Central Management Console Users Guide

Steelhead Central Management Console
User’s Guide
Version 6.0
June 2010
© 2003-2010 Riverbed Technology, Incorporated. All rights reserved.
Riverbed Technology, Riverbed, Steelhead, RiOS, Interceptor and the Riverbed logo are trademarks or registered trademarks of
Riverbed Technology, Inc. All other trademarks used or mentioned herein belong to their respective owners.
Linux is a trademark of Linus Torvalds in the United States and in other countries. VMware is a trademark of VMware,
Incorporated. Oracle and JInitiator are trademarks or registered trademarks of Oracle Corporation. Microsoft, Windows, Vista,
Outlook, and Internet Explorer are trademarks or registered trademarks of Microsoft Corporation. UNIX is a registered trademark
in the United States and in other countries, exclusively licensed through X/Open Company, Ltd.
Parts of this product are derived from the following software:
Apache © 2000-2003. The Apache Software Foundation. All rights reserved.
Busybox © 1999-2005 Eric Andersen
ethtool © 1994, 1995-8, 1999, 2001, 2002 Free Software Foundation, Inc.
Less © 1984-2002 Mark Nudelman
Libevent © 2000-2002 Niels Provos. All rights reserved.
LibGD, Version 2.0 licensed by Boutell.Com, Inc.
Libtecla © 2000, 2001 by Martin C. Shepherd. All rights reserved.
Linux Kernel © Linus Torvalds
login 2.11 © 1993 The Regents of the University of California. All rights reserved.
md5, md5.cc © 1995 University of Southern California, © 1991-2, RSA Data Security, Inc.
my_getopt.{c,h} © 1997, 2000, 2001, 2002, Benjamin Sittler. All rights reserved.
NET-SNMP © Copyright 1989, 1991, 1992 by Carnegie Mellon University. All rights reserved. Derivative Work - 1996, 1998-2000
Copyright 1996, 1998-2000 The Regents of the University of California. All rights reserved.
OpenSSH © 1983, 1990, 1992, 1993, 1995, 1993 The Regents of the University of California. All rights reserved.
pam © 2002-2004 Tall Maple Systems, Inc. All rights reserved.
pam-radius © 1989, 1991 Free Software Foundation, Inc.
pam-tacplus © 1997-2001 by Pawel Krawczyk
sscep © 2003 Jarkko Turkulainen. All rights reserved.
ssmtp © GNU General Public License
syslogd © 2002-2005 Tall Maple Systems, Inc. All rights reserved.
Vixie-Cron © 1988, 1990, 1993, 1994 by Paul Vixie. All rights reserved.
Zile © 1997-2001 Sandro Sigalam © 2003 Reuben Thomas. All rights reserved.
This product includes software developed by the University of California, Berkeley and its contributors. This product is derived
from the RSA Data Security, Inc. MD5 Message-Digest Algorithm.
For detailed copyright and license agreements or modified source code (where required), see the Riverbed Support site at
https://support.riverbed.com. Certain libraries were used in the development of this software, licensed under GNU Lesser
General Public License, Version 2.1, February 1999. For a list of libraries, see the Riverbed Support at
https://support.riverbed.com. You must log in to the support site to request modified source code.
Other product names, brand names, marks, and symbols are registered trademarks or trademarks of their respective owners.
The content of this manual is furnished on a RESTRICTED basis and is subject to change without notice and should not be
construed as a commitment by Riverbed Technology, Incorporated. Use, duplication, or disclosure by the U.S. Government is
subject to restrictions set forth in Subparagraphs (c) (1) and (2) of the Commercial Computer Software Restricted Rights at 48 CFR
52.227-19, as applicable. Riverbed Technology, Incorporated assumes no responsibility or liability for any errors or inaccuracies
that may appear in this book.
Riverbed Technology
199 Fremont Street
San Francisco, CA 94105
Phone: 415.247.8800
Fax: 415.247.8801 Part Number
Web: http://www.riverbed.com 712-00009-08
Contents
Preface........................................................................................................................................................ 9
About This Guide ..........................................................................................................................................9
Types of Users .........................................................................................................................................9
Document Conventions .......................................................................................................................10
Hardware and Software Dependencies....................................................................................................11
Ethernet Network Compatibility...............................................................................................................11
SNMP-Based Management Compatibility...............................................................................................11
CMC Compatibility .....................................................................................................................................12
Additional Resources ..................................................................................................................................12
Online Notes..........................................................................................................................................13
Riverbed Documentation ....................................................................................................................13
Online Documentation.........................................................................................................................13
Riverbed Knowledge Base ..................................................................................................................13
Contacting Riverbed....................................................................................................................................13
Internet ...................................................................................................................................................13
Riverbed Technical Support ................................................................................................................13
Professional Services ............................................................................................................................14
Documentation......................................................................................................................................14
Chapter 1 - Overview of the CMC ............................................................................................................15

