countries. Linux is a trademark of Linus Torvalds in the United States and in other countries. Microsoft, Windows, Vista, Outlook, and Internet Explorer are trademarks or registered trademarks of Microsoft Corporation in the United States and in other countries. Oracle and JInitiator are trademarks or registered trademarks of Oracle Corporation in the United States and in other countries. UNIX is a registered trademark in the United States and in other countries, exclusively licensed through X/Open Company, Ltd. VMware, ESX, ESXi are trademarks or registered trademarks of VMware, Inc. in the United States and in other countries.

This product includes Windows Azure Linux Agent developed by the Microsoft Corporation (http://www.microsoft.com/). Copyright 2012 Microsoft Corporation.

This product includes software developed by the University of California, Berkeley (and its contributors), EMC, and Comtech AHA Corporation. This product is derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm.

The SteelHead Mobile Controller (virtual edition) includes VMware Tools. Portions Copyright 1998-2013 VMware, Inc. All Rights Reserved.

NetApp Manageability Software Development Kit (NM SDK), including any third-party software available for review with such SDK which can be found at http://communities.netapp.com/docs/doc-1152, and are included in a NOTICES file included within the downloaded files.

For a list of open source software (including libraries) used in the development of this software along with associated copyright and license agreements, see the Riverbed Support site at https://support.riverbed.com.

This documentation is furnished AS IS and is subject to change without notice and should not be construed as a commitment by Riverbed. This documentation may not be copied, modified or distributed without the express authorization of Riverbed and may be used only in connection with Riverbed products and services. Use, duplication, reproduction, release, modification, disclosure or transfer of this documentation is restricted in accordance with the Federal Acquisition Regulations as applied to civilian agencies and the Defense Federal Acquisition Regulation Supplement as applied to military agencies. This documentation qualifies as commercial computer software documentation and any use by the government shall be governed solely by these terms. All other use is prohibited. Riverbed assumes no responsibility or liability for any errors or inaccuracies that may appear in this documentation.

Contents

Preface
  About This Guide
  Audience
  Document Conventions
  Documentation and Release Notes
  Contacting Riverbed

Chapter 1 - Overview of SteelCentral Controller for SteelHead Mobile
  Hardware and Software Dependencies
  Overview of the SteelCentral Controller for SteelHead Mobile Solution
  Definition of Terms
  Mobile Controller Administration Tasks
  What Are Policies?
  What Are Packages?
  What Are Group Assignments?
  What Are Clusters?
  Using the Management Console
  Connecting to the Management Console
  The Home Page and Menu Bar
  Navigating in the Management Console
  Getting Help
  Next Steps
  Basic Steps for Deploying the SteelHead Mobile Package

Chapter 2 - Modifying Host and Network Interface Settings
  Modifying General Host Settings
  Modifying Network Interfaces
  IPv6 Support
  Configuring Port Labels
  Modifying Ports in a Port Label

Chapter 3 - Configuring System Administrator Settings
  Setting Announcements
  Configuring Alarm Settings
  Configuring Date and Time
  Configuring Monitored Ports
  Configuring SNMP Settings
  Configuring SNMP v3
  SNMP Authentication and Access
  Configuring Email Settings
  Configuring Log Settings
  Filtering Logs by Application or Process
  Configuring Advanced Settings

Chapter 4 - Configuring Security Settings
  Configuring General Security Settings
  Viewing Permissions
  Managing User Permissions
  Capability-Based Accounts
  Setting RADIUS Servers
  Configuring TACACS+ Access
  Unlocking the Secure Vault
  Configuring Web Settings
  Managing Web SSL Certificates

Chapter 5 - Managing Mobile Controllers
  Configuring Scheduled Jobs
  Managing Licenses
  Installing a License
  Upgrading Your Software
  Rebooting and Shutting Down the Mobile Controller
  Configuring Mobile Controller Clusters
  Prerequisites
  Configuration Settings in Your Clusters
  Troubleshooting Cluster Connections
  Troubleshooting Mobile Controller Connectivity
  License Pooling
  Managing Configurations

Chapter 6 - Configuring SSL for Mobile Controllers
  Configuring SSL for Mobile Controllers
  Basic Steps for Configuring SSL
  Configuring Mobile Controller Peering
  Modifying SSL Server Certificate Settings
  Configuring SSL Certificate Authorities
  Configuring SSL Bulk Import and Export

Chapter 7 - Managing SteelHead Mobiles
  Managing SteelHead Mobile Policies
  Creating New Policies
  Configuring In-Path Optimization Rules for Policies
  Configuring Protocol Settings
  Configuring SSL for Policies
  Configuring Location Awareness for Policies
  Configuring Endpoint Settings for Policies
  Managing SteelHead Mobile Packages
  Creating Packages
  Viewing Package Details
  Deploying SteelHead Mobile Packages
  Managing SteelHead Mobile Assignments
  Changing Default Policy Assignments
  Working with Group Assignments
  Changing an Endpoint Group for Clients Using a GPO
  Enabling or Disabling Optimization Using a GPO Template

Chapter 8 - Viewing Reports and Logs
  Viewing Reports for Endpoints
  Viewing Endpoint Reports
  Viewing Endpoint User Information
  Viewing Desktop Bandwidth Reports
  Viewing Branch Warming Reports
  Viewing SSL Reports
  Viewing Endpoint History Reports
  Viewing Desktop Traffic Reports
  Viewing Diagnostics Reports
  Viewing Alarm Status Reports
  Viewing CPU Utilization Reports
  Viewing Memory Paging Reports
  Viewing Interface Counters
  Viewing and Downloading Logs
  Viewing Logs
  Downloading Log Files
  Viewing Diagnostic Reports for Endpoints
  Viewing the Memory Dumps List
  Viewing the System Dumps List
  Downloading Endpoint TCP Dumps
  Viewing Controller Reports
  Viewing the System Dumps List
  Viewing Process Dump Files
  Capturing and Uploading TCP Dumps
  Stopping a TCP Dump After an Event Occurs
  Exporting Logs

Chapter 9 - Troubleshooting the SteelHead Mobile
  Common SteelHead Mobile Problems

Appendix A - Default Policy Settings
  Default Policy Settings Summary

Appendix B - Windows and Mac SteelHead Mobiles
  Windows SteelHead Mobile Properties
  Status Tab
  Settings Tab
  Support Tab
  System Tray Options
  Mac SteelHead Mobile Properties
  Viewing Preferences and System Status
  Accessing the Support Menu
  Managing Optimization Controls
  Using the Controllers Tab
  Using the SSL Tab

Appendix C - Windows Installer Properties
  Windows Installer Properties Overview
  Command-line Properties
  Precedence Rules

Appendix D - Mobile Controller MIB
  Accessing the Mobile Controller Enterprise MIB
  SNMP Traps

Index

Preface

Read this preface for an overview of the information provided in this guide. This preface includes the following sections:

  About This Guide
  Documentation and Release Notes
  Contacting Riverbed

About This Guide

The SteelCentral Controller for SteelHead Mobile User's Guide describes how to configure and manage the SteelCentral Controller for SteelHead Mobile. It describes how to create policies, packages, and assignments for SteelHead Mobiles using the Riverbed Management Console.

The information in this guide applies to the Mobile Controller as well as the Virtual SteelHead Mobile Controller (Mobile Controller-v) products, except where explicit references are made to hardware or virtual features.

This guide is written for storage and network administrators who are familiar with administering and managing WANs using common network protocols such as TCP, CIFS, HTTP, FTP, and NFS. You must also be familiar with administering and managing a network of deployed SteelHeads.

Riverbed product names have changed. At the time of publication, the user interfaces of the products described in this guide may not have changed, and the original names may be used in the text. For the product naming key, see the following link: http://www.riverbed.com/products/#product_list

This guide includes information pertinent to the following products:

  Riverbed SteelCentral Controller for SteelHead Mobile software (SteelCentral Controller for SteelHead Mobile)
  Riverbed SteelCentral Controller for SteelHead Mobile (Mobile Controller, SMC)
  Riverbed Mobile Controller (virtual edition) (Mobile Controller-v, VSMC)
  Riverbed Management Console (Management Console)
  Riverbed SteelHead (SteelHead)

Audience

This guide is written for storage and network administrators who are familiar with administering and managing WANs using common network protocols such as TCP, CIFS, HTTP, FTP, and NFS. You must also be familiar with administering and managing a network of deployed SteelHeads.

Document Conventions

This guide uses the following standard set of typographical conventions.

  Convention: Meaning

  italics: Within text, new terms and emphasized words appear in italic typeface.

  boldface: Within text, CLI commands, CLI parameters, and REST API properties appear in bold typeface.

  Courier: Code examples appear in Courier font:
      amnesiac > enable
      amnesiac # configure terminal

  < >: Values that you specify appear in angle brackets:
      interface <ip-address>

  [ ]: Optional keywords or variables appear in brackets:
      ntp peer <ip-address> [version <number>]

  { }: Elements that are part of a required choice appear in braces:
      {<interface-name> | ascii <string> | hex <string>}

  |: The pipe symbol represents a choice to select one keyword or variable to the left or right of the symbol. The keyword or variable can be either optional or required:
      {delete <filename> | upload <filename>}

Documentation and Release Notes

To obtain the most current version of all Riverbed documentation, go to the Riverbed Support site at https://support.riverbed.com.

If you need more information, see the Riverbed Knowledge Base for any known issues, how-to documents, system requirements, and common error messages. You can browse titles or search for keywords and strings. To access the Riverbed Knowledge Base, log in to the Riverbed Support site at https://support.riverbed.com.

Each software release includes release notes. The release notes identify new features in the software as well as known and fixed problems. To obtain the most current version of the release notes, go to the Software and Documentation section of the Riverbed Support site at https://support.riverbed.com.

Examine the release notes before you begin the installation and configuration process.

Contacting Riverbed

This section describes how to contact departments within Riverbed.

  Technical support - If you have problems installing, using, or replacing Riverbed products, contact Riverbed Support or your channel partner who provides support. To contact Riverbed Support, open a trouble ticket by calling 1-888-RVBD-TAC (1-888-782-3822) in the United States and Canada or +1 415-247-7381 outside the United States. You can also go to https://support.riverbed.com.

  Professional services - Riverbed has a staff of professionals who can help you with installation, provisioning, network redesign, project management, custom designs, consolidation project design, and custom coded solutions. To contact Riverbed Professional Services, email proserve@riverbed.com or go to http://www.riverbed.com/services-training/services-training.html.

  Documentation - The Riverbed Technical Publications team continually strives to improve the quality and usability of Riverbed documentation. Riverbed appreciates any suggestions you might have about its online documentation or printed materials. Send documentation comments to techpubs@riverbed.com.

CHAPTER 1 Overview of SteelCentral Controller for SteelHead Mobile

This chapter introduces the Mobile Controller, the Management Console, and the basic steps for deploying SteelHead Mobile packages. This overview contains the following sections:

  Hardware and Software Dependencies
  Overview of the SteelCentral Controller for SteelHead Mobile Solution
  Using the Management Console
  Next Steps

Before reading this chapter and this guide, you should know how to install and connect the Mobile Controller to your network. For details, see the SteelCentral Controller for SteelHead Mobile Installation Guide.

To use this chapter, you must know how to install, configure, and manage WAN optimization using the SteelHead. For details about the SteelHead, see the SteelHead Installation and Configuration Guide, the SteelHead Management Console User's Guide, and the SteelHead Deployment Guide.

Hardware and Software Dependencies

The following table summarizes the hardware and software requirements for the Mobile Controller.

  SteelCentral Controller for SteelHead Mobile Component: Hardware and Software Requirements

  Mobile Controller: 19-inch (483-mm) two-post or four-post rack

  Management Console: Any computer that supports a Web browser with a color image display. The Management Console has been tested with Mozilla Firefox Extended Support Release version 10.0 and Microsoft Internet Explorer version 7.0 and 8.0. Note: JavaScript and cookies must be enabled in your Web browser.

  SteelHead Mobile: RiOS v4.0.x or later on the SteelHead

Overview of the SteelCentral Controller for SteelHead Mobile Solution

The SteelCentral Controller for SteelHead Mobile solution lets you optimize TCP traffic to remote users who are accessing your computer network using any type of remote access. Remote users employ client software to exchange optimized data with a SteelHead. In most cases, the Mobile Controller requires only a hostname and IP address to be operational, and client software can be deployed using default settings.

Depending on your organization, your SteelCentral Controller for SteelHead Mobile solution can include:

  SteelHead Mobile Controller - A dedicated, rackable unit designed to manage SteelCentral Controller for SteelHead Mobile licenses and to control the deployment, management, and reporting of SteelCentral Controller for SteelHead Mobile client software for large deployments and rapidly growing organizations.

  Virtual SteelHead Mobile Controller - Provides virtualized enterprise-grade acceleration for small-sized and medium-sized businesses or smaller strategic mobile deployments.

  SteelHead Mobile Client - The client software that enables LAN-like performance for Windows PCs or Mac computers, no matter where users are located. SteelHead Mobiles are managed by the Mobile Controller and connect to a SteelHead.

The SteelCentral Controller for SteelHead Mobile solution enables you to perform optimization for the following types of users:

  Mobile Users - Employees who connect to the WAN from various locations and also connect to the LAN locally.

  Home Users - Employees who use computers that connect to the corporate network.

  Small Branch Office Users - Users located at offices with fewer than ten employees who connect to the WAN but do not have a standard SteelHead on site.

The SteelHead Mobile software is deployed to PC or Mac laptops or desktops. A Mobile Controller, typically located in the data center, is required for SteelCentral Controller for SteelHead Mobile deployment, management, and licensing control. After the Mobile Controller is deployed, packages that contain client software can be distributed.

SteelHead Mobile policies are assigned to a group or a particular user on the Mobile Controller. Policies define optimization rules and connection information for the SteelHead Mobiles. The Mobile Controller can update SteelHead Mobile policies, if desired.

Figure 1-1 outlines the optimization process flow.

Figure 1-1. Optimization Process Flow

SteelCentral Controller for SteelHead Mobile is designed to be deployed to your SteelHead Mobiles without additional configuration. It ships with default policies that provide default values for the client software that is deployed to your endpoints. You can create your own packages and your own policies as needed. You can find information about custom deployments in this guide and in the SteelHead Deployment Guide.

Definition of Terms

The following terms are used to describe SteelCentral Controller for SteelHead Mobile features, attributes, and processes in SteelCentral Controller for SteelHead Mobile.

  Term: Definition

  endpoint/SteelHead Mobile: An endpoint client or SteelHead Mobile is a client computer: for example, a Windows or Mac laptop, or tablet.

  SteelHead Mobile package: A SteelHead Mobile install package is used to install SteelHead Mobile software onto each of your endpoint clients. A package created on a Mobile Controller contains the fully qualified domain name (FQDN) of the Mobile Controller and a certificate that secures communication between the client and the controller. The default SteelHead Mobile package that ships with the Mobile Controller contains default package settings. Typically, you can install and deploy SteelCentral Controller for SteelHead Mobile without modifying the default policy or package that ships with the product. For details, see Creating Packages on page 139.

  policies: A policy contains optimization rules for accelerating the WAN traffic between SteelHead Mobiles and SteelHeads in your network. A policy is required for optimization to occur. A policy also contains information about the size of the SteelHead Mobile RiOS data store. For details, see Managing SteelHead Mobile Policies on page 103. Prior to Mobile Controller v4.0, policies were separated into endpoint and acceleration policies.

  group assignments: A group assignment is an association between a number of SteelHead Mobiles or users and a package and policy. A group assignment governs which policies and packages the Mobile Controller provides to SteelHead Mobiles. When you create a package, you can assign a group assignment to it. The group assignment is associated with the SteelHead Mobiles upon installation of the SteelHead Mobile software. The Mobile Controller subsequently uses the group assignment to identify the SteelHead Mobile and provides the assigned policies and software updates. For details, see Managing SteelHead Mobile Assignments on page 146. Group assignment was called Deployment ID in Mobile Controller v2.x and earlier releases.

  clusters: Clusters are groups of two or more Mobile Controllers used to pool available SteelHead Mobile licenses and configuration settings. This means that the entire pool of available licenses remains available to SteelHead Mobiles even if one Mobile Controller has used all of its licenses or one Mobile Controller fails. SteelHead Mobiles can connect to Mobile Controllers in a cluster and receive a consistent configuration from any Mobile Controller in the cluster. Configuration changes made to any Mobile Controller propagate to all Mobile Controllers in the cluster.

  Demilitarized Zone (DMZ): A demilitarized zone (DMZ) is a computer or small subnetwork that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet. Typically, the DMZ contains devices accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers, and DNS servers.

Mobile Controller Administration Tasks

The Mobile Controller facilitates the following administration tasks for your SteelHead Mobiles:

  Configuration - The Mobile Controller enables you to install, configure, and update SteelHead Mobiles in groups. The Mobile Controller uses policies, packages, and deployment groups to facilitate centralized configuration and reporting.

  Monitoring - The Mobile Controller provides both high-level status and detailed statistics about SteelHead Mobile performance, and enables you to configure alerts for managed SteelHead Mobiles.

  Management - The Mobile Controller enables you to schedule software upgrades and configuration changes to groups of SteelHead Mobiles or to collect logs from SteelHead Mobiles.

  License Pooling - You can join two or more Mobile Controllers into a cluster, allowing pooling of available licenses. With license pooling, the entire pool of licenses remains available to the SteelHead Mobile Client, even if one Mobile Controller has used all of its installed licenses or a Mobile Controller in the cluster fails. SteelHead Mobiles can connect to any Mobile Controller in a cluster and receive shared configuration settings from any Mobile Controller in the cluster. For details, see Configuring Mobile Controller Clusters on page 81.

What Are Policies?

Policies are sets of optimization, security, endpoint storage, and other configuration settings for groups of SteelHead Mobiles that have the same performance requirements. Policies can also be shared by Mobile Controllers that are members of a cluster. A policy can be for a specific SteelHead Mobile, or it can represent settings for groups of SteelHead Mobiles and SteelHeads in your enterprise environment.

The Mobile Controller ships with a default policy, Initial, which the Mobile Controller automatically provides to endpoint clients. For basic settings, you can install and deploy SteelCentral Controller for SteelHead Mobile without modifying the default policy. For details, see Managing SteelHead Mobile Packages on page 139.

What Are Packages?

You use packages to install and update the SteelHead Mobile Client software on each of your endpoint clients. A package is an installation bundle for the client's operating system that contains the SteelHead Mobile Client software and the information necessary for SteelHead Mobiles to communicate with the Mobile Controller. In most cases, you can deploy the default package included with Mobile Controller. For details, see Creating Packages on page 139.

Note: If the package is to be downloaded by more than 50 clients, Riverbed recommends that you put the package on a file server so that the Mobile Controller is not overloaded with requests.

What Are Group Assignments?

Group assignments govern which policies and packages your SteelHead Mobiles receive. Group assignments enable you to deploy different policies to groups of SteelHead Mobiles, based on their individual performance needs. When you deploy a package to a group, the Mobile Controller uses the group assignment to identify the proper subset of SteelHead Mobiles and automatically provides policy and software updates to them. For details, see Managing SteelHead Mobile Assignments on page 146.

What Are Clusters?

Clusters are groups of two or more Mobile Controllers used to pool available endpoint licenses and share configurations when multiple Mobile Controllers are needed to support large deployments. SteelHead Mobiles associated with clusters have access to the licenses on all of the Mobile Controllers in the cluster, even if one or more of the Mobile Controllers is unavailable. Any member of a cluster can modify settings used by the cluster, and the settings are then automatically updated to the entire cluster. For detailed information about clusters, see Configuring Mobile Controller Clusters on page 81.

Using the Management Console

The following section describes how to connect to and navigate in the Management Console. It includes the following sections:

  Connecting to the Management Console
  The Home Page and Menu Bar
  Navigating in the Management Console
  Getting Help

You manage the Mobile Controller using either the Web-based Management Console or the Riverbed command-line interface. Riverbed recommends that you use the Management Console to configure and manage your system. The Mobile Controller command-line features are described in the Riverbed Command-Line Interface Reference Manual.

Connecting to the Management Console

To connect to the Management Console, you must know the URL or IP address and administrator password that you assigned when you set up your Mobile Controller using the configuration wizard of the Mobile Controller. For details, see the SteelCentral Controller for SteelHead Mobile Installation Guide.

Note: JavaScript and cookies must be enabled in your Web browser.

To connect to the Management Console

1. Enter the URL for the Mobile Controller in the location box of your Web browser:

   protocol://host.domain

   protocol is HTTP or HTTPS. HTTPS uses the SSL protocol to ensure a secure channel. If you use HTTPS to connect, you might be prompted to inspect and verify the SSL certificate. By default, the Mobile Controller uses a self-signed certificate, which provides encrypted Web connections to the Management Console. It is re-created when the appliance hostname changes and when the certificate has expired.

   host is the hostname you assigned to the Mobile Controller primary interface in the configuration wizard. If your DNS server maps that IP address to a name, you can specify the DNS name.

   domain is the full domain name for the Mobile Controller appliance.

The Management Console appears, displaying the Login page.

Figure 1-2. Login Page

2. In the Username text box, specify the user login: admin, monitor, a login from a RADIUS or TACACS+ database, or any local accounts created using the role-based accounts feature. The default login is admin. For details on role-based accounts, see Managing User Permissions on page 63.

Users with administrator (admin) privileges can configure and administer the Mobile Controller. Users with monitor (monitor) privileges can view the Mobile Controller reports, user logs, and change their own password. A monitor user cannot make configuration changes.

3. In the Password text box, specify the password you assigned in the configuration wizard of the Mobile Controller. (The Mobile Controller is shipped with the default password: password.)

4. Click Log In to display the Home page.

The Home Page and Menu Bar

The top of every page displays the menu bar. The current state of the system (Healthy, Admission, Degraded, or Critical) appears to the right of the menus and is always visible. A status of Healthy (Needs Attention) indicates that management tasks that do not affect optimization are needed. For details, select the current system status to display the Alarm Status page.

Figure 1-3. Mobile Controller Menu Bar

The system saves settings on a per-user basis. A message appears at the top of each page when more than one user is logged in, explaining that user preferences might be overwritten.

The Home page displays the controller up time, temperature (if the Mobile Controller is not virtual), CMC hostname (if you have one in your network), connected clients, licenses in use, and the status of the clients (healthy, degraded, critical, and disabled).

In Mobile Controller v4.7 and later, the Home page also displays cluster information, if a cluster is configured. The Cluster Wide Connection Information lists the number of controllers in the cluster, installed and free licenses, connections and licensed connections, and the status of the clients in the cluster (healthy, degraded, critical, and disabled).

The Home page also displays the following reports:

Bandwidth Optimization - Summarizes the throughput or total data transmitted by all clients over the WAN and the LAN in the last week. In Mobile Controller v4.7 and later, this graph also shows the number of desktop licenses installed and in use.

Endpoint History - Displays the endpoints that are connected to the controller and the licensed endpoints. By default, endpoint data for the past week is shown. In Mobile Controller v4.7 and later, this graph also shows the history of desktop endpoints.

Figure 1-4. The Home Page (Bandwidth Optimization Report)

In Mobile Controller v4.7 and later, there are panes for the Bandwidth Optimization and Endpoint History reports at the bottom of the Home page. Click a pane to display the report you want to see.

Navigating in the Management Console

You can navigate to the tools and reports available to you in the Management Console using hyperlinked tabs and menus.

To display cascading menus

1. Select the Configure, Manage, and Reports menus to display the submenus. For example, select Reports to display the submenus Endpoints, Diagnostics, and Export. The menu item that is currently active is highlighted.

2. To go to a page, slide your cursor down to the submenu item you want to display and select the menu name. For example, under Reports > Optimization, select Bandwidth Optimization to display the page.

The following table summarizes the cascading menus.

Tab - Purpose

Home - Displays the current status of your system and verifies bandwidth optimization.

Configure -
Networking - Configure host settings, network interfaces, and port labels.
SSL - Configure peering, signing CA, and certificate authorities.
System Settings - Configure announcements, alarms, monitored ports, SNMP basic, SNMP v.3, SNMP ACLs, email, and logging.
Security - Configure general security settings, user permissions, RADIUS, TACACS+, secure vault, and Web settings.
Maintenance - Configure scheduled jobs, licenses, software upgrade, reboot/shutdown.
Cluster - Configure cluster settings.
My Account - Change your password and configure user roles.
Configurations - Apply a saved configuration.

Manage - Configure policies, packages, and assignments.

Reports - Create and display endpoint reports and diagnostic reports and export reports to files and email.

Support - Displays contact information for Riverbed Support, software and hardware information, MIB files, and the online help.

Save - Save current settings on all pages.

Healthy/Degraded/Critical/Unlicensed - Click the status display to navigate to the Reports > Diagnostics > Alarm Status page.

Displaying Report Details

You can zoom in to display report details.

To display chart details

1. Click and drag your cursor across an area of interest to you.

Figure 1-5. Highlight Area of Interest

2. Release the cursor to magnify the highlighted area.

Figure 1-6. Magnified Area

3. To return to the original report view, click Reset Zoom or refresh your browser.

Saving Your Configuration

Most Management Console configuration pages include an Apply button for you to commit your changes. When you click Apply, the Management Console updates the running configuration, but your changes are written to disk only when you save your configuration.

The Save icon on the menu bar alerts you if the changes you have made require saving to disk. To permanently save the changes, click Save.

Logging Out

Click Logout in the upper-right corner of the screen to log out of the current session.

Printing Pages and Reports

You can print Management Console pages and reports using the print option on your Web browser.

To print pages and reports

Choose File > Print in your Web browser to open the Print dialog box.

Getting Help

The Support page provides the following options:

Online Help - View browser-based online help.
Support - View links and contact information for Riverbed Support.
Appliance Details - View appliance information such as model number, hardware revision type, serial number, and software version number currently installed on the appliance.
MIB Files - View Riverbed and appliance MIB files in text format.

Displaying Online Help

The Management Console provides page-level help for the appliance.

To display online help in the Management Console

Click the question mark icon next to the page title. The help for the page appears in a new browser window.

Downloading Documentation

The Riverbed Support Site contains PDF versions of the documentation for all Riverbed products: https://support.riverbed.com/

Next Steps

This section contains the steps required to deploy SteelHead Mobile Clients software to SteelHead Mobiles. If you use the default package, all you have to do is distribute the package and make sure the endpoints connect successfully. If you create a custom package, additional steps are required to configure your custom policies.

Basic Steps for Deploying the SteelHead Mobile Package

The following section describes the basic steps for deploying the default SteelHead Mobile package to the endpoint clients in your network. You have a number of options with regard to the default package and policy that is shipped with SteelCentral Controller for SteelHead Mobile. You can create custom packages to be used in the future with customized policies, or you can customize the default policy, Initial. In addition, you can use the default package and customize the policy that is assigned to the Default group on the assignments page.

To deploy a custom SteelHead Mobile package

1. Log in to the Management Console. For details, see Connecting to the Management Console on page 9.

2. Apply your policies. For details, see Managing SteelHead Mobile Packages on page 139.

3. Create your packages to deploy the SteelHead Mobile software to your endpoint clients. For details, see Managing SteelHead Mobile Packages on page 139.

Note: If the package will be downloaded by more than 50 clients simultaneously, Riverbed recommends that you put the package on a file server so that the Mobile Controller is not overloaded with requests.

4. Define your group. For details about groups, see Managing SteelHead Mobile Assignments on page 146.

5. Assign your policies and packages to groups. For details, see Managing SteelHead Mobile Packages on page 139 and Managing SteelHead Mobile Policies on page 103.

6. Using the deployment tool of your choice (for example, email or an internal Web site), deploy the packages to your endpoint clients. For details, see Deploying SteelHead Mobile Packages on page 143.

7. Verify your connection and optimization in the Endpoint Report page. For details, see Viewing Endpoint Reports on page 152.


CHAPTER 2 Modifying Host and Network Interface Settings

This chapter describes how to configure host and network interface settings. You initially set these properties when you ran the installation wizard. This section describes how you can view and modify these settings, if needed. It includes the following sections:

Modifying General Host Settings
Modifying Network Interfaces
Configuring Port Labels

Modifying General Host Settings

You can view and modify general host settings in the Configure > Networking > Host Settings page. When you initially ran the installation wizard, you set required network host settings for the Mobile Controller. Use the following controls only if modification or additional configuration is required:

Name - Modify the hostname only if your deployment requires it.
DNS Settings - Riverbed recommends that you use DNS resolution.
Hosts - If you do not use DNS resolution, or if the host does not have a DNS entry, you can create a host-IP address resolution map.
Web/FTP Proxy - Configure proxy addresses for Web or FTP proxy access to the Mobile Controller.

To modify general host settings

Choose Configure > Networking > Host Settings to display the Host Settings page.

Figure 2-1. Host Settings Page

To change the hostname

1. Choose Configure > Networking > Host Settings to display the Host Settings page.

2. Under Name, modify the value in the Hostname field.

3. Click Apply to apply your changes to the running configuration.

4. Click Save to save your settings permanently.

To specify DNS settings

1. Choose Configure > Networking > Host Settings to display the Host Settings page. Under DNS Settings, complete the configuration as described in this table.

Primary DNS Server - Specify the IP address for the primary name server.
Secondary DNS Server - Optionally, specify the IP address for the secondary name server.

Tertiary DNS Server - Optionally, specify the IP address for the tertiary name server.
DNS Domain List - Specify an ordered list of domain names. If you specify domains, the system automatically finds the appropriate domain for each of the hosts that you specify in the system.

2. Click Apply to apply your changes to the running configuration.

3. Click Save to save your settings permanently.

To add a new host

1. Choose Configure > Networking > Host Settings to display the Host Settings page. Under Hosts, complete the configuration as described in this table.

IP Address - Specify the IP address for the host.
Hostname - Specify a hostname.
Add - Adds the host.
Remove Selected - Select the check box next to the name and click Remove Selected.

2. Click Apply to apply your changes to the running configuration.

3. Click Save to save your settings permanently.

To set a Web/FTP proxy

1. Choose Configure > Networking > Host Settings to display the Host Settings page.

2. Under Web/FTP Proxy, complete the configuration as described in this table.

Enable Web Proxy - Provides Web proxy access to the Mobile Controller. Enables the Mobile Controller to use a Web proxy to contact the Riverbed licensing portal and fetch licenses in a secure environment. You can optionally require user credentials to communicate with the proxy, and you can specify the method used to authenticate and negotiate user credentials. Web proxy access is disabled by default. RiOS supports the following proxies: Squid, Blue Coat Proxy SG, Microsoft WebSense, and McAfee Web Gateway.
Web/FTP Proxy - Specify the IP address for the Web or FTP proxy.

Port - Optionally, specify the port for the Web or FTP proxy. The default port is 1080.
Enable Authentication - Optionally, select to require user credentials for use with Web or FTP proxy traffic. Specify the following to authenticate the users:
Username - Specify a username.
Password - Specify a password.
Authentication Type - Select an authentication method from the drop-down list:
Basic - Authenticates user credentials by requesting a valid username and password. This is the default setting.
NTLM - Authenticates user credentials based on an authentication challenge and response.
Digest - Provides the same functionality as Basic authentication; however, Digest authentication improves security because the system sends the user credentials across the network as a Message Digest 5 (MD5) hash.

3. Click Apply to apply your changes to the running configuration.

4. Click Save to save your settings permanently.

Modifying Network Interfaces

You can view and modify settings for the appliance primary and auxiliary interfaces in the Configure > Networking > Network Interfaces page. When you initially ran the Configuration wizard, you set required values for the base interfaces for the Mobile Controller. Use the following controls if modification or additional configuration is required:

Primary Interface - On the appliance, the primary interface is the port you connect to the LAN switch. The primary interface is the appliance management interface. The primary interface is also used by SteelHead Mobiles to connect to the Mobile Controller.
Auxiliary Interface - On the appliance, the auxiliary interface provides a second subnet, if needed, to separate administration from client access. The IP address for the auxiliary interface must be on a subnet different from the primary interface subnet.
Main Routing Table - Displays a summary of the main routing table for the appliance. If necessary, you can add static routes that might be required for out-of-path deployments or particular device management subnets.

IPv6 Support

RiOS v7.0 extended support for IPv6 traffic with packet-mode optimization, and RiOS v8.5 and later further enhance its IPv6 capabilities by supporting auto-discovery and fixed-target rules. By using auto-discovery or fixed-target in-path rules, RiOS can apply transport and application streamlining techniques (as it does for TCP connections over IPv4) to improve the user experience as the transition to IPv6 continues.

IPv6 is enabled by default in RiOS v8.5 and later. The SteelHead support for IPv6 is twofold:

Managing SteelHeads - Support for management access using IPv6 IP addresses on primary and auxiliary interfaces.
Optimizing IPv6 traffic using SteelHead appliances - SteelHeads can optimize IPv6 traffic.

For details on IPv6 deployments, see the SteelHead Deployment Guide.

This table lists IPv6 support by feature and notes any limits and special considerations.

RiOS IPv6 Support Includes (RiOS Version: v8.5 and later for every entry):

Conformance with Request for Comments (RFCs) 1981, 2460, 2464, 2710, 3590, 4007, 4291, 4443, 4861, 4862, 4943, 5095, and 5156.
TCP IPv6 traffic interception between source and destination, bandwidth optimization.
Auto-discovery of SteelHeads.
Ability to automatically discover fixed-target and pass-through in-path rules, along with ability to deny and reject IPv6 TCP traffic as configured in the in-path rules.
HTTP and HTTPS latency optimization for IPv6 TCP traffic.
Ability to configure serial clusters.
Interception of IPv6 traffic for in-path, virtual in-path, and server-side out-of-path configurations.
Intercepting and passing through IPv4 and/or IPv6 traffic, depending on the in-path rules.
Ability to detect asymmetric routes for IPv6 TCP traffic; enables connection forwarding of IPv6 TCP traffic in asymmetric conditions.
Ability to configure IPv4 and IPv6 addresses on every in-path interface and intercepting and optimizing IPv4 and IPv6 traffic.
Ability to configure one IPv6 address configuration for every in-path interface. RiOS intercepts and optimizes traffic matching the scope of the IPv6 address configured on the in-path interface. Not applicable for a link-local address configured on the in-path interface.

Notes:

TCP inner connections between the peer SteelHeads are strictly IPv4.
RiOS does not support the Outlook Anywhere and Citrix latency optimization policies for autodiscovery and fixed-target rules. RiOS does not support the neural framing modes Always, TCP Hints, and Dynamic. RiOS does not support the Oracle forms and Oracle forms over SSL preoptimization policies.
WCCPv6 support is not available. Virtual in-path support is PBR only. Interceptor is not supported.
The connection-forwarding control channel between the neighbors is strictly IPv4. You must configure IPv4 addresses on the SteelHeads when using a connection-forwarding control channel.
RiOS passes through IPv6 TCP traffic not matching the scope of the IPv6 address configured on the in-path interface.

RiOS IPv6 Support Includes (RiOS Version: v8.5 and later for every entry):

Ability to configure IPv6 addresses on any in-path interface.
IPv6 TCP inner connections only in fixed-target cases.
Enhanced autodiscovery of SteelHeads for IPv6 TCP traffic.
Simplified routing for IPv6 TCP traffic.
Connection forwarding for IPv6 traffic in multi-interface mode.

Notes:

This IPv6-only mode requires configuring only fixed-target in-path rules.
TCP inner connections between the peer SteelHeads are IPv4 only.
The control connection between neighbors is still IPv4 only. When multiple interface support in the Networking > Network Integration: Connection Forwarding page is not enabled, IPv6 traffic is passed through.

RiOS IPv6 Support Includes (RiOS Version in parentheses):

Ability to configure peering rules for IPv6 traffic. (v8.5) Note: The peer client-side SteelHead IP address is IPv4 only.
Ability to configure IPv6 addresses in Single Ended Interception (SEI) rules under Optimization > Network Services: Transport Settings. (v8.5 and later)
Global and automatic kickoff for pass-through TCP IPv6 traffic. (v8.5 and later)
Ability to configure asymmetric VLANs for IPv6 TCP traffic. (v8.5 and later)
Latency optimization of signed-smb, CIFS/SMB1, SMB2, and SMB3 using IPv6 endpoint addressing. (v8.5.2 and later)
Encrypted Outlook Anywhere latency optimization. (v8.6 and later)
MAPI, eMAPI latency optimization. (v8.6 and later)
Authentication over IPv6. (v8.6 and later)

Notes:

The authentication stack continues to require IPv4 endpoint addressing.
Authentication is over IPv4.

Features Not Supported with IPv6

The following features are not IPv6 compatible:

Management In-Path (MIP) Interface
Transparency
NetFlow
RSP
Path selection
QoS
Host labels
IPSec

Automatic address assignment through DHCPv6
Multicast listener discovery
IPv6 stateless address autoconfiguration
WCCP using anything other than IPv4 outer connections

To display and modify the configuration for network interfaces

1. Choose Configure > Networking > Network Interfaces to display the Network Interfaces page. The Network Interfaces page is divided into four areas: Primary Interface, Auxiliary Interface, Main IPv4 Routing Table, and Main IPv6 Routing Table.

Figure 2-2. Network Interfaces Page

2. Under Primary Interface, complete the configuration as described in this table.

Enable Primary Interface - Enables the appliance management interface, which can be used for both managing the SteelHead and serving data for a server-side out-of-path (OOP) configuration.
Obtain IPv4 Address Automatically - Select this option to automatically obtain the IP address from a DHCP server. A DHCP server must be available so that the system can request the IP address from it.
Note: The primary and in-path interfaces can share the same network subnet. The primary and auxiliary interfaces cannot share the same network subnet.
Enable IPv4 Dynamic DNS - Select this option to send the hostname with the DHCP request for registration with Dynamic DNS. The hostname is specified in the Configure > Networking > Host Settings page.

Specify IPv4 Address Manually - Select this option if you do not use a DHCP server to set the IPv4 address. Specify these settings:
IPv4 Address - Specify an IP address.
IPv4 Subnet Mask - Specify a subnet mask.
Default IPv4 Gateway - Specify the default gateway IPv4 address. The default gateway must be in the same network as the primary interface. You must set the default gateway for in-path configurations.

Specify IPv6 Address Manually - Select this option and specify these settings to set an IPv6 address.
IPv6 Auto-Assigned - Displays the link-local address that is automatically generated when IPv6 is enabled on the base interfaces.
IPv6 Address - Specify an IP address using this format: eight 16-bit hex strings separated by colons, 128 bits. For example:
2001:38dc:0052:0000:0000:e9a4:00c5:6282
You do not need to include leading zeros; for example:
2001:38dc:52:0:0:e9a4:c5:6282
You can replace consecutive zero strings with double colons (::). For example:
2001:38dc:52::e9a4:c5:6282
IPv6 Prefix - Specify a prefix. The prefix length is 0 to 128, separated from the address by a forward slash (/). In the following example, 60 is the prefix:
2001:38dc:52::e9a4:c5:6282/60
IPv6 Gateway - Specify the gateway IP address. The gateway must be in the same network as the primary interface.
Note: You cannot set an IPv6 address dynamically using a DHCP server.

MTU - Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. The default value is 1500.

3. Under Auxiliary Interface, complete the configuration as described in this table.

Enable Aux Interface - Enables an auxiliary interface, which can be used only for managing the SteelHead. It cannot be used for an out-of-path (OOP) SteelHead data service. Typically this is used for device-management networks.
Obtain IPv4 Address Automatically - Select this option to automatically obtain the IP address from a DHCP server. A DHCP server must be available so that the system can request the IP address from it.
Note: The primary and in-path interfaces can share the same subnet. The primary and auxiliary interfaces cannot share the same network subnet.
Enable IPv4 Dynamic DNS - Select this option to send the hostname with the DHCP request for registration with Dynamic DNS. The hostname is specified in the Configure > Networking > Host Settings page.

Specify IPv4 Address Manually - Select this option if you do not use a DHCP server to set the IPv4 address. Specify these settings:
IPv4 Address - Specify an IP address.
IPv4 Subnet Mask - Specify a subnet mask.

Specify IPv6 Address Manually - Select this option and specify these settings to set an IPv6 address.
IPv6 Auto-Assigned - Displays the link-local address that is automatically generated when IPv6 is enabled on the base interfaces.
IPv6 Address - Specify an IP address, using this format: eight 16-bit hex strings separated by colons, 128 bits. For example:
2001:38dc:0052:0000:0000:e9a4:00c5:6282
You do not need to include leading zeros. For example:
2001:38dc:52:0:0:e9a4:c5:6282
You can replace consecutive zero strings with double colons (::). For example:
2001:38dc:52::e9a4:c5:6282
IPv6 Prefix - Specify a prefix. The prefix length is 0 to 128, separated from the address by a forward slash (/). In the following example, 60 is the prefix:
2001:38dc:52::e9a4:c5:6282/60
Note: You cannot set an IPv6 address dynamically using a DHCP server.

MTU - Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. The default value is 1500.

4. Click Apply to apply your changes to the running configuration.

5. Click Save to save your changes permanently.

Note: After you apply your settings, you can verify whether changes have had the desired effect by reviewing related reports. After this verification, you can write the active configuration that is stored in memory to the active configuration file (or you can save it as any filename you choose). For details on saving configurations, see Managing Configurations on page 85.

To configure routes for IPv4

Under the Main IPv4 Routing Table you can configure static routing in the main routing table for out-of-path deployments or if your device management network requires static routes. You can add or remove routes from the table list as described in this table.

Add a New Route - Displays the controls for adding a new route.
Destination IPv4 Address - Specify the destination IP address for the out-of-path appliance or network management device.
IPv4 Subnet Mask - Specify the subnet mask.
Gateway IPv4 Address - Specify the IP address for the gateway. The gateway must be in the same network as the primary or auxiliary interface you are configuring.
Interface - Select an interface for the IPv4 route from the drop-down menu.
Add - Adds the route to the table list.
Remove Selected - Select the check box next to the name and click Remove Selected.

The Management Console writes your configuration changes to memory.

To configure routes for IPv6

Under Main IPv6 Routing Table, you can configure static routing in the main routing table if your device-management network requires static routes. You can add or remove routes from the table list as described in this table.

Add a New Route - Displays the controls for adding a new route.
Destination IPv6 Address - Specify the destination IP address.
IPv6 Prefix - Specify a prefix. The prefix length is from 0 to 128 bits, separated from the address by a forward slash (/).
Gateway IPv6 Address - Specify the IP address for the gateway. The gateway must be in the same network as the primary or auxiliary interface you are configuring.
Interface - Select an interface for the IPv6 route from the drop-down menu.
Add - Adds the route to the table list.
Remove Selected - Select the check box next to the name and click Remove Selected.
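The addressing constraints in this section (the auxiliary interface on a different subnet from the primary, gateways inside a connected network, and the equivalent IPv6 notations) can be checked before the values are entered in the Network Interfaces page. The following Python is an added example, not part of the Riverbed guide or product; the function names and every address other than 2001:38dc:52::e9a4:c5:6282/60 are constructed for illustration.

```python
import ipaddress


def canonical_ipv6(text):
    """Return the compressed spelling of an IPv6 address, whichever of the
    notations shown in the guide it was typed in."""
    return ipaddress.IPv6Address(text).compressed


def check_addressing(primary, auxiliary=(), gateways=(), routes=()):
    """Check planned interface settings against the constraints in the guide.

    primary, auxiliary: lists of 'address/prefix' strings (IPv4 may also use
        'address/netmask'); an interface can carry an IPv4 and an IPv6 entry.
    gateways: default gateway addresses for the primary interface.
    routes: (destination 'address/prefix', gateway) pairs for static routes.
    Returns a list of problem descriptions; an empty list means no conflict.
    Malformed addresses or prefixes raise ValueError.
    """
    problems = []
    pri = [ipaddress.ip_interface(a) for a in primary]
    aux = [ipaddress.ip_interface(a) for a in auxiliary]

    # The primary and auxiliary interfaces cannot share the same subnet.
    for a in aux:
        for p in pri:
            if a.version == p.version and a.network.overlaps(p.network):
                problems.append(f"auxiliary {a} shares a subnet with primary {p}")

    # A default gateway must be in the same network as the primary interface.
    for g in map(ipaddress.ip_address, gateways):
        if not any(g.version == p.version and g in p.network for p in pri):
            problems.append(f"gateway {g} is outside the primary interface network")

    # A static route's gateway must be in the same network as the primary
    # or auxiliary interface.
    for dest, gw in routes:
        ipaddress.ip_network(dest, strict=False)  # validates the destination
        g = ipaddress.ip_address(gw)
        if not any(g.version == i.version and g in i.network for i in pri + aux):
            problems.append(f"route {dest}: gateway {g} is not on a connected network")
    return problems


# Constructed sample plans (documentation address ranges for IPv4).
GOOD = dict(
    primary=["192.0.2.10/255.255.255.0", "2001:38dc:52::e9a4:c5:6282/60"],
    auxiliary=["198.51.100.10/24"],
    gateways=["192.0.2.1", "2001:38dc:52:f::1"],
    routes=[("203.0.113.0/24", "198.51.100.1")],
)
BAD = dict(
    primary=GOOD["primary"],
    auxiliary=["192.0.2.200/25"],             # inside the primary /24
    gateways=["2001:38dc:52:10::1"],          # outside the primary /60
    routes=[("203.0.113.0/24", "203.0.113.1")],  # gateway not directly connected
)

if __name__ == "__main__":
    print(canonical_ipv6("2001:38dc:0052:0000:0000:e9a4:00c5:6282"))
    for name, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_addressing(**plan) or "no conflicts")
```
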

Configuring Port Labels

You create port labels in the Port Labels page. Port labels are names given to sets of port numbers. You use port labels when configuring in-path rules. For example, you can use port labels to define a set of ports for which the same in-path or load balancing rules apply.

The following table summarizes the port labels that are provided by default.

Interactive - Use this port label to automatically pass-through traffic on interactive ports (for example, Telnet, TCP ECHO, remote logging, and shell).
RBT-Proto - Use this port label to automatically pass-through traffic on ports used by the system: 7744 (RiOS data store synchronization), 7800 (in-path), 7810 (out-of-path), 7820 (failover), 7850 (connection forwarding), 7860 (SteelHead Interceptor), and 7870 (Mobile Controller).
Secure - Use this port label to automatically pass-through traffic on commonly secure ports (for example, SSH, HTTPS, and SMTPS).

If you do not want to automatically forward traffic on interactive, RBT-Proto, or secure ports, you must delete the Interactive, RBT-Proto, and Secure in-path rules. For details, see Configuring In-Path Optimization Rules for Policies on page 106.

This feature is optional.

To create a port label

1. Choose Configure > Networking > Port Labels to display the Port Labels page.

Figure 2-3. Port Labels Page

2. To add a port label, complete the configuration as described in this table.

Add a New Port Label - Displays the controls to add a new port label.
Name - Specify the label name. These rules apply:
Port labels are not case sensitive and can be any string consisting of letters, the underscore ( _ ), or the hyphen ( - ). There cannot be spaces in port labels.
The fields in the various rule pages of the Management Console that take a physical port number also take a port label.
To avoid confusion, do not use a number for a port label.
Port labels that are used in in-path and other rules, such as QoS and peering rules, cannot be deleted.
Port label changes (that is, adding and removing ports inside a label) are applied immediately by the rules that use the port labels that you have modified.
Ports - Specify a comma-separated list of ports.
Remove Selected - Select the check box next to the name and click Remove Selected.
Add - Adds the port label.

3. Click Save to save your settings permanently.

Modifying Ports in a Port Label

You can add or delete ports associated with a port label in the Port Label page.

To modify ports in a port label

1. Choose Configure > Networking > Port Labels to display the Port Labels page.

2. Select the port label name in the Port Labels list to display the Editing Port Label group.

Figure 2-4. Editing Port Labels Page

3. Under Editing Port Label <port label name>, add or delete ports in the Ports text box.

4. Click Apply to save your settings to the running configuration; click Cancel to cancel your changes.

5. Click Save to save your settings permanently.


CHAPTER 3 Configuring System Administrator Settings

This chapter describes how to configure system administration settings. It includes the following sections:

  - Setting Announcements on page 31
  - Configuring Alarm Settings on page 32
  - Configuring Date and Time on page 37
  - Configuring Monitored Ports on page 39
  - Configuring SNMP Settings on page 41
  - Configuring Email Settings on page 50
  - Configuring Log Settings on page 53
  - Configuring Advanced Settings on page 57

Setting Announcements

You can create or modify a login message or a message of the day. The login message appears in the Mobile Controller Login page. The message of the day appears in the Home page and when you first log in to the CLI.

To set an announcement

1. Choose Configure > System Settings > Announcements to display the Announcements page.

Figure 3-1. Announcements Page

2. Use the controls to complete the configuration as described in this table.

Login Message - Specify a message in the text box to appear in the Login page.
MOTD - Specify a message in the text box to appear in the Home page.

3. Click Apply to view the message before saving.

4. Click Save to save your settings permanently.

Configuring Alarm Settings

You can set alarms in the Configure > System Settings > Alarms page. Enabling alarms is optional.

Mobile Controller v4.0 and later uses hierarchical alarms. The system groups certain alarms into top-level categories, such as the SSL Settings alarm. When an alarm triggers, its parent expands to provide more information. As an example, the Disk Full top-level parent alarm aggregates over multiple partitions. If a specific partition is full, the Disk Full parent alarm triggers and the Alarm Status report displays more information regarding which partition caused the alarm to trigger.

When an alarm reaches the rising threshold, it is activated; when it reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold. Notice that CPU Utilization settings are percentage thresholds, while endpoint-related alarm settings are number counts.

Disabling a parent alarm disables its children. You can enable a parent alarm and disable any of its child alarms. You cannot enable a child alarm without first enabling its parent.

The children alarms of a disabled parent appear on the Alarms Status report with a suppressed status. Disabled children alarms of an enabled parent appear on the Alarm Status report with a disabled status. For more details on alarm status, see Viewing Alarm Status Reports on page 168.
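The rising/reset behaviour and the parent/child status rules described above can be modelled in a few lines. This is an added example, not Riverbed code: the class, its field names and the partition thresholds are assumptions made for illustration, and "reaches" is read as "equal to or beyond" the threshold.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(eq=False)
class Alarm:
    """Hypothetical model of one alarm; not the appliance's data model."""
    name: str
    rising: float = 0.0            # alarm activates when a sample reaches this
    reset: float = 0.0             # alarm clears when a sample falls to this
    enabled: bool = True
    triggered: bool = False
    children: List["Alarm"] = field(default_factory=list, repr=False)
    parent: Optional["Alarm"] = field(default=None, repr=False)

    def add_child(self, child: "Alarm") -> "Alarm":
        child.parent = self
        self.children.append(child)
        return child

    def enable(self) -> None:
        # A child alarm cannot be enabled while its parent is disabled.
        if self.parent is not None and not self.parent.enabled:
            raise ValueError("enable parent %r first" % self.parent.name)
        self.enabled = True

    def update(self, value: float) -> bool:
        """Feed one sample. Returns True only when the alarm newly triggers."""
        if not self.triggered and value >= self.rising:
            self.triggered = True
            return True
        if self.triggered and value <= self.reset:
            self.triggered = False   # re-armed only after reaching the reset threshold
        return False

    def is_triggered(self) -> bool:
        # A parent aggregates its children (assumption: disabled children are ignored).
        if self.children:
            return any(c.enabled and c.triggered for c in self.children)
        return self.triggered

    def status(self) -> str:
        if self.parent is not None and not self.parent.enabled:
            return "suppressed"      # child of a disabled parent
        if not self.enabled:
            return "disabled"        # disabled child of an enabled parent
        return "triggered" if self.is_triggered() else "ok"


def notifications(alarm: Alarm, samples) -> list:
    """Samples at which a notification would be sent (new triggers only)."""
    return [s for s in samples if alarm.update(s)]


def disk_full_demo() -> dict:
    """Disk Full parent with two partition children; thresholds are constructed."""
    disk = Alarm("Disk Full")
    var = disk.add_child(Alarm('Partition "/var"', rising=95, reset=90))
    cfg = disk.add_child(Alarm('Partition "/config"', rising=95, reset=90))
    var.update(97)                                   # constructed percent-used sample
    report = {"parent": disk.status(),
              "cause": [c.name for c in disk.children if c.triggered]}
    disk.enabled = False
    report["children_when_parent_disabled"] = [var.status(), cfg.status()]
    disk.enable()
    var.enabled = False
    report["disabled_child"] = var.status()
    report["parent_after_child_disabled"] = disk.status()
    return report


if __name__ == "__main__":
    cpu = Alarm("CPU Utilization", rising=90, reset=70)   # defaults from the guide
    print(notifications(cpu, [85, 92, 95, 80, 91, 69, 93]))
    print(disk_full_demo())
```

With the default CPU Utilization thresholds, the sample at 91 produces no second notification because utilization never fell to the 70% reset threshold after the first trigger.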

To set alarm parameters

1. Choose Configure > System Settings > Alarms to display the Alarms page.

2. Under Enable Alarms, complete the configuration as described in this table.

Configuration - Whether a configuration error was detected.

CPU Utilization - Enables an alarm and sends an email notification if the average and peak threshold for the CPU utilization is exceeded. By default, this alarm is enabled with a rising threshold of 90% and a reset threshold of 70%.
  Rising Threshold - Specify the rising threshold. When an alarm reaches the rising threshold, it is activated.
  Reset Threshold - Specify the reset threshold. When an alarm reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold.

Disk Full - Enables an alarm if the system partitions (not the SteelHead Mobile data store) are full or almost full. For example, Mobile Controller monitors the available space on /var, which is used to hold logs, statistics, system dumps, TCP dumps, and so on. By default, this alarm is enabled. This alarm monitors the following system partitions:
  - Partition "/" Free Space
  - Partition "/boot" Free Space
  - Partition "/bootmgr" Free Space
  - Partition "/config" Free Space
  - Partition "/data" Free Space
  - Partition "/tmp/mnt/config" Free Space
  - Partition "/var" Free Space

Endpoint Datastore - Whether the number of endpoint clients with data store errors has reached the rising threshold. By default, this alarm is enabled with a rising threshold of 50 and a reset threshold of 40.

Endpoint Filesystem Full - Whether the number of endpoint clients with File System Full errors has reached the rising threshold. By default, this alarm is enabled with a rising threshold of 50 and a reset threshold of 40.

Endpoint Firewall - Whether the number of endpoint clients with firewall status errors has reached the rising threshold. By default, this alarm is enabled with a rising threshold of 50 and a reset threshold of 40.

Endpoint Gen ID Error - Whether the number of endpoint clients with Endpoint genid errors has reached the rising threshold. By default, this alarm is enabled with a rising threshold of 50 and a reset threshold of 40.

Endpoint NFS - Whether the number of endpoint clients with NFS errors has reached the rising threshold. By default, this alarm is enabled with a rising threshold of 50 and a reset threshold of 40.

Endpoint Service - Whether the number of endpoint clients with service errors has reached the rising threshold. By default, this alarm is enabled with a rising threshold of 50 and a reset threshold of 40.

Endpoint SSL Error - Whether the number of endpoint clients with SSL errors has reached the rising threshold. By default, this alarm is enabled with a rising threshold of 50 and a reset count of 40.

Endpoint Version - Whether the number of endpoint clients in your network with mismatches between software versions has reached the rising threshold. If a software mismatch is detected, resolve the mismatch by upgrading or reverting to a previous version of the software. By default, this alarm is enabled with a rising threshold of 50 and a reset threshold of 40.

Endpoint License - Whether to send an alarm when all the licenses of the selected type have been used.
  - Endpoint License to enable alarms for any license type.
  - Desktop to enable alarms only for that specific license type.

Hardware
  Fan Error - Enables an alarm and sends an email notification if a fan is failing or has failed and needs to be replaced. By default, this alarm is enabled.
  Flash Error - Enables an alarm when the system detects an error with the flash drive hardware. By default, this alarm is enabled.
  IPMI - Enables an alarm and sends an email notification if an Intelligent Platform Management Interface (IPMI) event is detected. (Not supported on all appliance models.) This alarm triggers when there has been a physical security intrusion. The following events trigger this alarm:
    - Chassis intrusion (physical opening and closing of the appliance case)
    - Memory errors (correctable or uncorrectable ECC memory errors)
    - Hard drive faults or predictive failures
    - Power cycle, such as turning the power switch on or off, physically unplugging and replugging the cable, or issuing a power cycle from the power switch controller.
    By default, this alarm is enabled.
  Memory Error - Enables an alarm and sends an email notification if a memory error is detected: for example, when a system memory stick fails. By default, this alarm is enabled.
  Power Supply - Enables an alarm and sends an email notification if an inserted power supply cord does not have power, as opposed to a power supply slot with no power supply cord inserted. By default, this alarm is enabled.
  RAID - Indicates that the system has encountered RAID errors (for example, missing drives, pulled drives, drive failures, and drive rebuilds).

Licensing - Enables an alarm and sends an email notification if a license on the Mobile Controller is removed, is about to expire, has expired, or is invalid. This alarm triggers if the Mobile Controller has no license installed for its currently configured model.
  Autolicense Critical Event - This alarm triggers on a SteelHead (virtual edition) appliance when the Riverbed Licensing Portal cannot respond to a license request with valid licenses. The Licensing Portal cannot issue a valid license for one of these reasons:
    - A newer SteelHead (virtual edition) appliance is already using the token, so you cannot use it on the SteelHead (virtual edition) appliance displaying the critical alarm. Every time the SteelHead (virtual edition) appliance attempts to refetch a license token, the alarm retriggers.
    - The token has been redeemed too many times. Every time the SteelHead (virtual edition) appliance attempts to refetch a license token, the alarm retriggers.
  Autolicense Informational Event - This alarm triggers if the Riverbed Licensing Portal has information regarding the licenses for a SteelHead (virtual edition) appliance. For example, the SteelHead (virtual edition) appliance displays this alarm when the portal returns licenses that are associated with a token that has been used on a different SteelHead (virtual edition) appliance.
  Licenses Expired - This alarm triggers if one or more features has at least one license installed, but all of them are expired.
  Licenses Expiring - This alarm triggers if the license for one or more features is going to expire within two weeks.
  Licensing - This alarm triggers if the Mobile Controller has no license installed for its currently configured model.
  Note: The licenses expiring and licenses expired alarms are triggered per feature. For example, if you install two license keys for a feature, LK1-FOO-xxx (expired) and LK1-FOO-yyy (not expired), the alarms do not trigger, because the feature has one valid license.
  By default, this alarm is enabled.

Link Duplex - Enables an alarm and sends an email notification when an interface was not configured for half-duplex negotiation but has negotiated half-duplex mode. Half-duplex significantly limits the optimization service results. The alarm displays which interface is triggering the duplex alarm. By default, this alarm is enabled. You can enable or disable the alarm for a specific interface. To enable or disable an alarm, choose Configure > System Settings > Alarms and select or clear the check box next to the link name.

Link I/O Errors - Enables an alarm and sends an email notification when the link error rate exceeds 0.1 percent while either sending or receiving packets. This threshold is based on the observation that even a small link error rate reduces TCP throughput significantly. A properly configured LAN connection experiences very few errors. The alarm clears when the rate drops below 0.05 percent. You can change the default alarm thresholds by entering the alarm link_errors errthreshold xxxxx CLI command at the system prompt. For details, see the Riverbed Command-Line Interface Reference Manual. By default, this alarm is enabled. You can enable or disable the alarm for a specific interface: for example, you can disable the alarm for a link after deciding to tolerate the errors. To enable or disable an alarm, choose Configure > System Settings > Alarms and select or clear the check box next to the link name.

Link State - Enables an alarm and sends an email notification if an Ethernet link is lost due to a network event. Depending on which link is down, the system might no longer be optimizing and a network outage could occur.
  Interface aux Link Error - This alarm triggers if an Ethernet link is lost with the aux interface.
  Interface primary Link Error - This alarm triggers if an Ethernet link is lost with the primary interface.
  This is often caused by surrounding devices, like routers or switches that are transitioning between interfaces. This alarm also accompanies system restarts on the Mobile Controller. By default, this alarm is disabled.

Memory Paging - Enables an alarm and sends an email notification if memory paging is detected. If 100 pages are swapped every couple of hours, the system is functioning properly. If thousands of pages are swapped every few minutes, contact Riverbed Support at https://support.riverbed.com. By default, this alarm is disabled.

Process Dump Creation Error - Enables an alarm and sends an email notification if the system detects an error while trying to create a process dump. This alarm indicates an abnormal condition in which the Mobile Controller cannot collect the core file after three retries. It can be caused when the /var directory is reaching capacity or other conditions. When the alarm is raised, the directory is blacklisted. By default, this alarm is enabled.

Secure Vault - Enables an alarm and sends an email notification if the system encounters a problem with the secure vault:
  Secure Vault Locked - Indicates that the secure vault is locked. To optimize SSL connections or to use Mobile Controller data store encryption, the secure vault must be unlocked. Go to Configure > Security > Secure Vault and unlock the secure vault.
  By default, this alarm is enabled.

SSL - Enables an alarm if an error is detected in your SSL configuration.
  SSL Certificates - Indicates that an SSL peering certificate has failed to re-enroll automatically within the Simple Certificate Enrollment Protocol (SCEP) polling interval.
  SSL Signing Certificate Validity - Indicates that an SSL peering certificate has failed to re-enroll automatically within the Simple Certificate Enrollment Protocol (SCEP) polling interval.
  By default, this alarm is enabled.

Temperature - Enables an alarm if the temperature of your system exceeds the rising threshold.
  Critical Temperature - Enables an alarm and sends an email notification if the CPU temperature exceeds the rising threshold. When the CPU returns to the reset threshold, the critical alarm is cleared. The default value for the rising threshold temperature is 70° C; the default reset threshold temperature is 67° C.
  Warning Temperature - Enables an alarm and sends an email notification if the CPU temperature approaches the rising threshold. When the CPU returns to the reset threshold, the warning alarm is cleared.
  Rising Threshold - Specify the rising threshold (° C). When an alarm reaches the rising threshold, it is activated. The default value is 70°.
  Reset Threshold - Specify the reset threshold (° C). When an alarm reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold. The default value is 67°.

Under-provisioned VM - Memory, data storage, or CPU resources are insufficient for the maximum number of endpoints. For VSMC only (VSMC-VSP and VSMC-ESX).

Valid Platform - Enables an alarm to be triggered if the hardware platform does not support SteelCentral Controller for SteelHead Mobile - Virtual Edition (VSMC-VSP). SteelHead EX is required for VSMC-VSP. By default, this alarm is enabled.

Valid VM - Enables an alarm to be triggered if the virtual machine is unavailable. For VSMC and VSMC-VSP only. By default, this alarm is enabled.

3. Click Apply to apply your changes to the running configuration.

4. Click Save to save your settings permanently.

Configuring Date and Time

Riverbed recommends that you use NTP time synchronization for Date and Time.

To use Network Time Protocol (NTP) time synchronization

1. Choose Configure > System Settings > Date and Time to display the Date and Time page.

Figure 3-2. Date and Time Page

2. Under Date and Time, click Use NTP Time Synchronization.

3. As a best practice, you should configure your own internal NTP servers; however, if you want to use the Mobile Controller-provided NTP server, the hard-coded IP address that is preconfigured into every Mobile Controller is 208.70.196.25. This IP address appears in the NTP server list.

4. To add a new NTP server, complete the configuration as described in this table.

Add a New NTP Server - Displays the controls to add a server.
Hostname or IP Address - Specify the hostname or IP address for the NTP server. You can connect to an NTP public server pool; for example, 0.riverbed.pool.ntp.org. When you add an NTP server pool, the server is selected from a pool of time servers.
Version - Select the NTP server version from the drop-down list: 3 or 4.

Enabled/Disabled - Select Enabled from the drop-down list to connect to the NTP server. Select Disabled from the drop-down list to disconnect from the NTP server.
Key ID - Specify the MD5 or SHA1 key identifier to use to authenticate the NTP server. The valid range is from 1-65534. The key ID must appear on the trusted keys list.
Add - Adds the NTP server to the server list.
Remove Selected - Select the check box next to the name and click Remove Selected.

5. Click Save to save your settings permanently.

Note: To modify server properties, select the server name in the server table row.

To set the time and date manually

1. Choose Configure > System Settings > Date and Time to display the Date and Time page.

2. Under Date and Time, click Set Time Manually. Complete the configuration as described in this table.

Time Zone - Select a time zone from the drop-down list. The default value is GMT. Note: If you change the time zone, log messages retain the previous time zone until you reboot.
Change Date - Specify the date in this format: YYYY/MM/DD.
Change Time - Specify military time in this format: HH:MM:SS.

3. Click Apply to apply your changes to the running configuration.

4. Click Save to save your settings permanently.

Note: After you apply your settings, you can verify whether changes have had the desired effect by reviewing related reports. After this verification, you can write the active configuration that is stored in memory to the active configuration file (or save it with any filename you choose). For details on saving configurations, see Managing Configurations on page 85.

Configuring Monitored Ports

You specify the TCP ports that you want to monitor in the Configure > System Settings > Monitored Ports page. The ports you specify appear in the Desktop Traffic report. Make sure that the description you provide helps you identify the type of traffic on the port.

The SteelHead Mobile reports all ports that have traffic to the Mobile Controller. Discovered ports, with a label (if one exists), are added to the Desktop Traffic report. If a label does not exist, then an unknown label is added to the discovered port. To change the unknown label to a name representing the port, you must add the port with a new label. All statistics for this new port label are preserved from the time the port was discovered.

By default, traffic is monitored on ports 21 (FTP), 80 (HTTP), 139 (CIFS:NetBIOS), 443 (SSL), 445 (CIFS:TCP), 1352 (Lotus Notes), 1433 (SQL:TDS), 7830 (MAPI), 8777 (RCU), and 10566 (SnapMirror).

To set monitored ports

1. Choose Configure > System Settings > Monitored Ports to display the Monitored Ports page.

Figure 3-3. Monitored Ports Page

2. Complete the configuration as described in this table.

Add Port - Displays the controls to add a new port.
Port Number - Specify the port to be monitored.
Port Description - Specify a description of the type of traffic on the port.
Add - Displays the controls for adding a port.
Remove Selected - Select the check box next to the name and click Remove Selected.

3. To modify a monitored port, click the magnifying glass icon next to the port and complete the configuration as described in this table.

Port Description - Specify a description of the type of traffic on the port.
Apply - Applies your settings to the running configuration.

4. Click Save to save your settings permanently.

Configuring SNMP Settings

You configure SNMP contact and trap receiver settings to allow events to be reported to an SNMP entity in the Configure > System Settings > SNMP Basic page.

Traps are messages sent by an SNMP entity that indicate the occurrence of an event. The default system configuration does not include SNMP traps.

Mobile Controller 4.7 provides support for the following:

  - SNMP Version 1
  - SNMP Version 2c
  - SNMP Version 3, which provides authentication through the User-based Security Model (USM)
  - View-Based Access Mechanism (VACM), which provides richer access control
  - SNMP Version 3 authentication using AES 128 and DES encryption privacy

For a summary of the SNMP traps sent to configured trap receivers, see Appendix D, SNMP Traps. For details on MIBs, see Appendix D, Mobile Controller MIB.

To set general SNMP parameters

1. Choose Configure > System Settings > SNMP Basic to display the SNMP Basic page.

Figure 3-4. SNMP Basic Page

2. Under SNMP Server Settings, complete the configuration as described in this table.

Enable SNMP Traps - Enables event reporting to an SNMP entity.
System Contact - Specify the user name for the SNMP contact.
System Location - Specify the physical location of the SNMP system.
Read-Only Community String - Specify a password-like string to identify the read-only community: for example, public. This community string overrides any VACM settings. Community strings cannot contain the # (hash) value.

3. Click Apply to apply your changes to the running configuration.

4. Click Save to save your settings permanently.

To add or remove a trap receiver

1. Under Trap Receivers, complete the configuration as described in this table.

Add a New Trap Receiver - Displays the controls to add a new trap receiver.
Receiver - Specify the destination IPv4 or IPv6 address or hostname for the SNMP trap.
Destination Port - Specify the destination port.
Receiver Type - Select SNMP version v1, v2c, or v3 (user-based security model).
Remote User - (Appears only when you select v3.) Specify a remote username.
Authentication - (Appears only when you select v3.) Optionally, select either Supply a Password or Supply a Key to use while authenticating users.
Authentication Protocol - (Appears only when you select v3.) Select an authentication method from the drop-down list:
  MD5 - Specifies the Message-Digest 5 algorithm, a widely used cryptographic hash function with a 128-bit hash value. This is the default value.
  SHA - Specifies the Secure Hash Algorithm, a set of related cryptographic hash functions. SHA is considered to be the successor to MD5.
Password/Password Confirm - (Appears only when you select v3 and Supply a Password.) Specify a password. The password must have a minimum of eight characters. Confirm the password in the Password Confirm text box.
Security Level - (Appears only when you select v3.) Determines whether a single atomic message exchange is authenticated. Select one of these levels from the drop-down list:
  No Auth - Does not authenticate packets and does not use privacy. This is the default setting.
  Auth - Authenticates packets but does not use privacy.
  AuthPriv - Authenticates packets using AES 128 and DES to encrypt messages for privacy.
  Note: A security level applies to a group, not to an individual user.
Privacy Protocol - (Appears only when you select v3 and AuthPriv.) Select either the AES or DES protocol from the drop-down list. AES uses the AES128 algorithm.
Privacy - (Appears only when you select v3 and AuthPriv.) Select Same as Authentication Key, Supply a Password, or Supply a Key to use while authenticating users. The default setting is Same as Authentication Key.
Privacy Password - (Appears only when you select v3 and Supply a Password.) Specify a password. The password must have a minimum of eight characters. Confirm the password in the Privacy Password Confirm text box.
MD5/SHA Key - (Appears only when you select v3 and Authentication as Supply a Key.) Specify a unique authentication key. The key is either a 32-hexadecimal digit MD5 or a 40-hexadecimal digit SHA digest created using md5sum or sha1sum.
Privacy MD5/SHA Key - (Appears only when you select v3 and Privacy as Supply a Key.) Specify the privacy authentication key. The key is either a 32-hexadecimal digit MD5 or a 40-hexadecimal digit SHA digest created using md5sum or sha1sum.

Community - For v1 or v2 trap receivers, specify the SNMP community name. For example, public or private. v3 trap receivers need a remote user with an authentication protocol, a password, and a security level.
Enable Receiver - Select to enable the new trap receiver. Clear to disable the receiver.
Add - Adds a new trap receiver to the list.
Remove Selected - Select the check box next to the name and click Remove Selected.

2. Click Save to save your settings permanently.

To test an SNMP trap

1. Choose Configure > System Settings > SNMP Basic to display the SNMP Basic page.

2. Under SNMP Trap Test, click Run.

Configuring SNMP v3

SNMP v3 provides additional authentication and access control for message security. For example, you can verify the identity of the SNMP entity (manager or agent) sending the message.

SteelCentral Controller for SteelHead Mobile supports SNMPv3 message encryption for increased security.

Using SNMP v3 is more secure than SNMP v1 or v2; however, it requires more configuration steps to provide the additional security features.

Basic Steps

1. Create the SNMP-server users. Users can be authenticated using either a password or a key.

2. Configure SNMP-server views to define which part of the SNMP MIB tree is visible.

3. Configure SNMP-server groups, which map users to views, enabling you to control who can view what SNMP information.

4. Configure the SNMP-server access policies that contain a set of rules defining access rights. Based on these rules, the entity decides how to process a given request.

To create users for SNMP v3

1. Choose Configure > System Settings > SNMP v3 to display the SNMP v3 page.

Figure 3-5. SNMP v3 Page

2. Under Users, complete the configuration as described in this table.

Add a New User - Displays the controls to add a new user.
User Name - Specify the username.
Authentication Protocol - Select an authentication method from the drop-down list:
  MD5 - Specifies the Message-Digest 5 algorithm, a widely used cryptographic hash function with a 128-bit hash value. This is the default value.
  SHA - Specifies the Secure Hash Algorithm, a set of related cryptographic hash functions. SHA is considered to be the successor to MD5.
Authentication - Optionally, select either Supply a Password or Supply a Key to use while authenticating users.
Password/Password Confirm - Specify a password. The password must have a minimum of eight characters. Confirm the password in the Password Confirm text box.
Use Privacy Option - Select to use SNMPv3 encryption.
Privacy Protocol - Select either the AES or DES protocol from the drop-down list. AES uses the AES128 algorithm.
Privacy - Select Same as Authentication, Supply a Password, or Supply a Key to use while authenticating users. The default setting is Same as Authentication.
Add - Adds the user.
Remove Selected - Select the check box next to the name and click Remove Selected.

3. Click Save to save your settings permanently.

SNMP Authentication and Access

The following features apply to SNMP v1, v2c, and v3 unless noted otherwise:

  - Security Names - Identify an individual user (v1 or v2c only).
  - Secure Groups - Identify a security name or security model by a group, and are referred to by a group name.
  - Secure Views - Create a custom view using the VACM that controls who can access which MIB objects under agent management by including or excluding specific OIDs. For example, some users have access to critical read-write control data, while other users have access to just read-only data. For a list of OIDs, see Configuring SNMP Settings on page 41.
  - Security Models - A security model identifies the SNMP version associated with a user for the group in which the user resides.
  - Secure Access Policies - Defines who gets access to which type of information. An access policy is composed of <group-name, security-model, security-level, read-view-name>.
    - read-view-name is a preconfigured view that applies to read requests by this security-name.
    - write-view-name is a preconfigured view that applies to write requests by this security-name.
    - notify-view-name is a preconfigured view that applies to write requests to this security-name.

An access policy is the configurable set of rules, based on which the entity decides how to process a given request.

To set secure usernames

1. Choose Configure > System Settings > SNMP ACLs to display the SNMP ACLs page.

Figure 3-6. SNMP ACLs Page - Security Names

2. Under Security Names, complete the configuration as described in this table.

Add a New Security Name - Displays the controls to add a security name.
Security Name - Specify a name to identify a requester allowed to issue gets and sets (v1 and v2c only). The specified requester can make changes to the view-based access-control model (VACM) security name configuration. This control does not apply to SNMPv3 queries. To restrict v3 USM users from polling a particular subnet, use the RiOS Management ACL feature, located in the Configure > Security > Management ACL page. Traps for v1 and v2c are independent of the security name.
Community String - Specify the password-like community string to control access. Use a combination of uppercase, lowercase, and numerical characters to reduce the chance of unauthorized access to the SteelHead. Community strings do not allow printable 7-bit ASCII characters, except for white spaces. Also, the community strings cannot begin with '#' and '-'. If you specify a read-only community string (located in the SNMP Basic page under SNMP Server Settings), it takes precedence over this community name and allows users to access the entire MIB tree from any source host. If this is not desired, delete the read-only community string. To create multiple SNMP community strings on a SteelHead, leave the default public community string and then create a second read-only community string with a different security name. Or, you can delete the default public string and create two new SNMP ACLs with unique names.
Source IP Address and Mask Bits - Specify the host IPv4 or IPv6 address and mask bits to which you permit access using the security name and community string.
Add - Adds the security name.
Remove Selected - Select the check box next to the name and click Remove Selected.

3. Click Apply to apply your changes to the running configuration.

4. Click Save to save your settings permanently.
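A review of the SNMP Basic, trap receiver and security name settings described above can be scripted once the values have been written down. This is an added example, not part of the guide or of any Riverbed tool: the dictionary layout, finding codes and sample values are assumptions constructed for illustration.

```python
import ipaddress
import re

HEX_LEN = {"MD5": 32, "SHA": 40}    # key lengths stated in the guide


def check_community(where, value):
    findings = []
    if value in ("public", "private"):              # examples the guide itself names
        findings.append((where, "DEFAULT_COMMUNITY"))
    if "#" in value or value.startswith("-") or re.search(r"\s", value):
        findings.append((where, "INVALID_COMMUNITY"))
    return findings


def check_v3_receiver(where, rx):
    findings = []
    level = rx.get("security_level", "No Auth")     # No Auth is the default
    if level == "No Auth":
        return [(where, "V3_NO_AUTH")]
    proto = rx.get("auth_protocol", "MD5")          # MD5 is the default
    if proto == "MD5":
        findings.append((where, "V3_MD5_AUTH"))     # SHA is the successor to MD5
    if "password" in rx and len(rx["password"]) < 8:
        findings.append((where, "SHORT_PASSWORD"))
    if "key" in rx and not re.fullmatch(r"[0-9a-fA-F]{%d}" % HEX_LEN[proto], rx["key"]):
        findings.append((where, "BAD_KEY_FORMAT"))
    if level == "Auth":
        findings.append((where, "V3_NO_PRIVACY"))
    elif rx.get("privacy_protocol") == "DES":
        findings.append((where, "V3_DES_PRIVACY"))
    return findings


def audit(cfg):
    """Return (location, code) findings for a hand-collected settings dict."""
    findings = []
    ro = cfg.get("read_only_community")
    if ro:
        # Per the guide, this string overrides VACM and exposes the entire
        # MIB tree to any source host.
        findings.append(("read_only_community", "OVERRIDES_VACM"))
        findings += check_community("read_only_community", ro)
    for sn in cfg.get("security_names", []):
        where = "security_name:" + sn["name"]
        findings += check_community(where, sn["community"])
        if ipaddress.ip_network(sn["source"], strict=False).prefixlen == 0:
            findings.append((where, "ANY_SOURCE"))
    for rx in cfg.get("trap_receivers", []):
        where = "trap_receiver:" + rx["receiver"]
        if rx["type"] in ("v1", "v2c"):
            # v1/v2c carry the community string and trap contents unencrypted.
            findings.append((where, "CLEARTEXT_VERSION"))
            findings += check_community(where, rx.get("community", ""))
        else:
            findings += check_v3_receiver(where, rx)
    for pol in cfg.get("access_policies", []):
        if pol.get("security_level", "No Auth") != "AuthPriv":
            findings.append(("access_policy:" + pol["group"], "POLICY_WITHOUT_PRIVACY"))
    return findings


SAMPLE = {   # constructed values, documentation address ranges
    "read_only_community": "public",
    "security_names": [
        {"name": "nms", "community": "Mon1torRO", "source": "10.20.0.0/24"},
        {"name": "legacy", "community": "private", "source": "0.0.0.0/0"},
    ],
    "trap_receivers": [
        {"receiver": "192.0.2.10", "type": "v2c", "community": "public"},
        {"receiver": "192.0.2.11", "type": "v3", "security_level": "AuthPriv",
         "auth_protocol": "SHA", "key": "a" * 40, "privacy_protocol": "AES"},
        {"receiver": "192.0.2.12", "type": "v3", "security_level": "AuthPriv",
         "auth_protocol": "MD5", "password": "short", "privacy_protocol": "DES"},
        {"receiver": "192.0.2.13", "type": "v3"},
    ],
    "access_policies": [{"group": "ops", "security_level": "Auth"}],
}

if __name__ == "__main__":
    for where, code in audit(SAMPLE):
        print("%-32s %s" % (where, code))
```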

To set secure groups

1. Choose Configure > System Settings > SNMP ACLs to display the SNMP ACLs page.

Figure 3-7. SNMP ACLs Page - Groups

2. Under Groups, complete the configuration as described in this table.

Add a New Group - Displays the controls to add a new group.
Group Name - Specify a group name.
Security Models and Name Pairs - Click the + button and select a security model from the drop-down list:
  v1 or v2c - Displays another drop-down menu. Select a security name.
  v3 (usm) - Displays another drop-down menu. Select a user.
  To add another Security Model and Name pair, click the plus sign (+).
Add - Adds the group name and security model and name pairs.
Remove Selected - Select the check box next to the name and click Remove Selected.

3. Click Apply to apply your changes to the running configuration.

4. Click Save to save your settings permanently.

To set secure views

1. Choose Configure > System Settings > SNMP ACLs to display the SNMP ACLs page.

Figure 3-8. SNMP ACLs Page - Views

2. Under Views, complete the configuration as described in this table.

Add a New View - Displays the controls to add a new view.

View Name - Specify a descriptive view name to facilitate administration.

Includes - Specify the object identifiers (OIDs) to include in the view, separated by commas. One example is .1.3.6.1.4.1. By default, the view excludes all OIDs. You can specify .iso or any subtree or subtree branch. You can specify an OID number or use its string form, for example: .iso.org.dod.internet.private.enterprises.rbt.products.steelhead.system.model

Excludes - Specify the OIDs to exclude in the view, separated by commas. By default, the view excludes all OIDs.

Add - Adds the view.

Remove Selected - Select the check box next to the name and click Remove Selected.

3. Click Apply to apply your changes to the running configuration.

4. Click Save to save your settings permanently.
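How the security names, groups and views configured above combine with an access policy (the next procedure) to decide a v1/v2c read, including the precedence of the read-only community string. This is an added model, not Riverbed code; the community strings, addresses, names and the 99999 subtree are constructed, and longest-subtree matching and the No Auth requirement follow RFC 3415 as an assumption about the appliance.

```python
import ipaddress
from dataclasses import dataclass, field


def parse_oid(text):
    """Turn '.1.3.6.1.4.1' into (1, 3, 6, 1, 4, 1)."""
    return tuple(int(part) for part in text.strip(".").split("."))


@dataclass
class SnmpAcl:
    # Security name -> (community string, "address/mask bits"); v1 and v2c only.
    security_names: dict = field(default_factory=dict)
    # Group name -> set of (security model, security name) pairs.
    groups: dict = field(default_factory=dict)
    # View name -> (included subtrees, excluded subtrees).
    views: dict = field(default_factory=dict)
    # Access policies as (group name, security level, read view name).
    policies: list = field(default_factory=list)
    # Read-only community string from the SNMP Basic page; None once deleted.
    read_only_community: str = None

    def view_allows(self, view_name, oid):
        """Longest matching subtree decides; an OID matching nothing is excluded."""
        includes, excludes = self.views[view_name]
        target = parse_oid(oid)
        best_len, allowed = -1, False
        rules = [(s, True) for s in includes] + [(s, False) for s in excludes]
        for subtree, verdict in rules:
            root = parse_oid(subtree)
            if target[:len(root)] != root:
                continue
            # A longer subtree is more specific; on a tie the exclude wins.
            if len(root) > best_len or (len(root) == best_len and not verdict):
                best_len, allowed = len(root), verdict
        return allowed

    def can_read(self, model, community, source_ip, oid):
        """Decide a v1/v2c get for `oid` sent with `community` from `source_ip`."""
        # The read-only community string takes precedence over every security
        # name: entire MIB tree, any source host.
        if (self.read_only_community is not None
                and community == self.read_only_community):
            return True
        addr = ipaddress.ip_address(source_ip)
        names = {
            name for name, (comm, network) in self.security_names.items()
            if comm == community and addr in ipaddress.ip_network(network)
        }
        for group, level, read_view in self.policies:
            # Community-based requests carry no authentication, so only a
            # No Auth policy can apply to them (assumption, per RFC 3415).
            if level != "noauth":
                continue
            members = self.groups.get(group, set())
            if any((model, name) in members for name in names):
                if self.view_allows(read_view, oid):
                    return True
        return False


def build_example(read_only_community=None):
    """Constructed configuration: one NMS subnet, one group, one view, one policy."""
    return SnmpAcl(
        security_names={"nms-ro": ("Examp1eStr1ng", "192.0.2.0/24")},
        groups={"monitoring": {("v2c", "nms-ro")}},
        views={"enterprise": ([".1.3.6.1.4.1"], [".1.3.6.1.4.1.99999.2"])},
        policies=[("monitoring", "noauth", "enterprise")],
        read_only_community=read_only_community,
    )


if __name__ == "__main__":
    requests = [
        ("Examp1eStr1ng", "192.0.2.10", ".1.3.6.1.4.1.99999.1.1.0"),
        ("Examp1eStr1ng", "198.51.100.7", ".1.3.6.1.4.1.99999.1.1.0"),
        ("Examp1eStr1ng", "192.0.2.10", ".1.3.6.1.4.1.99999.2.5"),
        ("public", "198.51.100.7", ".1.3.6.1.2.1.1.1.0"),
    ]
    for label, acl in (("read-only string deleted", build_example()),
                       ("read-only string 'public'", build_example("public"))):
        print(label)
        for community, source, oid in requests:
            verdict = acl.can_read("v2c", community, source, oid)
            print(f"  {community:14} {source:13} {oid:26} -> {verdict}")
```

The last request is the one to look at: it is refused while the read-only community string is deleted and allowed from any host once that string is set, regardless of the security name, group and view.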

To add an access policy

1. Choose Configure > System Settings > SNMP ACLs to display the SNMP ACLs page.

Figure 3-9. SNMP ACLs Page

2. Under Access Policies, complete the configuration as described in this table.

Add a New Access Policy - Displays the controls to add a new access policy. A group and a view must be created before an access policy can be added.

Group Name - Select a group name from the drop-down list.

Security Level - Determines whether a single atomic message exchange is authenticated. Select one of the following from the drop-down list:
  No Auth - Does not authenticate packets and does not use privacy. This is the default setting.
  Auth - Authenticates packets but does not use privacy.
  AuthPriv - Authenticates packets using AES or DES to encrypt messages for privacy.
Note: A security level applies to a group, not to an individual user.

Read View - Select a view from the drop-down list.

Add - Adds the policy to the policy list.

Remove Selected - Select the check box next to the name and click Remove Selected.

3. Click Apply to apply your changes to the running configuration.

4. Click Save to save your settings permanently.

Configuring Email Settings

You can set email notification parameters for events and failures in the Configure > System Settings > Email page. By default, email addresses are not specified for event and failure notification.

To set event and failure email notification

1. Choose Configure > System Settings > Email to display the Email page.

Figure 3-10. Email Page

2. Under Email Notification, complete the configuration as described in this table.

SMTP Server - Specify the SMTP server. You must have external DNS and external access for SMTP traffic for this feature to function.
Note: Make sure that you provide a valid SMTP server to ensure that the users you specify receive email notifications for events and failures.

SMTP Port - Specify the port number for the SMTP server.

Report Events via Email - Specify this option to report alarm events through email. Specify a list of email addresses to receive the notification messages. Separate addresses by spaces, semicolons, commas, or vertical bars. The following alarms are events: CPU utilization (rising threshold, reset threshold) Temperature (rising threshold, reset threshold) Network interface link errors Hardware error Fan error Flash error IPMI Memory error Power supply Licensing Memory error Endpoint NFS Secure vault System disk full Expiring SSL certificates Disk error

Override Default Sender's Address - Specify this option to configure the SMTP protocol for outgoing server messages for errors or events. Specify a list of email addresses to receive the notification messages. Separate addresses by commas. You can also configure the outgoing email address sent to the client recipients. The default outgoing address is do-not-reply@hostname.domain. If you do not specify a domain, the default outgoing email is do-not-reply@hostname. You can configure the host and domain settings in the Configure > Networking > Host Settings page.

Report Failures to Technical Support - Specify this option to report serious failures such as system crashes to Riverbed Support. Riverbed recommends that you activate this feature so that problems are promptly corrected.
Note: This option does not automatically report a disk drive failure. In the event of a disk drive failure, contact Riverbed Support at https://support.riverbed.com

3. Click Apply to apply your changes to the running configuration.

4. Click Save to save your settings permanently.

Related Topic: Configuring Alarm Settings

Configuring Log Settings

You set up local and remote logging in the Configure > System Settings > Logging page.

By default, the system rotates each log file every 24 hours or if the file size reaches one gigabyte uncompressed. You can change this to rotate every week or month and you can rotate the files based on file size.

The automatic rotation of system logs deletes your oldest log file, labeled as Archived log #10, pushes the current log to Archived log #1, and starts a new current-day log file.

To set up logging

1. Choose Configure > System Settings > Logging to display the Logging page.

Figure 3-11. Log Settings Page

2. Under Logging Configuration, complete the configuration as described in this table.

Minimum Severity - Select the minimum severity level for the system log messages. The log contains all messages with this severity level or higher. Select one of these levels from the drop-down list:
  Emergency - Emergency, the system is unusable.
  Alert - Action must be taken immediately.
  Critical - Conditions that affect the functionality of the SteelHead.
  Error - Conditions that probably affect the functionality of the SteelHead.
  Warning - Conditions that could affect the functionality of the SteelHead, such as authentication failures.
  Notice - Normal but significant conditions, such as a configuration change. This is the default setting.
  Info - Informational messages that provide general information about system operations.
Note: This control applies to the system log only. It does not apply to the user log.

Maximum Number of Log Files - Specify the maximum number of logs to store. The default value is 10.

Lines Per Log Page - Specify the number of lines per log page. The default value is 100.

Rotate Based On - Specifies the rotation option:
  Time - Select Day, Week, or Month from the drop-down list. The default setting is Day.
  Disk Space - Specify how much disk space, in megabytes, the log uses before it rotates. The default value is 16 MB.
Note: The log file size is checked at 10-minute intervals. If there is an unusually large amount of logging activity, it is possible for a log file to grow larger than the set disk space limit in that period of time.

3. To rotate the logs manually, under Log Actions, click Rotate Logs. After the logs are rotated, this message appears:

  logs have been successfully rotated

When you click Rotate Logs, your archived file #1 contains data for a partial day because you are writing a new log before the current 24-hour period is complete.

4. Click Apply to apply your changes to the running configuration.

5. Click Save to save your settings permanently.

To add or remove a log server

1. To add or remove a log server, complete the configuration as described in this table.

Add a New Log Server - Displays the controls for configuring new log servers.

Server IP - Specify the server IP address.

Minimum Severity - Select the minimum severity level for the log messages. The log contains all messages with this severity level or higher. Select one of these levels from the drop-down list:
  Emergency - Emergency, the system is unusable.
  Alert - Action must be taken immediately.
  Critical - Conditions that affect the functionality of the Steelhead appliance.
  Error - Conditions that probably affect the functionality of the Steelhead appliance.
  Warning - Conditions that could affect the functionality of the Steelhead appliance, such as authentication failures.
  Notice - Normal but significant conditions, such as a configuration change. This is the default setting.
  Info - Informational messages that provide general information about system operations.

Add - Adds the server to the list.

Remove Selected - Select the check box next to the name and click Remove Selected.

2. Click Apply to apply your changes to the running configuration.

3. Click Save to save your settings permanently.

Filtering Logs by Application or Process

You can filter a log by one or more applications or one or more processes. This is particularly useful when capturing data at a lower severity level, at which a Mobile Controller appliance might not be able to sustain the flow of logging data the service is committing to disk.

To filter a log

1. Choose Configure > System Settings > Logging to display the Logging page.

Figure 3-12. Filtering a Log

2. Under Per-Process Logging, complete the configuration as described in this table.

Add a New Process Logging Filter - Displays the controls for adding a process level logging filter.

Process - Select a process to include in the log from the drop-down list:
  alarmd - Alarm manager, which processes all alarms, including their thresholds and severity.
  cmcfc - CMC automatic registration utility.
  rgp - SCC connector, which handles SCC appliance communication.
  rgpd - SCC client daemon, the connection manager.
  cli - Command-line interface.
  mgmtd - Device control and management, which directs the entire device management system. It handles message passing between various management daemons, managing system configuration and general application of system configuration on the hardware underneath through the hald.
  hald - Hardware abstraction daemon, which handles access to the hardware.
  pm - Process manager, which handles launching of internal system daemons and keeps them running.
  sched - Process scheduler, which handles one-time scheduled events.
  statsd - Statistics collector, which handles queries, storage, and trending of system statistics.
  wdt - Watchdog timer, the motherboard watchdog daemon.
  webasd - Web application process, which handles the Web user interface.

Minimum Severity - Select the minimum severity level for the log messages. The log contains all messages with this severity level or higher. Select one of the following levels from the drop-down list:
  Emergency - Emergency; the system is unusable.
  Alert - Action must be taken immediately.
  Critical - Conditions that affect the functionality of the Mobile Controller.
  Error - Conditions that probably affect the functionality of the Mobile Controller.
  Warning - Conditions that could affect the functionality of the Mobile Controller, such as authentication failures.
  Notice - Normal but significant conditions, such as a configuration change. This is the default setting.
  Info - Informational messages that provide general information about system operations.

Add - Adds the filter to the list. The process now logs at the selected severity and higher level.

Remove Selected - Select the check box next to the name and click Remove Selected to remove the filter.

3. Click Apply to apply your changes to the running configuration.

4. Click Save to save your settings permanently.

Configuring Advanced Settings

You configure the Mobile Controller service port and Endpoint Report settings in the Configure > System Settings > Advanced Settings page. You can also view and manage network adapters on this page.

To configure the service port and Endpoint Report settings, and to manage adapters

1. Choose Configure > System Settings > Advanced Settings to display the Advanced Settings page.

Figure 3-13. Advanced Settings Page

2. Complete the configuration as described in this table.

SteelCentral Controller for SteelHead Mobile Service Port - Specify a port number for the Mobile Controller service port, or leave the default value of 7870.
Caution: Do not modify the service port setting until after you deploy the SteelHead Mobile Client that connects to this Mobile Controller. This modification changes the port on which the Mobile Controller listens for incoming SteelHead Mobile connections. If you change this setting, SteelHead Mobiles trying to connect to the Mobile Controller on the old port are disconnected.

Remove Inactive Endpoints After - From the drop-down list, select a period of time after which the SteelHead Mobile information for the Endpoint report is removed from the Management Console:
  1 Day
  1 Week
  1 Month
  3 Months

Adapter List Settings - This area displays the existing network adapters in the current configuration. Use the controls to work with adapters. You can modify existing adapters or add a new one. Select one or more adapters and:
  Click Enable/Disable to toggle on or off the selected adapters.
  Click Remove Selected Adapters to delete.
  Click Add New Adapter to specify a new one.

3. Click Apply to apply your changes to the running configuration.

4. Click Save to save your settings permanently.


CHAPTER 4 Configuring Security Settings

This chapter describes how to configure Mobile Controller security features. It includes the following sections:

Configuring General Security Settings
Viewing Permissions
Managing User Permissions
Setting RADIUS Servers
Configuring TACACS+ Access
Unlocking the Secure Vault
Configuring Web Settings

To use this chapter, you must know how to install, configure, and manage WAN optimization using the SteelHead. For details about the SteelHead, see the SteelHead Installation and Configuration Guide, the SteelHead Management Console User's Guide, and the SteelHead Deployment Guide.

Configuring General Security Settings

You can prioritize local, RADIUS, and TACACS+ authentication methods for the system and set the authorization policy and default user for RADIUS and TACACS+ authorization systems in the Configure > Security > General Security Settings page.

Note: Make sure to put the authentication methods in the order in which you want authentication to occur. If authorization fails on the first method, the next method is attempted, and so on, until all of the methods have been attempted.

Note: To set TACACS+ authorization levels (admin or read-only) to allow certain members of a group to log in, add the following attribute to users on the TACACS+ server:

  service = rbt-exec { local-user-name = monitor }

where you replace monitor with admin for write access.

For details on setting up RADIUS and TACACS+ servers, see the SteelHead Deployment Guide.

To set general security settings

1. Choose Configure > Security > General Security Settings to display the General Security Settings page.

Figure 4-1. General Security Settings Page

2. Under Authentication Methods, complete the configuration as described in this table.

Authentication Methods - Specifies the authentication method. Select an authentication method from the drop-down list. The methods are listed in the order in which they occur. If authorization fails on the first method, the next method is attempted, and so on, until all of the methods have been attempted.

For RADIUS/TACACS+, fallback only when servers are unavailable - Specifies that the SteelHead falls back to a RADIUS or TACACS+ server only when all other servers do not respond. This is the default setting. When this feature is disabled, the SteelHead does not fall back to the RADIUS or TACACS+ servers. If it exhausts the other servers and does not get a response, it returns a server failure.

Authorization Policy - Appears only for some Authentication Methods. Optionally, select one of these policies from the drop-down list:
  Remote First - Check the remote server first for an authentication policy, and only check locally if the remote server does not have one set. This is the default behavior.
  Remote Only - Only checks the remote server.
  Local Only - Only checks the local server. All remote users are mapped to the user specified. Any vendor attributes received by an authentication server are ignored.

3. Click Apply to apply your changes to the running configuration.

4. Click Save to save your settings permanently.

Viewing Permissions

You can display your system permissions and add or change your login password in the Configure > My Account page.

To display system permissions

1. Choose Configure > My Account to display the My Account page.

Figure 4-2. My Account Page

2. Under Password, complete the configuration as described in this table.

Change Password - Allows you to add or change your login password.

New Password/Confirm New Password - Specify a password in the text box. Retype the password in the Confirm New Password text box.

Old Password - (Appears when password policy is enabled and the Minimum Character Difference Between Passwords value is greater than 0.) Non-administrators must specify the old password. Administrators are never required to enter an old password when changing an account password.

3. Click Apply to apply your changes to the running configuration.

The permissions list displays the roles and permissions assigned to your username.

Note: For details on setting user permissions, see Managing User Permissions.

Managing User Permissions

You can change the administrator or monitor passwords and define role-based users in the Configure > Security > User Permissions page.

Capability-Based Accounts

The system provides two user account options, based on what actions the user can take:

Admin - The administrator user has full privileges. For example, as an administrator you can set and modify configuration settings, add and delete users, restart the SteelCentral Controller for SteelHead Mobile service, reboot the Mobile Controller, and create and view performance and system reports.

Monitor - A monitor user can view reports, user logs, and change their password. A monitor user cannot make configuration changes, modify private keys, view logs, or manage cryptographic modules in the system.

Role-Based Accounts

You can also create users, assign passwords to the user, and assign varying configuration roles to the user. A user role determines whether the user has permission to:

Read-only - With read-only privileges, the user can view current configuration settings but cannot change them.

Read/Write - With read and write privileges, the user can view settings and make configuration changes for a feature.

Deny - With deny privileges, the user cannot view settings or save configuration changes for a feature.

Available menu items reflect the privileges of the user. For example, any menu items that a user does not have permission to use are unavailable. When a user selects an unavailable link, the User Permissions page appears.

To configure user permissions

1. Choose Configure > Security > User Permissions to display the User Permissions page.

Figure 4-3. User Permissions Page

2. Under Capability-Based Accounts, complete the configuration as described in this table.

admin/monitor - Click the magnifying glass to change the administrator or monitor password and to display the controls for modifying the capability-based accounts.
  Clear Login Failure Details - Clears the detailed information about login failures.
  Change Password - Enables password protection. Mobile Controller 4.7 and later includes an account control feature that allows you to select a password policy for more security. When you enable account control on the Configure > Security > Password Policy page, a user must use a password. When a user has a null password to start with, the administrator can still set the user password with account control enabled. However, once the user or administrator changes the password, it cannot be reset to null as long as account control is enabled.
  New Password - Specify a password in the text box.
  New Password Confirm - Retype the new administrator password.
  Enable Account - Select to enable or clear to disable the administrator or monitor account.

3. Click Apply to apply your changes to the running configuration.

Note: A role-based account cannot modify another role-based or capability account.

4. Under Role-Based Accounts, complete the configuration as described in this table.

Add a New User - Click to display the controls for creating a new role-based account.

Account Name - Specify a name for the role-based account.

Password - Specify a password in the text box.

New Password Confirm - Retype the password to confirm.

Enable Account - Select the check box to enable the new role-based account.

General Settings - Configures per-source IP connection limit and the maximum connection pooling size.

Network Settings - Configures host and network interface settings, including DNS cache settings and hardware assist rules.

Security Settings - Configures security settings, including RADIUS and TACACS authentication settings and the secure vault password.

Policy/Package/Assignment Settings - Configures policy, package, and assignment settings.

Diagnostic Reports Settings - Customizes system diagnostic reports, including system and user log settings. It does not include TCP dumps.

Endpoint Reports Settings - Configures endpoint client report settings.

SSL Settings - Configures SSL support and the secure inner channel.

Cluster Settings - Configures Mobile Controller cluster settings.

Add - Adds your settings to the system.

Remove Selected Users - Click to remove the selected users.

5. Click Save to save your settings permanently.

Setting RADIUS Servers

You set up RADIUS server authentication in the Configure > Security > RADIUS page.

RADIUS is an access control protocol that uses a challenge and response method for authenticating users. Setting up RADIUS server authentication is optional.

You can prioritize local, RADIUS, and TACACS+ authentication methods for the system and set the authorization policy and default user for RADIUS and TACACS+ authorization systems in the Configure > Security > General Security Settings page.

For details on setting up RADIUS and TACACS+ servers, see the SteelHead Deployment Guide.

To set RADIUS server authentication

1. Choose Configure > Security > RADIUS to display the RADIUS page.

Figure 4-4. RADIUS Page

2. Under Default RADIUS Settings, complete the configuration as described in this table.

Set a Global Default Key - Enables a global server key for the RADIUS server.

Global Key - Specify the global server key.

Confirm Global Key - Confirm the global server key.

Timeout - Specify the time-out period in seconds (1-60). The default value is 3.

Retries - Specify the number of times you want to allow the user to retry authentication. The default value is 1.

3. Click Apply to apply your changes to the running configuration.

4. To add a new RADIUS server, complete the configuration as described in this table.

Add a RADIUS Server - Displays the controls for defining a new RADIUS server.

Hostname or IP Address - Specify the hostname or server IP address. RiOS does not support IPv6 server IP addresses.

Authentication Port - Specify the port for the server.

Authentication Type - Select one of these authentication types:
  PAP - Password Authentication Protocol (PAP), which validates users before allowing them access to the RADIUS server resources. PAP is the most flexible protocol but is less secure than CHAP.
  CHAP - Challenge-Handshake Authentication Protocol (CHAP), which provides better security than PAP. CHAP validates the identity of remote clients by periodically verifying the identity of the client using a three-way handshake. This validation happens at the time of establishing the initial link and might happen again at any time. CHAP bases verification on a user password and transmits an MD5 sum of the password from the client to the server.

Override the Global Default Key - Overrides the global server key for the server.
  Server Key - Specify the override server key.
  Confirm Server Key - Confirm the override server key.

Timeout - Specify the time-out period in seconds (1 to 60). The default value is 3.

Retries - Specify the number of times you want to allow the user to retry authentication. Valid values are from 0 to 5. The default value is 1.

Enabled - Enables the new server.

Add - Adds the RADIUS server to the list.

Remove Selected - Select the check box next to the name and click Remove Selected.

5. If you add a new server to your network and you do not specify these values at that time, the global settings are applied automatically.

6. Click Save to save your settings permanently.

Note: To modify RADIUS server settings, click the server IP address in the list of Radius Servers. Use the Status drop-down list to enable or disable a server in the list.

Related Topic: Configuring General Security Settings

Configuring TACACS+ Access

You set up TACACS+ server authentication in the Configure > Security > TACACS+ page.

TACACS+ is an authentication protocol that allows a remote access server to forward a login password for a user to an authentication server to determine whether access is allowed to a given system.

Enabling this feature is optional.

You can prioritize local, RADIUS, and TACACS+ authentication methods for the system and set the authorization policy and default user for RADIUS and TACACS+ authorization systems in the Configure > Security > General Security Settings page.

For details on configuring RADIUS and TACACS+ servers to accept login requests from the Mobile Controller, see the SteelHead Deployment Guide.

To set a TACACS+ server

1. Choose Configure > Security > TACACS+ to display the TACACS+ page.

Figure 4-5. TACACS+ Page

2. Under Default TACACS+ Settings, complete the configuration as described in this table.

Set a Global Default Key - Enables a global server key for the server.

Global Key - Specify the global server key.

Confirm Global Key - Confirms the global server key.

Timeout - Specify the time-out period in seconds (1 to 60). The default value is 3.

Retries - Specify the number of times you want to allow the user to retry authentication. Valid values are from 0 to 5. The default is 1.

3. Click Apply to apply your changes to the running configuration.

4. To add or remove a TACACS+ server, complete the configuration as described in this table.

Add a TACACS+ Server - Displays the controls for defining a new TACACS+ server.

Hostname or IP Address - Specify the hostname or server IP address.

Authentication Port - Specify the port for the server. The default value is 49.

Authentication Type - Select either PAP or ASCII as the authentication type. The default value is PAP.

Override the Global Default Key - Specify this option to override the global server key for the server.

Server Key - Specify the override server key.

Confirm Server Key - Confirm the override server key.

Timeout - Specify the time-out period in seconds (1 to 60). The default is 3.

Retries - Specify the number of times you want to allow the user to retry authentication. Valid values are from 0 to 5. The default is 1.

Enabled - Enables the new server.

Add - Adds the TACACS+ server to the list.

Remove Selected - Select the check box next to the name and click Remove Selected.

5. If you add a new server to your network and you do not specify these values, the system automatically applies the default settings.

6. Click Save to save your settings permanently.

Related Topic: Configuring General Security Settings
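What the PAP and CHAP authentication types offered on the RADIUS page put on the wire, and where the server key comes in, following RFC 2865 (User-Password hiding) and RFC 1994 (CHAP response). This is an added example, not Riverbed code; the password, server key, request authenticator and challenge are constructed values.

```python
import hashlib
import hmac

# Constructed sample values, for illustration only.
PASSWORD = b"constructed-passphrase-01"
SERVER_KEY = b"constructed-server-key"        # the "Global Key" / "Server Key"
REQUEST_AUTHENTICATOR = bytes(range(16))       # 16 bytes, random per request in practice
CHALLENGE = bytes(range(16, 32))               # CHAP challenge, random in practice


def _xor(left, right):
    return bytes(a ^ b for a, b in zip(left, right))


def pap_hide(password, server_key, request_authenticator):
    """PAP over RADIUS: the password is sent, masked with MD5(server key + ...).

    RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(server key + previous ciphertext block), starting from the
    request authenticator.
    """
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    hidden, previous = b"", request_authenticator
    for offset in range(0, padded_len, 16):
        mask = hashlib.md5(server_key + previous).digest()
        previous = _xor(padded[offset:offset + 16], mask)
        hidden += previous
    return hidden


def pap_unhide(hidden, server_key, request_authenticator):
    """The server side of PAP: the same server key removes the mask."""
    clear, previous = b"", request_authenticator
    for offset in range(0, len(hidden), 16):
        mask = hashlib.md5(server_key + previous).digest()
        clear += _xor(hidden[offset:offset + 16], mask)
        previous = hidden[offset:offset + 16]
    return clear.rstrip(b"\x00")


def chap_response(chap_id, password, challenge):
    """CHAP: only MD5(identifier + password + challenge) is sent (RFC 1994)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_verify(chap_id, stored_password, challenge, response):
    """The server recomputes the digest from its own copy of the password."""
    expected = chap_response(chap_id, stored_password, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    hidden = pap_hide(PASSWORD, SERVER_KEY, REQUEST_AUTHENTICATOR)
    print("PAP  attribute :", hidden.hex())
    print("PAP  recovered :", pap_unhide(hidden, SERVER_KEY, REQUEST_AUTHENTICATOR))
    response = chap_response(7, PASSWORD, CHALLENGE)
    print("CHAP response  :", response.hex())
    print("CHAP verified  :", chap_verify(7, PASSWORD, CHALLENGE, response))
```

With PAP the password's confidentiality in transit rests entirely on the server key, so that key deserves the same care as the passwords it protects. With CHAP the digest is bound to one challenge and the password itself is not transmitted.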

Unlocking the Secure Vault

You can unlock and change the password for the secure vault in the Configure > Security > Secure Vault page.

The secure vault contains sensitive information from your Mobile Controller configuration, including SSL private keys. These configuration settings are encrypted on the disk at all times, using AES 256-bit encryption.

Initially the secure vault is keyed with a default password known only to the Mobile Controller software. This allows the Mobile Controller to automatically unlock the vault during system startup. You can change the password, but when you do, the secure vault does not automatically unlock on startup. To optimize SSL connections, the secure vault must be unlocked.

To unlock or change the password of the secure vault

1. Choose Configure > Security > Secure Vault to display the Secure Vault page.

Figure 4-6. Secure Vault Page

2. Under Unlock Secure Vault, complete the configuration as described in this table.

Password - Specify a password and click Unlock Secure Vault. Initially the secure vault is keyed with a default password known only to the SteelCentral Controller for SteelHead Mobile software. This allows the Mobile Controller to automatically unlock the vault during system startup. You can change the password, but the secure vault does not automatically unlock on startup. To optimize SSL connections, you must unlock the secure vault.

Unlock Secure Vault - Unlocks the vault.

3. Under Change Secure Vault Password, complete the configuration as described in this table.

Current Password - Specify the current password. If you are changing the default password that ships with the product, leave the text box blank.

New Password - Specify a new password for the secure vault.

New Password Confirm - Confirm the new password for the secure vault.

Change Password - Changes the password for the secure vault.

4. Click Save to save your settings permanently.

Related Topic: Configuring General Security Settings

Configuring Web Settings

You can modify Management Console Web user interface and certificate settings in the Configure > Security > Web Settings page.

To modify Web settings

1. Choose Configure > Security > Web Settings to display the Web Settings page.

Figure 4-7. Web Settings Page

2. Under Web Settings, complete the configuration as described in this table.

Default Web Login ID - Specify the username that appears in the authentication page. The default value is admin.
Web Inactivity Timeout - Specify the number of idle minutes before time-out. The default value is 15. A value of 0 disables time-out.
Allow Session Timeouts When Viewing Auto-Refreshing Pages - By default, session time-out is enabled, which stops the automatic updating of the report pages when the session times out. Clear the Allow box to disable the session time-out, remain logged-in indefinitely, and automatically refresh the report pages. Note: Disabling this feature poses a security risk.

3. Click Apply to apply your changes to the running configuration.

4. Click Save to save your settings permanently.

Managing Web SSL Certificates

SteelCentral Controller for SteelHead Mobile provides the following additional security features to manage SSL certificates used by the Management Console Web user interface using HTTPS.

* Generate the certificate and key pairs on the Mobile Controller. This overwrites the existing certificate and key pair, regardless of whether the previous certificate and key pair was self-signed or user added. The new self-signed certificate lasts for one year (365 days).
* Create certificate signing requests from the certificate and key pairs.
* Replace a signed certificate with one created by an administrator or generated by a third-party certificate authority.

Note: The Web certificate applies only to connections made to the HTTP and HTTPS services of the Mobile Controller and is not used for connections between the SteelHead Mobiles and the Mobile Controller.

To modify Web certificates

1. Choose Configure > Security > Web Settings to display the Web Settings page.

2. Under Web Certificate, select the Details tab. The Mobile Controller identity certificate details appear, as described in this table.

Issued To/Issued By
  Common Name - Specifies the common name of the certificate authority.
  Organization - Specifies the organization name (for example, the company).
  Organization Unit - Specifies the organization unit name (for example, section or department).
  Locality - Specifies the city.
  State - Specifies the state.
  Country - Specifies the country.
  Serial Number - Specifies the serial number (Issued To, only).
Validity
  Issued On - Specifies the date the certificate was issued.
  Expires On - Specifies the date the certificate expires.
Fingerprint - Specifies the SSL fingerprint.
Key
  Type - Specifies the key type.
  Size - Specifies the size in bytes.

3. To replace an existing certificate, under Web Certificate, select the Replace tab and complete the configuration as described in this table.

Import Certificate and Private Key - Imports the certificate and key. The page displays controls for browsing to and uploading the certificate and key files. Or, you can use the text box to copy and paste a PEM file. The private key is required regardless of whether you are adding or updating the certificate.
Certificate
  Upload - Browse to the local file in PKCS-12, PEM, or DER formats.
  Paste it here (PEM) - Copy and then paste the contents of a PEM file.
Private Key - Select the private key origin.
  The Private Key is in a separate file (see below) - you can either upload it or copy and paste it.
  This file includes the Certificate and Private Key
  The Private Key for this Certificate was created with a CSR generated on this appliance.
Separate Private Key
  Upload (PEM or DER formats) - Browse to the local file in PEM or DER formats.
  Paste it here (PEM only) - Paste the contents of a PEM file.
  Decryption Password - Specify the decryption password, if necessary. Passwords are required for PKCS-12 files, optional for PEM files, and never needed for DER files.

4. To generate a CSR, under Web Certificate, select the Generate CSR tab and complete the configuration as described in this table.

Common Name - Specify the common name (hostname).
Organization Name - Specify the organization name (for example, the company).
Organization Unit Name - Specify the organization unit name (for example, the section or department).
Locality - Specify the city.
State - Specify the state. Do not abbreviate.
Country - Specify the country (2-letter code only).
Email Address - Specify the email address of the contact person.
Generate CSR - Generates the Certificate Signing Request.

5. Click Apply to apply your changes to the running configuration.

6. Click Save to save your settings permanently.
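The Replace tab accepts PKCS-12, PEM, or DER files and asks for a key origin and, sometimes, a decryption password. The following Python pre-flight check is an added example (not Riverbed code) that classifies the files before upload and reports which Private Key option and password requirement apply. The DER and PKCS-12 detection is a first-bytes heuristic, the function names are hypothetical, and the sample inputs are constructed placeholders rather than real certificates or keys.

```python
import re

# PEM armor: the label between the BEGIN/END markers identifies the content.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "DSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Option texts as they appear in the Replace tab table.
OPT_SAME_FILE = "This file includes the Certificate and Private Key"
OPT_SEPARATE = "The Private Key is in a separate file"
OPT_CSR = ("The Private Key for this Certificate was created with a CSR "
           "generated on this appliance")


def first_inner_element(data: bytes):
    """Return (tag, one-byte value or None) of the first element inside the
    outer DER SEQUENCE, or None if the data does not start with a SEQUENCE."""
    if len(data) < 4 or data[0] != 0x30:
        return None
    pos = 2 + (data[1] & 0x7F if data[1] & 0x80 else 0)  # skip long-form length
    if pos + 2 >= len(data):
        return None
    tag, length = data[pos], data[pos + 1]
    return tag, (data[pos + 2] if length == 1 else None)


def describe(fmt, certificate, private_key, password):
    return {"format": fmt, "certificate": certificate,
            "private_key": private_key, "password": password}


def classify(data: bytes) -> dict:
    """Container format, contents and password need of one file."""
    blocks = PEM_BLOCK.findall(data.decode("ascii", errors="ignore"))
    if blocks:
        # PKCS#8 encrypted label, or the legacy Proc-Type header in the body.
        encrypted = any(label == "ENCRYPTED PRIVATE KEY"
                        or "Proc-Type: 4,ENCRYPTED" in body
                        for label, body in blocks)
        return describe("PEM",
                        any(label == "CERTIFICATE" for label, _ in blocks),
                        any(label in KEY_LABELS for label, _ in blocks),
                        encrypted)
    inner = first_inner_element(data)
    if inner == (0x02, 3):
        # PFX version 3. Contents cannot be read without the password;
        # assumption: the bundle holds both certificate and key.
        return describe("PKCS-12", True, True, True)
    if inner in ((0x02, 0), (0x02, 1)):
        # Version INTEGER that opens an unencrypted PKCS#1/PKCS#8/SEC1 key.
        return describe("DER", False, True, False)
    if inner and inner[0] == 0x30:
        # A certificate opens with the nested tbsCertificate SEQUENCE.
        return describe("DER", True, False, False)
    return describe("unknown", False, False, False)


def replace_tab_plan(cert_upload: bytes, key_upload: bytes = None) -> dict:
    """Which Private Key option to select and whether a password is needed."""
    cert = classify(cert_upload)
    if not cert["certificate"]:
        raise ValueError("no certificate found in the certificate upload")
    if cert["private_key"]:
        return {"key_origin": OPT_SAME_FILE, "format": cert["format"],
                "decryption_password": cert["password"]}
    if key_upload is None:
        # Only valid if the CSR really was generated on this appliance.
        return {"key_origin": OPT_CSR, "format": cert["format"],
                "decryption_password": False}
    key = classify(key_upload)
    if key["format"] not in ("PEM", "DER") or not key["private_key"]:
        raise ValueError("separate private key must be a PEM or DER key file")
    return {"key_origin": OPT_SEPARATE, "format": cert["format"],
            "decryption_password": key["password"]}


# Constructed samples: armor and leading bytes only, no real key material.
SAMPLE_PEM_CERT = (b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
                   b"-----END CERTIFICATE-----\n")
SAMPLE_PEM_ENC_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                      b"Proc-Type: 4,ENCRYPTED\n"
                      b"DEK-Info: AES-256-CBC,00000000000000000000000000000000\n"
                      b"\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_DER_CERT = bytes.fromhex("30820300308202e8a003")
SAMPLE_DER_KEY = bytes.fromhex("308204a40201003082")
SAMPLE_P12 = bytes.fromhex("30820a00020103308209")

if __name__ == "__main__":
    print(replace_tab_plan(SAMPLE_PEM_CERT + SAMPLE_PEM_ENC_KEY))
    print(replace_tab_plan(SAMPLE_PEM_CERT, SAMPLE_DER_KEY))
    print(replace_tab_plan(SAMPLE_P12))
```

Running the check on the workstation that holds the files also shows when a private key sits unencrypted on disk, since those are the cases where no decryption password is reported.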

CHAPTER 5 Managing Mobile Controllers

This chapter describes the tasks you perform for routine management of the Mobile Controller. It includes the following sections:

* Configuring Scheduled Jobs on page 75
* Managing Licenses on page 76
* Upgrading Your Software on page 78
* Rebooting and Shutting Down the Mobile Controller on page 80
* Configuring Mobile Controller Clusters on page 81
* Managing Configurations on page 85

To use this chapter, you must know how to install, configure, and manage WAN optimization using the SteelHead. For details about the SteelHead, see the SteelHead Installation and Configuration Guide, the SteelHead Management Console User's Guide, and the SteelHead Deployment Guide.

Configuring Scheduled Jobs

You can view completed, pending, and inactive jobs as well as jobs that were not completed because of an error in the Configure > Maintenance > Scheduled Jobs page. You can also delete a job, change its status, or modify its properties.

Jobs are commands that are scheduled to run at a time you specify.

You can use the Management Console to:

* schedule a software upgrade.
* generate multiple TCP dumps on a specific date and time.

To schedule all other jobs, you must use the Riverbed CLI. For details on scheduling jobs using the CLI, see the Riverbed Command-Line Interface Reference Manual.

To configure scheduled jobs

1. Choose Configure > Maintenance > Scheduled Jobs to display the Scheduled Jobs page.

Figure 5-1. Scheduled Jobs Page

2. Select the Job ID number to display details about the job.

3. Select Enabled or Disabled from the drop-down list to enable or disable the job.

4. Under Details for Job <#>, complete the configuration as described in this table.

Name - Specify a name for the job.
Comment - Specify a comment.
Interval (seconds) - Specify the number of seconds between job recurrences. Specify 0 to run the job one time only.
Executes on - Specify the start time and end time using the format YYYY/MM/DD HH:MM:SS.
Enable/Disable Job - Select the check box to enable the job, clear the check box to disable the job.
Apply Changes - Applies the changes to the current configuration.
Cancel/Remove This Job - Cancels and removes the job.
Execute Now - Runs the job.
Remove Selected Jobs - Select the check box next to the name and click Remove Selected Jobs.

5. Click Save to save your settings permanently.

Managing Licenses

After you purchase SteelCentral Controller for SteelHead Mobile, Riverbed Support emails you the license keys, which are required on the Licenses page. A single license key can contain more than 2000 licenses.

Licensing can affect how you configure your SteelCentral Controller for SteelHead Mobile deployment. The Mobile Controller comes with concurrent licenses. Concurrent licenses are not limited to specific users. Any of your users can utilize the licenses, provided that the number of connected users does not exceed the number of licenses that you purchased. SteelCentral Controller for SteelHead Mobile does not support the use of more than 4000 endpoint licenses at any one time.

You add or remove license keys in the Licenses page. The page always displays a list of active licenses.

Installing a License

This section describes how to request and fetch a license manually from the Riverbed license portal or install a license manually after receiving it from Riverbed Support or Sales.

Mobile Controller v4.0 and later simplifies license management by providing an automated way to fetch and activate licenses for Riverbed products. You no longer have to manually activate individual appliances and install the licenses.

Fetching a license is restricted for read-only users such as monitor and RBM users with read-only access for General Settings (permissions are granted on the Configure > Security > User Permissions page).

To install a license on a new Mobile Controller

* Connect a new Mobile Controller to the network. The Mobile Controller automatically contacts the Riverbed license portal and downloads the licenses. The Licensing page displays a success message, or the Alarm Status page reports an actionable error message.

To replace expired licenses

* Purchase new downloadable licenses to replace the expired license. At the time of the next scheduled automatic license fetch, the Mobile Controller automatically contacts the Riverbed license portal and downloads the new licenses. The Licensing page displays a success message, or the Alarm Status page reports an actionable error message.

To fetch a license on demand

1. Choose Configure > Maintenance > Licenses to display the Licenses page.

2. Click Fetch Updates Now. The Licensing page displays a success message, or the Alarm Status page reports an actionable error message.

To install a license

1. Choose Configure > Maintenance > Licenses to display the Licenses page.

Figure 5-2. Licenses Page

The Licenses page includes a table of licenses with a column showing the date and time the license was installed. The next column shows whether the installation was done manually or automatically.

2. Click Fetch Updates Now (below the license table) to update the status of the existing licenses. After you click the Fetch Updates Now button, a note displays the date and time of the last update. Normal update results appear in black, and any errors appear in red.

3. Complete the configuration as described in this table.

Add a New License - Displays the controls to add a new license.
Licenses Text Box - Copy and paste the license key provided by Riverbed Support or Sales into the text box. Note: Separate multiple license keys with a space, Tab, or Enter.
Add - Adds the license.
Fetch Updates Now - Contacts the Riverbed license portal and downloads all applicable licenses for the SteelHead.

4. Click Save to save your settings permanently.

Upgrading Your Software

You can upgrade or revert to a backup version of the software in the Configure > Maintenance > Software Upgrade page.

The bottom of the page displays the software version history of the SteelHead Mobile, which includes the version number and the software installation date.

To revert software version

1. Choose Configure > Maintenance > Software Upgrade to display the Software Upgrade page.

Figure 5-3. Software Upgrade Page

2. Under Software Upgrade, complete the configuration as described in this table.

Switch to Backup Version - Switches to the backup version on the next reboot.
Cancel Version Switch - Cancels the software version switch on the next reboot.

To upgrade software version

1. Choose Configure > Maintenance > Software Upgrade to display the Software Upgrade page.

2. Under Install Upgrade, complete the configuration as described in this table.

From URL - Select this option and specify the URL. Use one of the following formats:
  http://host/path/to/file
  https://host/path/to/file
  ftp://user:password@host/path/to/file
  scp://user:password@host/path/to/file
From Riverbed Support Site - Click this option and select the target release number from the drop-down list. The system uploads and installs the new image immediately after you click Install. To upload and install the image later, schedule another date or time before you click Install. Optionally, in SteelCentral 4.7 and later, you can download a delta image directly from the Riverbed Support site to the SteelHead appliance. The downloaded image includes only the incremental changes. The smaller file size means a faster download and less load on the network.
From Local File - Select this option and specify the path, or click Browse to go to the local file directory. If you specify a file to upload in the Local File text box, the image is uploaded immediately; however the image is installed and the system is rebooted at the time you specify.
Schedule Upgrade for Later - Schedules the upgrade process. Specify the date and time to run the upgrade: YYYY/MM/DD, HH:MM:SS.
Install - Click to install the software upgrade on your system, unless you schedule it for later. The software image can be quite large; uploading the image to the appliance and installing it can take a few minutes. Downloading a delta image directly from the Riverbed Support site is faster because the downloaded image includes only the incremental changes. As the upgrade progresses, status messages appear. After the installation is complete, the system reminds you to reboot the appliance to switch to the new version of the software.
Cancel - Cancels your changes.

3. Reboot the Mobile Controller. For details, see Rebooting and Shutting Down the Mobile Controller on page 80.
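The four From URL formats differ in what they expose: http and ftp carry the image (and, for ftp, the password) without transport encryption, and the ftp and scp formats embed a password in the URL itself. The following Python check is an added example (not Riverbed code, with hypothetical function names) that reviews a From URL value before it is entered or recorded and produces a redacted form suitable for change tickets and logs.

```python
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https", "ftp", "scp"}  # formats listed in the table
CLEARTEXT_SCHEMES = {"http", "ftp"}                # no transport encryption


def redact(parts) -> str:
    """Rebuild the URL with any password replaced by ***."""
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    try:
        port = parts.port
    except ValueError:                   # malformed port: leave it out
        port = None
    if port is not None:
        host += f":{port}"
    if parts.username is not None:
        secret = ":***" if parts.password is not None else ""
        host = f"{parts.username}{secret}@{host}"
    return urlunsplit((parts.scheme, host, parts.path,
                       parts.query, parts.fragment))


def review_upgrade_url(url: str) -> dict:
    """Return findings for one From URL value plus a log-safe rendering."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    findings = []
    if scheme not in ALLOWED_SCHEMES:
        findings.append("scheme is not one of the documented formats")
    if not parts.hostname or not parts.path.strip("/"):
        findings.append("host or file path missing")
    if scheme in CLEARTEXT_SCHEMES:
        findings.append("cleartext transport: image can be read or altered in transit")
    if parts.password is not None:
        findings.append("password embedded in URL: keep it out of tickets and logs")
        if scheme in CLEARTEXT_SCHEMES:
            findings.append("password is sent unencrypted")
    return {"scheme": scheme, "findings": findings, "redacted": redact(parts)}


if __name__ == "__main__":
    for sample in ("http://host/path/to/file",
                   "https://host/path/to/file",
                   "ftp://user:password@host/path/to/file",
                   "scp://user:password@host/path/to/file"):
        result = review_upgrade_url(sample)
        print(result["redacted"], result["findings"])
```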
Related Topic
* Configuring Scheduled Jobs on page 75

Rebooting and Shutting Down the Mobile Controller

You can reboot or shut down the system in the Configure > Maintenance > Reboot/Shutdown page.

To restart the system, you must manually turn on the Mobile Controller appliance.

To reboot or shut down the system

1. Choose Configure > Maintenance > Reboot/Shutdown to display the Reboot/Shutdown page.

Figure 5-4. Reboot/Shutdown Page

2. Click Reboot. After you click Reboot, you are logged out of the system and it is rebooted.

3. Click Shutdown to shut down the system. After you click Shutdown, the system turns off. To restart the system, you must manually turn on the Mobile Controller.

Configuring Mobile Controller Clusters

You can create a cluster, or join an existing cluster of two or more Mobile Controllers, on the Cluster page.

Mobile Controller clusters simplify the process of configuring Mobile Controllers for large deployments or high availability deployments with multiple Mobile Controllers. You can join two or more Mobile Controllers to provide a pool for available licenses. This means that the entire pool of available licenses remains available to SteelHead Mobiles, even if one Mobile Controller uses all of its installed licenses or one Mobile Controller fails.

SteelHead Mobiles can connect to any Mobile Controller in a cluster and have the same configuration and administrative experience. Clusters provide SteelHead Mobiles with the same experience regardless of the Mobile Controller to which they connect by synchronizing the policies and other configuration settings across a set of member Mobile Controllers.

You can configure cluster-wide settings on any member of the cluster, and these settings propagate across the cluster. However, node-specific settings must be configured locally on each Mobile Controller in the cluster.

Note: Peering certificates can be clustered, but the Signing CA and other settings under SSL are node-specific. Other node-specific settings include the Mobile Controller hostname and IP address.

Clustered Mobile Controllers pool their licenses, making the set of all base licenses available even if one or more Mobile Controllers in the cluster is not available. Although licenses are pooled between all members in a cluster, you must install base licenses on each Mobile Controller.

The Mobile Controller connects to a cluster in steps. First it sends a request to join the cluster to any existing cluster member. If accepted, it begins the process of joining a cluster. Settings of the Mobile Controller joining the cluster are deleted during the joining process, and the joining Mobile Controller synchronizes its configurations with that of the cluster. When the connection process finishes and synchronization is complete, the Mobile Controller is a member of the cluster.

Note: For clusters with more than three nodes, Riverbed recommends that you do not use extra-small Virtual Mobile Controllers (with 2 GB in the /data partition size).

You work with clusters on the Manage > Clusters page. This page shows the number of desktop licenses installed and in use.

Figure 5-5. Cluster Settings Page

Prerequisites

Before you can add a Mobile Controller to a cluster, you must complete the following prerequisites:

* Have a valid IP address for the Mobile Controller.
* Know the fully qualified domain name (FQDN) of the Mobile Controller.
* Be able to connect to the other members in the cluster.
* Have the same set of base licenses installed on all the members of the cluster: for example CIFS, MAPI, SSL, and so forth. For details on managing Mobile Controller licenses, see Managing Licenses on page 76.
* Ensure that SSL trust can be established between all Mobile Controllers in the cluster. Generally, this is done by sharing the Signing CA certificate of members of the cluster. Prior to joining the cluster, you can export the existing signing CA, including the private key for the Mobile Controller. For details on exporting signing CAs, see To export an existing certificate on page 96.
* Import the signing CA and private key of the other members of the cluster to the Mobile Controller. Prior to joining the cluster, you must replace (import) the existing signing CA, including the private key, for the Mobile Controllers in the cluster (One File in PEM or PKCS12 formats). For details on replacing (importing) existing signing CAs, see To replace a Mobile Controller signing CA on page 93.

Configuration Settings in Your Clusters

After you join a cluster, the configuration settings on your Mobile Controller are replaced by those shared in the cluster. When you change those settings on your Mobile Controller, those changes are made to the configuration of each Mobile Controller in the cluster. The following table lists the features that are shared by each Mobile Controller in the cluster.

Feature
Policies - All policy settings propagate throughout the cluster.
Packages - Packages created on any member Mobile Controller are available to all clients and Mobile Controllers in the cluster.
Assignments and Group Settings - All group assignments and settings propagate throughout the cluster.
Adapter List - List of available interfaces.
Endpoint Report - The Endpoint report for any cluster member shows all endpoints connected to the cluster. For detailed information about Endpoint reports, see Viewing Reports for Endpoints on page 151.
License Pooling - Base licenses must be installed on each Mobile Controller in the cluster. Cluster members share licenses.
Peering Certificates - Establishes a trust relationship for the SSL peering certificates of all Mobile Controllers in the cluster.
Port Labels - Port labels created on any member Mobile Controller are available to all clients and Mobile Controllers in the cluster.
Monitored Ports - Monitored port configuration settings made on any member Mobile Controller are applied to all clients and Mobile Controllers in the cluster.

To join a cluster

1. Choose Configure > Cluster to display the Cluster page.

2. Specify, in the Host name text box, the IP address or hostname of any Mobile Controller that is a member of the cluster.

3. Optionally, specify a port number.

4. Click Attach to join the cluster.

After your Mobile Controller has joined the cluster, the Attach button becomes the Detach button. To leave a cluster, click Detach.

You can remove any Mobile Controller in the cluster from any cluster member.

To remove a Mobile Controller from the cluster

1. Click the box next to any cluster member listed under Controllers in the cluster.

Figure 5-6. Remove from Cluster

2. Click Remove from cluster.

You can check the status of any cluster member in the Status column. The possible values for the Status column are defined in this table.

Status
Joining - The Mobile Controller is joining a cluster member.
Connecting - The Mobile Controller is connecting to a cluster member.
Connected, Syncing - The Mobile Controller is connected to a cluster member and is configuring its settings to match the cluster's settings.
Connected, Synced - The Mobile Controller is connected to a cluster member and has finished changing its settings to match the cluster's settings.
Disconnected - The Mobile Controller cannot connect with the specified cluster member.
Disconnected, Denied - The cluster member is actively denying connections to the local Mobile Controller.

Troubleshooting Cluster Connections

The following situations can cause your Mobile Controller to become disconnected from the cluster:

* The Mobile Controller that your Mobile Controller is connected to has become unreachable for some reason.
* The trust settings on your Mobile Controller or the peer to which you are connected have changed and no longer match. Check your SSL settings; see Configuring Mobile Controller Peering on page 89.

If your Mobile Controller is disconnected from the cluster, and attempts to reconnect are denied, detach and rejoin the cluster. For details, see Configuring Mobile Controller Clusters on page 81.

Make sure that you have your logs configured at Error level. Cluster error messages appear at this level. For details on filtering log messages, see Viewing and Downloading Logs on page 179.

Troubleshooting Mobile Controller Connectivity

The following topologies can cause problems with Mobile Controller connectivity:

* Firewalls between the endpoint and the Mobile Controller - To more easily manage the Mobile Controller, be sure to open the firewall to allow access to ports 22, 80, 443, and 7870. For more information about firewalls and firewall requirements, see the SteelCentral Controller for SteelHead Mobile Installation Guide.
* Mixed mode clustering - In this topology, the Mobile Controllers use different versions of the software. Mixed mode clustering can occur when not all the Mobile Controllers are updated to the latest software release. Making policy, configuration, and cluster changes in mixed mode can be challenging. Therefore, Riverbed recommends that all the Mobile Controllers be updated to the same version of the software.

For more information, see the Riverbed Knowledge Base for any known issues, how-to documents, system requirements, and common error messages. You can browse titles or search for keywords and strings. To access the Riverbed Knowledge Base, log in to the Riverbed Support site at https://support.riverbed.com.

License Pooling

In Mobile Controller clusters, licenses for all members are shared and available to each member of the cluster. Members of the cluster can check out licenses from the license pool in small batches and return them when no longer needed, such as when SteelHead Mobiles disconnect from the Mobile Controller or no longer require a license.

When the Mobile Controller fails, other members detect the failure and all licenses are returned to the free pool. The Mobile Controller checks out a new batch of licenses when it comes back up. Initially, by default, the Mobile Controller collects up to 100 licenses (if they are available), and then acquires more if needed. If no licenses are available when the Mobile Controller comes back online, it is not able to check out licenses until they are released from other Mobile Controllers.

Managing Configurations

You can save, activate, and import configurations in the Configure > Configurations page.

Each Mobile Controller has an active, running configuration and written, saved configurations.

When you apply your settings in the Mobile Controller, the values are applied to the active running configuration, but the values are not written to disk and saved permanently.

When you save your configuration settings, the values are written to disk and saved permanently.

Each time you save your configuration settings, they are written to the current running configuration, and a backup is created. For example, if the running configuration is myconfig and you save it, myconfig is backed up to myconfig.bak and myconfig is overwritten with the current configuration settings.

The Configuration Manager is a utility that enables you to save configurations as backups or active configuration backups.

To manage configurations

1. Choose Configure > Configurations to display the Configurations page.

Figure 5-7. Configurations Page

2. Use the controls to manage configurations as described in this table.

Current Configuration
  Save Configuration - To save settings that have been applied to the running configuration, click Save Configuration.
  Revert - To revert your settings to the running configuration, click Revert.
Save Current Configuration
  New Configuration Name - To save settings that have been applied to the running configuration as a new filename, type a name in the Name text box.
  Save - To save the current configuration name, click Save.
Configurations
  Remove Selected Configuration - To remove an entry from the list, select the check box next to the entry and click Remove Selected Configuration.
Change Active Configuration - To activate an alternative configuration, select a configuration in the list and click Activate. Note: Click the configuration name to display the configuration settings in a new browser window.

CHAPTER 6 Configuring SSL for Mobile Controllers

This chapter describes how to configure SSL support for the Mobile Controller. It includes the following sections:

* Configuring SSL for Mobile Controllers on page 87
* Configuring Mobile Controller Peering on page 89
* Modifying SSL Server Certificate Settings on page 90
* Configuring SSL Certificate Authorities on page 98
* Configuring SSL Bulk Import and Export on page 99

Configuring SSL for Mobile Controllers

Each Mobile Controller is manufactured with its own self-signed certificate and private key that uniquely identifies that Mobile Controller. For detailed information about SSL, see the SteelHead Management Console User's Guide.

The Mobile Controller provides you with the following SSL options.

SSL Task - Reference
Enable SSL in Mobile Controller policies - You can enable SSL in your SteelHead Mobile policies. For details, see Configuring SSL for Policies on page 130.
Create SSL peering relationships - You can create peering relationships between the Mobile Controller and the SteelHeads in your network. You must have a trusted peer relationship to create Mobile Controller clusters. For details about Mobile Controller clusters, see To configure SSL Peering on page 89.
View Mobile Controller certificate details - You can view the current Mobile Controller certificate details. For details, see To view signing CA details on page 91.
Add chain certificates - If your organization uses internal CAs to sign its SSL server certificates, you must import each of the certificates (in the chain) onto the Mobile Controller. For details, see To add a chain certificate on page 92.
View certificates in Privacy Enhanced Mail (PEM) format - You can view the certificate in Privacy Enhanced Mail (PEM) format. For details, see To view a CA in PEM format on page 93.

Replace (import) certificates - By default, the Mobile Controller ships with a default peer certificate. Riverbed recommends that you replace the default peer certificate with a certificate with a matching common name and security parameters (key length). For details, see To replace a Mobile Controller signing CA on page 93.
Export certificates - You can export the signing CA of the Mobile Controller to the peer SteelHead and then import it to establish the peer relationship. For details, see To export an existing certificate on page 96.
Generate certificate signing requests (CSR) - You can generate a CSR for the current private key. For details, see To generate a CSR on page 97.

Basic Steps for Configuring SSL

The following table describes the basic steps for configuring SSL in the Mobile Controller and the SteelHead. The table lists the tasks to be completed at the Mobile Controller and the SteelHead, along with the section where you can find details about the task.

Mobile Controller Task and Reference

1. Add the root CA to the CAs.
   Reference: Choose Configure > SSL > Certificate Authorities. For details, see To add SSL certificate authorities on page 98.
2. Add the signing CA.
   Reference: Choose Configure > SSL > Signing CA. For details, see To view signing CA details on page 91.
3. Add the root CA as a chain certificate.
   Reference: Choose Configure > SSL > Signing CA. For details, see To add a chain certificate on page 92.

SteelHead Task and Reference

1. Add the root CA to the CA list.
   Reference: Choose Configure > Optimization > Certificate Authorities. For details, see the SteelHead Management Console User's Guide.
2. Create a trust relationship with the root CA.
   Reference: Choose Configure > Optimization > Secure Peering. Make sure that you select Trust Existing CA and select the root CA from the drop-down list. For details, see the SteelHead Management Console User's Guide.
3. Add the signing CA to the SteelCentral Controller for SteelHead Mobile trust list.
   Reference: Choose Configure > Optimization > Secure Peering. Make sure that you select Add a New Mobile Entity and navigate to the local file. For details, see the SteelHead Management Console User's Guide.
4. Add the server certificate.
   Reference: Choose Configure > Optimization > SSL Main Settings. Make sure that you select Import Existing Private Key and CA-Signed Public Certificate. For details, see the SteelHead Management Console User's Guide.

Configuring Mobile Controller Peering

You configure secure peers between the Mobile Controller and the SteelHead in the Configure > SSL > Peering page.

For basic steps for configuring SSL in the Mobile Controller and the SteelHead, see Basic Steps for Configuring SSL on page 88.

For details about SSL peering, see the SteelHead Management Console User's Guide.

To configure SSL Peering

1. Choose Configure > SSL > Peering to display the Peering page.

Figure 6-1. Peering Page

2. To add or remove a trusted entity, under Peering Trust, complete the configuration as described in this table.

Add a New Trusted Entity - Displays the controls for adding trusted entities.
Trust Existing CA - Select an existing CA from the drop-down list.
Trust New Certificate - Adds a new CA or peer certificate. The SteelHead supports RSA and DSA for peering trust entities.
Optional Local Name - Optionally, specify a local name for the entity (for example, the fully qualified domain name).
Local File - Browse to the local file.

Cert Text - Paste the content of the certificate text file into the text box.
Add - Adds the trusted entity (or peer) to the trusted peers list.
Remove Selected - Select the check box next to the name and click Remove Selected.

Modifying SSL Server Certificate Settings

You can modify Mobile Controller certificate authority (CA) settings in the Configure > SSL > Signing CA page.

You can perform the following tasks on the Signing CA page:

* To view signing CA details on page 91
* To add a chain certificate on page 92
* To view a CA in PEM format on page 93
* To replace a Mobile Controller signing CA on page 93
* To export an existing certificate on page 96
* To generate a CSR on page 97

For basic steps for configuring SSL in the Mobile Controller and the SteelHead, see Basic Steps for Configuring SSL on page 88.

To view signing CA details

1. Choose Configure > SSL > Signing CA to display the Signing CA page.

Figure 6-2. Signing CA - Details Page

2. Click the Details tab to display the Signing CA - Details page.

The Signing CA - Details page displays the following information for the Mobile Controller CA.

Issued To/Issued By
  Common Name - Specifies the common name of the certificate authority.
  Organization - Specifies the organization name (for example, the company).
  Organization Unit - Specifies the organization unit (optional).
  Locality - Specifies the city.
  State - Specifies the state.
  Country - Specifies the country.
  Serial Number - Specifies the serial number (Issued To, only).

Validity
  Issued On - Specifies the date the certificate was issued.
  Expires On - Specifies the date the certificate expires.
Fingerprint
  SHA1 - Specifies the SSL fingerprint.

To add a chain certificate

1. Choose Configure > SSL > Signing CA to display the Signing CA page.

Figure 6-3. Signing CA - Details Page

2. Complete the configuration as described in this table.

Add a New Chain Certificate - Displays the controls to add a chain certificate.
Use Existing CA - Select to use an existing certificate authority, and then select the certificate authority from the drop-down list.
Use New Certificate(s) PEM or DER formats - Select to use a new certificate.
Optional Local Name - Optionally, specify a local name for the certificate.
Local File - Browse to the local file.
Cert Text - Paste the contents of the certificate text file into the text box.

Add - Adds the chain certificate to the chain certificate list.
Remove Selected - Select the check box next to the name and click Remove Selected.

3. Click Save to save the settings permanently.

To view a CA in PEM format

1. Choose Configure > SSL > Signing CA to display the Signing CA page.

2. Under SMC Signing CA Key/Certificate, select PEM to display the CA in the PEM format.

Figure 6-4. Signing CA Page

To replace a Mobile Controller signing CA

1. Choose Configure > SSL > Signing CA to display the Signing CA page.

2. Under SMC Signing CA Key/Certificate, select Replace to display the import CA options.

Figure 6-5. Signing CA - Replace CA Page

3. Complete the configuration as described in this table.

Import Existing Private Key and CA-Signed Public Certificate (One File in PEM or PKCS12 formats) - Click this option if the existing private key and CA-signed certificate are located in one file. The page displays a Private Key and CA-Signed Public Certificate control for browsing to the key and certificate files, or a text box for copying and pasting the key and certificate.
  Note: The private key is required.
  Local File - Browse to the local file.
  Text - Paste the text content of the file into the text box.
  Decryption Password - Specify the decryption password, if necessary.

Import Existing Private Key and CA-Signed Public Certificate (Two Files in PEM or DER formats) - Select this option if the existing private key and CA-signed certificate are located in two files. The page displays a Private Key and CA-Signed Public Certificate control for browsing to the key and certificate, or a text box for copying and pasting the key and certificate.
  Note: Importing the private key is optional.

Generate New Private Key and Self-Signed Public Certificate - Select to generate a new private key and self-signed public certificate.
  Cipher Bits - Select the key length from the drop-down list. The default value is 1024.
  Common Name (required) - Specify the hostname of the peer.
  Organization Name - Specify the organization name (for example, the company).
  Organization Unit Name - Specify the organization unit name (for example, the section or department).
  Locality - Specify the city.
  State (no abbreviations) - Specify the state.
  Country (2-letter code) - Specify the country (two-letter code only).
  Email Address - Specify the email address of the contact person.
  Validity Period (Days) - Specify how many days the certificate is valid. The default value is 730.

4. Click Import Key and Certificate to import the key and certificate (for imported keys), or Generate Key and Certificate to generate the key and certificate (for new keys).

5. Click Save to save the settings permanently.

To export an existing certificate

1. Choose Configure > SSL > Signing CA to display the Signing CA page.

Figure 6-6. Signing CA - Export Page

2. Under SMC Signing CA Key/Certificate, select Export to display the export CA options.

3. Complete the configuration as described in this table.

Password/Password Confirm - Specify and confirm the encrypted password if you are including the private key (required if including key). The password must be at least four characters long.
Include Private Key - Includes the private key in the export.
Export - Exports the SteelHead appliance peering certificate and key.

4. Click Save to save the settings permanently.

To generate a CSR

1. Choose Configure > SSL > Signing CA to display the Signing CA page.

Figure 6-7. Signing CA - Generate CSR Page

2. Click the Generate CSR tab to display the CSR options.

3. Complete the configuration as described in this table.

Common Name (required) - Specify the common name (hostname) of the peer.
Organization Name - Specify the organization name (for example, the company).
Organization Unit Name - Specify the organization unit name (for example, the section or department).
Locality - Specify the city.
State - Specify the state. Do not abbreviate.
Country (2-letter code) - Specify the country (2-letter code only).
Email Address - Specify the email address of the contact person.
Generate CSR - Generates the Certificate Signing Request.

4. Click Save to save the settings permanently.

Configuring SSL Certificate Authorities

You add SSL certificate authorities (CA) in the Configure > SSL > Certificate Authorities page.

A CA is a third-party entity in a network that issues digital certificates and manages security credentials and public keys for message encryption. A CA issues a public key certificate stating that the CA attests that the public key contained in the certificate belongs to the person, organization, server, or other entity noted in the certificate. The CA verifies applicant credentials, so that relying parties can trust the information in the CA certificates. If you trust the CA and can verify the CA signature, you can also verify that a certain public key does indeed belong to whoever is identified in the certificate.

Note: With the Client Authorization Certification (CAC) feature (Release 4.6 and later), clients can be certified using a variety of authentication certificates, depending on the browser or application they are using to connect to the SSL server. Each certificate can serve a specific function, such as Key Exchange or Signature. For the Mobile Controller to successfully optimize traffic, the recommended certificate function is Key Exchange. However, based on the inherent Windows-based cryptography settings (the Cryptographic Service Provider [CSP] installed on the Windows client), the certificate with the Signature function can also be used for authentication. Thus, the Mobile Controller can successfully optimize traffic with the Signature authorization certificate. This optimization is controlled by the host machine and the host machine settings.

Note: Before adding a CA, it is critical to verify that it is genuine; a malicious CA can compromise network security by signing fake certificates.

To add SSL certificate authorities

1. Choose Configure > SSL > Certificate Authorities to display the Certificate Authorities page.

Figure 6-8. Certificate Authorities Page

2. Under Certificate Authorities, complete the configuration as described in this table.

Add a New Certificate Authority
  Optional Local Name (ignored if importing multiple certificates) - Specify the local name.
  Local File - Browse to the local certificate authority file.
  Cert Text - Paste the certificate authority into the text box and click Add.

Add - Adds the certificate authority.
Remove Selected - Select the check box next to the name and click Remove Selected.

3. Click Save to save the settings permanently.

Note: Select the Certificate Authority name to display details.

Configuring SSL Bulk Import and Export

You configure SSL bulk import and export settings in the Configure > SSL > Advanced Settings page.

If you use self-signed peering certificates and have multiple Mobile Controllers (including multiple server-side appliances), you can use the bulk import feature to avoid configuring each peering trust relationship between the pairs of Mobile Controllers.

The bulk data that you import contains the serial number of the exporting Mobile Controller. The Mobile Controller importing the data compares its own serial number with the serial number contained in the bulk data. The following rules apply to bulk data when importing and exporting the data:

Peering Certificate and Key Data - If the serial numbers match, the Mobile Controller importing the bulk data overwrites its existing peering certificates and keys with that bulk data. If the serial numbers do not match, the Mobile Controller importing the bulk data does not overwrite its peering certificate and key.

Certificate Authority, Peering Trust, and SSL Server Configuration Data - For all other configuration data, such as certificate authorities, peering trusts, and server configurations (if included), if there is a conflict, the imported configuration data takes precedence (that is, the imported configuration data overwrites any existing configurations).

Note: Bulk data importing operations do not delete configurations; they can only add or overwrite them.

Bulk importing does not require a service restart.
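The following added example models the bulk-import rules above so that the effect of a bulk file on the local trust configuration can be reviewed before importing it. It is not Riverbed code: the dictionary layout, the section names, and the serial numbers and fingerprints are constructed assumptions.

```python
"""Model of the bulk-import rules described above (added example, not Riverbed code)."""
from copy import deepcopy
from typing import Dict, List, Tuple

# Assumed section names for "all other configuration data".
SHARED_SECTIONS = ("certificate_authorities", "peering_trusts", "ssl_servers")


def plan_import(local: Dict, bulk: Dict) -> List[Tuple[str, str, str]]:
    """List (section, entry, effect) for everything the import would touch."""
    # Rule 1: peering certificate and key are overwritten only on a serial match.
    effect = "overwritten" if bulk["serial"] == local["serial"] else "kept"
    changes = [("peering", "certificate and key", effect)]
    # Rule 2: for every other section the imported entry wins on conflict,
    # regardless of the serial number. Entries absent from the bulk file are
    # never deleted, so they do not appear in the plan.
    for section in SHARED_SECTIONS:
        current = local.get(section, {})
        for name, value in bulk.get(section, {}).items():
            if name not in current:
                changes.append((section, name, "added"))
            elif current[name] != value:
                changes.append((section, name, "overwritten"))
    return changes


def apply_import(local: Dict, bulk: Dict) -> Dict:
    """Return the configuration after the import; `local` is left untouched."""
    result = deepcopy(local)
    if bulk["serial"] == local["serial"]:
        result["peering"] = deepcopy(bulk["peering"])
    for section in SHARED_SECTIONS:
        result.setdefault(section, {}).update(deepcopy(bulk.get(section, {})))
    return result


# Constructed sample data: controller A imports a file exported by controller B.
LOCAL_A = {
    "serial": "SERIAL-A",
    "peering": {"cert": "cert-A", "key": "key-A"},
    "certificate_authorities": {"CorpRootCA": "fingerprint-1", "LegacyCA": "fingerprint-9"},
    "peering_trusts": {"controller-b": "cert-B"},
}
BULK_FROM_B = {
    "serial": "SERIAL-B",
    "peering": {"cert": "cert-B", "key": "key-B"},
    "certificate_authorities": {"CorpRootCA": "fingerprint-2", "PartnerCA": "fingerprint-3"},
    "peering_trusts": {"controller-a": "cert-A", "controller-b": "cert-B"},
}
# Constructed sample data: controller A restores its own earlier export.
BULK_FROM_A = {"serial": "SERIAL-A", "peering": {"cert": "cert-A2", "key": "key-A2"}}

if __name__ == "__main__":
    for section, entry, effect in plan_import(LOCAL_A, BULK_FROM_B):
        print(f"{section:24} {entry:20} {effect}")
```

In the sample, the file from controller B leaves A's own peering certificate and key alone but still replaces one CA entry and adds a CA and a peering trust, which is the part of an import worth reviewing.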

To perform bulk import operations

1. Choose Configure > SSL > Advanced Settings to display the Advanced Settings page.

Figure 6-9. Advanced Settings Page

2. Under Bulk Import, complete the configuration as described in this table.

Upload File - Browse to the previously exported bulk file that contains the certificates and keys.
Password to Decrypt - Specify the password used to decrypt the file.
Import Signing Certificate and Key - Import the signing certificate and private key.
Allow import of Signing Certificate and Key from a different SteelCentral Controller for SteelHead Mobile - Import the signing certificate and key from a different Mobile Controller.
Import - Imports your SSL configuration, keys, and certificates, so that all the Mobile Controllers trust one another as peers.

3. Click Save to save your settings permanently.

To perform bulk export operations

1. Select one Mobile Controller (A) and trust all the Mobile Controllers' peering certificates. Make sure that you include the peering certificate for Mobile Controller A. For details on configuring trusted peers, see Configuring Mobile Controller Peering.

2. Choose Configure > SSL > Advanced Settings to display the Advanced Settings page.

3. Under Bulk Export, complete the configuration as described in this table.

Password - Specify and confirm the password used for the export file.
Export - Exports your SSL configuration and optionally your server private keys and certificates.

4. Click Save to save your settings permanently.


CHAPTER 7 Managing SteelHead Mobiles

This chapter describes how to manage SteelHead Mobiles using policies, packages, and group assignments. It includes the following sections:

Managing SteelHead Mobile Policies
Managing SteelHead Mobile Packages
Managing SteelHead Mobile Assignments

Managing SteelHead Mobile Policies

A policy is a set of optimization, security, location awareness, storage, and other configuration settings that determine the optimization rules for SteelHead Mobiles. SteelHead Mobiles must have a policy and other endpoint-specific settings for optimization. Packages deployed to SteelHead Mobiles must contain a policy.

The Mobile Controller ships with a default policy, Initial, that is suitable for standard in-path deployments. You can install and deploy the Mobile Controller without modifying this default policy. For details on default-policy Initial settings, see Appendix A, Default Policy Settings.

Note: You have the option to set a customized policy as the default policy in the Mobile Controller. If no policy is assigned to a group, the group uses the default policy that you specify.

You can create policies as configuration templates to configure groups of SteelHead Mobiles that have the same performance requirements. For example, you might use the default policy for the majority of your SteelHead Mobiles and create another policy for a group of SteelHead Mobiles that need to pass through a specific type of traffic.

When you modify a policy, the SteelHead Mobile is updated automatically by the Mobile Controller when the policy is saved and the SteelHead Mobile is connected, or when the SteelHead Mobile next connects.

If you install the SteelHead Mobile software so that your users have access to the Mobile Controller, your users are able to modify some administrator-defined policy settings. If a new policy is sent to the Mobile Controller whose settings have been overridden by the user, the user's settings remain in effect until the user clicks Reset under Settings > Reset to Administrator Policy in the client, or until the user returns the modified client setting to Auto (if applicable).

To deploy the SteelHead Mobile software with the default settings, you simply make the default package available to your SteelHead Mobiles. For details about packages, see Basic Steps for Deploying the SteelHead Mobile Package.

Policies affect the optimization experience for SteelHead Mobiles. Policies include settings for the following optimization features.

In-path rules - For details, see Configuring In-Path Optimization Rules for Policies.
Protocol settings - For details, see Configuring Protocol Settings.
SSL optimization - For details, see Configuring SSL for Policies.
Location awareness - For details, see Configuring Location Awareness for Policies.
Endpoint settings - For details, see Configuring Endpoint Settings for Policies.

For details about default policy settings, see Appendix A, Default Policy Settings. For details about features in policies, see the SteelHead Management Console User's Guide.

Creating New Policies

You create new policies on the Manage > Policies page.

To create a new policy

1. Choose Manage > Policies to display the Policies page.

Figure 7-1. Policies Page

2. To create a new policy, click Create New Policy and complete the configuration as described in this table.

Create New Policy - Displays the controls to create a new policy.
Policy Name - Specify the policy name.

Set Default - Set the default policy for the Mobile Controller. If no policy is assigned to a group, the Mobile Controller uses the default policy assigned here.
Description - Specify a description of the policy.
Copy Contents From Policy - Optionally, select a policy from the drop-down list to copy settings from an existing policy.
Add - Adds the policy to the policy list.

To modify policy name and description

1. Choose Manage > Policies to display the Policies page.

2. Click the policy name to display the General Settings tab.

Figure 7-2. Policies - General Settings Page

3. Complete the configuration as described in this table.

Policy Name - Specify the policy name.
Description - Specify a description of the policy.
Update Policy - Updates the policy general settings.

Configuring In-Path Optimization Rules for Policies

You configure in-path optimization rules for your SteelHead Mobile in the In-Path Rules tab of the Manage > Policies page.

In-path rules determine SteelHead Mobile behavior with SYN packets. In-path rules are an ordered list of fields a SteelHead Mobile uses to match with Viewing Endpoint SYN packet fields (for example, source or destination subnet, IP address, VLAN, or TCP port). Each in-path rule has an action field. When a SteelHead Mobile finds a matching in-path rule for a SYN packet, the SteelHead Mobile treats the packet according to the action specified in the in-path rule.

In-path rule configurations differ depending on the action. For example, both the fixed-target and the autodiscovery actions allow you to choose what type of optimization is applied, what type of data reduction is used, what type of latency optimization is applied, and so on.

For details about in-path rules, see the SteelHead Management Console User's Guide.

To configure in-path rule policies

1. Choose Manage > Policies to display the Policies page.

2. Click the policy name to display the policy tabs and select In-Path Rules.

Figure 7-3. Policies - In-Path Rules Page

3. Complete the configuration as described in this table.

Add a New In-Path Rule - Displays the controls for adding a new rule.

Type - Select one of the following rule types from the drop-down list:
  Auto-Discover - Auto-discover is the process by which the SteelHead Mobile automatically intercepts and optimizes traffic on all IP addresses and ports. By default, auto-discover is applied to all IP addresses and ports that are not secure, interactive, or default Riverbed ports. Defining in-path rules modifies this default setting. For details, see the SteelHead Management Console User's Guide.
  Fixed-Target - Fixed-target rules specify that a SteelHead Mobile always goes to a specific SteelHead first. This can be used if the SteelHead is located out-of-path, or for troubleshooting purposes. In addition to the settings available for auto-discovery rules, you also must set a target SteelHead. You can also specify a backup SteelHead.
    Target Appliance IP Address - Enter the IP address and port number for your target SteelHead.
    Backup Appliance IP Address - Enter the IP address and port number for your backup SteelHead.
  Pass-Through - Pass-through rules identify traffic that is passed through the network unoptimized. You define pass-through rules to exclude subnets from optimization. Traffic is also passed through when the SteelHead is in bypass mode. Traffic may be passed through by the SteelHead Mobile because of a pass-through rule, or because the connection was established before the Mobile Controller was put in place or before the service was enabled.
  Discard - Drops the SYN packets silently. The SteelHead Mobile filters out traffic that matches the discard rules. This process is similar to how routers and firewalls drop disallowed packets: the connection-initiating application has no knowledge of the fact that its packets were dropped until the connection times out.
  Deny - Drops the SYN packets, sends a message back to its source, and resets the TCP connection being attempted. Using an active reset process rather than a silent discard allows the connection initiator to know that its connection is disallowed.

Position - Select Start, End, or a rule number from the drop-down list. The SteelHead Mobile evaluates rules in numerical order starting with rule 1. If the conditions set in the rule match, the rule is applied and the system moves on to the next packet. If the conditions set in the rule do not match, the system consults the next rule. For example, if the conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted.
  In general, list rules in the following order:
  1. Deny
  2. Discard
  3. Pass-through
  4. Fixed-target
  5. Auto-Discover
  Note: The default rule, Auto-Discover, which optimizes all remaining traffic that has not been selected by another rule, cannot be removed and is always listed last.

Source Subnet - Specify the subnet IP address and netmask for the source network. Use the following format for an individual subnet IP address and netmask: XXX.XXX.XXX.XXX/XX (IPv4). You can also specify 0.0.0.0/0 as the wildcard for all traffic.

Destination Subnet - Specify the subnet IP address and netmask for the destination network. Use the following format for an individual subnet IP address and netmask: XXX.XXX.XXX.XXX/XX (IPv4). You can also specify 0.0.0.0/0 as the wildcard for all traffic.
  Port or Port Label - Specify the destination port number, port label, or All. Click Port Label to go to the Configure > Networking > Port Labels page for reference.

Target Appliance IP Address - Specify the target appliance address for a fixed-target rule.
  Port - Specify the target port number for a fixed-target rule.

Backup Appliance IP Address - Specify the backup appliance address for a fixed-target rule.
  Port - Specify the backup destination port number for a fixed-target rule.

Preoptimization Policy - Select a traffic type from the drop-down list:
  None - If the Oracle Forms, SSL, or Oracle Forms-over-SSL preoptimization policy is turned on and you want to turn it off for a port, select None. This is the default setting.
  Oracle Forms - Enables preoptimization processing for Oracle Forms.
  Oracle Forms over SSL - Enables preoptimization processing for both the Oracle Forms and SSL encrypted traffic through SSL secure ports on the client-side SteelHead. You must also set the Latency Optimization Policy to HTTP.
    Note: If the server is running over a standard secure port (for example, port 443), the Oracle Forms over SSL in-path rule needs to be before the default secure port pass-through rule in the in-path rule list.
  SSL - Enables preoptimization processing for SSL encrypted traffic through SSL secure ports on the SteelHead Mobile.

Optimization Policy - Optionally, if you have selected Auto-Discover or Fixed Target, you can configure the following types of optimization policies:
  SDR-Only - Performs SDR; does not perform LZ compression.
  Compression-Only - Performs LZ compression; does not perform SDR.
  None - Does not perform SDR or LZ compression.

Latency Optimization Policy - Select one of the following policies from the drop-down list:
  Normal - Performs all latency optimizations (HTTP is activated for ports 80 and 8080). This is the default setting.
  HTTP - Activates HTTP optimization on connections matching this rule.
  Outlook Anywhere - Enables Outlook Anywhere latency optimization. Outlook Anywhere is a feature of Microsoft Exchange Server 2003, 2007, and 2010 that allows Microsoft Office Outlook 2003, 2007, and 2010 clients to connect to their Exchange servers over the Internet using the Microsoft RPC tunneling protocol. For details about Outlook Anywhere, see the SteelHead Management Console User's Guide.
  None - Do not activate latency optimization on connections matching this rule. For Oracle Forms-over-SSL encrypted traffic, you must set the Latency Optimization Policy to HTTP.
  Note: Setting the Latency Optimization Policy to None excludes all latency optimizations, such as HTTP, MAPI, and SMB.

Neural Framing Mode - Optionally, if you have selected Auto-Discover or Fixed Target, you can select a neural framing mode for the in-path rule. Neural framing enables the system to select the optimal packet framing boundaries for Scalable Data Referencing (SDR). Neural framing creates a set of heuristics to intelligently determine the optimal moment to flush TCP buffers. The system continuously evaluates these heuristics and uses the optimal heuristic to maximize the amount of buffered data transmitted in each flush, while minimizing the amount of idle time that the data sits in the buffer.
  You can specify the following neural framing settings:
  Never - Do not use the Nagle algorithm. The Nagle algorithm is a means of improving the efficiency of TCP/IP networks by reducing the number of packets that need to be sent over the network. It works by combining a number of small outgoing messages and sending them all at once. All the data is immediately encoded without waiting for timers to fire or application buffers to fill past a specified threshold. Neural heuristics are computed in this mode but are not used. In general, this setting works well with time-sensitive and chatty or real-time traffic.
  Always - Use the Nagle algorithm. This is the default setting. All data is passed to the codec, which attempts to coalesce consume calls (if needed) to achieve better fingerprinting. A timer (6 ms) backs up the codec and causes leftover data to be consumed. Neural heuristics are computed in this mode but are not used.
  For different types of traffic, one algorithm might be better than others. The considerations include: latency added to the connection, compression, and SDR performance.
  To configure neural framing for an FTP data channel, define an in-path rule with the destination port 20 and set its data reduction policy. To configure neural framing for a MAPI data channel, define an in-path rule with the destination port 7830 and set its data reduction policy.

WAN Visibility Mode - Enables WAN visibility, which pertains to how packets traversing the WAN are addressed. WAN visibility mode is configurable for Auto-Discover and Fixed-Target rules. To configure WAN Visibility for Fixed-Target rules, you must use CLI commands. For details on WAN Visibility CLI commands, see the Riverbed Command-Line Interface Reference Manual.
  You configure WAN visibility on the client-side SteelHead Mobile (where the connection is initiated). The server-side SteelHead must also support WAN visibility.
  Select one of the following modes from the drop-down list:
  Correct Addressing - Turns WAN visibility off. Correct addressing uses SteelHead IP addresses and port numbers in the TCP/IP packet header fields for optimized traffic in both directions across the WAN. This is the default setting.
  Port Transparency - Port address transparency preserves your server port numbers in the TCP/IP header fields for optimized traffic in both directions across the WAN. Traffic is optimized while the server port number in the TCP/IP header field appears to be unchanged. Routers and network monitoring devices deployed in the WAN segment between the communicating SteelHeads can view these preserved fields.
    Use port transparency if you want to manage and enforce QoS policies that are based on destination ports. If your WAN router is following traffic classification rules written in terms of client and network addresses, port transparency enables your routers to use existing rules to classify the traffic without any changes.
    Port transparency enables network analyzers deployed within the WAN (between the SteelHeads) to monitor network activity and to capture statistics for reporting by inspecting traffic according to its original TCP port number.
    Port transparency does not require dedicated port configurations on your Mobile Controllers.
    Note: Port transparency only provides server port visibility. It does not provide server IP address visibility. For SteelCentral Controller for SteelHead Mobile, the client IP address and port numbers are preserved.
  Full Transparency - Full address transparency preserves your client and server IP addresses and port numbers in the TCP/IP header fields for optimized traffic in both directions across the WAN. It also preserves VLAN tags. Traffic is optimized while these TCP/IP header fields appear to be unchanged. Routers and network monitoring devices deployed in the WAN segment between the communicating SteelHeads can view these preserved fields.
    If both port transparency and full address transparency are acceptable solutions, port transparency is preferable. Port transparency avoids potential networking risks that are inherent to enabling full address transparency. For details, see the SteelHead Deployment Guide.
    However, if you must see your client or server IP addresses across the WAN, full transparency is your only configuration option.

WAN Visibility Mode (continued)
  Note: Enabling full address transparency requires symmetrical traffic flows between the client and server. If any asymmetry exists on the network, enabling full address transparency might yield unexpected results, up to and including loss of connectivity. For details, see the SteelHead Deployment Guide.
  RiOS includes an option for using Full Transparency with a stateful firewall. A stateful firewall examines packet headers, stores information, and then validates subsequent packets against this information. If your system uses a stateful firewall, the following option is available:
  Full Transparency with Reset - Enables full address and port transparency and also sends a forward reset between receiving the probe response and sending the transparent inner channel SYN. This ensures the firewall does not block inner transparent connections because of information stored in the probe connection. The forward reset is necessary because the probe connection and inner connection use the same IP addresses and ports and both map to the same firewall connection. The reset clears the probe connection created by the SteelHead and allows for the full transparent inner connection to traverse the firewall.
  Notes:
  For details on configuring WAN visibility and its implications, see the SteelHead Deployment Guide.
  To turn full transparency on globally by default, create an in-path autodiscover rule, select Full, and place it above the default in-path rule and after the Secure, Interactive, and RBT-Proto rules.
  You can configure a SteelHead for WAN visibility even if the server-side SteelHead does not support it, but the connection is not transparent.
  You can enable full transparency for servers in a specific IP address range and you can enable port transparency on a specific server. For details, see the SteelHead Deployment Guide.
  The Top Talkers report displays statistics on the most active, heaviest users of WAN bandwidth, providing some WAN visibility without enabling a WAN Visibility Mode.

Description - Describe the rule to facilitate administration.
Add - Adds the rule to the list. The Management Console redisplays the In-Path Rules table and applies your modifications to the running configuration, which is stored in memory.
Remove Selected Rules - Select the check box next to the name and click Remove Selected Rules.
Move Selected Rules - Moves the selected rules. Click the arrow next to the desired rule position; the rule moves to the new position.
Edit Rule - Select an existing rule number from the table and expand it. Make required changes and click Edit Rule to update an existing rule.

4. Click Update Policy to save your settings.

Note: The Mobile Controller caches the changes you make to a policy across multiple tabs until you click Update Policy or go to a different page.

5. Click Save to save your settings permanently.
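The rule evaluation described under Position (numerical order, first match applied, default Auto-Discover rule last) can be checked offline with a small model. The following is an added example, not Riverbed code: the Rule fields, the sample subnets, and the shadowing check are assumptions for illustration, and port labels are simplified to a single port number or All.

```python
"""Model of first-match in-path rule evaluation (added example, not Riverbed code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # deny, discard, pass-through, fixed-target, auto-discover
    src: str = "0.0.0.0/0"      # source subnet; 0.0.0.0/0 is the wildcard
    dst: str = "0.0.0.0/0"      # destination subnet
    port: Optional[int] = None  # destination port; None models "All"

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.port in (None, dst_port))


# The default Auto-Discover rule cannot be removed and is always listed last.
DEFAULT_RULE = Rule("auto-discover")


def evaluate(rules: Sequence[Rule], src_ip: str, dst_ip: str, dst_port: int) -> Tuple[int, str]:
    """Return (rule number, action) of the first rule matching the SYN; numbering starts at 1."""
    for number, rule in enumerate([*rules, DEFAULT_RULE], start=1):
        if rule.matches(src_ip, dst_ip, dst_port):
            return number, rule.action
    raise AssertionError("unreachable: the default rule matches every SYN")


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every SYN that matches `later` also matches `earlier`."""
    return (ip_network(later.src).subnet_of(ip_network(earlier.src))
            and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
            and earlier.port in (None, later.port))


def shadowed(rules: Sequence[Rule]) -> List[Tuple[int, int]]:
    """Pairs (earlier, later) where a later rule with a different action can never apply."""
    findings = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if covers(earlier, later) and earlier.action != later.action:
                findings.append((i + 1, j + 1))
                break
    return findings


# Constructed sample policy: the pass-through rule sits above a narrower deny rule.
MISORDERED = [
    Rule("pass-through", dst="10.20.0.0/16"),
    Rule("deny", dst="10.20.30.0/24", port=23),
    Rule("fixed-target", dst="10.30.0.0/16", port=445),
]
# The same rules in the recommended order: deny, pass-through, fixed-target.
ORDERED = [MISORDERED[1], MISORDERED[0], MISORDERED[2]]

if __name__ == "__main__":
    syn = ("192.168.1.10", "10.20.30.5", 23)
    print("misordered:", evaluate(MISORDERED, *syn), "shadowed:", shadowed(MISORDERED))
    print("ordered:   ", evaluate(ORDERED, *syn), "shadowed:", shadowed(ORDERED))
```

With the misordered list the SYN to 10.20.30.5:23 is passed through by rule 1 and the deny rule never applies; listing the deny rule first restores the intended behavior.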

Configuring Protocol Settings

You configure the following protocol settings in the Protocol Settings tab of the Manage > Policies page:

CIFS (SMB1) - CIFS SMB1 optimization performs latency and SDR optimizations on SMB1 traffic. Without this feature, the SteelHead Mobile performs only SDR optimization without improving CIFS latency. Typically, you disable CIFS optimization only to troubleshoot the system.

SMB2/3 - Performs SMB2 or SMB3 latency optimization in addition to the existing bandwidth optimization features. These optimizations include cross-connection caching, read-ahead, write-behind, and batch prediction among several other techniques to ensure low latency transfers. SteelCentral Controller for SteelHead Mobile maintains the data integrity and the client always receives data directly from the servers.

MAPI - MAPI does not require a separate license and is enabled by default. When encrypted MAPI support is enabled on SteelCentral Controller for SteelHead Mobile, it uses a secure inner channel to ensure that all MAPI traffic sent between SteelHead Mobiles and the server-side SteelHeads is secure. Only disable MAPI if you are experiencing an issue with Outlook traffic.

HTTP - Enable HTTP optimization to prefetch and store objects embedded in Web pages to improve HTTP traffic performance. By default, HTTP optimization is disabled. You can choose the extensions to store, such as css, gif, jpg, js, and png, or configure the SteelHead Mobile to store all allowable objects.

NFS - Provides latency optimization improvements for NFS operations by prefetching data, storing it on the client for a short amount of time, and using it to respond to client requests.

Oracle Forms - A platform for developing user interface applications to interact with an Oracle database. It uses a Java applet to interact with the database in either native, HTTP, or HTTPS mode.
The SteelHead and SteelCentral Controller for SteelHead Mobile decrypt, optimize, and then reencrypt the Oracle Forms traffic.

Lotus Notes - A client-server collaborative application that provides email, instant messaging, calendar, resource, and file sharing. SteelCentral Controller for SteelHead Mobile provides latency and bandwidth optimization for Lotus Notes v6.5 and later traffic across the WAN, accelerating email attachment transfers. Lotus Notes is only supported on Windows SteelHead Mobiles.

Citrix - To consolidate operations, some organizations install thin clients in their branch offices and install a Citrix Presentation Server in the data center to front-end the applications. The proprietary protocol that Citrix uses to move updates between the client and the server is called ICA (Independent Computing Architecture). The thin clients at the branch offices have a Citrix ICA client accessing the services at the data center, which are front-ended by a Citrix Presentation Server (also called Citrix Metaframe Server in earlier versions).

To configure protocol settings

1. Choose Manage > Policies to display the Policies page.

2. Click the policy name to display the policy tabs and select Protocol Settings to display another set of tabs for the various protocol settings.

Figure 7-4. Policies - Protocol Settings Page

3. Complete the configuration for each protocol as described in the following sections.

To configure CIFS (SMB1) settings
To configure SMB2/3 settings
To configure MAPI settings
To configure HTTP settings
To configure NFS settings
To configure Oracle Forms settings
To configure Lotus Notes settings
To configure Citrix settings
To configure Connection settings

To configure CIFS (SMB1) settings

1. With the Protocol Settings tab open, click the CIFS (SMB1) tab to display the settings.

Figure 7-5. CIFS (SMB1) Settings

2. Complete the configuration as described in this table.

Enable Latency Optimization - CIFS SMB1 optimization performs latency and SDR optimizations on SMB1 traffic. Without this feature, the SteelHead Mobile performs only SDR optimization without improving CIFS latency. Latency optimization is enabled by default. Typically, you disable latency optimization to troubleshoot problems with the system.
Note: To disable CIFS optimization, it must also be disabled on the server-side SteelHead.

Disable Write Optimization - Specify this option to disable write optimization. Disable write optimization only if you have applications that assume and require write-through in the network. If you disable write optimization, the SteelHead Mobile still provides optimization for CIFS reads and for other protocols, but you might experience a slight decrease in overall optimization. Most applications operate safely with write optimization because CIFS allows you to explicitly specify write-through on each write operation. However, if you have an application that does not support explicit write-through operations, you must disable write optimization on the SteelHead Mobile. If you do not disable write-through, the SteelHead Mobile acknowledges writes before they are fully committed to disk, to speed up write operation. The SteelHead Mobile does not acknowledge the file close until the file is safely written.

Optimize Connections with Security Signatures (that do not require signing) - Prevents Windows SMB signing. This is the default setting. The Secure-CIFS feature enables you to automatically disable Windows SMB signing. SMB signing prevents the appliance from applying full optimization on CIFS connections and significantly reduces the performance gain from a SteelCentral Controller for SteelHead Mobile deployment. Because many enterprises already take additional security precautions (such as firewalls, internal-only reachable servers, and so forth), SMB signing adds little additional security, at a significant performance cost (even without Riverbed optimization).
Before you enable Secure-CIFS, consider the following factors:
If the client machine has Required signing, enabling Secure-CIFS prevents the client from connecting to the server.
If the server-side machine has Required signing, the client and server connect but you cannot perform full latency optimization with the appliance. Domain controllers default to Required.
For details about SMB signing and the performance cost associated with it, see the SteelHead Management Console User's Guide.

Enable Server Side Dynamic Write Throttling - Enables the CIFS dynamic throttling mechanism, which replaces the current static buffer scheme. If you enable CIFS dynamic throttling, it is activated only when there are suboptimal conditions on the server side causing a backlog of write messages; it does not have a negative effect under normal network conditions.

Enable Applock Optimization - Enables CIFS latency optimizations to improve read and write performance for Microsoft Word (.doc) and Excel (.xls) documents when multiple users have the file open. This setting is enabled by default in RiOS v6.0 and later. This feature enhances the Enable Overlapping Open Optimization feature by identifying and obtaining locks on read write access at the application level.
The overlapping open optimization feature handles locks at the file level.
Note: Applock Optimization is a client-side setting only. To enable this feature on SteelCentral Controller for SteelHead Mobile clients, select Applock Optimization on the Mobile Controller policy assigned to the clients.

Enable Overlapping Open Optimization - Overlapping Open Optimization is disabled by default. To prevent any compromise to data integrity, the appliance optimizes only data to which exclusive access is available (in other words, when locks are granted). When an oplock is not available, the SteelHead Mobile does not perform application-level latency optimizations but still performs SDR and compression on the data, as well as TCP optimizations. Enabling this feature on applications that perform multiple opens of the same file to complete an operation results in a performance improvement (for example, CAD applications).
Note: If a remote user opens a file that is optimized using the overlapping open feature and a second user opens the same file, the second user might receive an error if the file fails to go through a SteelHead Mobile, or if it does not go through a SteelHead (for example, certain applications that are sent over the LAN). If this occurs, disable overlapping opens for those applications.

Optimize only the following extensions - Specify a list of extensions you want to optimize using overlapping opens.

Optimize all except the following extensions - Specify a list of extensions you do not want to optimize using overlapping opens.

3. Click Update Policy to save your settings.

4. Click Save to save your settings permanently.

To configure SMB2/3 settings

1. With the Protocol Settings tab open, click the SMB2/3 tab to display the settings.

Figure 7-6. SMB2/3 Settings

2. Complete the configuration as described in this table.

Enable SMB2 Optimization - Performs SMB2 optimization in addition to the existing bandwidth optimization features. These optimizations include cross-connection caching, read-ahead, write-behind, and batch prediction among several other techniques to ensure low latency transfers. SteelCentral Controller for SteelHead Mobile maintains the data integrity, and the client always receives data directly from the servers. By default, SMB2 optimization is enabled.

Enable SMB3 Optimization - Specify this option to enable SMB3 optimization.
Note: You must enable (or disable) SMB2 or SMB3 (if applicable) optimization on both the SteelHead Mobile and server-side SteelHead. After enabling SMB2 or SMB3 optimization, you must restart the optimization service.

Down-Negotiation - Specify this option so that connections that can be successfully down-negotiated will be optimized according to the settings in the CIFS (SMB1) section. If down-negotiation is enabled, select one of the following options:
None - Do not down-negotiate connections. No connections can be down-negotiated.
SMB2 and SMB3 to SMB1 - Down-negotiate SMB2 and SMB3 connections to SMB1.

3. Click Update Policy to save your settings.

4. Click Save to save your settings permanently.

To configure MAPI settings

1. With the Protocol Settings tab open, click the MAPI tab to display the settings.

Figure 7-7. MAPI Settings

2. Complete the configuration as described in this table.

Enable MAPI Optimization - MAPI optimization is enabled by default. Only clear this check box if you want to disable MAPI optimization. Only disable MAPI if you are experiencing an issue with Outlook traffic.

Exchange Port - Specify the MAPI Exchange port. The default value is 7830.

Enable Encrypted Optimization - Specify this option to enable encrypted optimization.

Enable Outlook Anywhere Optimization - Enables Outlook Anywhere latency optimization. Outlook Anywhere is a feature of Microsoft Exchange Server 2003, 2007, and 2010 that allows Microsoft Office Outlook 2003, 2007, and 2010 clients to connect to their Exchange servers over the Internet using the Microsoft RPC tunneling protocol. Outlook Anywhere allows for a VPN-less connection as the MAPI RPC protocol is tunneled over HTTP or HTTPS. RPC over HTTP can transport regular or encrypted MAPI. If you use encrypted MAPI, the server-side SteelHead must be a member of the Windows domain.
By default, this feature is disabled.
To use this feature, you must also enable HTTP Optimization on the SteelHead Mobile and server-side SteelHeads (HTTP optimization is enabled by default). If you are using Outlook Anywhere over HTTPS, you must enable SSL and the IIS certificate must be installed on the server-side SteelHead:
When using HTTP, Outlook can only use NTLM proxy authentication.
When using HTTPS, Outlook can use NTLM or Basic proxy authentication.
When using encrypted MAPI with HTTP or HTTPS, you must enable and configure encrypted MAPI in addition to this feature.
Note: Outlook Anywhere optimized connections cannot start MAPI prepopulation.
After you apply your settings, you can verify that the connections appear in the Endpoint report as a MAPI-OA or an emapi-oa (encrypted MAPI) application. The Outlook Anywhere connection entries appear in the system log with an RPCH prefix.
Note: Outlook Anywhere can create twice as many connections on the SteelHead as regular MAPI (depending on the versions of the Outlook client and Exchange server). This effect results in the SteelHead entering admission control twice as fast with Outlook Anywhere as with regular MAPI. For details and troubleshooting information, see the SteelHead Deployment Guide.
For details about enabling Outlook Anywhere, see http://technet.microsoft.com/en-us/library/bb123513(exchg.80).aspx

Auto-Detect Outlook Anywhere Connections - Automatically detects the RPC over HTTPS protocol used by Outlook Anywhere. This feature is dimmed and unavailable until you enable Outlook Anywhere optimization. By default, these options are enabled.
You can enable automatic detection of RPC over HTTPS using this option or you can set in-path rules. Auto-detect is best for simple SteelCentral Controller for SteelHead Mobile configurations and when the IIS server is also handling Web sites.
If the IIS server is only used as RPC Proxy, and for configurations with asymmetric routing, connection forwarding or Interceptor installations, add in-path rules that identify the RPC Proxy server IP addresses and select the Outlook Anywhere latency optimization policy. After adding the in-path rule, disable the auto-detect option.

3. Click Update Policy to save your settings.

4. Click Save to save your settings permanently.

To configure HTTP settings

1. With the Protocol Settings tab open, click the HTTP tab to display the settings.

Figure 7-8. HTTP Settings (with HTML Tags to Prefetch and Server Subnet Settings Sections Expanded)

2. Complete the configuration as described in this table.

Enable HTTP Optimization - Enable this feature to prefetch and store objects embedded in Web pages to improve HTTP traffic performance. By default, HTTP optimization is disabled.

Store All Allowable Objects - Examines the control header to determine which objects to store. When enabled, SteelCentral Controller for SteelHead Mobile does not limit the objects to those listed in Extensions to prefetch but rather prefetches all objects that the control header indicates are storable. This is useful to store Web objects encoded into names without an object extension: for example, Sharepoint objects. By default, Store All Allowable Objects is enabled.

Store Objects With The Following Extensions: Object Prefetch Table Extensions - Specify object extensions to prefetch and store in the local object prefetch table. Separate extensions with a comma. By default, the SteelHead prefetches .jpg, .gif, .js, .png, and .css object extensions.

Disable the Object Prefetch Table - Stores nothing.

Minimum Object Prefetch Table Time - Sets the minimum number of seconds the objects are stored in the local object prefetch table. The default is 60 seconds. This setting specifies the minimum lifetime of the stored object. During this lifetime, any qualified If-Modified-Since (IMS) request from the client receives an HTTP 304 response, indicating that the resource for the requested object has not changed since stored.

Maximum Object Prefetch Table Time - Sets the maximum number of seconds the objects are stored in the local object prefetch table. The default is 86,400 seconds (24 hours). This setting specifies the maximum lifetime of the stored object. During this lifetime, any qualified If-Modified-Since (IMS) request from the client receives an HTTP 304 response, indicating that the resource for the requested object has not changed since stored.

Extensions to Prefetch - Specifies object extensions to prefetch, separated by commas. By default the SteelHead prefetches .jpg, .gif, .js, .png, and .css object extensions.

HTML Tags to Prefetch - Selects which HTML tags to prefetch. By default, the following tags are prefetched: base/href, body/background, img/src, link/href, and script/src.

Add a Prefetch Tag - Configures a new prefetch tag with the following controls:
Tag Name - Specifies the tag name.
Attribute - Specifies the tag attribute.
Note: These tags are for the Parse and Prefetch feature only and do not affect other prefetch types, such as object extensions.

Server Subnet and Host Settings - Under Server Subnet and Host Settings, you can enable URL Learning, Parse and Prefetch, and Object Prefetch Table in any combination for any server subnet. You can also enable authorization optimization to tune a particular subnet dynamically with no service restart required.
The default settings are URL Learning for all traffic with automatic configuration disabled. The default setting applies when HTTP optimization is enabled, regardless of whether there is an entry in the Subnet list. In the case of overlapping subnets, specific list entries override any default settings.
Suppose the majority of your Web servers have dynamic content applications but you also have several static content application servers. You could configure your entire server subnet to disable URL Learning and enable Parse and Prefetch and Object Prefetch Table, optimizing HTTP for the majority of your Web servers. Next, you could configure your static content servers to use URL Learning only, disabling Parse and Prefetch and Object Prefetch Table.

Add a Subnet or Host - Displays the controls for adding a server subnet or host. The server must support keepalive.

Server Subnet - Specify an IP address and mask pattern for the server subnet on which to set up the HTTP optimization scheme. Use the format: XXX.XXX.XXX.XXX/XX.

Basic Tuning

Strip Compression - Removes the accept-encoding lines from the HTTP compression header. An accept-encoding directive compresses content rather than using raw HTML. Enabling this option improves the performance of the SteelCentral Controller for SteelHead Mobile data reduction algorithms. By default, strip compression is enabled.

Insert Cookie - Adds a cookie to HTTP applications that do not already have one. HTTP applications frequently use cookies to keep track of sessions. SteelCentral Controller for SteelHead Mobile uses cookies to distinguish one user session from another.
If an HTTP application does not use cookies, the SteelHead Mobile inserts one so that it can track requests from the same client. By default, this setting is disabled.

Insert Keep Alive - Uses the same TCP connection to send and receive multiple HTTP requests and responses, as opposed to opening a new one for every single request and response. Specify this option when using the URL Learning or Parse and Prefetch features with HTTP v1.0 or HTTP v1.1 applications using the Connection Close method. By default, this setting is disabled.

Prefetch Schemes

URL Learning - Enables URL Learning, which learns associations between a base URL request and a follow-on request. Stores information about which URLs have been requested and which URLs have generated a 200 OK response from the server. This option fetches the URLs embedded in style sheets or any JavaScript associated with the base page and located on the same host as the base URL.
URL Learning works best with nondynamic content that does not contain session-specific information. URL Learning is enabled by default.
Your system must support cookies and persistent connections to benefit from URL Learning. If your system has cookies turned off and depends on URL rewriting for HTTP state management, or is using HTTP v1.0 (with no keepalives), you can force the use of cookies using the Add Cookie option and force the use of persistent connections using the Insert Keep Alive option.

Parse and Prefetch - Enables Parse and Prefetch, which parses the base HTML page received from the server and prefetches any embedded objects to the SteelHead Mobile. This option complements URL Learning by handling dynamically generated pages and URLs that include state information. When the browser requests an embedded object, SteelCentral Controller for SteelHead Mobile serves the request from the prefetched results, eliminating the round-trip delay to the server.
The prefetched objects contained in the base HTML page can be images, style sheets, or any Java scripts associated with the base page and located on the same host as the base URL.
Parse and Prefetch requires cookies. If the application does not use cookies, you can insert one using the Insert Cookie option.

Object Prefetch Table - Enables the Object Prefetch Table, which stores HTTP object prefetches from HTTP GET requests for cascading style sheets, static images, and Java scripts in the Object Prefetch Table.
When the browser performs If-Modified-Since (IMS) checks for stored content or sends regular HTTP requests, the SteelHead Mobile responds to these IMS checks and HTTP requests, cutting back on round trips across the WAN.

Authentication Tuning

Reuse Auth - Allows an unauthenticated connection to serve prefetched objects, as long as the connection belongs to a session whose base connection is already authenticated. This option is most effective when the Web server is configured to use per-connection NTLM or Kerberos authentication.

Force NTLM - In the case of negotiated Kerberos and NTLM authentication, forces NTLM. Kerberos is less efficient over the WAN because the client must contact the Domain Controller to answer the server authentication challenge and tends to be employed on a per-request basis. Riverbed recommends enabling Strip Auth Header along with this option.

Strip Auth Header - Removes all credentials from the request on an already authenticated connection. This works around Internet Explorer behavior that reauthorizes connections that have previously been authorized. This option is most effective when the Web server is configured to use per-connection NTLM authentication.
Note: If the Web server is configured to use per-request NTLM authentication, enabling this option might cause authentication failure.

Gratuitous 401 - Prevents a WAN round trip by issuing the first 401 containing the realm choices from the SteelHead Mobile. Riverbed recommends enabling Strip Auth Header along with this option. This option is most effective when the Web server is configured to use per-connection NTLM authentication or per-request Kerberos authentication.
Note: If the Web server is configured to use per-connection Kerberos authentication, enabling this option might cause additional delay.

SharePoint

FPSE (FrontPage Server Extensions) - FPSE is an application-level protocol used by SharePoint. FPSE allows a Web site to be presented as a file share. FPSE initiates its communication with the server by requesting well-defined URLs for further communication and determining the version of the server.

WebDAV (Web-based Distributed Authoring and Versioning) - WebDAV is a set of extensions to the HTTP/1.1 protocol that allows users to collaboratively edit and manage files on remote Web servers. WebDAV is an IETF Proposed Standard (RFC 4918) that provides the ability to access the document management system as a network file system.

Add - Adds the server subnet or host.

3. Click Update Policy to save your settings.

4. Click Save to save your settings permanently.
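The Authentication Tuning notes above depend on how each Web server authenticates, and the Server Subnet and Host Settings list decides which options reach a given server. The following added example (not Riverbed code) resolves the entry that applies to a server and checks its options against those notes. The option keys and sample subnets are hypothetical, and picking the longest prefix among overlapping list entries is an assumption.

```python
import ipaddress

# Hypothetical option keys standing in for the check boxes described above.
DEFAULT_ENTRY = {"subnet": None, "options": {"url_learning"}}   # guide: default is URL Learning

# Server authentication modes the guide calls "most effective" for each option.
# "per-connection NTLM or Kerberos" is read here as per-connection for both schemes.
MOST_EFFECTIVE = {
    "reuse_auth": {("ntlm", "per-connection"), ("kerberos", "per-connection")},
    "strip_auth_header": {("ntlm", "per-connection")},
    "gratuitous_401": {("ntlm", "per-connection"), ("kerberos", "per-request")},
}
# Combinations the guide's notes warn about.
GUIDE_WARNINGS = {
    ("strip_auth_header", "ntlm", "per-request"): "might cause authentication failure",
    ("gratuitous_401", "kerberos", "per-connection"): "might cause additional delay",
}
# Options for which the guide recommends enabling Strip Auth Header as well.
RECOMMEND_STRIP_AUTH_WITH = ("force_ntlm", "gratuitous_401")

# Constructed sample list: a broad subnet and a more specific one inside it.
SAMPLE_ENTRIES = [
    {"subnet": "10.20.0.0/16",
     "options": {"parse_and_prefetch", "strip_auth_header", "gratuitous_401"}},
    {"subnet": "10.20.5.0/24", "options": {"url_learning", "force_ntlm"}},
]


def effective_entry(server_ip, entries, default=DEFAULT_ENTRY):
    """Return the list entry covering server_ip, or the default settings."""
    ip = ipaddress.ip_address(server_ip)
    matches = [e for e in entries if ip in ipaddress.ip_network(e["subnet"])]
    if not matches:
        return default
    # Assumption: among overlapping entries the most specific subnet applies.
    return max(matches, key=lambda e: ipaddress.ip_network(e["subnet"]).prefixlen)


def lint_auth_tuning(server_ip, scheme, scope, entries):
    """Check the options applied to one server against the guide's notes.

    scheme is "ntlm" or "kerberos"; scope is "per-connection" or "per-request".
    Returns (matched subnet, [(severity, option, message), ...]).
    """
    entry = effective_entry(server_ip, entries)
    options = entry["options"]
    findings = []
    for opt in sorted(options):
        warning = GUIDE_WARNINGS.get((opt, scheme, scope))
        if warning:
            findings.append(("warn", opt, warning))
        elif opt in MOST_EFFECTIVE and (scheme, scope) not in MOST_EFFECTIVE[opt]:
            findings.append(("info", opt, "server is not in a mode the guide calls most effective"))
        if opt in RECOMMEND_STRIP_AUTH_WITH and "strip_auth_header" not in options:
            findings.append(("info", opt, "guide recommends enabling Strip Auth Header as well"))
    return entry["subnet"], findings


if __name__ == "__main__":
    for ip, scheme, scope in [("10.20.1.7", "ntlm", "per-request"),
                              ("10.20.5.9", "kerberos", "per-request"),
                              ("172.16.0.1", "ntlm", "per-connection")]:
        print(ip, scheme, scope, "->", lint_auth_tuning(ip, scheme, scope, SAMPLE_ENTRIES))
```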

To configure NFS settings

1. With the Protocol Settings tab open, click the NFS tab to display the settings.

Figure 7-9. NFS Settings

2. Complete the configuration as described in this table.

Enable NFS Optimization - Enables NFS optimization.

3. Click Update Policy to save your settings.

4. Click Save to save your settings permanently.

To configure Oracle Forms settings

1. With the Protocol Settings tab open, click the Oracle Forms tab to display the settings.

Figure 7-10. Oracle Forms Settings

2. Complete the configuration as described in this table.

Enable Oracle Forms Optimization - Enables Oracle Forms optimization in native mode, also known as socket mode. Oracle Forms native mode optimization is enabled by default. Disable this option only to turn off Oracle Forms optimization; for example, if your network users do not use Oracle applications.

3. Click Update Policy to save your settings.

4. Click Save to save your settings permanently.

To configure Lotus Notes settings

1. With the Protocol Settings tab open, click the Lotus Notes tab to display the settings.

Figure 7-11. Lotus Notes Settings

2. Complete the configuration as described in this table.

Enable Lotus Notes Optimization - Enables latency and bandwidth optimization for Lotus Notes v6.0 and later traffic across the WAN. This feature accelerates email attachment transfers and server-to-server or client-to-server replications. Lotus Notes is only supported on SteelHead Mobiles running on Windows PCs.

Lotus Notes Port - Specify the Lotus Notes port for optimization. Typically, you do not need to modify the default value of 1352.

3. Click Update Policy to save your settings.

4. Click Save to save your settings permanently.

To configure Citrix settings

1. With the Protocol Settings tab open, click the Citrix tab to display the settings.

Figure 7-12. Citrix Settings

2. Complete the configuration as described in this table.

Optimizes the native Citrix traffic bandwidth.

Citrix ICA Port - Specify the port on the Presentation Server for inbound traffic. The default port is 1494.

Session Reliability (CGP) Port - Specify the port number for Common Gateway Protocol (CGP) connections. CGP uses the session reliability port to keep the session window open even if there is an interruption on the network connection to the server. By default, this setting is 2598.

Enable SecureICA Encryption - Uses the RC5 algorithm to encrypt the ICA protocol, securing communication sent between a MetaFrame Presentation Server and a client.

3. Click Update Policy to save your settings.

4. Click Save to save your settings permanently.

To configure Connection settings

1. With the Protocol Settings tab open, click the Connection Settings tab to display the settings.

Figure 7-13. Connection Settings

2. Complete the configuration as described in this table.

Maximum Connection Pool Size - Specify the maximum number of TCP connections in a connection pool. Connection pooling enhances network performance by reusing active connections instead of creating a new connection for every request. Connection pooling is useful for protocols which create a large number of short-lived TCP connections, such as HTTP.
To optimize such protocols, a connection pool manager maintains a pool of idle TCP connections, up to the maximum pool size. When a client requests a new connection to a previously visited server, the pool manager checks the pool for unused connections and returns one if available. Thus, the SteelHead Mobile and the SteelHead do not have to wait for a three-way TCP handshake to finish across the WAN. If all connections currently in the pool are busy and the maximum pool size has not been reached, the new connection is created and added to the pool. When the pool reaches its maximum size, all new connection requests are queued until a connection in the pool becomes available or the connection attempt times out.
The default value is 5. A value of 0 specifies no connection pool.

3. Click Update Policy to save your settings.

4. Click Save to save your settings permanently.

Configuring SSL for Policies

You configure SSL for your SteelHead Mobile in the SSL tab of the Manage > Policies page. SSL is a cryptographic protocol that provides secure communications between two parties over the Internet.

For detailed information about configuring SSL for the SteelCentral Controller for SteelHead Mobile, see Chapter 6, Configuring SSL for Mobile Controllers. For detailed information about configuring SSL in the SteelHead, see the SteelHead Management Console User's Guide.

To configure SSL for policies

1. Choose Manage > Policies to display the Policies page.

2. Click the policy name to display the policy tabs and select SSL.

Figure 7-14. Policies - SSL Page

3. Complete the configuration as described in this table.

General SSL Settings

Enable SSL Optimization - Enables SSL optimization, which accelerates applications that use SSL to encrypt traffic. This option is disabled by default. You can choose to enable SSL optimization only on certain sessions (based on source and destination addresses, subnets, and ports), or on all SSL sessions, or on no SSL sessions at all. An SSL session that is not optimized simply passes through the SteelHead Mobile unmodified.

Client Authentication

Enable Client Certificate Support - Enables use of client-side SSL certificates to authenticate clients.

SSL Secure Peering Settings

Traffic Type - Select one of the following traffic types from the drop-down list:

SSL Only - The peer Mobile Controller and the server-side SteelHead authenticate each other and then encrypt and optimize all SSL traffic: for example, HTTPS traffic on port 443. This is the default setting.

SSL and Secure Protocols - The peer Mobile Controller and the server-side SteelHead authenticate each other and then encrypt and optimize all traffic traveling over the following secure protocols: Citrix, SSL, SMB-signed, and encrypted MAPI. SMB-signing, MAPI encryption, or Secure ICA encryption must be enabled on both the Mobile Controller and server-side SteelHeads when securing SMB-signed traffic, encrypted MAPI traffic, or encrypted Citrix ICA traffic. Enabling this option requires an optimization service restart.

All - The peer Mobile Controller and the server-side SteelHead authenticate each other and then encrypt and optimize all traffic. Only the optimized traffic is secure; pass-through traffic is not. Enabling this option requires an optimization service restart.

Fallback to No Encryption - Specifies that the SteelCentral Controller for SteelHead Mobile optimizes but does not encrypt the connection when it is unable to negotiate a secure, encrypted inner channel connection with the peer. This is the default setting. Enabling this option requires an optimization service restart.
Note: Riverbed strongly recommends enabling this setting on both the Mobile Controller and the server-side SteelHeads, especially in mixed deployments.
This option applies only to non-SSL traffic and is unavailable when you select SSL Only as the traffic type.
Clear the check box to pass through connections that do not have a secure encrypted inner channel connection with the peer. Use caution when disabling this setting, as doing so specifies that you strictly do not want traffic optimized between nonsecure appliances.
When this setting is disabled on the server-side SteelHead and All is selected as the traffic type, it will not optimize the connection when a secure channel is unavailable, and might drop it. SSL Peering Trust All Pre-configured Peering Certificates - Enables a trust relationship for all pre-configured Mobile ler certificates listed in Effective List of all the Peering Certificates. 4. Click Update Policy to save your changes. 5. Click Save to save your changes permanently. Trust Selected Peering Certificates - Enables a trust relationship only with selected peering certificates in the Selected Peering Certificates list. Add Peering Certificate - Click to add a peering certificate from the drop-down list. Add - Adds the selected peering certificate to the Selected Peerings Certificates list. Remove Peering Certificate - Select the check box next to the name and click Remove Peering Certificate to remove the peering certificate. 132 SteelCentral ler for SteelHead Mobile User s Guide
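The secure peering choices in the table above decide whether a connection ends up encrypted, optimized without encryption, or passed through. The following Python model is an added example, not Riverbed code and not part of the guide; the PeeringPolicy class, its field names, the protocol labels, and the finding codes are assumptions made for illustration, and the sample policies are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Traffic type labels as they appear on the Policies > SSL page.
SSL_ONLY = "SSL Only"
SSL_AND_SECURE = "SSL and Secure Protocols"
ALL = "All"

# Protocols the page lists under "SSL and Secure Protocols".
# The lowercase labels are this example's own naming.
SECURE_PROTOCOLS = {"ssl", "citrix", "smb-signed", "encrypted-mapi"}


@dataclass
class PeeringPolicy:
    """Hypothetical in-memory copy of one policy's secure peering settings."""
    name: str
    trust_all_preconfigured: bool            # False = Trust Selected Peering Certificates
    traffic_type: str = SSL_ONLY             # default per the page
    fallback_to_no_encryption: bool = True   # default per the page


def in_secure_peering_scope(traffic_type: str, protocol: str) -> bool:
    """Is this protocol covered by secure peering for the given traffic type?"""
    if traffic_type == SSL_ONLY:
        return protocol == "ssl"
    if traffic_type == SSL_AND_SECURE:
        return protocol in SECURE_PROTOCOLS
    if traffic_type == ALL:
        return True
    raise ValueError(f"unknown traffic type: {traffic_type!r}")


def inner_channel_outcome(policy: PeeringPolicy, protocol: str,
                          secure_channel_ok: bool) -> str:
    """Outcome for one connection, following the wording of the table."""
    if not in_secure_peering_scope(policy.traffic_type, protocol):
        return "outside-secure-peering"
    if secure_channel_ok:
        return "encrypted-and-optimized"
    if protocol == "ssl":
        # The fallback option applies only to non-SSL traffic; the page does
        # not say what happens to SSL here, so the model does not guess.
        return "not-stated-on-page"
    if policy.fallback_to_no_encryption:
        return "optimized-unencrypted"
    return "pass-through"


def audit(policy: PeeringPolicy, server_side_fallback: bool) -> List[Tuple[str, str]]:
    """Findings for one policy plus the fallback setting of its server-side SteelHead."""
    findings = []
    if policy.traffic_type != SSL_ONLY:  # fallback is unavailable with SSL Only
        if policy.fallback_to_no_encryption:
            findings.append(("CLEARTEXT-FALLBACK",
                             "non-SSL connections are optimized without encryption "
                             "when no secure inner channel can be negotiated"))
        if not (policy.fallback_to_no_encryption and server_side_fallback):
            findings.append(("FALLBACK-NOT-ON-BOTH",
                             "the page recommends enabling fallback on the Mobile "
                             "Controller and the server-side SteelHeads"))
        if policy.traffic_type == ALL and not server_side_fallback:
            findings.append(("DROP-RISK",
                             "connections without a secure channel are not "
                             "optimized and might be dropped"))
    if policy.trust_all_preconfigured:
        findings.append(("TRUST-ALL",
                         "every pre-configured peering certificate is trusted"))
    return findings


def audit_codes(policy: PeeringPolicy, server_side_fallback: bool) -> List[str]:
    """Only the finding codes, convenient for comparing policies."""
    return [code for code, _ in audit(policy, server_side_fallback)]


# Constructed sample policies, each paired with the server-side fallback setting.
SAMPLES = [
    (PeeringPolicy("default-ssl-only", trust_all_preconfigured=False), True),
    (PeeringPolicy("all-with-fallback", True, ALL, True), True),
    (PeeringPolicy("all-strict", False, ALL, False), False),
]

if __name__ == "__main__":
    for sample, server_fallback in SAMPLES:
        # Plain HTTP connection whose secure inner channel negotiation failed.
        print(sample.name, "->", inner_channel_outcome(sample, "http", False))
        for code, message in audit(sample, server_fallback):
            print("   ", code, "-", message)
```

The model makes the trade-off visible: the recommended fallback setting keeps connections optimized but lets them travel unencrypted, while the strict setting gives up optimization, and possibly the connection, when no secure channel is available.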

Configuring Location Awareness for Policies

Location Awareness enables SteelHead Mobiles to detect that they are in a branch office with a SteelHead, and allow the branch office SteelHead to optimize their traffic.

You configure location awareness for your SteelHead Mobiles on the Location Awareness tab of the Manage > Policies page.

When a SteelHead Mobile is in a branch office that has a SteelHead, the location awareness settings determine whether optimization is performed by the SteelHead Mobile or by the SteelHead. SteelHead Mobiles can be configured to operate in any one of three modes when in the branch office:

1. If latency-based location awareness is disabled (which also means that branch warming is unavailable), the SteelHead Mobile performs optimization. The SteelHead Mobile does not experience improved performance when accessing data segments that have been previously accessed by other users at the branch office, and the client warms only its own SteelHead Mobile RiOS data store. The branch office SteelHead does not warm its RiOS data store with data segments accessed by the SteelHead Mobile, so when another user at the branch office transfers the same data, the second user experiences cold performance.

2. If latency-based location awareness is enabled but branch warming is not, then the branch office SteelHead performs optimization. In this case, the SteelHead Mobile experiences warm performance while in the branch office. The branch office SteelHead warms its RiOS data store with segments previously accessed by the SteelHead Mobile and by other users at the branch office. This is the default setting.

3. If latency-based location awareness and branch warming are both enabled, the SteelHead Mobile will perform optimization with the server-side SteelHead, and it will also pull data segments from the branch-side SteelHead if another user in the branch has already accessed the same data. The SteelHead Mobile will also push all of its newly acquired data segments to the branch SteelHead so other users may experience warm performance when they access that same data, whether the optimization is performed directly by the branch-side SteelHead or by another SteelHead Mobile that is in Branch Warming mode. When the user leaves the branch office, the SteelHead Mobile provides warm performance.

Branch warming co-operates with and optimizes transfers for a server-side SteelHead. New data transfers between the client and server are populated in the SteelCentral Controller for SteelHead Mobile RiOS data store, the branch SteelHead RiOS data store, and the server-side SteelHead RiOS data store.

When data is downloaded from the server, the server-side SteelHead checks if either the SteelHead Mobile or the branch SteelHead has the data in its RiOS data store. If either device already has the data segments, the server-side SteelHead sends only references to the data. The SteelHead Mobile and the branch SteelHead communicate with each other to resolve the references.

The following requirements must be met for location awareness and branch warming to function properly:

- The SteelHeads must be running RiOS v6.0 or later.
- The SteelHead Mobile and Mobile Controller must be running SteelCentral Controller for SteelHead Mobile v3.0 or later.
- Enable latency-based location awareness and branch warming on the Mobile Controller.
- Enable branch warming on both the client-side and server-side SteelHeads.
- Both the client-side and server-side SteelHeads must be deployed in-path or virtual in-path (that is, no fixed-target rules).
- Enable enhanced auto-discovery on both the client-side and server-side SteelHeads.

Branch warming might not improve performance for configurations using SteelHead Mobiles that communicate with multiple server-side appliances in different scenarios. For example, if a SteelHead Mobile home user peers with one server-side SteelHead after logging in through a VPN network and peers with a different server-side SteelHead after logging in from the branch office, branch warming does not improve performance.

To configure location awareness

1. Choose Manage > Policies to display the Policies page.
2. Click the policy name to display the policy tabs and select Location Awareness.

Figure 7-15. Policies - Location Awareness Page

3. Complete the configuration as described in this table.

Enable Latency-based location awareness - Click the check box only if you want to enable latency-based location awareness. Latency-based location awareness is disabled by default.

Optimize over adapters specified above if latency to SteelHead is more than: ( ) ms - Specify the value of latency to the SteelHead (in milliseconds) above which optimization over the specified adapters occurs.

Enable Branch Warming - Select the check box only if you want to enable branch warming. Branch warming is disabled by default.

Adapters to Optimize: Add New Rule

Position - Select start, end, or a rule number from the drop-down list. SteelCentral Controller for SteelHead Mobiles evaluate rules in numerical order, starting with rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule do not match, the system consults the next rule. For example, if the conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted.

Adapter - Determines the adapter. Select the adapter from the drop-down list. You can also add a new adapter when you add a new rule. Select Other Adapter(s) from the drop-down list and enter the adapter name in the Other - Please specify field.

Optimize - Determines the optimization. Select one of the following options from the drop-down list:
  Yes - Enables optimization.
  No - Disables optimization.

Add - Click Add to add the rule to the rules list.

4. Click Update Policy to save your changes.
5. Click Save to save your settings permanently.

Enabling Branch Warming on SteelHead Appliances

For branch warming to work on the SteelHead Mobile, branch warming must be enabled on both the client-side and server-side SteelHeads. For your convenience, instructions are provided here for configuring the SteelHeads.

To configure branch warming on the client-side and server-side SteelHead appliances

1. Connect to the client-side and server-side SteelHead appliances.
2. On both the client-side and the server-side SteelHeads, choose Configure > Optimization > Data Store to display the Data Store page.
3. Under General Settings, select Enable Branch Warming for SteelHead Mobiles.
4. Click Apply to apply your settings.
5. Click Save to save your settings permanently.
6. Restart the optimization service.

Note: To enable branch warming, ensure that the client-side and server-side SteelHeads are deployed as in-path or virtual in-path devices.

Configuring Endpoint Settings for Policies

You configure endpoint settings for SteelHead Mobiles on the Endpoint Settings tab of the Manage > Policies page. Endpoint settings include the SteelHead Mobile RiOS data store size, log size, adding additional Mobile Controllers, Windows-only settings, and enabling visibility of the SteelHead Mobile in the system tray.

When you configure endpoint settings, you must remove the Mobile Controller labeled with the (localhost) suffix. This special Mobile Controller is the localhost, and when the policy is created, it is replaced by the Mobile Controller sending the policy, leading to an incorrect IP address. Instead of using the Mobile Controller labeled (localhost), use only the fully qualified domain name or the IP address for that Mobile Controller.

Note: Carefully consider the RiOS data store size of your SteelHead Mobile appliances. You can modify the SteelHead Mobile RiOS data store size at any time in a policy in the Manage > Policies > Endpoint Settings page. However, changing the RiOS data store size requires clearing the data store, which can temporarily slow performance.

To configure endpoint settings

1. Choose Manage > Policies to display the Policies page.
2. Click the policy name to display the policy tabs and select Endpoint Settings. The Endpoint Settings page appears with the Controller Settings tab displayed.

Figure 7-16. Policies - Endpoint Settings - Controller Settings

3. Configure the controller settings as described in this table.

Controller Options

Add a New Controller - Displays the controls for adding a new Mobile Controller to the list.

Insert At - Select start, end, or a Mobile Controller number from the drop-down list. The default value is end. Specify the order in which endpoint clients connect with Mobile Controllers. Mobile Controllers connect according to the number you specify, starting with 1. If the system is unable to connect to 1 in the list, the system moves on to the next Mobile Controller in the list. For example, if the system is unable to connect to Mobile Controller 1, then Mobile Controller 2 is attempted. If Mobile Controller 2 is successful, no further Mobile Controllers in the list are attempted.

Hostname/Port - Specify a fully qualified hostname or IP address and port for a Mobile Controller that the client connects to. You can specify more than one Mobile Controller. The default port value is 7870.

Use Random Ordering of Controllers when Connecting - Select the check box to disregard the Mobile Controller priority list and randomly connect to Mobile Controllers in the group. The default setting is disabled.

Add - Adds a new Mobile Controller.

Remove Selected Controllers - To remove an entry, select the check box next to the entry and click Remove Selected Controllers. By default, a value for the local Mobile Controller is already in the list. In a clustered deployment, the entry should be removed and replaced with an explicit entry for the local Mobile Controller.

4. Click the Desktop Settings tab to configure endpoint settings for desktop licenses.

5. Configure the desktop license settings as described in this table.

General Settings

Show Client in the System Tray - Select the check box to display the SteelHead Mobile in your client machine system tray. The default setting is enabled.
  Note: When you enable Show Client in the System Tray, the endpoint user can override policy settings made by the system administrator. Even if a new policy is sent to the client, the settings in the client remain in effect until the endpoint user clicks Reset under Settings > Reset to Administrator policy.

Allow User to Modify Optimization Settings - Select the check box to enable the SteelHead Mobile user to modify optimization settings. The default setting is enabled.

Data Store Settings

Data Store Size - Select one of the following options from the drop-down list. The minimum value is 256 MB. The default value is 10 GB.
  256 MB = 81 MB RAM
  512 MB = 81 MB RAM
  1 GB = 81 MB RAM
  2 GB = 100 MB RAM
  5 GB = 112 MB RAM
  10 GB = 161 MB RAM
  15 GB = 171 MB RAM
  20 GB = 228 MB RAM
The amount of RAM used by the optimization service on the SteelHead Mobile is related to the SteelHead Mobile RiOS data store size that you select. If the SteelHead Mobile is visible on the client computer, the Data Store Size Auto setting for RiOS data store size means the client is using the size specified in the policy.
  Note: Carefully consider the RiOS data store size for your SteelHead Mobiles. Changing the size later requires emptying the RiOS data store, which temporarily slows performance.

Log Settings

Maximum Log Size - Specify the maximum size for your log files to be stored on your client machine. The default value is 5000 KB.

Windows-Only Settings

Disable TCP/IP Checksum Offloading (Requires client reboot) - For Windows only. Select the check box to disable TCP/IP checksum offloading.

6. Click Update Policy to save your changes.

7. Click Save to save your settings permanently.

Note: After you apply your settings, you can verify whether changes have had the desired effect by reviewing related reports. After this verification, you can write the active configuration that is stored in memory to the active configuration file (or you can save it as any filename you choose). For details on saving configurations, see Managing Configurations on page 85.

Managing SteelHead Mobile Packages

The following section describes how to deploy SteelCentral Controller for SteelHead Mobile optimization settings to your SteelHead Mobiles using packages. It includes the following sections:

- Creating Packages
- Viewing Package Details
- Deploying SteelHead Mobile Packages

Creating Packages

You create packages in the Manage > Packages page to deploy SteelCentral Controller for SteelHead Mobile optimization settings to your SteelHead Mobiles. The Mobile Controller is shipped with a default package, called Default, which contains endpoint settings from the default Initial policy. The default package is designed to be suitable for basic deployments.

After you create a package it cannot be edited. However, you can create and deploy new packages for software and configuration updates.

To move a user from one group to another, you must uninstall the SteelHead Mobile software on the endpoint and then install the package with the new group. A simple approach is to move users to new groups when you upgrade their SteelHead Mobile software to a higher version.

To create a package

1. Choose Manage > Packages to display the Packages page.

Figure 7-17. Packages Page

2. Complete the configuration as described in this table.

Create New Package

Package Name - Specify a unique name for the package. The package name can be three or more characters, and can contain alphanumeric characters (0-9, a-z, A-Z), spaces, dashes ( - ), and underscores ( _ ).

Group - Specify a unique group for the package. The package name can be three or more characters, and can contain alphanumeric characters (0-9, a-z, A-Z), spaces, dashes ( - ), and underscores ( _ ). For details on groups, see Managing SteelHead Mobile Assignments on page 146.

Comments - Specify a short comment to help you identify the package. This comment is displayed with the name of the package and the version number of the software contained in the package, on the Manage Packages page.

Install Directory - Specify the installation directory for the package. The default directory in Windows is %PROGRAMFILES%\Riverbed\Steelhead Mobile.

Datastore Directory - Specify the SteelHead Mobile RiOS data store directory. The default directory in Windows is %ALLUSERSAPPDATA%\Riverbed\Steelhead_mobile\Datastore.

Use Endpoint Settings from Policy - Select a policy from the drop-down list.

Options (Windows only)

Show Installer UI - Specify this option to display the Microsoft Windows Installer UI upon initial installation. The default value is enabled. To install the package silently (without the Microsoft Windows Installer UI), disable the Show Installer UI option.
  Note: The Microsoft Windows Installer is visible to the endpoint client if the Show Installer UI option is enabled. If so, the system prompts you to specify your SteelHead Mobile RiOS data store size and Mobile Controller configurations.

Place Icon on Desktop - Specify this option to display the Microsoft Windows Installer icon on the desktop of the client machine. The default value is enabled.

Place Entry in Start Menu - Specify this option to list the Microsoft Windows Installer in the Start menu of the client machine. The default value is enabled.

Restart if Reboot is Needed - Specify this option to prompt the user to reboot the machine after installing the SteelHead Mobile. The default value is disabled.

Increment MaxNumFilters if Needed - Specify this option to increment automatically to the maximum number of filter drivers in the Windows Vista or Windows 7 registry, if the maximum number of filters is already installed on the system.

Add - Adds a new package to the package list. Packages are displayed according to their assigned group. Each group has a list of associated packages belonging to that group.

Remove Selected Packages - To remove an entry, select the check box next to the name and click Remove Selected Packages.

3. Click Add to save your package.
4. Click Save to permanently save your settings.

Viewing Package Details

You can view package details in the Manage > Packages page.

To view package details

1. Choose Manage > Packages to display the Packages page. A list of packages residing on the Mobile Controller displays according to the assigned group. Each group has a list of packages belonging to it.

2. Click the group name to display a list of packages, the version, and any comments associated with the package.

Figure 7-18. Packages Page

3. Click the package name to display package details.

Figure 7-19. Package Details Page

The following information is displayed for the package.

Name - The unique name for the package.

Group - The unique group for the package.

Comments - A short comment to help you identify the package.

Created - The date and time the package was created.

Build Details - The SteelCentral Controller for SteelHead Mobile software version and package code.

Software Version - The SteelCentral Controller for SteelHead Mobile software version.

Install Directory - The installation directory for the package. The default directory in Windows is %PROGRAMFILES%\Riverbed\Steelhead Mobile.

Datastore Directory - The SteelHead Mobile RiOS data store directory. The default directory in Windows is %ALLUSERSAPPDATA%\Riverbed\Steelhead_Mobile\Datastore.

Endpoint Settings - The following endpoint settings are displayed:
  Data Store Size - Displays the size allotted for the SteelHead Mobile RiOS data store.
  Log File Size - Displays the size allotted for log files.
  Number of Log Files - Displays the maximum number of log files allowed.
  Driver Order - Displays the current driver order.
  Disable Checksum Offload - Displays the current setting for Checksum Offload: true or false
  Driver Order Enabled - Displays the current setting for driver order: true or false

Installer UI - The Microsoft Windows Installer UI option: true or false

Desktop Icon - The Microsoft Windows Installer icon option on the desktop of the SteelHead Mobile: true or false

Start Menu - The Microsoft Windows Installer option appears in the Start menu of the SteelHead Mobile: true or false

Restart if Reboot is Needed - Reboot the machine after installing the SteelHead Mobile: true or false

Increase MaxNumFilters if Needed - Increment automatically to the maximum number of filter drivers in the Windows Vista or Windows 7 registry, if the maximum number of filters is already installed on the system: true or false

32-bit Package Download URL - Download URL for the 32-bit Windows package.

64-bit Package Download URL - Download URL for the 64-bit Windows package.

Mac Package Download URL - Download URL for the Mac package.

Deploying SteelHead Mobile Packages

The following section describes how to deploy SteelHead Mobile packages using the Microsoft Windows Installer for Windows clients and the Apple PackageMaker for Mac OS X clients.

You can use any of the following methods to deploy packages to the endpoint clients in your network:

- Deployment Tools - Typically, in larger organizations, you might use deployment tools to install the SteelHead Mobile client software (for example, Microsoft SMS and GPO, Altiris, Tivoli, Radia, and Zenworks). Deployment of SteelHead Mobile software has been tested with Microsoft SMS, Active Directory, and GPO (Group Policy Object). Consult your vendor's documentation for information about its products.

- Email - You can use email to send the link provided on the Mobile Controller.
- Manual Installation - If your deployment is small, you might want to install each package manually on the client machines.
- Scripts - You can use login scripts or batch files to trigger an installation when users log in to their systems.

After you save the SteelHead Mobile package to your computer, double-click the package to install the package on your computer.

Note: If the package is to be downloaded by more than 50 SteelHead Mobiles, Riverbed recommends that you put the package on a file server so the Mobile Controller is not overloaded with requests.

Basic Steps for Deploying Packages

Perform the following basic steps to deploy packages to your SteelHead Mobiles.

1. Choose Manage > Packages to display the Packages page.
2. Click the group name to display a list of packages.
3. Click the package name to view package details, including the download URL for Windows and Mac packages.
4. Click the URL for the Windows or Mac package and save it to your local machine.
5. Distribute your package using a deployment tool of your choice:
   - You can use a deployment tool, for example, Microsoft GPO or SMS.
   - You can deploy your package from an internal Web site, by email, or manually. If you use one of these methods, you must install the SteelHead Mobiles manually by double-clicking on the SteelHead Mobile package to install the package on your computer.
6. Verify SteelHead Mobile connections and optimization in the Reports > Endpoints > Endpoints report on the Mobile Controller.

Installing the SteelHead Mobile Packages on Windows and Mac Clients

Perform the following steps to install the SteelHead Mobile package on a Windows client. For details on Microsoft Windows Installer (MSI) properties, see Appendix C, Windows Installer Properties.

The SteelHead Mobile installer for the Mac OS X is a standard Apple PackageMaker installer. Perform the following steps to install the SteelHead Mobile package on Mac clients.

To install the SteelHead Mobile package on a Windows client

1. After you have saved the SteelHead Mobile package to your computer, double-click the msi file to execute the package.
2. Accept the license agreement.
3. Choose the installation destination folder.

4. Specify whether to have a Desktop icon or a Start menu icon.
5. Choose a Typical or Advanced installation. If you select Advanced, set your SteelHead Mobile RiOS data store size and configure your Mobile Controller.
6. Click the desktop icon to launch the SteelHead Mobile.
7. Reboot your machine, if prompted.

To install the SteelHead Mobile package on a Mac client

1. After you have saved the SteelHead Mobile package to your computer, double-click the tgz file to run it.
2. Accept the license agreement.
3. Select the installation Destination disk.
4. Specify an administrator name and password, and click OK.
5. Click Close to complete the installation.

If the Show Client in the System Tray option is enabled in the policy, the SteelHead Mobile software icon is now shown in the system tray. The SteelHead Mobile runs in the background and optimizes traffic transparently. After approximately thirty seconds, the client is visible on the Mobile Controller.

To verify your client connections and optimization, navigate to the Reports > Endpoints > Endpoint Report page on the Mobile Controller. For details, see Viewing Endpoint Reports on page 152.

Updating SteelHead Mobile Software

You use packages to provide automatic software updates to your SteelHead Mobiles. After a package is created, it cannot be edited.

Note: HTTP access must be enabled on the Mobile Controller for automatic updates to be downloaded to your SteelHead Mobiles.

When the SteelHead Mobile software is installed, a client is assigned a group ID based on the package that was installed. If you used the Default package, then the client will be in the Default group. Using groups allows you to assign upgrades and policies to several SteelHead Mobiles at a time. For details on groups, see Managing SteelHead Mobile Assignments on page 146.

Note: If you want to change a SteelHead Mobile's group while still having the client use the same version, you must manually uninstall the SteelHead Mobile software to install the package with the new group. The SteelHead Mobile's group can also be changed using the Group Policy Object (GPO) template. For details, see Changing an Endpoint Group for Clients Using a GPO on page 149.

Basic Steps for Creating a Package for SteelHead Mobile Software Updates

The following list describes the basic steps for creating a package for SteelHead Mobile software updates.

1. Create new packages for each group.
   Reference: Creating Packages on page 139.
2. Modify the package assigned to the current group or assign your policies to group.
   Reference: Managing SteelHead Mobile Assignments on page 146.
3. Deploy the package to the endpoint clients in your network using the deployment tool of your choice. When using the upgrade method built into the Mobile Controller, the endpoint user will be prompted to install the update.
   Reference: Deploying SteelHead Mobile Packages on page 143 and Installing the SteelHead Mobile Packages on Windows and Mac Clients on page 144.
4. Verify your connection and optimization in the Reports > Endpoints > Endpoint Report page.
   Reference: Viewing Endpoint Reports on page 152.
5. You can also make individual assignments to Active Directory users based on their username identified by SteelCentral Controller for SteelHead Mobile without using a group.
   Reference: Working with Group Assignments on page 147.

Note: Upgrading can terminate existing connections on the client. Client connections are terminated each time the policies are updated.

Managing SteelHead Mobile Assignments

On the Manage > Assignments page, you configure two types of assignments:

- Default policy assignments for desktop devices.
- Group assignments for SteelHead Mobiles

Figure 7-20. Assignments Page

Changing Default Policy Assignments

You can configure default policy assignments for the desktop. The default policy is Initial.

To change a default policy assignment:

1. Choose Manage > Assignments to display the Assignments page.
2. Click the device type that you want to edit. (You can also click the search icon next to the device type.) Clicking the device type displays its details, and the search icon changes to an x. Click the x to collapse the details.
3. Under Edit Assignment, select a policy from the drop-down list.
4. Click Update SMC Default Assignment to make the change effective.

Working with Group Assignments

Typically, you use Group assignments to link policies and packages to your SteelHead Mobiles. Group assignments enable you to create different packages that are associated with different policies and assign them to groups of SteelHead Mobiles.

When you deploy a package, the SteelHead Mobile reports its group to be that of the package that was installed. The Mobile Controller uses the group to identify the SteelHead Mobiles associated with that group and automatically provides policy and software updates to them.

Your group assignments can be based on your endpoint client computers, such as applications used, computer memory, or disk space. Your group assignments can also be based on department, job function, geographic location, and so forth. Finally, they can be based on the type of SteelCentral Controller for SteelHead Mobile deployment you want, such as whether to optimize SteelHead Mobiles when they are in the office.

For example, suppose your SteelHead Mobiles have two types of computers: one with a minimal amount of disk space and another that has substantially larger amounts of disk space. You can deploy two packages:

- You can deploy the default package (which has a group assignment, Default and default policy, Initial) to your SteelHead Mobiles with minimal disk space. This requires no additional configuration. After these SteelHead Mobiles install the package, their computer is associated with the Default group and automatically receives policy and software updates assigned to the Default group.
- You can create a policy called, for example, high_end. The high_end policy would allot more disk space for data optimization. You would create a package and give it a unique group called, for example, graphics_department. You would assign the high_end policy to the graphics_department group, and deploy the associated package to those users with the larger disk space. After your users install the package, their computers become associated with the graphics_department group and, subsequently, receive policy and software updates assigned to the graphics_department group. You could also use the high_end policy for clients associated with a different group.

You can also make individual assignments to Active Directory users without using a group.

Riverbed recommends that you use a group to assign policies to packages. If your network environment requires the deployment of multiple packages, create the packages you need before deploying the default package. For details, see the SteelCentral Controller for SteelHead Mobile Installation Guide.

To manage group assignments

1. Choose Manage > Assignments to display the Assignments page.
2. Complete the configuration as described in this table.

Add Group Assignments - Specify the group assignments.
  Group - Specify a new, unique group. If you are updating endpoint clients, specify an existing group.
  Package - Specify a name for the package from the drop-down list.
  Policy - Specify the policy from the drop-down list. The default is Initial.
  Note: In Mobile Controller v4.7, you can select Inherit from Default as an option.

Add - Adds the group assignment.

Remove Selected Assignments - Removes the selected assignment.

Add AD Path Assignments - Specify the Active Directory path assignment.
  Active Directory Path Assignment - Specify a new, unique active directory path assignment.
  Package - Specify a name for the package from the drop-down list.
  Policy - Specify the policy from the drop-down list.

    Add - Adds the Active Directory path assignment.
GPO Custom Administrative Template: Complete the following tasks:
    - Click the link to download the GPO template (SteelheadMobile.adm) to your local machine.
    - On the Active Directory Server, in the Group Policy Editor, under Computer Configuration or User Configuration, right-click Administrative Templates and select Add/Remove Templates.
    - Click Add.
    - Navigate to the location of the SteelheadMobile.adm file downloaded above, select it, and click Open.
    The SteelheadMobile.adm file is listed under Current Policy Templates. The GPO now contains a SteelCentral Controller for SteelHead Mobile section with a list of the available SteelCentral Controller for SteelHead Mobile policy settings.
    Note: On Windows Server 2008 R2 or later, the new template appears under a subsection of Current Policy Templates labeled Classic Administrative Templates.

3. Click Save to save your settings permanently.

For details about changing a group, and disabling and enabling optimization using a GPO, see Changing an Endpoint Group for Clients Using a GPO on page 149 and Enabling or Disabling Optimization Using a GPO Template on page 150.

Changing an Endpoint Group for Clients Using a GPO

You can also use the Group Policy Object (GPO) custom administrative template to configure SteelCentral Controller for SteelHead Mobile deployment settings in the Manage > Assignments page. The GPO custom administrative template adds SteelCentral Controller for SteelHead Mobile specific policy settings to existing GPOs. After the template is added, you can configure these policy settings to deploy to clients SteelCentral Controller for SteelHead Mobile installations.

The GPO template can be added to the computer-specific or to the user-specific section of a GPO, depending on whether you want to apply settings based on computer name or username.

To change a client endpoint group with GPO

1. Double-click Group.
2. Select the option to enable the policy setting.
3. Type the group name.

When the policy is applied, the affected client begins using the specified group when communicating with the Mobile Controller, downloading policies, and so on.

Enabling or Disabling Optimization Using a GPO Template

In Windows Server you can enable or disable optimization using a GPO template.

To enable or disable optimization using a GPO Template

1. Double-click Enable Optimization.
2. Select the policy that you want to enable.
3. To disable optimization, uncheck Enable Optimization.

When the policy is applied, optimization on the client is disabled.

CHAPTER 8 Viewing Reports and Logs

This chapter describes how to view reports and logs on the Mobile Controller and SteelHead Mobile. Reports provide you with detailed information about network, health, and diagnostics. The chapter includes the following sections:

- Viewing Reports for Endpoints
- Viewing Endpoint User Information
- Viewing Diagnostics Reports
- Viewing and Downloading Logs
- Viewing Diagnostic Reports for Endpoints
- Viewing Controller Reports
- Exporting Logs

To use this chapter, you must know how to install, configure, and manage WAN optimization using the SteelHead. For details about the SteelHead, see the SteelHead Installation and Configuration Guide, the SteelHead Management Console User's Guide, and the SteelHead Deployment Guide.

Note: To print any report or log, choose File > Print in your Web browser to open the Print dialog box.

Viewing Reports for Endpoints

The following section describes how to view and customize endpoint client reports. It includes the following sections:

- Viewing Endpoint Reports
- Viewing Desktop Bandwidth Reports
- Viewing Branch Warming Reports
- Viewing SSL Reports
- Viewing Endpoint History Reports
- Viewing Desktop Traffic Reports

For all reports, data collection is the same. The Mobile Controller receives bandwidth and connection metrics from currently connected SteelHead Mobiles every five minutes, and aggregates statistical data by hour and day. If the Mobile Controller is part of a cluster, the report only shows data from the current Mobile Controller. The Mobile Controller stores the SteelHead Mobile data for three months or longer, depending on your network environment.

The Desktop Bandwidth reports, Branch Warming reports, and SSL reports for endpoints show graphs. In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as gigabytes (GBs) of bandwidth, percent (%) of data reduction, and connection counts.

The Desktop Traffic reports show pie charts. Pie chart graphs do not indicate peaks or averages, but represent the aggregate for the time period selected.

The LAN and WAN statistics reported on an Endpoint report might differ from those shown in the Desktop Bandwidth or Desktop Traffic graphs. For example, an endpoint client might switch Mobile Controllers if the controllers are in a cluster, or a user might manually change the Mobile Controller. The statistics shown on the Endpoint report are an aggregate of the LAN or WAN data across all the Mobile Controllers that the endpoint client connected to during the selected time frame. However, the statistics shown on the Desktop Bandwidth and Desktop Traffic graphs are only for the Mobile Controller currently in use.

Viewing Endpoint Reports

The Reports > Endpoints > Endpoint Report page provides information about the Mobile Controller's endpoints. An Endpoint report lists every endpoint client that has connected to the Mobile Controller and any other controllers in the same cluster. The report summarizes the overall status of your SteelHead Mobiles: username, connection status, controller, IP address, software version, group, policy, percent of data reduction, amount of data sent over the LAN and WAN, warmed data, and time connected.

The Endpoint report provides statistics that describe endpoint client activity for the time period you specify, as shown in the bottom right of the report.

The Endpoint report displays icons for both types of clients: Windows or Mac. The icons are dimmed if the client is unlicensed, and bright orange if the client is licensed.

The Endpoint report for Mobile Controller v4.7 and later also has a Settings tab that lets you choose the columns that appear in the report. In addition, on the Endpoints tab, three sub-tabs let you filter the report contents, perform system operations on endpoints, and remove one or more selected endpoints, as shown here:

Figure 8-1. Endpoint Report Page

What This Report Tells You

The Endpoint report answers the following questions:

- What is the current connection status of my SteelHead Mobile?
- What is the health and Mobile Controller connection status?
- How much data was transmitted for each SteelHead Mobile?

To view an endpoint report or change the report display

1. Choose Reports > Endpoints > Endpoint Report to display the Endpoint Report page.
2. To change the columns displayed in the report, click the Settings tab.
3. Select or clear the check boxes for the report columns, based on this table.

Group: Displays the SteelHead Mobile group.
Policy: Displays the policy assigned to the SteelHead Mobile.
Total Reduction: Displays the amount of data reduction for the SteelHead Mobile.
LAN Data: Displays the amount of data transmitted over the LAN during the selected time period.
WAN Data: Displays the amount of data transmitted over the WAN during the selected time period.
Warmed Data: Displays the total warmed data from the local Mobile Controller for the period specified when branch warming is turned on.
Connected At: Displays the connection time for the SteelHead Mobile.

4. Click Apply to make your changes.

Filtering Endpoint Reports

Use the Filters tab on the Endpoint report page to set or change the list of endpoint clients displayed, based on a variety of factors.

Figure 8-2. Endpoint Report Page - Filters Tab

To filter endpoint reports

1. On the Endpoint Reports page, click Filters (if it is not already highlighted).

2. Use the controls to customize the report as described in this table.

User: Specify one or more usernames. Separate multiple usernames with commas.
Type: Select All or Desktop.
License: Select All, Licensed, or Unlicensed.
Connection duration: Select All Connections Intervals, or an interval ranging from five minutes to one month.
Statistics posted: Select an interval ranging from the last hour to last month.
Endpoints per page: Select All Endpoints, or 20, 50, or 100 endpoints.
Status: Specify the current state of the SteelHead Mobile from the drop-down list:
    All - Indicates that all data is requested.
    Connected - Indicates the Mobile Controller is connected to the SteelHead Mobile.
    Healthy - Indicates that all systems are functioning properly.
    Degraded - Indicates that the system has detected an error when communicating with an endpoint.
    Critical - Indicates that the optimization service is not running. Contact your system administrator.
    Disabled - Indicates that the optimization service is turned off.
    Disconnected - Indicates that the connection to the endpoint is down.
Version: Select All to filter on all software versions, or select one or more particular software versions. This filter only appears when more than one value is present among the currently connected SteelHead Mobiles.
Group: Specifies one or more groups of SteelHead Mobiles to display. This filter only appears when more than one value is present among the currently connected SteelHead Mobiles.
Controller: Select or clear All, or one or more Mobile Controllers. This filter only appears when more than one value is present among the currently connected SteelHead Mobiles.
Policy: Select or clear All, or specific policies assigned to the SteelHead Mobile. This filter only appears when more than one value is present among the currently connected SteelHead Mobiles.
Add: Adds filters.

3. Select or clear one or more endpoints on the endpoint list below the Filters pane.
4. Click Apply Filter to make your changes.

Removing Endpoint Information

Use the Remove Selected Endpoints tab to remove the current information stored in the Endpoint report for one or more endpoints. Under normal circumstances, this information is replaced periodically with new information from the SteelHead Mobile.

Note: Clicking Remove Endpoint does not disable or remove the SteelHead Mobile on the end user's machine.

To remove information for endpoints

1. Click the Remove Selected Endpoints tab.
2. Select the check box next to one or more endpoint usernames.
3. Click Remove Endpoint to make your changes.

Performing Endpoint Operations

Use the Endpoint Operation tab to perform system tasks, such as resetting connections and requesting dump files, on selected endpoint clients.

To perform system tasks on endpoint clients

1. On the Endpoint Reports page, click the Endpoint Operations tab.
2. Use the controls on this tab to perform any of the tasks described in this table.

Reset Client-SMC Connection: Select the check box next to one or more endpoint usernames, and click Reset Client-SMC Connection to reset the connection between the Mobile Controller and the endpoint client.
Request System Dump: Select the check box next to one or more endpoint usernames and click Request System Dump to upload the files. A system dump contains endpoint logs, configuration information, process information, and other diagnostic information to use for troubleshooting.
    Note: HTTP must be enabled on the Mobile Controller to upload files from your SteelHead Mobile. To view system dump files, see Viewing Diagnostic Reports for Endpoints on page 183.

Request Memory Dump: Uploads the memory dump files.
    Note: A memory dump can be very large and can take time to upload.
    Note: HTTP must be enabled on the Mobile Controller to upload files from your SteelHead Mobile. To view memory dump files, see Viewing the Memory Dumps List on page 183.
TCP Dump Duration: Select the check box next to one or more endpoint usernames, specify a time interval, and click Request TCP Dump to upload the TCP dump files.
    Note: HTTP must be enabled on the Mobile Controller to upload TCP dump files from your SteelHead Mobile. To view TCP dump files, see Capturing and Uploading TCP Dumps on page 188.
Request TCP Dump: Select the check box next to one or more endpoint usernames and click Request TCP Dump to upload the files.

3. Select or clear one or more endpoints on the endpoint list below the Operations pane.
4. Click Apply Action to produce the desired results.

Viewing Endpoint User Information

On the Endpoint Reports page, you can display additional detailed information about an individual endpoint. The information is organized across several tabs.

Figure 8-3. Endpoint User Page

To view endpoint user details

1. Click an entry in the User column to expand details for that user.
2. Click the tabs at the top of the expanded user detail information to view detailed information about the endpoint user. The following tabs are available:

    General Information - Includes general information about the endpoint user, the user's computer, and the user's SteelHead Mobile, including client health, health description, computer name, IP address, policy, package, SteelHead Mobile software version, license status, memory, free disk space, and data store size.
    Bandwidth Summary - Includes the amount of WAN data, warmed data, LAN data, total data reduction, number of SSL requests, and how many SSL requests were optimized.
    Current Connections - Lists the endpoint's current connections by the running process with the source and destination port and information about the percent of data reduction.
    Adapters - Lists the Ethernet and other network adapters currently in use on the endpoint.
    Assignments - Lists the package and policy currently assigned to the endpoint, and provides drop-down lists for selecting a different policy or package.
    Diagnostics - Provides links to any memory dumps, system dumps, and TCP dumps that have been run for the endpoint with a timestamp, file size, and MD5 sum for the dump file. Admin privileges are required to view the Diagnostics tab.

Viewing Desktop Bandwidth Reports

These reports summarize the overall inbound and outbound bandwidth improvements for the SteelHead Mobiles of each type connected to the Mobile Controller. You can create reports according to the time period of your choice, application, and type of traffic. For details about adding ports to be monitored, see Configuring Monitored Ports on page 39.

The Desktop Bandwidth report includes the following table of statistics that describe bandwidth utilization for the time period you specify.

WAN Data: Specifies the bytes transmitted over the WAN.
LAN Data: Specifies the bytes transmitted over the LAN.
Total Data Reduction: Specifies the percent decrease of data transmitted over the WAN as a result of optimization, according to the following calculation: (Data In - Data Out)/(Data In)
Peak Data Reduction Occurred At: Specifies the time that the peak data reduction occurred.
Optimized Bandwidth Capacity Increase: Specifies the increase in the amount of data transmitted over the WAN as a result of optimization, according to the following calculation: 1/(1 - Reduction Rate)

What This Report Tells You

The Desktop Bandwidth report answers the following questions:

- How much bandwidth optimization has occurred on SteelHead Mobiles as a result of data optimization?
- What was the average and peak reduction of data sent by SteelHead Mobiles?
- What was the overall increase in the amount of data that can be transmitted as a result of data optimization?
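The following added example (not part of the original guide and not Riverbed code) applies the two calculations from the statistics table to constructed five-minute samples, and shows why an Endpoint report, which aggregates across every controller an endpoint used, can disagree with a Desktop Bandwidth report, which covers only the current controller. The record layout, the names smc-a, smc-b, alice and bob, and the mapping of Data In to LAN bytes and Data Out to WAN bytes are assumptions.

```python
from collections import defaultdict
from datetime import datetime

TIME_FORMAT = "%Y/%m/%d %H:%M:%S"  # YYYY/MM/DD HH:MM:SS, as used for custom periods

# Constructed five-minute samples for illustration only:
# (timestamp, controller, endpoint, LAN bytes, WAN bytes).
# The record layout and the names smc-a, smc-b, alice, bob are assumptions.
SAMPLES = [
    ("2015/03/02 09:00:00", "smc-a", "alice", 400_000_000, 100_000_000),
    ("2015/03/02 09:05:00", "smc-a", "alice", 200_000_000, 80_000_000),
    ("2015/03/02 09:55:00", "smc-b", "alice", 600_000_000, 60_000_000),  # moved controllers
    ("2015/03/02 10:10:00", "smc-b", "alice", 300_000_000, 30_000_000),
    ("2015/03/02 10:15:00", "smc-b", "bob", 0, 0),  # connected but idle
]


def parse_time(text):
    """Parse a report timestamp; raises ValueError on any other format."""
    return datetime.strptime(text, TIME_FORMAT)


def reduction(lan_bytes, wan_bytes):
    """(Data In - Data Out) / (Data In), assuming Data In = LAN and Data Out = WAN."""
    if lan_bytes == 0:
        return None  # no traffic in the period, so the ratio is undefined
    return (lan_bytes - wan_bytes) / lan_bytes


def capacity_increase(rate):
    """1 / (1 - Reduction Rate); undefined with no data or a rate of 100%."""
    if rate is None or rate >= 1.0:
        return None
    return 1.0 / (1.0 - rate)


def totals(samples, start, end, controller=None, endpoint=None):
    """Sum LAN and WAN bytes inside [start, end].

    controller=None sums across every controller the endpoint used (the
    Endpoint report view); naming a controller restricts the sum to that
    controller (the Desktop Bandwidth and Desktop Traffic view).
    """
    t0, t1 = parse_time(start), parse_time(end)
    lan = wan = 0
    for ts, ctl, ep, lan_b, wan_b in samples:
        if not t0 <= parse_time(ts) <= t1:
            continue
        if controller is not None and ctl != controller:
            continue
        if endpoint is not None and ep != endpoint:
            continue
        lan += lan_b
        wan += wan_b
    return lan, wan


def hourly(samples, controller):
    """Roll one controller's five-minute samples up into hourly buckets."""
    buckets = defaultdict(lambda: [0, 0])
    for ts, ctl, _ep, lan_b, wan_b in samples:
        if ctl != controller:
            continue
        hour = parse_time(ts).replace(minute=0, second=0)
        buckets[hour][0] += lan_b
        buckets[hour][1] += wan_b
    return {h.strftime(TIME_FORMAT): tuple(v) for h, v in sorted(buckets.items())}


def summarize(samples, start, end, controller=None, endpoint=None):
    """Return (LAN bytes, WAN bytes, reduction, capacity increase) for one view."""
    lan, wan = totals(samples, start, end, controller, endpoint)
    rate = reduction(lan, wan)
    return lan, wan, rate, capacity_increase(rate)


if __name__ == "__main__":
    period = ("2015/03/02 09:00:00", "2015/03/02 11:00:00")
    print("Endpoint report view  :", summarize(SAMPLES, *period, endpoint="alice"))
    print("Desktop Bandwidth view:",
          summarize(SAMPLES, *period, controller="smc-b", endpoint="alice"))
    print("Hourly buckets (smc-b):", hourly(SAMPLES, "smc-b"))
```

With these samples the same endpoint shows 82% reduction in the cluster-wide view and 90% on the current controller alone, so a mismatch between the two reports is expected after a controller change rather than a sign of lost data.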

To view a Desktop Bandwidth report

1. Choose Reports > Endpoints > Desktop Bandwidth to display the desktop bandwidth page.

Figure 8-4. Desktop Bandwidth Page

2. Manipulate the report as you like:
    - Mouse over the data points.
    - To hide or show a data type (WAN or LAN), click that type in the graph legend.
3. Use the controls to customize the report as described in this table.

Period: Select Last Hour, Last Day, Last Week, Last Month, or Custom from the drop-down list. If you select Custom, specify a Start Time and End Time to configure a customized time interval report. Use the following format for specifying a start and end time: YYYY/MM/DD HH:MM:SS.
Endpoints: Select All from the drop-down list for a report on all endpoints connected to the Mobile Controller, or select a specific endpoint from the list.
Network: Select All from the drop-down list for a report on all networks or select WiFi, 3G/4G, or Roaming.

Application: For desktop endpoints - Select All from the drop-down list for a report on all applications connected to the Mobile Controller, or select a specific application from the list.
Refresh: Select a refresh rate option for the report display: 5, 10, or 15 Minutes. Or, select Off to turn off refresh.
    Note: The refresh rate sets the rate at which the results of polling are displayed, not the polling rate itself. Polling occurs every five minutes.

4. Click Go to display the customized report.

Viewing Branch Warming Reports

The Reports > Endpoints > Branch Warming report summarizes the overall bi-directional warming benefits to and from the branch SteelHead for every SteelHead Mobile connected to the Mobile Controller.

The Branch Warming report includes the following table of statistics that describe branch warming utilization for the time period you specify.

Warmed bytes sent to local SteelHeads: Specifies the count of warmed bytes sent to local SteelHead from SteelHead Mobiles.
Warmed bytes pulled from local SteelHead: Specifies the bytes pulled from the local SteelHead rather than transferred over WAN because of branch warming. In addition, it indicates the percentage share of warmed bytes in total bytes generated by the client.
Total Branch Warming Bytes generated: Specifies the sum of bytes sent to local SteelHead from SteelHead Mobiles plus the bytes pulled by SteelHead Mobiles from local SteelHeads.

What This Report Tells You

The Branch Warming report answers this question: how many bytes were pushed and pulled to warm the branch SteelHead and SteelHead Mobile data stores?

To view a Branch Warming report

1. Choose Reports > Endpoints > Branch Warming to display the Branch Warming page.

Figure 8-5. Branch Warming Page

2. Manipulate the report as you like:
    - Drag your cursor over an area of interest to zoom. After dragging, click the Reset Zoom link that appears to return to normal view.
    - To hide or show a data type (Branch In or Branch Out), click that type in the graph legend.
3. Use the controls to customize the report as described in this table.

Period: Select Last Hour, Last Day, Last Week, Last Month, or Custom from the drop-down list. If you select Custom, specify a Start Time and End Time to configure a customized time interval report. Use the following format for specifying a start and end time: YYYY/MM/DD HH:MM:SS.

Endpoints: Select All from the drop-down list for a report based on all endpoints connected to the Mobile Controller, or select a specific endpoint from the list. You can also perform a search on a substring, such as the IP address subnet.
Refresh: Select a refresh rate option for the report display: 5, 10, or 15 Minutes. Or, select Off to turn off refresh.
    Note: The refresh rate sets the rate at which the results of polling are displayed, not the polling rate itself. Polling occurs every five minutes.

4. Click Go to display the customized report.

Viewing SSL Reports

The Reports > Endpoints > SSL report summarizes the SSL connection requests and connection rate for the time period specified. You can create reports according to the time period of your choice, application, and type of traffic.

The SSL report includes the following statistics for the time period you specify.

SSL Connections Optimized: Specifies the number of SSL connections that were optimized.
SSL Connections Not Optimized: Specifies the number of SSL connections that were not optimized.
Total Optimized Connections Requested: Specifies the number of SSL requests.
Overall connections optimized: Specifies the overall number of optimized connections, including SSL connections.
Peak # connections optimization: Specifies the number of peak connections for SSL.
Peak connection optimization at: Specifies the peak connection-optimization time.

What This Report Tells You

The SSL report answers the following questions:

- What was the peak number of optimized connections?
- How many SSL connections were not optimized?

To view an SSL report

1. Choose Reports > Endpoints > SSL to display the SSL page.

Figure 8-6. SSL Page

2. Manipulate the report as you like:
    - Drag your cursor over an area of interest to zoom. After dragging, click the Reset Zoom link that appears to return to normal view.
    - To hide or show a data type (Optimized or Unoptimized SSL Connections), click that type in the graph legend.
3. Use the controls to customize the report as described in this table.

Period: Select Last Hour, Last Day, Last Week, Last Month, or Custom from the drop-down list. If you select Custom, specify a Start Time and End Time to configure a customized time interval report. Use the following format for specifying a start and end time: YYYY/MM/DD HH:MM:SS.

Endpoints: Select All from the drop-down list for a report based on all endpoints connected to the Mobile Controller, or select a specific endpoint from the list. You can also perform a search on a substring, such as the IP address subnet.
Refresh: Select a refresh rate option for the report display: 5, 10, or 15 Minutes. Or, select Off to turn off refresh.
    Note: The refresh rate sets the rate at which the results of polling are displayed, not the polling rate itself. Polling occurs every five minutes.

4. Click Go to display the customized report.

Viewing Endpoint History Reports

The Reports > Endpoints > Endpoint History report displays the following statistics, which describe connected endpoint activity for the time period you specify.

Average Connected Endpoints: Specifies the average number of endpoint clients connected to the Mobile Controller for the time period specified.
Maximum Connected Endpoints: Specifies the maximum number of endpoint clients connected to the Mobile Controller for the time period specified.
Average Licensed Endpoints: Specifies the average number of endpoint clients licensed.
Maximum Licensed Endpoint: Specifies the maximum number of endpoint clients licensed.
Peak Connection Time: Specifies the time at which point the greatest number of endpoint clients were connected to the Mobile Controller for the time period specified.

What This Report Tells You

The Endpoint History report answers the following questions:

- How many endpoints connected, over time?
- When were the most endpoints connected?
- How many licenses were added in a given period?

To view the Endpoint History report

1. Choose Reports > Endpoints > Endpoint History to display the Endpoint History page.

Figure 8-7. Endpoint History Page

2. Manipulate the report as you like:
    - Drag your cursor over an area of interest to zoom. After dragging, click the Reset Zoom link that appears to return to normal view.
    - To hide or show an endpoint type, click that type in the graph legend.
3. Use the controls to customize the report as described in this table.

Period: Select Last Hour, Last Day, Last Week, Last Month, or Custom from the drop-down list. If you select Custom, specify a Start Time and End Time to configure a customized time interval report. Use the following format for specifying a start and end time: YYYY/MM/DD HH:MM:SS.
Refresh: Select a refresh rate option for the report display: 5, 10, or 15 Minutes. Or, select Off to turn off refresh.
    Note: The refresh rate sets the rate at which the results of polling are displayed, not the polling rate itself. Polling occurs every five minutes.

4. Click Go to display the customized report.

Viewing Desktop Traffic Reports

The Reports > Endpoints > Desktop Traffic report provides a percentage breakdown, by port and by application, of the amount of SteelHead Mobile traffic being transmitted.

The Mobile Controller automatically discovers all the ports in the system that have desktop traffic. The discovered port, along with a label (if one exists), is added to the report. If a label does not exist, an Unknown label is added to the discovered port. If you want to change the Unknown label to a name representing the port, you must add the port with a new label. All statistics for this new port label are preserved from the time the port was discovered. For details about adding ports to be monitored, see Configuring Monitored Ports on page 39.

Note: The Endpoints > Desktop Traffic report displays a maximum of 16 colors for ports. If you have more than 16 ports, the colors in the report wrap from the beginning.

The Desktop Traffic report provides the following statistics that describe data transmission by port and by application (MAPI, HTTP, CIFS, and so forth), for the time period you specify.

Port: Specifies the TCP/IP port number and type of traffic for each row of statistics.
Reduction: Specifies the amount of data reduction as a result of data optimization.
LAN: Specifies the amount of traffic on the LAN.
WAN: Specifies the amount of traffic on the WAN.
Traffic %: Specifies the percentage of the total traffic each port represents.

What This Report Tells You

The Desktop Traffic report answers the following questions:

- How much benefit from data reduction is a specific endpoint client enjoying?
- How much network traffic is each endpoint transferring?

To view the Desktop Traffic report

1. Choose Reports > Endpoints > Desktop Traffic to display the Desktop Traffic page.

Figure 8-8. Desktop Traffic Page

2. Use the controls to customize the report as described in this table.

Period: Select Last Hour, Last Day, Last Week, Last Month, or Custom from the drop-down list. If you select Custom, specify a Start Time and End Time to configure a customized time interval report. Use the following format for specifying a start and end time: YYYY/MM/DD HH:MM:SS.
Endpoints: Select All from the drop-down list for a report based on all endpoints connected to the Mobile Controller, or select a specific endpoint from the list. You can also perform a search on a substring, such as the IP address subnet.
Refresh: Select a refresh rate option for the report display: 5, 10, or 15 Minutes. Or, select Off to turn off refresh.
    Note: The refresh rate sets the rate at which the results of polling are displayed, not the polling rate itself. Polling occurs every five minutes.

3. Click Go to display the customized report.

Viewing Diagnostics Reports

The following section describes how to create and view diagnostics reports for the Mobile Controller. It includes the following sections:

- Viewing Alarm Status Reports
- Viewing CPU Utilization Reports
- Viewing Memory Paging Reports
- Viewing Interface Counters

Viewing Alarm Status Reports

The Reports > Diagnostics > Alarm Status report provides status for the SteelCentral Controller for SteelHead Mobile alarms.

The Mobile Controller tracks key hardware and software metrics and alerts you to any potential problems so that you can quickly discover and diagnose issues.

Mobile Controller v4.0 and later features alarm reporting using hierarchical alarms. The system groups certain alarms into top-level categories, such as the SSL Settings alarm. When an alarm triggers, its parent expands to provide more information: for example, the System Disk Full top-level alarm aggregates over multiple partitions. If a specific partition is full, the System Disk Full alarm triggers and the Alarm Status report displays more information regarding which partition caused the alarm to trigger.

The alarm status falls into one of the following states:

    OK - Signifies that no problems have been found.
    Needs Attention - Accompanies a healthy state to indicate management-related issues not affecting the ability of the Mobile Controller to optimize traffic.
    Degraded - Indicates that the Mobile Controller is optimizing traffic, but the system has detected an issue.
    Admission - Indicates that the Mobile Controller is optimizing traffic but has reached its connection limit.
    Critical - Indicates that the Mobile Controller might or might not be optimizing traffic; you must address a critical issue.
    Suppressed - Appears after a child alarm when its parent alarm is disabled on the Configure > System Settings > Alarms page.
    Disabled - Appears when a child alarm is disabled even though its parent alarm is enabled.

The Alarm Status report includes the following alarm information. Each entry lists the alarm, the Mobile Controller state in parentheses where the table gives one, and the reason.

Configuration: Indicates whether a configuration error was detected.
CPU Utilization (Degraded): Indicates that the system has reached the CPU threshold for any of the CPUs in the Mobile Controller. If the system has reached the CPU threshold, check your settings. For details, see Configuring Alarm Settings on page 32. If your alarm thresholds are correct, reboot the Mobile Controller. For details, see Rebooting and Shutting Down the Mobile Controller on page 80.
    Note: If more than 100 MB of data is moved through a Mobile Controller while performing PFS synchronization, the CPU utilization might become high and result in a CPU alarm. This CPU alarm is not cause for concern.
Disk Full: Indicates that the system partitions (not the SteelCentral Controller for SteelHead Mobile RiOS data store) are full or almost full.
Endpoint Datastore: Indicates whether the number of endpoint clients with data store errors has reached the rising threshold. By default, this alarm is enabled.
Endpoint Filesystem Full: Indicates whether the number of endpoint clients with File System Full errors has reached the rising threshold. By default, this alarm is enabled.
Endpoint Firewall: Indicates whether the number of endpoints with firewall status has reached the rising threshold. By default, this alarm is enabled.
Endpoint Gen Id Error: Indicates whether an Endpoint Gen Id error was detected. By default, this alarm is enabled.
Endpoint License: Indicates whether the number of connected endpoint licenses has exceeded the licensed limit. For details about updating licenses, see Managing Licenses.
Endpoint NFS: Indicates whether there has been an NFS error. By default, this alarm is enabled.
Endpoint Service: Indicates whether the number of endpoint clients with service errors has reached the rising threshold. By default, this alarm is enabled.
Endpoint SSL Error: Indicates whether there has been an SSL error. By default, this alarm is enabled.
Endpoint Version: Indicates whether there is a mismatch between software versions in your network. If a software mismatch is detected, resolve the mismatch by upgrading or reverting to a previous version of the software. By default, this alarm is enabled.

Hardware (state: either Critical or Degraded, depending on the state) - Reports the following hardware conditions:

  Fan Error - Indicates that a fan is failing or has failed and must be replaced.

  Flash Error - Indicates an error with the flash drive hardware. At times, the USB flash drive that holds the system images might become unresponsive; the Mobile Controller continues to function normally. When this error occurs, you cannot perform a software upgrade, as the Mobile Controller is unable to write a new upgrade image to the flash drive without first power-cycling the system. To reboot the appliance, go to the Configure > Maintenance > Reboot/Shut Down page or enter the CLI reload command to automatically power-cycle the Mobile Controller and restore the flash drive to its proper state.

  IPMI - Indicates an Intelligent Platform Management Interface (IPMI) event. (Not supported on all appliance models.) This alarm triggers when there has been a physical security intrusion. The following events trigger this alarm:
    - chassis intrusion (physical opening and closing of the appliance case)
    - memory errors (correctable or uncorrectable ECC memory errors)
    - hard drive faults or predictive failures
    - power cycle, such as turning the power switch on or off, physically unplugging and replugging the cable, or issuing a power cycle from the power switch controller
  By default, this alarm is enabled.

  Memory Error - Indicates a memory error: for example, when a system memory stick fails.

  Power Supply - Indicates that an inserted power supply cord does not have power, as opposed to a power supply slot with no power supply cord inserted.

  RAID - Indicates that the system has encountered RAID errors (for example, missing drives, pulled drives, drive failures, and drive rebuilds). Provides status information for individual drives on the system:
    - RAID Disk 0 Status
    - RAID Disk 1 Status
  For drive rebuilds, if a drive is removed and then reinserted, the alarm continues to be triggered until the rebuild is complete.
  Note: Rebuilding a disk drive can take 4 to 6 hours.

Licensing (state: Critical) - Indicates whether a license on the Mobile Controller is removed, is about to expire, has expired, or is invalid. This alarm triggers if the Mobile Controller has no license installed for its currently configured model.

  Licenses Expired - This alarm triggers if one or more features has at least one license installed, but all of them are expired.

  Licenses Expiring - This alarm triggers if the license for one or more features is going to expire within two weeks.

  Licensing - This alarm triggers if the Mobile Controller has no BASE or MSPEC license installed for its currently configured model.

  Note: The licenses expiring and licenses expired alarms are triggered per feature. For example, if you install two license keys for a feature, LK1-FOO-xxx (expired) and LK1-FOO-yyy (not expired), the alarms do not trigger, because the feature has one valid license.

Link State (state: Degraded) - Indicates that the system has detected a link that is down. You are notified through SNMP traps, email, and alarm status.

  Interface aux Link Error - Indicates that an Ethernet link is lost with the aux interface.

  Interface primary Link Error - Indicates that an Ethernet link is lost with the primary interface.

Memory Paging (state: Degraded) - Indicates that the system has reached the memory paging threshold. If 100 pages are swapped approximately every two hours, the SteelHead is functioning properly. If thousands of pages are swapped every few minutes, then reboot the Mobile Controller. For details, see Rebooting and Shutting Down the Mobile Controller on page 80. If rebooting does not solve the problem, contact Riverbed Support at https://support.riverbed.com.

Process Dump Staging Directory Inaccessible (state: Degraded) - Indicates that the system has detected an error while trying to create a process dump. This alarm indicates an abnormal condition in which RiOS cannot collect the core file after three retries. It can be caused when the /var directory, which is used to hold system dumps, is reaching capacity or other conditions. When this alarm is raised, the directory is blacklisted. Contact Riverbed Support to correct the issue.

Secure Vault (state: Degraded) - Indicates a problem with the secure vault.

  Secure Vault Locked - Needs Attention - Indicates that the secure vault is locked. To optimize SSL connections or to use RiOS data store encryption, the secure vault must be unlocked. Go to Configure > Security > Secure Vault and unlock the secure vault. For details, see Unlocking the Secure Vault on page 70.

SSL - Indicates that an error has been detected in your SSL configuration.

  SSL Certificates - Indicates that an SSL peering certificate has failed to reenroll automatically within the Simple Certificate Enrollment Protocol (SCEP) polling interval.

  SSL Signing Certificate Validity - Indicates that an SSL peering certificate has failed to reenroll automatically within the Simple Certificate Enrollment Protocol (SCEP) polling interval.

Temperature (state: Critical or Warning) - Indicates that the CPU temperature has exceeded or is approaching the critical threshold:

  Critical - Indicates that the CPU temperature has exceeded the critical threshold. The default value for the rising threshold temperature is 70ºC; the default reset threshold temperature is 67ºC.

  Warning - Indicates that the CPU temperature is about to exceed the critical threshold.

  Does not apply to Virtual Mobile Controller products.

Underprovisioned VM - Memory, data storage, or CPU resources are insufficient for the maximum number of endpoints. Does not apply to Mobile Controller.

Valid Platform - Indicates that the hardware platform does not support SteelCentral Controller for SteelHead Mobile - Virtual Edition (SMC-VE). By default, this alarm is enabled.

Valid VM - Indicates that the virtual machine is unavailable.

What This Report Tells You

The Alarm Status report answers the following question:

  - What is the current status of the Mobile Controller?

To view the Alarm Status report

Choose Reports > Diagnostics > Alarm Status to display the Alarm Status page. Alternately, you can select the current system status that appears in the status box in the upper-right corner of each screen (Healthy, Admission, Degraded, or Critical) to display the Alarm Status page.

Figure 8-9. Alarm Status Page

Viewing CPU Utilization Reports

The Reports > Diagnostics > CPU Utilization report summarizes the percentage of the CPU used within the time period specified.

Typically, a Mobile Controller operates on approximately 5 to 10 percent CPU capacity during nonpeak hours and approximately 25 to 30 percent capacity during peak hours. No single Mobile Controller CPU usage should exceed 90 percent.

What This Report Tells You

The CPU Utilization report answers the following questions:

  - How much of the CPU is being used?
  - What is the average and peak percentage of the CPU being used?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection counts, and the like.

Drag your cursor over an area of interest to zoom. Click Reset Zoom to return to normal view. To display only one data type (for example, WAN, LAN) click the name of the data in the graph legend.

Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

To view the CPU Utilization report

1. Choose Reports > Diagnostics > CPU Utilization to display the CPU Utilization page.

Figure 8-10. CPU Utilization Page

2. Use the controls to customize the report as described in this table.

  Period - Select Last Hour, Last Day, Last Week, Last Month, or Custom from the drop-down list. If you select Custom, specify a Start Time and End Time to configure a customized time interval report. Use the following format for specifying a start and end time: YYYY/MM/DD HH:MM:SS.

  Refresh - Select one of the following options to set a rate to refresh the report display:
    - To refresh your report every 5 minutes, select 5 Minutes.
    - To refresh your report every 10 minutes, select 10 Minutes.
    - To refresh your report every 15 minutes, select 15 Minutes.
    - To turn off refresh, select Off.
  Note: The refresh rate sets the rate at which the results of polling are displayed, not the polling rate itself. Polling occurs every five minutes.

3. Click Go to display your report.

Viewing Memory Paging Reports

The Reports > Diagnostics > Memory Paging report provides the total number of memory pages, per second, utilized in the time period specified. It includes the following table of statistics that describe memory paging activity for the time period you specify.

Note: If the Memory Paging report shows that thousands of pages are swapped every few minutes, contact Riverbed Support at https://support.riverbed.com.

  Total Pages Swapped Out - Specifies the total number of pages swapped. If 100 pages are swapped approximately every two hours the Mobile Controller is functioning properly.

  Average Pages Swapped Out - Specifies the average number of pages swapped. If 100 pages are swapped every couple of hours the Mobile Controller is functioning properly.

  Maximum Pages Swapped Out At <time> on <date> - Specifies the date and time that the maximum number of pages were swapped.

What This Report Tells You

The Memory Paging report answers the following questions:

  - How much memory is being used?
  - What is the average and maximum amount of memory pages swapped?

About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select. The y-axis plots the metric of interest, such as gigabytes (GBs) of bandwidth, percent (%) of data reduction, connection counts, and the like.

Drag your cursor over an area of interest to zoom. Click Reset Zoom to return to normal view. To display only one data type (for example, WAN, LAN) click the name of the data in the graph legend.

Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time period selected.

To view the Memory Paging report

1. Choose Reports > Diagnostics > Memory Paging to display the Memory Paging page.

Figure 8-11. Memory Paging Page

2. Use the controls to customize the report as described in this table.

  Period - Select Last Hour, Last Day, Last Week, Last Month, or Custom from the drop-down list. If you select Custom, specify a Start Time and End Time to configure a customized time interval report. Use the following format for specifying a start and end time: YYYY/MM/DD HH:MM:SS.

  Refresh - Select one of the following options to set a rate to refresh the report display:
    - To refresh your report every 5 minutes, select 5 Minutes.
    - To refresh your report every 10 minutes, select 10 Minutes.
    - To refresh your report every 15 minutes, select 15 Minutes.
    - To turn off refresh, select Off.
  Note: The refresh rate sets the rate at which the results of polling are displayed, not the polling rate itself. Polling occurs every five minutes.

3. Click Go to display your report.

Viewing Interface Counters

The Reports > Diagnostics > Interface Counters report summarizes the statistics for the primary and auxiliary interfaces. It also displays the IP address, speed, duplex, MAC address, and current status of each interface.

For automatically negotiated speed and duplex settings, the Interface Counters report displays the speed at which they are negotiated.

The Interface Counters report displays the statistics described in this table.

  Interface - Identifies the interface for which statistics are displayed for each row of the report.
    - Primary - Displays statistics for the primary interface.
    - Auxiliary Interface - Displays statistics for the auxiliary interface.

  IP - Specifies the IP address for the interface.

  Ethernet - Specifies the MAC address, speed, and duplex setting for the interface. Use this information to troubleshoot speed and duplex problems. Make sure the speed for the SteelHead matches the WAN or LAN interfaces. Riverbed recommends setting the speed to 100 and duplex to full.

  Link - Specifies true or false to indicate whether the link is up or down.

  Receive Packets - Specifies the total number of packets, packets discarded, errors encountered, packets overrun, frames sent, and multicast packets sent.

  Transmit Packets - Specifies the total number of packets, packets discarded, errors encountered, packets overrun, carriers used, and collisions encountered.

What This Report Tells You

The Interface Counters report answers the following questions:

  - How many packets are being transmitted?
  - Are there any errors occurring during the packet transmissions?
  - What is the current status of the interface?

To view interface counters

1. Choose Reports > Diagnostics > Interface Counters to display the Interface Counters page.

Figure 8-12. Interface Counters Page

2. To clear all statistics, click Clear All Interface Statistics.

Viewing and Downloading Logs

Mobile Controller log reports provide a high-level view of network activity. Logs can be viewed within Mobile Controller or downloaded, as described in the sections below.

  - Viewing Logs
  - Downloading Log Files

Viewing Logs

You can view both user and system logs.

  - Viewing User Logs
  - Viewing System Logs

Viewing User Logs

You can view user logs in the Reports > Diagnostics > View User Logs page. The user log filters messages from the system log to display messages that are of immediate use to the system administrator.

View user logs to monitor system activity and to troubleshoot problems. For example, you can monitor who logged in, who logged out, and who entered particular CLI commands, alarms and errors. The most recent log events are listed first.

To view and customize user logs

1. Choose Reports > Diagnostics > View User Logs to display the View User Logs page.

Figure 8-13. View User Logs Page

2. Use the controls to customize the log as described in this table.

  Show - Select one of the archived logs or Current Log from the drop-down list.

  Lines per Page - Specify the number of lines you want to display in the page.

  Jump to - Select one of the following options from the drop-down list:
    - Page - Specify the number of pages you want to display.
    - Time - Specify the time for the log you want to display.

  Filter - Select one of the following filtering options from the drop-down list:
    - Regular expression - Specify a regular expression on which to filter the log.
    - Error or higher - Displays Error level logs or higher.
    - Warning or higher - Displays Warning level logs or higher.
    - Notice or higher - Displays Notice level logs or higher.
    - Info or higher - Displays Info level logs or higher.

  Go - Displays the report.

You can continuously display new lines as the log grows and appends new data.

To view a continuous log

1. Choose Reports > Diagnostics > View User Logs to display the View User Logs page.

2. Customize the log as described in To view and customize user logs on page 179.

3. Click Launch Continuous Log in the upper-right corner of the page.

Viewing System Logs

You can view system logs in the Reports > Diagnostics > View System Logs page. Use System logs to monitor system activity and to troubleshoot problems. The most recent log events are listed first.

To customize system logs

1. Choose Reports > Diagnostics > View System Logs to display the View System Logs page.

Figure 8-14. View System Logs Page

2. Use the controls to customize the report as described in this table.

  Show - Select one of the archived logs or Current Log from the drop-down list.

  Lines per page - Specify the number of lines you want to display in the page.

  Jump to - Select one of these options from the drop-down list:
    - Page - Specify the number of pages you want to display.
    - Time - Specify the time for the log you want to display.

  Regular Expression Filter - Select one of these filtering options from the drop-down list:
    - Regular expression - Specify a regular expression on which to filter the log.
    - Error or higher - Displays Error level logs or higher.
    - Warning or higher - Displays Warning level logs or higher.
    - Notice or higher - Displays Notice level logs or higher.
    - Info or higher - Displays Info level logs or higher.

  Go - Displays the report.

Note: To print the log, choose File > Print in your Web browser to open the Print dialog box.

To view a continuous log

1. Choose Reports > Diagnostics > View System Logs to display the View System Logs page.

2. Customize the log as described in To customize system logs on page 181.

3. Click Launch Continuous Log in the upper-right corner of the page.

Downloading Log Files

You can download both user and system logs.

  - Downloading User Log Files
  - Downloading System Log Files

Downloading User Log Files

You can download user logs in the Reports > Diagnostics > Download User Logs page. Download user logs to monitor system activity and to troubleshoot problems.

To download user logs

1. Choose Reports > Diagnostics > Download User Logs to display the Download User Logs page.

Figure 8-15. Download User Logs Page

2. Click the name of the log to display the dialog box to display or save the log to disk.

3. Click Rotate Logs to archive the current log to a numbered archived log file and then clear the log so that it is empty again.

Downloading System Log Files

You can download system logs in the Reports > Diagnostics > Download System Logs page. Download system logs to monitor system activity and to troubleshoot problems.

To download system logs

1. Choose Reports > Diagnostics > Download System Logs to display the Download System Logs page.

Figure 8-16. Download System Logs Page

2. Click the name of the log to display the dialog box to display or save the log to disk.

3. Click Rotate Logs to archive the current log to a numbered archived log file and then clear the log so that it is empty again.

Viewing Diagnostic Reports for Endpoints

Display the diagnostic reports for endpoint clients from the Reports > Diagnostics > Endpoint page. This section describes the following reports:

  - Viewing the Memory Dumps List
  - Viewing the System Dumps List
  - Downloading Endpoint TCP Dumps

Viewing the Memory Dumps List

You can display and download endpoint memory dumps in the Reports > Diagnostics > Endpoint > Memory Dumps page. A memory dump contains a copy of the memory data on the system. Memory dump files can help you diagnose problems in the system.

To view memory dump files

1. Choose Reports > Diagnostics > Endpoint > Memory Dumps to display the Memory Dumps page.

Figure 8-17. Memory Dumps Page

2. Click the filename to open a file or save the file to disk.

3. Click Include Statistics (this option is enabled by default).

4. Optionally, click the box next to Download Link to select all previously saved system dumps and enable Remove Selected.

5. Click Generate System Dump to generate a new system dump.

Note: To remove an entry, select the box next to the name and click Remove Selected.

Viewing the System Dumps List

You can display and download endpoint system dumps in the Reports > Diagnostics > Endpoint > System Dumps page. A system dump contains a copy of the kernel data on the system. System dump files can help you diagnose problems in the system.

To view system dump files

1. Choose Reports > Diagnostics > Endpoint > System Dumps to display the System Dumps page.

Figure 8-18. System Dumps Page

2. Select Download Link to save all system dump files to disk, or select particular filenames to save only those files to disk.

3. Click Include Statistics (this option is enabled by default).

4. Optionally, click Include All Logs.

5. Click Generate System Dump to generate a new system dump.

Note: To remove an entry, select the check box next to the name and click Remove Selected.

Downloading Endpoint TCP Dumps

You can download endpoint TCP dumps in the Reports > Diagnostics > Endpoint > TCP Dumps page. TCP dump files contain summary information for every Internet packet received or transmitted on the interface. TCP dump files can help diagnose problems in the system.

To download TCP dumps

1. Choose Reports > Diagnostics > Endpoint > TCP Dumps to display the TCP Dumps page.

Figure 8-19. TCP Dumps Page

2. Click the TCP dump name to open a file save dialog box and download the file.

Note: To remove an entry, select the check box next to the name and click Remove Selected Files.

Viewing Controller Reports

The following section describes how to view Mobile Controller system files to help diagnose problems. It includes the following sections:

  - Viewing the System Dumps List
  - Viewing Process Dump Files
  - Capturing and Uploading TCP Dumps
  - Stopping a TCP Dump After an Event Occurs

Viewing the System Dumps List

You can display and download Mobile Controller system dumps in the Reports > Diagnostics > Controller > System Dumps page. A system dump contains a copy of the kernel data on the system. System dump files can help you diagnose problems in the system.

To view system dump files

1. Choose Reports > Diagnostics > Controller > System Dumps to display the System Dumps page.

Figure 8-20. System Dumps Page

2. Click Include Statistics (this option is enabled by default).

3. Optionally, click Include All Logs to create logs regardless of size. Typically, system dumps are limited to 50 MB of compressed logs.

4. Under Generate System Dump, click Generate System Dump to generate a new system dump.

Note: To remove an entry, select the check box next to the name and click Remove Selected.

Note: To print the report, choose File > Print in your Web browser to open the Print dialog box.

To upload a system dump file to Riverbed support

1. Choose Reports > Diagnostics > Controller > System Dumps to display the System Dumps page.

2. Select the filename.

3. Optionally, specify a case number that corresponds to the system dump. Riverbed Support recommends using a case number: for example, 194170.

   You can also enter the CLI command file debug dump upload URL to specify a URL instead of a case number. When you specify a URL, the dump file goes directly to the URL.

   If the URL points to a directory on the upload server, it must have a trailing slash (/). For example:

   ftp://ftp.riverbed.com/incoming/ (not ftp://ftp.riverbed.com/incoming)

   The filename as it exists on the appliance will then match the filename on the upload server. For details, see the Riverbed Command-Line Interface Reference Manual.

4. Click Upload.

Because uploading a system dump can take a while (especially when including ESXi information on a SteelHead EX), the status appears during the upload. When the system dump finishes uploading, the date, time, and a status of either uploaded (appears in green) or failed (appears in red) appear. An explanation appears for uploads that fail.

Viewing Process Dump Files

The Reports > Diagnostics > Controller > Process Dumps report displays a list of process files and size.

To view process dump files

1. Choose Reports > Diagnostics > Controller > Process Dumps to display the Process Dumps page.

2. Under Controller Diagnostic in the left menu, click Process Dumps to display the Controller Diagnostic > Process Dumps page.

Figure 8-21. Controller Diagnostic > Process Dumps Page

To upload a process dump file to Riverbed support

1. Choose Reports > Diagnostics > Controller > Process Dumps to display the Process Dumps page.

2. Select the filename.

3. Optionally, specify a case number that corresponds to the system dump. Riverbed Support recommends using a case number: for example, 194170.

   You can also enter the CLI command file debug dump upload URL to specify a URL instead of a case number. When you specify a URL, the dump file goes directly to the URL.

   If the URL points to a directory on the upload server, it must have a trailing slash (/). For example:

   ftp://ftp.riverbed.com/incoming/ (not ftp://ftp.riverbed.com/incoming)

   The filename as it exists on the appliance will then match the filename on the upload server. For details, see the Riverbed Command-Line Interface Reference Manual.

4. Click Upload.

Because uploading a system dump can take a while, the status appears during the upload. When the system dump finishes uploading, the date, time, and a status of either uploaded (appears in green) or failed (appears in red) appear. An explanation appears for uploads that fail.

Capturing and Uploading TCP Dumps

You can capture, download, and upload TCP dumps in the Reports > Diagnostics > Controller > TCP Dumps page. TCP dump files contain summary information for every Internet packet received or transmitted on the interface. TCP dump files can help diagnose problems in the system.

Mobile Controller provides an easy way to capture and retrieve multiple TCP dumps from the Management Console. You can generate TCP dumps from multiple interfaces at the same time, limit the size of the TCP dump, and schedule a specific date and time to generate a TCP dump. Scheduling and limiting a TCP dump by time or size allows unattended captures.

The top of the TCP Dumps page displays a list of existing TCP dumps and the bottom of the page displays controls to create a new TCP dump. It also includes the TCP dumps that are currently running. The Running Capture Name list includes TCP dumps running at a particular time. It includes TCP dumps started manually and also any dumps that were scheduled previously and are now running.

To capture TCP dumps

1. Choose Reports > Diagnostics > Controller > TCP Dumps to display the TCP Dumps page.

Figure 8-22. TCP Dumps Page

2. Complete the configuration as described in this table.

  Add a New TCP Dump - Displays the controls for creating a capture file.

  Capture Name - Specify the name of the capture file. Use a unique filename to prevent overwriting an existing capture file. The default filename uses this format:

    hostname_interface_timestamp.cap

  hostname is the hostname of the SteelHead, interface is the name of the interface selected for the trace (for example, lan0_0, wan0_0), and timestamp is in the YYYY-MM-DD-HH-MM-SS format.
  If this capture file relates to an open Riverbed Support case, specify the capture filename case_number where number is your Riverbed Support case number: for example, case_12345.
  Note: The .cap file extension is not included with the filename when it appears in the capture queue.

  Endpoints - Specify IP addresses and port numbers to capture packets between them:
    - IPs - Specify IP addresses of endpoints on one side. Separate multiple IP addresses using commas. You can enter IPv6 addresses separated by commas. The default setting is all IP addresses.
    - Ports - Specify ports on one side. Separate multiple ports using commas. The default setting is all ports.
    and
    - IPs - Specify IP addresses of endpoints on the other side. Separate multiple IP addresses using commas. You can enter IPv6 addresses separated by commas. The default setting is all IP addresses.
    - Ports - Specify ports on the other side. Separate multiple ports using commas. The default setting is all ports.
  To capture traffic flowing in only one direction or to enter a custom command, use the CLI tcpdump command. For details, see the Riverbed Command-Line Interface Reference Manual.

  Capture Interfaces - Captures packet traces on the selected interfaces. You can select all interfaces or a base, inpath, or RSP interface. The default setting is none. You must specify a capture interface. If you select several interfaces at a time, the data is automatically placed into separate capture files. When path selection is enabled, Riverbed recommends that you collect packet traces on all LAN and WAN interfaces.

  Capture Parameters - These parameters let you capture information about dot1q VLAN traffic. You can match traffic based on VLAN-tagged or untagged packets, or both. You can also filter by port number or host IP address and include or exclude ARP packets. Select one of these parameters for capturing VLAN packets:

    Capture Untagged Traffic Only - Select this option for the following captures:
      - All untagged VLAN traffic.
      - Untagged 7850 traffic and ARP packets. You must also specify or arp in the custom flags field on this page.
      - Only untagged ARP packets. You must also specify and arp in the custom flags field on this page.

    Capture VLAN-Tagged Traffic Only - Select this option for the following captures:
      - Only VLAN-tagged traffic.
      - VLAN-tagged packets with host 10.11.0.6 traffic and ARP packets. You must also specify 10.11.0.6 in the IPs field, and specify or arp in the custom flags field on this page.
      - VLAN-tagged ARP packets only. You must also specify and arp in the custom flags field on this page.

    Capture both VLAN and Untagged Traffic - Select this option for the following captures:
      - All VLAN traffic.
      - Both tagged and untagged 7850 traffic and ARP packets. You must also specify the following in the custom flags field on this page:
        (port 7850 or arp) or (vlan and (port 7850 or arp))
      - Both tagged and untagged 7850 traffic only. You must also specify 7850 in one of the port fields on this page. No custom flags are required.
      - Both tagged and untagged ARP packets. You must also specify the following in the custom flags field on this page:
        (arp) or (vlan and arp)

  Capture Duration (Seconds) - Specify a positive integer to set how long the capture runs, in seconds. The default value is 30. Specify 0 or continuous to initiate a continuous trace. For continuous capture, Riverbed recommends specifying a maximum capture size and a nonzero rotate file number to limit the size of the TCP dump.

  Maximum Capture Size - Specify the maximum capture file size, in MB. The default value is 100. After the file reaches the maximum capture size, TCP dump starts writing capture data into the next file, limited by the Number of Files to Rotate field. Riverbed recommends a maximum capture file size of 1024 MB (1 GB).

  Buffer Size - Optionally, specify the maximum amount of data, in KB, allowed to queue while awaiting processing by the capture file. The default value is 154 KB.

Snap Length - Optionally, specify the snap length value for the capture file, which equals the number of bytes captured for each packet. Having a snap length smaller than the maximum packet size on the network enables you to store more packets, but you might not be able to inspect the full packet content. Specify 0 for a full packet capture (recommended for CIFS, MAPI, and SSL captures). The default value is 1518 bytes.

Number of Files to Rotate - Specify how many capture files to keep for each interface before overwriting the oldest file. To stop file rotation, you can specify 0; however, Riverbed recommends rotating files, because stopping the rotation can fill the disk partition. This limits the number of files created to the specified number, and begins overwriting files from the beginning, thus creating a rotating buffer. The default value is five files per interface. The maximum value is a 32-bit integer.

Custom Flags - Specify custom flags as additional statements within the filter expression. Custom flags are added to the end of the expression created from the Endpoints fields and the Capture Parameters radio buttons (pertaining to VLANs). If you require an and statement between the expression created from other fields and the expression that you are entering in the custom flags field, you must include the and statement at the start of the custom flags field. Do not use host, src, or dst statements in the custom flags field. Although it is possible in trivial cases to get these to start without a syntax error, they do not capture GRE-encapsulated packets that some modes of SteelHead communications use, such as WCCP deployments or Interceptor connection-setup traffic. Riverbed recommends using bidirectional filters by specifying endpoints. For complete control of your filter expression, use the CLI tcpdump command. For details, see the Riverbed Command-Line Interface Reference Manual. For examples, see Custom Flag Use Examples on page 194.

Schedule Dump - Schedules the capture to run at a later date and time.

Start Date - Specify a date to initiate the capture, in this format: YYYY/MM/DD.

Start Time - Specify a time to initiate the capture, in this format: HH:MM:SS.

Add - Adds the capture request to the capture queue.

Add a New TCP Dump - Displays the controls for creating a TCP dump.

Name
Capture Name - Specify the name of the capture file. The default filename uses the following format:
hostname_interface_timestamp.cap
Where hostname is the hostname of the SteelHead, interface is the name of the interface selected for the TCP dump (for example, lan0_0, wan0_0), and timestamp is in the YYYY-MM-DD-HH-MM-SS format. If this TCP dump relates to an open Riverbed Support case, specify the capture filename case_number where number is your Riverbed Support case number: for example, case_12345.
Note: The .cap file extension is not included with the filename when it appears in the capture queue.

Endpoints - Specify the source and destination IP addresses and ports for the traffic to capture in the TCP dump:
Specify source information:
  IPs - Specify the source IP addresses. Separate multiple IP addresses with a comma to include all addresses bidirectionally. The default setting is all IP addresses.
  Ports - Specify the source ports. Separate multiple ports with a comma. The default setting is all ports.
Specify destination information:
  IPs - Specify the destination IP addresses. Separate multiple IP addresses with a comma to include all addresses bidirectionally. The default setting is all IP addresses.
  Ports - Specify the destination ports. Separate multiple ports with a comma. The default setting is all ports.

Capture Interfaces - Captures the TCP dump on the selected interface(s). You can select all interfaces or choose the primary or aux interface. The default setting is none. You must specify a capture interface. If you select several interfaces at a time, the data is automatically placed into separate capture files.

Capture Parameters - Specify the capture parameters:
  Capture Duration - Specify how long the capture runs, in seconds. The default value is 30. Specify 0 to initiate a continuous TCP dump. When a continuous TCP dump reaches the maximum space allocation of 100 MB, the oldest file is overwritten.
  Maximum Capture Size (MB) - Specify the maximum capture file size, in MB. The default value is 100. The recommended maximum capture file size is 1024 MB (1 GB).
  Buffer Size - Optionally, specify the maximum amount of data, in KB, allowed to queue up while awaiting processing by the TCP dump. The default value is 154 KB.
  Snap Length - Optionally, specify the snap length value for the TCP dump. Specify 0 for a full packet capture (recommended for CIFS, MAPI, and SSL). The default value is 1518.
  Number of Files to Rotate - Specify the number of TCP dump files to rotate. The default value is 5.
  Only Capture VLAN-Tagged Traffic - Captures only VLAN-tagged packets within a TCP dump for a trunk port (802.1Q). Enabling this setting filters the TCP dump by capturing only VLAN-tagged packets. This setting applies to physical interfaces only because logical interfaces (inpath0_0, mgmt0_0) do not recognize VLAN headers.
  Custom Flags - Specify custom flags to capture unidirectional traces. Examples:
    To capture all traffic to or from a single host: host x.x.x.x
    To capture all traffic between a pair of hosts: host x.x.x.x and host y.y.y.y
    To capture traffic between two hosts and two SteelHead inner channels: (host x.x.x.x and host y.y.y.y) or (host a.a.a.a and host b.b.b.b)

Schedule Dump - Specify the TCP dump to run at a specific date and time:
  Schedule Dump - Specify to schedule the TCP dump at a specific time.
  Start Date - Specify a date to initiate the TCP dump in the following format: YYYY/MM/DD
  Start Time - Specify a time to initiate the TCP dump in the following format: HH:MM:SS

Add - Adds the TCP dump to the capture queue.

Note: If a problem occurs with an immediate or scheduled TCP dump, a warning message appears. Check the system log for details about the error and check the TCP dump for syntax errors.
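The Custom Flag Use Examples in this guide select TCP flags by byte offset: tcp[13] & 2 == 2 for IPv4 and ip6[53] & 2 == 2 for IPv6, where 53 is the 40-byte IPv6 header plus TCP offset 13. The following added example (not from the Riverbed guide; packets are constructed and use 2001:db8:: documentation addresses) emulates the fixed-offset IPv6 test and compares it with walking the extension-header chain, showing why those flags assume a single IPv6 header.

```python
import struct

TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10
NH_HOPOPT, NH_TCP, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS = 0, 6, 43, 44, 60
IPV6_HDR_LEN = 40


def tcp_header(flags, seq=0):
    """20-byte TCP header; the flags byte sits at offset 13."""
    return struct.pack("!HHIIBBHHH", 49152, 7850, seq, 0, 5 << 4, flags, 65535, 0, 0)


def ipv6_header(next_header, payload_len):
    """40-byte fixed IPv6 header with constructed documentation addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64) + src + dst


def build_packet(flags, seq=0, hop_by_hop=False):
    """IPv6 + TCP, optionally with one 8-byte Hop-by-Hop header in between."""
    tcp = tcp_header(flags, seq)
    if not hop_by_hop:
        return ipv6_header(NH_TCP, len(tcp)) + tcp
    # next header, length 0 (= 8 bytes), PadN option (type 1, 4 data bytes)
    ext = bytes([NH_TCP, 0, 1, 4, 0, 0, 0, 0])
    return ipv6_header(NH_HOPOPT, len(ext) + len(tcp)) + ext + tcp


def fixed_offset_syn(pkt):
    """Emulates the custom flag  ip6[53] & 2 == 2  (parenthesized for Python)."""
    return len(pkt) > 53 and (pkt[53] & 2) == 2


def walked_syn(pkt):
    """Follows the Next Header chain to the TCP header, then tests the SYN bit."""
    next_header, offset = pkt[6], IPV6_HDR_LEN
    while next_header in (NH_HOPOPT, NH_ROUTING, NH_DSTOPTS, NH_FRAGMENT):
        if offset + 8 > len(pkt):
            return False
        if next_header == NH_FRAGMENT:
            frag_offset = ((pkt[offset + 2] << 8) | pkt[offset + 3]) >> 3
            if frag_offset:          # only the first fragment carries the TCP header
                return False
            ext_len = 8
        else:
            ext_len = (pkt[offset + 1] + 1) * 8
        next_header, offset = pkt[offset], offset + ext_len
    if next_header != NH_TCP or offset + 14 > len(pkt):
        return False
    return (pkt[offset + 13] & TCP_SYN) == TCP_SYN


def compare():
    """Returns {case: (fixed-offset result, header-walk result)}."""
    cases = {
        "plain SYN": build_packet(TCP_SYN),
        # TCP now starts at byte 48, so byte 53 is part of the sequence number.
        "SYN behind hop-by-hop": build_packet(TCP_SYN, hop_by_hop=True),
        # Sequence number chosen so that byte 53 happens to have bit 0x02 set.
        "ACK behind hop-by-hop": build_packet(TCP_ACK, seq=0x00020000, hop_by_hop=True),
    }
    return {name: (fixed_offset_syn(p), walked_syn(p)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (fixed, walked) in compare().items():
        print(f"{name:24} ip6[53] test={fixed!s:5} header walk={walked}")
```

When a capture taken with an ip6[53] flag looks incomplete or contains unexpected packets, check for extension headers before concluding that the traffic was absent.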

Custom Flag Use Examples

The examples in this table focus on the custom flag entry but rely on other fields to create a complete filter.

Filter Purpose: To capture all traffic on VLAN 10 between two specified endpoints: 1.1.1.1 and 2.2.2.2
Custom Flag: and vlan 10

Filter Purpose: To capture any packet with a SYN or an ACK
Custom Flag: tcp[tcpflags] & (tcp-syn|tcp-ack) != 0

Filter Purpose: To capture any packet with a SYN
Custom Flag: tcp[tcpflags] & (tcp-syn) != 0
or
tcp[13] & 2 == 2

Filter Purpose: To capture any SYN to or from host 1.1.1.1
Custom Flag: and (tcp[tcpflags] & (tcp-syn) != 0)
or
and (tcp[13] & 2 == 2)

IPv6 Custom Flag Use Examples

The examples in this table focus on the custom flag entry, but rely on other fields to create a complete filter. To build expressions for TCP dump, IPv6 filtering does not currently support the TCP, UDP, and other upper-layer protocol types that IPv4 does. Also, these IPv6 examples are based on the assumption that only a single IPv6 header is present.

Filter Purpose: To capture all FIN packets to or from host 2001::2002
Custom Flag: and (ip6[53] & 1 != 0)

Filter Purpose: To capture all IPv6 SYN packets
Custom Flag: ip6 or proto ipv6 and (ip6[53] & 2 == 2)

To upload a TCP dump file to Riverbed Support

1. Choose Reports > Diagnostics > Controller > TCP Dumps to display the TCP Dumps page.

2. Select the filename.

3. Optionally, specify a case number that corresponds to the system dump. Riverbed Support recommends using a case number: for example, 194170. You can also enter the CLI command file debug dump upload URL to specify a URL instead of a case number. When you specify a URL, the dump file goes directly to the URL. If the URL points to a directory on the upload server, it must have a trailing slash (/). For example: ftp://ftp.riverbed.com/incoming/ (not ftp://ftp.riverbed.com/incoming) The filename as it exists on the appliance will then match the filename on the upload server. For details, see the Riverbed Command-Line Interface Reference Manual.

4. Click Upload. Because uploading a system dump can take a while, the status appears during the upload. When the system dump finishes uploading, the date, time, and a status of either uploaded (appears in green) or failed (appears in red) appear. An explanation appears for uploads that fail.

Stopping a TCP Dump After an Event Occurs

Capture files offer visibility into intermittent network issues, but the amount of traffic they capture can be overwhelming. Also, because rotating logs is common, after a capture logs an event, the SteelHead appliance log rotation can overwrite debugging information specific to the event. Mobile Controller v4.7 and later makes troubleshooting easier because it provides a trigger that can stop a continuous capture after a specific log event occurs. The result is a smaller file to help pinpoint what makes the event happen. The stop trigger continuously scans the system logs for a search pattern. When it finds a match, it stops all running captures.

To stop a capture after a specific log event

1. Choose Reports > Diagnostics > Controller > TCP Dumps to display the TCP Dumps page.

2. Schedule a capture.

Figure 8-23. TCP Dump Stop Trigger

3. In the Pattern text box, enter a Perl regular expression (regex) to find in a log. RiOS compares the Perl regex against each new line in the system logs and the trigger stops if it finds a match. The simplest regex is a word or a string of characters. For example, if you set the pattern to Limit, the trigger matches the line Connection Limit Reached.

Notes:
  - Perl regular expressions are case sensitive.
  - Perl treats the space character like any other character in a regex.
  - Perl reserves some characters, called metacharacters, for use in regex notation. The metacharacters are: { } [ ] ( ) ^ $ . * + ? \

  - You can match a metacharacter by putting a backslash before it. For example, to search for a backslash in the logs, you must enter two backslashes (\\) as the pattern.
  - The pattern follows Perl regular expression syntax. For details, go to: http://perldoc.perl.org/perlre.html
  - You cannot change the pattern while a scan is running. You must stop the scan before changing a pattern.
  - You do not need to wrap the pattern with the metacharacters to match the beginning or end of a line (^ $) or with the wildcard character (*).

4. Specify the amount of time to pause before stopping all running captures when the Mobile Controller finds a match. This gives the system some time to log more data without abruptly cutting off the capture. The default is 30 seconds. Specify 0 for no delay; the capture stops immediately. After a trigger has fired, the capture can stop by itself before the delay expires: for example, the capture duration can expire.

5. Click Start Scan.

When the scan stops, the Mobile Controller sends an email to all email addresses on the Configure > System Settings > Email page appearing under Report Events via Email. The email notifies users that the trigger has fired. The page indicates Last Triggered: Never if a TCP Dump stop trigger has never triggered on the Mobile Controller. After the delay duration of the stop trigger, the Mobile Controller displays the last triggered time. Before changing the Perl regular expression or amount of delay, you must first stop the process.

To stop a running scan

Click Stop Scan to halt the background process that monitors the system logs. The Mobile Controller dims this button when the stop trigger is idling.

Stop Trigger Limitations

These limitations apply to the trigger:
  - You cannot create a trigger to stop a specific capture; the trigger affects all running captures.
  - If the search pattern contains a typo, the trigger might never find a match.
  - Only one instance of a trigger can run at one time.
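Because the pattern cannot be changed while a scan is running and a mistyped pattern might never match, it helps to dry-run a candidate pattern against sample log lines before clicking Start Scan. The following is an added example, not Riverbed code: it assumes Python's re module as a stand-in for the Perl regex engine (the simple constructs used here behave the same in both), and the log lines and warning names are constructed for illustration.

```python
import re

# Metacharacters listed in this guide, plus "|" (alternation).
METACHARS = "{}[]()^$.*+?|"

# Constructed sample log lines (not real appliance output).
SAMPLE_LOG = [
    "Mar 10 12:00:01 smc-lab svc[2211]: [INFO] WAN peer 10.11.0.7 connected",
    "Mar 10 12:00:04 smc-lab svc[2211]: [NOTICE] Connection Limit Reached",
    "Mar 10 12:00:09 smc-lab svc[2211]: [WARN] peer 10.11.0.6 unreachable (timeout)",
]


def unescaped_metachars(pattern):
    """Return the metacharacters in pattern that are not preceded by a backslash."""
    found, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\":       # a backslash escapes the next character
            i += 2
            continue
        if pattern[i] in METACHARS:
            found.append(pattern[i])
        i += 1
    return found


def preflight(pattern, lines=SAMPLE_LOG):
    """Dry-run a stop-trigger pattern line by line, as the scan would.

    Returns {"fires_on": index of the first matching line or None,
             "warnings": list of short warning codes}.
    """
    try:
        rx = re.compile(pattern)     # case sensitive, unanchored search
    except re.error:
        return {"fires_on": None, "warnings": ["syntax-error"]}

    regex_hits = [i for i, line in enumerate(lines) if rx.search(line)]
    # What the operator gets if the pattern was meant as plain text.
    literal_hits = [i for i, line in enumerate(lines) if pattern in line]
    nocase_hits = [i for i, line in enumerate(lines)
                   if re.search(pattern, line, re.IGNORECASE)]

    warnings = []
    if unescaped_metachars(pattern) and regex_hits != literal_hits:
        warnings.append("metachar-changes-match")   # escape it, or confirm intent
    if not regex_hits and nocase_hits:
        warnings.append("case-mismatch")            # regexes are case sensitive
    if not regex_hits:
        warnings.append("never-fires")              # captures would keep running
    return {"fires_on": regex_hits[0] if regex_hits else None,
            "warnings": warnings}


if __name__ == "__main__":
    for candidate in ["Limit", "limit", "[WARN] peer", r"\[WARN\] peer",
                      "unreachable (timeout)", "Limit("]:
        print(f"{candidate!r:26} -> {preflight(candidate)}")
```

The pattern [WARN] peer is the instructive case: read as a regex it is a character class, so it fires on the unrelated "WAN peer" line and stops every running capture early, while the line it was meant for never matches.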
To view controller TCP dump files

1. Choose Reports > Diagnostics > Controller > TCP Dumps to display the Mobile Controller TCP Dumps page.

2. Under Download Link, select the TCP dump name to open the file.

Note: To print the TCP dump, select the TCP dump filename under Download Link. When the file opens, choose File > Print in your Web browser to open the Print dialog box.

Note: To remove an entry, select the check box next to the name in the TCP dump list and click Remove Selected.

To stop a running TCP dump

1. Choose Reports > Diagnostics > Controller > TCP Dumps to display the TCP Dumps page.

2. Select the TCP dump filename in the Running Capture Name list.

3. Click Stop Selected Captures.

In continuous mode, after you complete the capture, perform the following steps to upload a TCP dump to Riverbed Support. (For timed TCP dumps, start with Step 2.)

Exporting Logs

You can specify logs, choose a time range, and optionally receive your log data by email on the Reports > Export page. Reports are text files in CSV (comma-separated values) format.

To export logs

1. Choose Report > Export to display the Export page.

Figure 8-24. The Export Page

2. Use the controls to customize the report as described in this table.

Export Report Data - Select a report type from the drop-down list:
  - CPU Utilization
  - Memory Utilization
  - Paging I/O

Begin Date and Time - Choose a start time and date for your report. Date is in the format YYYY/MM/DD HH:MM:SS.

End Date and Time - Choose an end time and date for your report. Date is in the format YYYY/MM/DD HH:MM:SS.

Email Delivery - Optionally, choose to have the report sent by email.

Email Address - Specify an email address.

Note: If you choose to export a report without an email address, your report is downloaded by your browser.

CHAPTER 9 Troubleshooting the SteelHead Mobile

This chapter describes how to troubleshoot common SteelHead Mobile problems. It includes the following section:

Common SteelHead Mobile Problems on page 200

Common SteelHead Mobile Problems

The following table summarizes how to troubleshoot SteelHead Mobile problems.

Problem: Optimization is failing.
Verification: Restart the SteelHead Mobile.
Solution:

To restart the Windows SteelHead Mobile
1. In the client system tray, click the SteelHead Mobile software icon to open the SteelHead Mobile GUI.
2. In the SteelHead Mobile, click Support.
3. Under Restart SteelHead Mobile, click Restart.
4. In the SteelHead Mobile, click Status.
5. Check whether the monitor process is running. If the monitor process is running, the following message is displayed: Healthy

To restart the Mac SteelHead Mobile
1. In the Finder, click the SteelHead Mobile icon to display the menu.
2. In the SteelHead Mobile menu, select Support > Restart SteelHead Mobile.
3. In the SteelHead Mobile menu, select Status.
4. Check whether the monitor process is running. If the monitor process is running, the following message is displayed: Healthy

Problem: Optimization is failing (continued)
Verification: Verify that the monitor process is running.
Solution: The monitor is a service that communicates with the Mobile Controller and starts the optimization process.

To verify that the monitor process is running
1. In the client system tray, click the SteelHead Mobile software icon to open the SteelHead Mobile GUI.
2. In the SteelHead Mobile, click Status.
3. Under Current Controller, check whether the monitor is running. If the monitor is not running, the following message is displayed: Unable to connect to monitor
4. In the SteelHead Mobile, click Support.
5. Under Restart SteelHead Mobile, click Restart.
6. In the SteelHead Mobile, click Status.
7. Check whether the monitor process is running. If the monitor process is running, the following message is displayed: Healthy

Problem: Optimization is failing (continued)
Verification: Verify that the client is connected to the Mobile Controller.
Solution: In the SteelHead Mobile GUI, under Settings, verify that the client is connected to the Mobile Controller.

To verify that the SteelHead Mobile is connected to the Mobile Controller
1. In the client system tray, click the SteelHead Mobile software icon to open the SteelHead Mobile GUI.
2. Click Status. If the SteelHead Mobile is connected to the Mobile Controller, the following message is displayed: Connected

Problem: Optimization is failing (continued)
Verification: Verify that the client is connecting to the Mobile Controller.
Solution: In the SteelHead Mobile, test whether the client is connecting to the Mobile Controller.

To verify that the SteelHead Mobile is connecting to the Mobile Controller
1. In the client system tray, click the SteelHead Mobile software icon to open the SteelHead Mobile GUI.
2. In the SteelHead Mobile, click Settings.
3. Under Configure Mobile Controllers, click Configure to display the Configure Mobile Controllers dialog box.
4. Select the Mobile Controller that you want to verify and click Test to test the connection. It takes approximately 30 seconds for the client to connect with the Mobile Controller (after you have VPN connectivity). If after 30 seconds, the client GUI still indicates that SteelHead Mobile client is not connected to the Mobile Controller, perform Step 5.
5. Under Restart SteelHead Mobile Client, click Restart, and then click Yes.

Problem: Optimization is failing (continued)
Verification: Verify that there is enough free disk space for the data store.
Solution:

To verify whether there is enough free disk space for the data store
1. In the client system tray, click the SteelHead Mobile software icon to open the SteelHead Mobile GUI.
2. In the SteelHead Mobile, click Status.
3. If the SteelHead Mobile displays the following message, the optimization process is not running: Critical
4. On the client system tray, right-click and select Task Manager to open the Windows Task Manager dialog box.
5. Click Processes and look for the rbtsport.exe process.
6. If the process is not running, in the SteelHead Mobile, click Support.
7. Under Logs, click View Log to view the current log file.
8. Look for the following message: Insufficient disk space for seg store If you do not have enough disk space, reduce the data store size value.
9. In the SteelHead Mobile, click Settings.
10. Under Resource Allocation, select a smaller data store size from the drop-down list.

Problem: Optimization is failing (continued)
Verification: Verify that the connections are optimized.
Solution:

To verify that connections are optimized, your system administrator must
1. Log in to the Management Console.
2. Click Reports > Endpoints > Endpoint Report to display the Endpoint Report page.
3. Click the username in the endpoints list to display the Endpoint Details page.
4. Under General Information, check the connection status.

APPENDIX A Default Policy Settings

This appendix describes the default policy settings.

Default Policy Settings Summary on page 203

Default Policy Settings Summary

The following table summarizes the default settings for the initial default policy. For basic steps for deploying SteelCentral Controller for SteelHead Mobile with the default policy and package, see Basic Steps for Deploying the SteelHead Mobile Package on page 15.

In most cases, the default policy does not need to be modified. However, if a Mobile Controller is on the public Internet, an unlicensed user can add the IP address of the Mobile Controller to his or her client controller list. The user will then receive the default acceleration policy associated with the Mobile Controller, and will consume a license when a connection is optimized. Using a nondefault policy requires the user to know the policy name to specify in their endpoint policy information that requires admin/monitor access. Therefore, if you have a Mobile Controller on the public Internet, Riverbed recommends that the default policy disable optimization. The easiest way to disable optimization is to add an in-path rule that passes through all traffic. Although users can still connect to the Mobile Controller with a default policy that disables optimization, the user will not consume a license.

Parameter Default value

General Settings: Policy Name Initial None

Parameter Default value

Optimization Rules: In-Path Rule Type Position Auto Discover Start Source Subnet 0.0.0.0/0 Destination Subnet 0.0.0.0/0 Port or Port Label Preoptimization Policy Optimization Policy Latency Optimization Policy Neural Framing Mode WAN Visibility Mode All None Normal Normal Always Correct Addressing None

Protocol Settings: CIFS Enable Latency Optimization Enabled Optimize Connections with Security Signatures (that do not require signing) Disable Write Optimization Enable Server Side Dynamic Write Throttling Buffer Size Enable Overlapping Open Optimization Optimize Only the Following Extensions: sldasm, slddrw, slddwg, sldprt Optimize All Except the Following Extensions: ldb, mdb Enabled Disabled Enabled 2048 KB Disabled Disabled Disabled

Protocol Settings: SMB2 Enable SMB2 Latency Optimization Enabled Do Not Optimize Connections that cannot be Down-Negotiated Enable SMB2 Latency Optimization on Connections that cannot be Down-Negotiated Enabled Disabled

Parameter Default value

Protocol Settings: MAPI Enable MAPI Optimization - Exchange Port Enable MAPI NSPI - NSPI Port Enable Encrypted Optimization Enable Outlook Anywhere Optimization Auto-Detect Outlook Anywhere Connections Enabled Port 7830 Disabled Port 7840 Disabled Disabled Disabled

Protocol Settings: NFS (Mac clients only) Protocol Settings: Oracle Forms Protocol Settings: Lotus Notes Enable NFS Optimization Enable Oracle Forms Optimization Enable Lotus Notes Optimization - Lotus Notes Port Disabled Disabled Disabled Port 1352

Protocol Settings: Citrix Enable Citrix ICA Optimization Disabled ICA Port Port 1494 Session Reliability (CGP) Port Port 2598 Enable Secure ICA Encryption Disabled

General Protocol Settings: Connection Settings Maximum Connection Pooling Size 5

HTTP: Settings Enable HTTP Optimization Disabled

HTTP: Add New Prefetch Tag Tag Name Tag Attribute None None

Parameter Default value

HTTP: Add a Subnet Server Subnet None Strip Compression v3.1.0 clients and newer Insert Cookie v3.1.0 clients and newer Insert Keep Alive v3.1.0 clients and newer URL Learning Parse and Prefetch Object Prefetch Table Reuse Auth v3.1.0 clients and newer Force NTLM v3.1.0 clients and newer Strip Auth Header v3.1.0 clients and newer Gratuitous 401 v3.1.0 clients and newer Enabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled

SSL: General SSL Settings Enable SSL Optimization Disabled

SSL: Client Authentication SSL: SSL Secure Peering Settings SSL: SSL Peering Location Awareness Enable Client Certificate Support Traffic Type Fallback to No Encryption Trust All Pre-Configured Peering Certificates Trust Selected Peering Certificates Enable Latency-based location awareness Disabled SSL Only Enabled Enabled Disabled Disabled

Latency Awareness Enable Branch warming Disabled

Adapters to Optimize: Add New Rule Endpoint Settings: General Settings Endpoint Settings: Data Store Settings Position Adapter Optimize Show Client in the System Tray Data Store Size Start All Adapters Yes Enabled 10 GB

Endpoint Settings: Log Settings Maximum Log Size Maximum Number of Log Files 2 5000 KB

Parameter Default value

Endpoint Settings: Add a new Controller Insert At Hostname End The current Mobile Controller Port 7870

Controller Options

Add a New Controller
  Insert At - Select start, end, or a Mobile Controller number from the drop-down list. The default value is end. Specify the order in which controllers connect with Mobile Controllers. SteelHead Mobile Clients connect according to the number you specify, starting with 1. If the system is unable to connect to 1 in the list, the system moves on to the next Mobile Controller in the list. For example, if the system is unable to connect to Mobile Controller 1, then Mobile Controller 2 is attempted. If Mobile Controller 2 is successful, no further Mobile Controllers in the list are attempted.
  Hostname - Name of current Mobile Controller.
  Port - 7870

Endpoint Settings: Windows-only Settings
  Use Random Ordering of Controllers when Connecting - Disabled
  Reorder Intermediate Drivers (Required for Check Point and Nortel VPN compatibility) - Disabled
  Disable TCP/IP Checksum Offloading (Requires client reboot) - Disabled

The Initial policy contains the following pass-through rules to automatically pass through traffic that cannot be optimized. The three rules are:
  - Secure - For traffic on secure ports (for example, SSH, HTTPS, and SMTPS).
  - Interactive - For traffic on interactive ports (for example, Telnet, TCP ECHO, remote logging, and shell).
  - RBT-Proto - Specifies well-known ports used by the system: 7744 (data store synchronization), 7800-7801 (in-path), 7810 (out-of-path), 7820 (failover), 7850 (connection forwarding), 7860 (SteelHead Interceptor), 7870 (Mobile Controller).


APPENDIX B Windows and Mac SteelHead Mobiles

This appendix describes the Windows and Mac SteelHead Mobile software properties. It includes the following sections:

Windows SteelHead Mobile Properties on page 209
Mac SteelHead Mobile Properties on page 215

Windows SteelHead Mobile Properties

The Windows SteelHead Mobile software icon is displayed in the system tray if the Show Client in the System Tray option is enabled in the policy.

To display the SteelHead Mobile software on the client machine

Double-click the SteelCentral Controller for SteelHead Mobile icon in the system tray to display the SteelHead Mobile software.

Figure B-1. Windows Status

Status Tab

The Status tab displays the SteelHead Mobile system status, performance statistics, and connection list. The following table describes the controls under the Status tab of the Windows SteelHead Mobile.

System Status
  Optimization Status - Displays the current state of the SteelHead Mobile. The SteelHead Mobile can be in one of the following states:
    Initializing - Indicates that the optimization service is starting.
    Healthy - Indicates that all systems are functioning properly.
    Critical - Indicates that the optimization service is not running. Contact your system administrator.
    Disabled - Indicates that the optimization service is turned off.
    Warning - Indicates that the optimization status is running, but there are some issues. Contact your system administrator.

Performance Statistics
  Current Controller - Displays the Mobile Controller hostname or IP address and the port to which the client connects.
  Controller Connection Status - Displays the Mobile Controller's connection status. Possible values are Connected, Connected: Licensed, Connected: Not Licensed, or Not Connected.
  Policy - Displays the policy currently running on the client.
  Total Data Reduction - Displays the percent data reduction on the SteelHead Mobile since the optimization service has been running.
  Optimization Statistics (LAN/WAN) - Displays the total amount of optimized data exchanged with peer SteelHead (for LAN/WAN).
  Branch Warming Statistics (In/Out) - Displays the branch warming statistics.
  SSL Connections (Successful/Total) - Displays the number of successful SSL connections.

Connection List - Displays the different connections. Right-click a connection and select Detect SteelHeads to find and display SteelHeads along the network path to a specified destination server.

Connection Icons

The following icons are displayed in the Connection List of the Status tab to indicate the state of the connection:
  Yellow arrows - Displays Established (Optimized) connection.
  Green arrow - Displays Established (Branch Mode) connection.
  Blue arrow - Displays Established (Branch Warming) connection.
  Gray arrow - Displays Established (Pass-through) connection.
  Red arrow - Displays Established (Optimized) connection with optimization error.
  Lock icon - Indicates secure inner channel connections.

Settings Tab

The Settings tab displays current SteelHead Mobile settings such as data store size, optimization settings, reset connections, and adapter list.

Note: The SteelHead Mobile allows users to override policy settings made by the system administrator. Even if a new policy is sent to the client, the settings in the client remain in effect unless the client clicks Reset to Administrator Policy under Settings.

The following table describes the controls under the Settings tab of the Windows SteelHead Mobile.

Resource Allocation
  Current Data Store Size on Disk - Specifies the current data store size on disk.
  Data Store Size - Specify the amount of disk space allocated to the data store from the drop-down list. Auto (x GB) is the size set by the administrator in the policy. Setting this option to a non-auto value overrides the current Endpoint Settings in your policy.

Optimization Settings
  RiOS Bandwidth and Latency Optimization - Specify this option to enable RiOS bandwidth optimization on the client. When enabled, all dependent check boxes are grayed-out. You can also enable and disable client optimization from the SteelHead Mobile icon in the system tray.
  MAPI Optimization (for Exchange) - Specify this option to optimize MAPI for Exchange.
  HTTP Optimization - Specify this option to optimize HTTP.
  SSL Optimization - Specify this option to optimize SSL.
  SMB2 Optimization - Specify this option to optimize CIFS SMB2.
  SMB3 Optimization - Specify this option to optimize CIFS SMB3.
  Citrix Optimization - Specify this option to optimize Citrix.
  Lotus Notes - Specify this option to optimize Lotus Notes.
  Oracle Forms - Specify this option to optimize Oracle Forms.

Reset Connections
  Reset connections when SteelCentral Controller for SteelHead Mobile is initialized - Resets existing nonoptimized connections when the optimization service restarts.

Reset to Administrator Policy
  Reset - Click Reset to return values on the Settings tab back to the values defined by your system administrator.

Configure SteelHead Mobile Controllers
  Configure - Click Configure to open the Configure Mobile Controllers dialog box. A list of Mobile Controllers is displayed and the following controls:
    Use controller list defined by Administrator - Connect to a Mobile Controller listed by the system administrator in the policy.
    Override controller list - Does not restrict the Mobile Controller list to the system administrator-set specifications in the policy.
    New - Add a Mobile Controller to the list. This option is available when Override controller list is selected.
    Edit - Modify a Mobile Controller on the list. This option is available when Override controller list is selected and a Mobile Controller is selected in the list.
    Delete - Delete a Mobile Controller from the list. This option is available when Override controller list is selected and a Mobile Controller is selected in the list.
    Test - Verifies that the user can connect to the Mobile Controller. This option is available when Override controller list is selected and a Mobile Controller is selected in the list.
    Apply - Click Apply to save your configurations.
    Arrow keys - Use the arrows on the right side of the list to change the priority order of the Mobile Controllers the client connects to. The priority list is used only if Select Controller at Random is disabled and Override controller list is selected.
    Select Controller at Random - If there is more than one Mobile Controller in the list, the SteelHead Mobile randomly connects to one of them. Use this option if you want to distribute SteelHead Mobile connections. This control has the following options:
      Enabled - Specifies random selection of Mobile Controllers.
      Auto ( ) - Enables or disables random selection of Mobile Controllers as defined by the administrator in the policy.
      Disabled - Specifies the first Mobile Controller on the list. If this connection fails, the next Mobile Controller on the list is selected, and so on.

Adapter List - Displays the adapters that SteelCentral Controller for SteelHead Mobile has identified on the client system, along with IP address and the optimization status for each adapter.

Support Tab

The Support tab displays tools for assisting you in diagnosing problems with your system. For more information about troubleshooting your system, see Common SteelHead Mobile Problems on page 200.

The following table describes the controls under the Support tab.

Logs
View your current log file. Click View Log to view your current log file. These are the log files for the SteelHead Mobile. For assistance, contact your system administrator.
Upload system dump to your Administrator. Click Upload System Dump to upload your system dump file to the Mobile Controller. Your system administrator uses the dump file to troubleshoot your system. For assistance, contact your system administrator.
Generate a TCP dump and send it to your administrator. Click Generate to generate a TCP dump for the specified amount of time (seconds or minutes). The TCP dump is automatically sent to the Mobile Controller, where a system administrator can view it in the Reports tab. Use this option to troubleshoot the client system. For assistance, contact your system administrator.

Diagnostics Check
Run a diagnostics check to ensure your SteelHead Mobile is running properly. Click Run Check to run a diagnostics check on the SteelHead Mobile. If the status is anything other than Healthy, there might be a problem with the system. For assistance, contact your system administrator.

Restart SteelHead Mobile
Restart your SteelHead Mobile. Click Restart to restart the SteelHead Mobile. This option restarts the optimization service and is a first step for troubleshooting the optimization service.

View SSL Certificates
View the certificates that are used for SSL optimization and authorization with the SteelHead Mobile. Click View Certificates to view the certificates that are used for SSL optimization.

Certificates - The following list of certificates is displayed:
  SteelHead Mobile Controller CA Certificate
  SteelHead Mobile Controller Server Certificate
  SteelHead Peering Certificate - Click to regenerate a certificate while the optimization is enabled. This option is disabled when optimization on the client is disabled or when a controller is not connected.
  Advanced SSL CA Certificate

Certificate Details - Displays the following information:
  Serial Number - Specifies the serial number (Issued To, only).
  Issued To/Issued By - Specifies the following information:
    Common Name - Specifies the common name of the certificate authority.
    Organization Unit - Specifies the organization name (for example, the company).
    Locality - Specifies the city.
    State - Specifies the state.
    Country - Specifies the country (2-letter code only).
  Validity - Specifies the following information:
    Issued On - Specifies the date the certificate was issued.
    Expires On - Specifies the date the certificate expires.
  Fingerprint - Specifies the fingerprint.
    SHA1 - Specifies the SSL fingerprint.

PEM Format - Displays the certificate in PEM format.

Detect SteelHeads
Find and display SteelHeads along the network path to a specified destination server. Click Detect SteelHeads to find and display SteelHeads along the network path to a specified destination server.

Reset Statistics
Reset the cumulative historical statistics. Click Reset Stats to reset the cumulative historical statistics.

Upgrade
Check to see if you have the latest version of the SteelCentral Controller for SteelHead Mobile installed. Click Check for Updates to check if you have the latest version of SteelCentral Controller for SteelHead Mobile installed.
System Tray Options

This section describes the functionality of the Windows SteelHead Mobile system tray properties.

To display the SteelHead Mobile system tray properties

Right-click the SteelCentral Controller for SteelHead Mobile icon in the system tray to display the different options.

The following table describes the options in the system tray.

Show - Specify this option to show the SteelHead Mobile on the screen.
Hide - Specify this option to minimize the SteelHead Mobile to the system tray.
Enable/Disable Optimization - Specify this option to enable or disable client optimization.
About - Specify this option to show the SteelHead Mobile software version.
Exit - Specify this option to remove the SteelHead Mobile icon from the system tray and disable client optimization. Always use this option to stop SteelHead Mobile optimization.

Mac SteelHead Mobile Properties

The following section describes the Mac SteelHead Mobile.

Viewing Preferences and System Status

1. To see the SteelCentral Controller for SteelHead Mobile preferences, open the Mac System Preferences and select SteelCentral Controller for SteelHead Mobile.

Figure B-2. Mac System Preferences

2. Click the SteelCentral Controller for SteelHead Mobile logo on the menu bar and select Status to display the current system status.

Figure B-3. Status Window

The following table describes the information displayed in the Status window of the Mac SteelHead Mobile.

System Status

Optimization Status - Displays the current state of the SteelHead Mobile. The SteelHead Mobile can be in one of the following states:
  Initializing - Indicates that the optimization service is starting.
  Healthy - Indicates that all systems are functioning properly.
  Critical - Indicates that the optimization service is not running. Contact your system administrator.
  Disabled - Indicates that the optimization service is turned off.
  Warning - Indicates that the optimization status is running, but there are some issues. Contact your system administrator.
Current Controller - Displays the Mobile Controller hostname or IP address and the port that the client connects to.
Controller Status - Displays whether the Mobile Controller is currently Connected, Not Connected, Licensed, or Not Licensed.
Policy - Displays the policy currently running on the client.

Performance Statistics

Total Data Reduction - Displays the percent data reduction on the SteelHead Mobile since the optimization service has been running.
Optimization Statistics (LAN/WAN) - Displays the total amount of optimized data exchanged with peer SteelHead (for LAN/WAN).
Your Capacity Increase - Specifies the performance improvement as a result of data optimization.
Branch Warming Statistics (In/Out) - Displays the branch warming statistics.
SSL Connections (Successful/Total) - Displays the number of successful SSL connections.

Connection List - Displays the different connections. Control-click a connection and select Detect SteelHeads to find and display SteelHeads along the network path to a specified destination server.

Connection Icons

The following icons are displayed in the Connection List of the Status window to indicate the state of the connection:

Yellow arrows - Displays Established (Optimized) connection.
Green arrow - Displays Established (Branch Mode) connection.
Blue arrow - Displays Established (Branch Warming) connection.
Gray arrow - Displays Established (Pass-through) connection.
Red arrow - Displays Established (Optimized) connection with optimization error.
Lock icon - Indicates secure inner channel connections.

Accessing the Support Menu

The Mac Support menu provides tools for diagnosing problems with your system.

To access the Support menu

Click the SteelCentral Controller for SteelHead Mobile logo on the menu bar to display tools for assisting you in diagnosing problems with your system. For details about troubleshooting your system, see Common SteelHead Mobile Problems.

The following table describes the controls on the Mac Support menu.

View Log - View your current log file. Click View Log to view your current log file. These are the log files for the SteelHead Mobile. For assistance, contact your system administrator.
Generate Sysdump - Upload system dump to your Administrator. Click Upload System Dump to upload your system dump file to the Mobile Controller. Your system administrator uses the dump file to troubleshoot your system. For assistance, contact your system administrator.
Generate TCP Trace - Generate a TCP trace and send it to your administrator. Click Generate to generate a TCP dump for the specified amount of time (seconds or minutes). The TCP dump is automatically sent to the Mobile Controller, where a system administrator can view it in the Reports tab. Use this option to troubleshoot the client system. For assistance, contact your system administrator.
Detect SteelHeads - Find and display SteelHeads along the network path to a specified destination server. Click Detect SteelHeads to find and display SteelHeads along the network path to a specified destination server.
Restart SteelCentral Controller for SteelHead Mobile - Restart your SteelHead Mobile. Click Restart to restart the SteelHead Mobile. This option restarts the optimization service and is a first step for troubleshooting the optimization service.
Reset Statistics - Reset the cumulative historical statistics. Click Reset Stats to reset the cumulative historical statistics.

Managing Optimization Controls

The Mac SteelCentral Controller for SteelHead Mobile preferences pane appears with three tabs: Optimization, Controllers, and SSL.

The Optimization tab displays current optimization status and enables users to enable optimization, configure connection reset, and set the data store size.

Figure B-4. Optimization Tab

The following table describes the controls under the Optimization tab of the Mac SteelHead Mobile.

Optimization Settings

SteelCentral Controller for SteelHead Mobile Monitor Service - Indicates if the service is running or not running.
Restart - Click to restart the SteelHead Mobile Monitor Service.
Optimization Status - Displays the current state of the SteelHead Mobile. The SteelHead Mobile can be in one of the following states:
  Initializing - Indicates that the optimization service is starting.
  Healthy - Indicates that all systems are functioning properly.
  Critical - Indicates that the optimization service is not running. Contact your system administrator.
  Disabled - Indicates that the optimization service is turned off.
RiOS Bandwidth and Latency Optimization - Specify this option to enable RiOS bandwidth optimization on the client. When enabled, all dependent check boxes are dimmed. You can also enable and disable client optimization from the SteelHead Mobile icon in the system tray.
NFS Optimization - Specify this option to optimize NFS.
HTTP Optimization - Specify this option to optimize HTTP.

Data Store

Reset connections when SteelCentral Controller for SteelHead Mobile is initialized - Resets existing nonoptimized connections when the optimization service is restarted.
Current data store size on disk - Specifies the current data store size on disk.
Data store size - Specifies the amount of disk space allocated to the data store.

Using the Controllers Tab

The Mac Controllers tab displays the current controller and connection status, and enables users to specify controller options and to add and modify controllers.

Figure B-5. Controllers Tab

The following table describes the controls under the Controllers tab of the Mac SteelHead Mobile.

Configure Mobile Controllers

Current Controller - Specifies the Mobile Controller hostname or IP address, and the port that the SteelHead Mobile connects to.
Connection Status - Displays the current connection status of the SteelHead Mobile. The SteelHead Mobile can be in one of the following states:
  Connected - Indicates that the SteelHead Mobile is connected to a Mobile Controller but is not consuming a license from the Mobile Controller. This may indicate, for instance, that the SteelHead Mobile is in branch mode, or is not currently optimizing any connections.
  Connected: Licensed - Indicates that the SteelHead Mobile is connected to a Mobile Controller and is consuming a license from the Mobile Controller.
  Connected: Denied License - Indicates that the SteelHead Mobile is connected to a Mobile Controller but is unable to obtain a license from the Mobile Controller.
  Not Connected - Indicates that the SteelHead Mobile is not connected to a Mobile Controller.
Select controller to use at random - If there is more than one Mobile Controller in the list, the SteelHead Mobile randomly connects to one of them. Use this option if you want to distribute SteelHead Mobile connections. This control has the following options:
  Auto - Enables or disables random selection of Mobile Controllers as defined by the administrator in the current policy.
  On - Specifies random selection of Mobile Controllers.
  Off - Specifies the first Mobile Controller on the list. If this connection fails, the next Mobile Controller on the list is selected, and so on.
Use controller list defined by administrator - Connect to a Mobile Controller listed by the system administrator in the current policy.
Override controller list - Does not restrict the Mobile Controller list to the system administrator-set specifications in the current policy. When Override controller list is selected, the following additional controls are activated:
  + - Click + to add a Mobile Controller to the list; click - to remove one.
  Test - Verifies that the user can connect to the selected Mobile Controller.
  Arrow keys - Use the arrows on the right side of the list to change the priority order of the Mobile Controllers the client connects to. The priority list is used only if Select Controller at Random is disabled.
  To modify a Mobile Controller on the list, double-click the controller in the list and edit directly. This is only possible when Override controller list is selected.
Revert - Click Revert to undo any changes made to the controller configuration in this tab.
Apply - Click Apply to save your configurations.

Using the SSL Tab

The Mac SSL tab displays the CA certificates and enables users to enable or disable SSL optimization.

Figure B-6. SSL Tab

The following table describes the controls under the SSL tab of the Mac SteelHead Mobile.

SSL optimization - Click On or Off to enable or disable SSL optimization.
Refresh - Click to refresh the CA information.
Certificates - The following list of certificates is displayed:
  SteelHead Mobile Controller CA Certificate
  SteelHead Mobile Controller Server Certificate
  SteelHead Peering Certificate - Regenerates when you click Regenerate while the optimization is enabled. This button is disabled when optimization on the client is disabled or when a controller is not connected.
  Advanced SSL CA Certificate
Certificate Details - Displays the following information based on the certificate option selected above:
  Serial Number - Displays the serial number (Issued To, only).
  Issued To/Issued By - Displays the following information:
    Common Name - Displays the common name of the certificate authority.
    Organization - Displays the organization name (for example, the company).
    Org. Unit - Displays the organizational unit within the organization.
    Locality - Displays the city.
    State - Displays the state.
    Country - Displays the country (2-letter code only).
  Issued On - Displays the date the certificate was issued.
  Expires On - Displays the date the certificate expires.
  Fingerprint - Displays the fingerprint.


APPENDIX C Windows Installer Properties

This appendix describes the Windows installer properties.

Windows Installer Properties Overview

The SteelCentral Controller for SteelHead Mobile Windows installer supports many Microsoft Windows Installer (MSI) properties that you can modify to control installation features. You can specify these properties from the Windows command line by passing them to the MSI executable file (msiexec.exe).

Command-line Properties

When you run the SteelCentral Controller for SteelHead Mobile installer from the command line, the properties can be passed to msiexec.exe using this syntax:

msiexec /i SteelheadMobile.msi <property_name>=<value> [/qn]

For example, you can specify the location of the installer and data store, the size of the data store, and disable the desktop icon for the SteelHead Mobile using the following syntax:

msiexec /i SteelheadMobile.msi RVBD_INSTALLDIR="E:\Riverbed" RVBD_DATASTOREDIR="E:\Datastore" RVBD_DATASTORESIZEMB=512 RVBD_DESKTOPICON=0 /qn

Precedence Rules

Properties can be set by multiple sources. A single property can be set from the command line, the installer user interface, or the value set by the administrator on the Mobile Controller when creating the package. The installer uses the following precedence rules (from highest to lowest) to choose the values it will use during installation:

1. Modified value from the installer UI. If a value is not modified in the installer dialog boxes, then the property's final value is set based on the rest of the rules.
2. Value passed on the Windows command line. If both INSTALLDIR and RVBD_INSTALLDIR are set on the command line, the value of INSTALLDIR takes precedence.

3. Value set by the administrator on the Mobile Controller when creating the package.

The following table describes the Windows installer properties and their values.

INSTALLDIR
Supported values: Absolute directory paths. Valid paths with embedded environment variables are also supported. For example:
INSTALLDIR="C:\Riverbed"
INSTALLDIR="%SYSTEMDRIVE%\Riverbed"
Description: Determines the install directory path. Consider setting RVBD_INSTALLDIR instead of setting this property. If both INSTALLDIR and RVBD_INSTALLDIR are set, the value of INSTALLDIR takes precedence.

RVBD_CONTROLLERS
Supported values: A string containing one or more controllers delimited by a semicolon (;). Controller port, if specified, must be delimited by a colon (:). Ports default to 7870 if they are not specified. For example:
RVBD_CONTROLLERS="1.2.3.4:7870;mv-gw1;mvgw2.nbttech.com:8080"
Description: Determines the controllers to which the client connects.

RVBD_DATASTOREDIR
Supported values: Absolute directory paths. Valid paths with embedded environment variables are also supported. For example:
RVBD_DATASTOREDIR="C:\Datastore"
RVBD_DATASTOREDIR="%SYSTEMDRIVE%\Datastore"
Description: Determines the location of the SteelHead Mobile data store.

RVBD_DATASTORESIZEMB
Supported values: 256, 512, 1024, 2048, 5120, 10240, 15360, and 20480. For example:
RVBD_DATASTORESIZEMB=512
Description: Determines the size of SteelHead Mobile data store.

RVBD_DESKTOPICON
Supported values: 0 - Do not create a desktop shortcut. 1 - Create a SHM desktop shortcut. For example:
RVBD_DESKTOPICON=0
Description: Determines whether or not to create a Windows desktop shortcut.

RVBD_INSTALLDIR
Supported values: Absolute directory paths. Valid paths with embedded environment variables are also supported. For example:
RVBD_INSTALLDIR="C:\Riverbed"
RVBD_INSTALLDIR="%SYSTEMDRIVE%\Riverbed"
Description: Determines the install directory path. It is recommended that you use RVBD_INSTALLDIR over INSTALLDIR, as the installer performs additional error checks when RVBD_INSTALLDIR is set. If both INSTALLDIR and RVBD_INSTALLDIR are set, the value of INSTALLDIR takes precedence.

RVBD_RANDOMIZECONTROLLERS
Supported values: 0 - Do not select controllers at random. 1 - Select a controller at random. For example:
RVBD_RANDOMIZECONTROLLERS=0
Description: Determines whether the client should choose a controller at random from the specified list of controllers and connect to it.

RVBD_SHOWUI
Supported values: 0 - Suppress the installer UI. 1 - Display the installer UI. For example:
RVBD_SHOWUI=0
Description: Determines whether to show the installer UI dialogs during the installation.

RVBD_STARTMENUICON
Supported values: 0 - Do not create a shortcut in the Start menu folder. 1 - Create a shortcut in the Start menu folder. For example:
RVBD_STARTMENUICON=0
Description: Determines whether or not to create a start menu shortcut.
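The supported values, the 7870 default port and the precedence order (installer UI, then command line, then package) can be checked before a package or deployment script is rolled out. The following Python is an added example, not Riverbed code: the function names are hypothetical, the character restrictions on paths and hostnames are a conservative choice of this example, and applying "INSTALLDIR takes precedence" across different sources is this example's reading of the table.

```python
import re

DEFAULT_CONTROLLER_PORT = 7870  # guide: ports default to 7870 when omitted
DATASTORE_SIZES_MB = {256, 512, 1024, 2048, 5120, 10240, 15360, 20480}
FLAG_PROPS = {"RVBD_DESKTOPICON", "RVBD_RANDOMIZECONTROLLERS",
              "RVBD_SHOWUI", "RVBD_STARTMENUICON"}
PATH_PROPS = {"INSTALLDIR", "RVBD_INSTALLDIR", "RVBD_DATASTOREDIR"}
QUOTED_PROPS = PATH_PROPS | {"RVBD_CONTROLLERS"}

# Absolute path rooted at a drive letter or an environment variable. Quotes,
# wildcards and a trailing backslash are refused (assumption of this example)
# so a value cannot break out of its quoted command-line argument.
ABS_PATH = re.compile(r'(?:[A-Za-z]:|%\w+%)\\[^"<>|*?\r\n]*[^"<>|*?\r\n\\]')
HOSTNAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")


def parse_controllers(value):
    """Split an RVBD_CONTROLLERS string into (host, port) tuples."""
    controllers = []
    for entry in str(value).split(";"):
        host, colon, port_text = entry.strip().partition(":")
        if not HOSTNAME.fullmatch(host):
            raise ValueError(f"bad controller host in {entry!r}")
        port = DEFAULT_CONTROLLER_PORT
        if colon:  # a colon was present, so a valid port must follow it
            if not re.fullmatch(r"[0-9]{1,5}", port_text):
                raise ValueError(f"bad controller port in {entry!r}")
            port = int(port_text)
            if not 1 <= port <= 65535:
                raise ValueError(f"controller port out of range in {entry!r}")
        controllers.append((host, port))
    return controllers


def validate(props):
    """Return a list of problems for one property set (empty means clean)."""
    problems = []
    for name, value in props.items():
        text = str(value)
        if name in PATH_PROPS:
            if not ABS_PATH.fullmatch(text):
                problems.append(f"{name}: {text!r} is not an accepted absolute path")
        elif name in FLAG_PROPS:
            if text not in ("0", "1"):
                problems.append(f"{name}: {text!r} must be 0 or 1")
        elif name == "RVBD_DATASTORESIZEMB":
            if not re.fullmatch(r"[0-9]+", text) or int(text) not in DATASTORE_SIZES_MB:
                problems.append(f"{name}: {text} is not a supported size")
        elif name == "RVBD_CONTROLLERS":
            try:
                parse_controllers(text)
            except ValueError as exc:
                problems.append(f"{name}: {exc}")
        else:
            problems.append(f"{name}: not a property listed in the guide")
    return problems


def resolve(ui_modified, command_line, package):
    """Merge the three sources: installer UI > command line > package."""
    effective = {}
    for source in (package, command_line, ui_modified):  # lowest first
        effective.update(source)
    return effective


def install_dir(effective):
    """INSTALLDIR wins when both it and RVBD_INSTALLDIR are set."""
    return effective.get("INSTALLDIR", effective.get("RVBD_INSTALLDIR"))


def msiexec_command(props, msi="SteelheadMobile.msi", quiet=True):
    """Build the msiexec line, refusing any property set that fails validate()."""
    problems = validate(props)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["msiexec", "/i", msi]
    for name, value in props.items():
        parts.append(f'{name}="{value}"' if name in QUOTED_PROPS else f"{name}={value}")
    if quiet:
        parts.append("/qn")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed input mirroring the guide's own command-line example.
    print(msiexec_command({"RVBD_INSTALLDIR": r"E:\Riverbed",
                           "RVBD_DATASTOREDIR": r"E:\Datastore",
                           "RVBD_DATASTORESIZEMB": 512,
                           "RVBD_DESKTOPICON": 0}))
```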


APPENDIX D Mobile Controller MIB

This appendix describes the Mobile Controller SNMP MIB. It includes the following sections:

Accessing the Mobile Controller Enterprise MIB
SNMP Traps

Accessing the Mobile Controller Enterprise MIB

The Mobile Controller MIB monitors device status and peers, and provides network statistics for seamless integration into network management systems such as Hewlett Packard OpenView Network Node Manager, PRTG, and other SNMP browser tools. For details about configuring and using these network monitoring tools, consult the vendor documentation.

The following guidelines describe how to download and access the Mobile Controller MIB using common MIB browsing utilities:

You can download the Mobile Controller MIB (CONTROLLER-MIB.txt) from the Help: Online Help page of the Mobile Controller or from the Riverbed Support site at https://support.riverbed.com and load it into any MIB browser utility.
Some utilities might expect a file type other than a text file. If this occurs, change the file type to the one expected.
Some utilities assume that the root is mib-2 by default. If the utility sees a new node, such as enterprises, it might look under mib-2.enterprises. If this occurs, use .iso.org.dod.internet.private.enterprises.rbt as the root.
Some command-line browsers might not load all MIB files by default. If this occurs, find the appropriate command option to load the CONTROLLER-MIB.txt file: for example, for NET-SNMP browsers, snmpwalk -m all.

SNMP Traps

The following table summarizes the SNMP traps sent out from the Mobile Controller to configured trap receivers.

proccrash (enterprises.17163.1.4.4.1.1) - A process has crashed and subsequently been restarted by the system. A system snapshot of this crash is accessible on the Mobile Controller. Riverbed Support might need information contained in the system snapshot to determine the cause of the crash.
procexit (enterprises.17163.1.4.4.1.2) - A process has unexpectedly exited and been restarted by the system. The process might have exited on its own or due to other process failures. Contact Riverbed Support to determine the cause of this event.
cpuutil (enterprises.17163.1.4.4.1.3) - Average CPU utilization has exceeded an acceptable threshold. Sustained CPU load might be symptomatic of a more serious issue. Contact Riverbed Support for more information.
pagingactivity (enterprises.17163.1.4.4.1.4) - The system is running low on memory and has begun swapping memory pages to disk. This event can be triggered during heavy computing loads. Contact Riverbed Support to determine the cause of this event.
scheduledjoberror (enterprises.17163.1.4.4.1.5) - A scheduled job on the system has failed. Use the Mobile Controller to determine which job failed.
confmodeenter (enterprises.17163.1.4.4.1.6) - A user on the system has entered configuration mode.
confmodeexit (enterprises.17163.1.4.4.1.7) - A user on the system has exited configuration mode.
linkerror (enterprises.17163.1.4.4.1.8) - An interface has lost its link on the Mobile Controller.
powersupplyerror (enterprises.17163.1.4.4.1.9) - A power supply on the Mobile Controller has failed.
fanerror (enterprises.17163.1.4.4.1.10) - A fan error has been detected on the Mobile Controller.
memoryerror (enterprises.17163.1.4.4.1.11) - A memory error has been detected on the Mobile Controller.
ipmi (enterprises.17163.1.4.4.1.12) - An IPMI event has been detected on the Mobile Controller.
warningtemp (enterprises.17163.1.4.4.1.13) - Mobile Controller temperature has reached the warning level.
criticaltemp (enterprises.17163.1.4.4.1.14) - Mobile Controller temperature has reached the critical level.
configurationerror (enterprises.17163.1.4.4.1.16) - Error writing system configuration files.
configchange (enterprises.17163.1.4.4.1.15) - A change has been made to the system configuration.
epdatastoreerror (enterprises.17163.1.4.4.1.100) - Endpoint data store error threshold has been exceeded.
epfsfullerror (enterprises.17163.1.4.4.1.101) - Endpoint file system full threshold has been exceeded.
eplicenseerror (enterprises.17163.1.4.4.1.102) - Endpoint license limit has been exceeded.
epversionerror (enterprises.17163.1.4.4.1.103) - Endpoint version error threshold has been exceeded.
epserviceerror (enterprises.17163.1.4.4.1.104) - Endpoint service error threshold has been exceeded.


Index A Accounts capability-based 63 privileges 63 role-based 64 Adapters, managing 59 Adapters, viewing list 59 Add a New TCP Dump 189 Administrator password 63 Advanced settings, configuring 57 Alarm settings, configuring 32 Alarm status admission control 169 fan error 34 licensing 171 link state 171 memory paging 171 software version mismatch 171 temperature 172 Alarm Status report, viewing 168 Alarm thresholds, setting 32 Announcement, setting on home page 31 Applock optimization 115 Assignments configuring 146 definition of 7 Authentication methods setting 61 TACACS+ 62 Auto-discover, in-path rule 107 B Branch Warming report, viewing 160 Bulk import and export, configuring 99 C Capability-based accounts 63 Cascading menus displaying and using 11 summary of 12 Certificate authorities adding 98 configuring in SSL 98 CIFS optimization 112, 118 overlapping opens, enabling 116 SMB signing, disabling 115 Citrix, enabling optimization 129 Cluster information on Home page 10 Cluster, prerequisites for adding a Mobile ler 82 Clusters connections, troubleshooting 84 definition 7 overview of 81 Clusters, configuring 81 Command-line interface, using 9 Configurations, saving 14, 85 Configuring advanced settings 57 alarm settings 32 clusters 81 email settings 50 endpoint settings for policies 136 general security settings 61 in-path rules for policies 106 location awareness for policies 133 log settings 53 monitored ports 39 peering 89 port labels 27 preoptimization policy 108 protocol settings 112 scheduled jobs 75 SNMP settings 41 SNMP v3 44 SSL bulk import and export 99 SSL certificate authorities 98 SSL for Mobile lers 87 SSL for policies 130 TACACS+ access 68 Web settings 71 Connection pool, setting size for 130 Console, connecting to 9 Continuous log, viewing a 180 Correct addressing mode 110 CPU utilization alarm status 169 report, viewing 173 Creating new policies 104 packages 139 Critical state 154, 210, 216, 219 D Default policy, settings for 203, 227 SteelCentral 
ler for SteelHead Mobile User s Guide 233

Index Definition of terms 7 Demilitarized zone (DMZ), definition of 7 Deny privileges in role-based accounts 64 Desktop Bandwidth report, viewing 158 Desktop Traffic report, viewing 166 Diagnostics reports, viewing 168 Disabled state 154 DMZ (demilitarized zone), definition of 7 Document conventions, overview of 2 Downloading endpoint TCP dumps 185 log files 182 E Email, configuring notification 50 Endpoint client, definition of 7 Endpoint Diagnostic reports, viewing 183 Endpoint History report, viewing 164 Endpoint reports filter types 153 viewing 152 Endpoint reports, viewing 152 Endpoint settings for policies, configuring 136 Enterprise MIB, accessing 229 Ethernet network compatibility v Events, configuring email for 50 Exporting logs 197 F Failures, configuring email for 50 Fan Error alarm status 34 FTP proxy access, configuring 17 Full address transparency, description of 110 G GPO (Group Policy Object) changing an endpoint group 149 enabling and disabling optimization in 150 Group assignments configuring 146 definition of 7 H Hardware dependencies, overview of 5 Healthy state, description of 154 Home page cluster information 10 overview of 10 Home page announcement setting 31 Host settings, modifying 17 I In-path rules auto-discover 107 configuring for policies 106 deny 107 discard 107 fixed target 107 Installing from the command line 225 license 77 Interactive ports, description of 27 Interface Counters report, viewing 177 IPMI error 34, 170 IPMI, SNMP trap 230 IPv6 support summary 20 J Jobs scheduling 75 viewing 76 K Keepalive for HTTP optimization 123 Known issues 2, 84 L Labeling, traffic in reports 39 Licenses 76 fetching automatically 77 pooling of 85 Licensing alarm status 171 Link state alarm status 171 Local logging, setting 53 localhost Mobile Client 136 Location awareness, configuring 133 Log settings, configuring 53 Logins, multiple 10 Logs customizing 182 downloading 179 exporting 197 filtering 180 viewing 179 viewing continuous 182 M Mac client 
properties 215 client settings 215 lers tab 220 deploying packages 145 Optimization tab 219 SSL tab 223 Status window 216 Support menu 217 Management Console connecting 9 navigating 11 using 9 Managing configurations 85 licenses 76 Mobile Client group assignments 146 Mobile Client packages 139 Mobile Client policies 103 optimization controls 218 user permissions 63 Web SSL certificates 72 MAPI Exchange 2003 enabling optimization 119 Memory dumps, viewing 183 Memory error 34, 170 Memory paging alarm status 171 234 SteelCentral ler for SteelHead Mobile User s Guide

    reports 175
Message of the day. See MOTD
MIB file
    SNMP traps sent 230
Mobile Client
    common problems 200
    installer GUI 226
    Mac GUI 215
    updating software 145
Mobile Client packages
    definition of 7
    steps for deploying 15
Modifying
    general host settings 17
    network interfaces 20
    ports in a port label 28
Monitor password, configuring 63
Monitored ports, configuring 39
MOTD, setting 31
MTU value, setting 24, 25
Multiple logins 10

N
Network adapters 59
Network interfaces, modifying 20

O
Object identifiers, viewing through SNMP 49
Object prefetches, configuring 122
Online documentation 2, 84
Optimization
    disabling CIFS SMB signing for 115
    overlapping opens, enabling 116
Oracle Forms traffic, in-path rule 108
Outlook Anywhere
    automatic detection 120
    latency optimization 120
    over HTTPS 120
Overlapping opens, enabling 116

P
Packages
    creating 139
    creating software updates 146
    definition of 7, 8
    deploying 15, 143
    viewing details 141
Pass-through
    enable for traffic on interactive ports 27
    rules, default settings for 207
    traffic on secure ports 27
    traffic on system ports 27
Peering, configuring 89
Permissions
    managing 63
    viewing 62
Policies
    configuring endpoint settings for 136
    configuring location awareness for 133
    configuring protocol settings for 112
    configuring SSL for 130
    creating 104
    definition of 7, 8
Port labels
    configuring 27
    overview of 27
Port transparency 110
Ports, modifying, in a port label 28
Power supply error 170
Preferences and system status, viewing 215
Preoptimization policy, configuring 108
Primary gateway IP address 24
Primary interface
    on the SteelHead appliance 20
    setting 23
Printing pages and reports 14
Private Key
    importing 73
Privileges, read, write, and deny 64
Process dumps, viewing 187
Protocol settings, configuring 112
Proxy
    addresses for Web access 17
    setting an IP for Web/FTP 19

Q
QoS policies, port transparency 110
Queue
    capture file 189
    specifying the trace dump size 190

R
RADIUS, configuring 66
RBT-Proto, description of 27
Read-only privileges for role-based accounts, configuring 64
Rebooting the system 80
Related reading 2
Reports
    Alarm Status 168
    Branch Warming 160
    CPU Utilization 173
    Desktop Bandwidth 158
    Desktop Traffic 166
    Endpoint 152
    Endpoint History 164
    Endpoints 151
    Interface Counters 177
    Memory dumps for endpoints 183
    Memory Paging 175
    Process dumps for Mobile Controllers 187
    SSL 162
    System dumps for endpoints 184
    System dumps for Mobile Controllers 186
    TCP dumps for endpoints 185
    TCP dumps for Mobile Controllers 188
Reverting, to a backup version of the system 78
Riverbed, contacting 3
Role-based
    accounts 64
    user permissions 63
RPC over HTTP or HTTPS, using with Outlook Anywhere 120

S
Scheduled jobs, configuring 75
Secure ports, description of 27
Secure vault, unlocking 70
Security
    configuring RADIUS 66
    configuring TACACS+ 68
Security for Steelhead Mobile 73
Security settings, configuring 61
Security signatures, disabling 115
Setting
    alarm thresholds 32
    local logging 53
    SNMP trap receivers 41
SMB signing, disabling 115
SNMP
    access control 46
    access policies 50
    access policy security 43, 50
    adding groups 48
    adding trap receivers 43
    adding views 49
    authentication 46
    creating users 44
    MIB, accessing 229
    supported versions 41
    testing a trap 44
    traps, summary of sent 230
    v3 configuring 44
Software dependencies, overview of 5
Software version mismatch, alarm status for 171
Software, upgrading 78
Speed and duplex
    avoiding a mismatch 25
SSL
    configuring certificate authorities 98
    configuring for Mobile Controllers 87
    configuring for policies 130
    error state 154
    non-443 servers detected on upgrade 171
    peering list 72
    trusted entities 89
Subnet for aux interface 20
System dumps, viewing 184, 186
System tray options 214
System, logging out of 14

T
TACACS+
    configuring 68
    configuring access to 68
    setting authentication method 61
TCP dump 189
TCP dumps
    adding 192
    capturing and uploading 188
    viewing 185, 188
Temperature alarm status 172
Time zone setting 38
Traps, summary of SNMP traps sent 230
Troubleshooting
    cluster connections 84
    optimization failure 200

U
Upgrading, software 78
User logs
    downloading 182
    viewing 179
User permissions, configuring 63

V
Vault, unlocking and changing the password 70

W
WAN visibility modes 110
Web settings, configuring 71
Windows SMB signing, disabling 115
Windows Mobile Client
    installer properties 225
    properties 209
    Settings tab 211
    Status tab 210
    Support tab 212
Write optimization, disabling 114
Write throttling, enabling 114