Overview of the CMC .................................................................................................................................15
Centralized Configuration with Groups and Policies.....................................................................16
Inheriting or Overriding Policy Settings from a Parent Group .....................................................16
Fetching Configurations ......................................................................................................................17
Upgrading from Previous Versions of the CMC .....................................................................................17
Group Membership ..............................................................................................................................17
Profiles to Policies.................................................................................................................................17
Policy Association.................................................................................................................................18
General Appliance Configuration......................................................................................................18
Migration Procedures...........................................................................................................................19
Steelhead Appliance Auto-Registration ...................................................................................................21
Steelhead Central Management Console User’s Guide iii

Contents
CMC Command-Line Interface .................................................................................................................23

Connecting to the CMC ..............................................................................................................................23
The Home Page.....................................................................................................................................26
Navigating in the CMC...............................................................................................................................28
Saving Your Configuration .................................................................................................................30
Printing Pages and Reports.................................................................................................................30
Getting Help .................................................................................................................................................30
Displaying Online Help.......................................................................................................................30
Logging Out ..........................................................................................................................................30
Chapter 2 - Configuring the CMC............................................................................................................31

Configuring Network Settings...................................................................................................................32
Configuring Host Settings...................................................................................................................32
Configuring Settings for the Network Interfaces.............................................................................36
Configuring System Settings......................................................................................................................39
Creating Announcements....................................................................................................................39
Setting Alarm Parameters ...................................................................................................................40
Configuring Monitored Ports .............................................................................................................42
Setting SNMP Basic Parameters and Trap Receivers ......................................................................43
Setting SNMP v3 Parameters ..............................................................................................................45
Setting SNMP ACLs Parameters ........................................................................................................47
Setting Up Email Notifications ...........................................................................................................50
Configuring Logging ...........................................................................................................................53
Configuring Security Settings ....................................................................................................................56
Configuring General Security Settings..............................................................................................57
Configuring CMC Security Settings ..................................................................................................58
Managing User Permissions ...............................................................................................................61
Configuring RADIUS Server Authentication...................................................................................68
Configuring TACACS+ Server Authentication................................................................................70
Unlocking the Secure Vault .................................................................................................................72
Configuring Management ACL..........................................................................................................73
Configuring Web Settings ...................................................................................................................74
Maintaining Your System ...........................................................................................................................75
Working with External CMC Backups ..............................................................................................76
Viewing Daily Maintenance Window Settings ................................................................................81
Displaying Job Status ...........................................................................................................................82
Managing Licenses ...............................................................................................................................84
Upgrading Your Software ...................................................................................................................85
Rebooting and Shutting Down the CMC ..........................................................................................86
Changing the Administrative Password ..................................................................................................87
Managing Configuration Files ...................................................................................................................88
Chapter 3 - Managing Appliance Groups ...............................................................................................91

Managing Appliances and Appliance Groups ........................................................................................91
Using the Trust Appliances by Key Feature .....................................................................................93
iv Steelhead Central Management Console User’s Guide

Contents
Creating a New Appliance Group .....................................................................................................94

Registering New Appliances ..............................................................................................................95
Editing Appliance Configurations .....................................................................................................96
Managing or Viewing Appliance Host Settings...............................................................................99
Managing or Viewing Appliance Base Interfaces Settings...........................................................100
Managing or Viewing Appliance In-Path Interface Settings........................................................102
Managing or Viewing Appliance SSL Settings ..............................................................................105
Working with Policies ...............................................................................................................................130
Understanding Policies and Policy Usage ......................................................................................130
Creating Policy Settings.....................................................................................................................133
Editing Policy Settings .......................................................................................................................134
Assigning Policies...............................................................................................................................136
Viewing and Managing System Operation History .............................................................................137
Managing Appliance Backup/Restore ...................................................................................................139
Performing Backups on an Appliance.............................................................................................139
Restoring a Backup Configuration to an Appliance......................................................................140
Removing Backup Configurations...................................................................................................141
Configuring Upgrades ..............................................................................................................................142
Configuring RSP Appliances ...................................................................................................................144
Configuring RSP Image Library ..............................................................................................................146
Configuring RSP Package Library...........................................................................................................147
Chapter 4 - Displaying and Customizing Reports ...............................................................................149

Displaying Managed Steelheads Reports and Logs .............................................................................149
Viewing Optimized Throughput Reports.......................................................................................150
Viewing Bandwidth Optimization Reports ....................................................................................153
Viewing Data Reduction Reports .....................................................................................................155
Viewing Traffic Summary Reports ...................................................................................................158
Viewing Connection History Reports..............................................................................................160
Viewing Connection Forwarding Reports ......................................................................................163
Viewing Connection Pooling Reports .............................................................................................164
Viewing HTTP Stats (Steelhead v5+) Reports ................................................................................166
Viewing HTTP Stats (Steelhead v4) Reports ..................................................................................170
Viewing SSL Servers Reports............................................................................................................172
Viewing NFS Reports.........................................................................................................................175
Viewing Data Store SDR-Adaptive Reports ...................................................................................177
Viewing Data Store Cost Reports .....................................................................................................179
Viewing Data Store Disk Load Reports...........................................................................................181
Viewing Data Store Hit Rate Reports ..............................................................................................182
Viewing Data Store IO Reports.........................................................................................................184
Viewing Data Store Read Efficiency Reports..................................................................................187
Viewing DNS Cache Hits Reports....................................................................................................189
Viewing DNS Cache Utilization Reports ........................................................................................190
Viewing QoS Stats Dropped Reports...............................................................................................192
Viewing QoS Stats Sent Reports .......................................................................................................194
Displaying Steelhead Diagnostics Reports ............................................................................................197
Steelhead Central Management Console User’s Guide v

Contents
Viewing CPU Utilization Reports ....................................................................................................198

Viewing Memory Paging Reports ....................................................................................................199
Viewing Appliance Details Reports .................................................................................................200
Viewing Health Check Details Reports ...........................................................................................203
Downloading Group Logs Reports..................................................................................................203
Viewing Expiring Certificates Reports ............................................................................................204
Viewing Data Store Status Reports ..................................................................................................205
Displaying CMC Diagnostics Reports ....................................................................................................205
Viewing the Alarm Status Report ....................................................................................................206
Viewing CPU Utilization Report ......................................................................................................208
Viewing Memory Paging Report......................................................................................................208
Viewing User Logs Report ................................................................................................................209
Downloading User Logs Report.......................................................................................................211
Viewing System Logs Reports ..........................................................................................................212
Downloading System Log Files Reports .........................................................................................213
Viewing the System Dumps List Report .........................................................................................213
Viewing Process Dump List Reports ...............................................................................................214
Viewing the TCP Dumps List Reports.............................................................................................214
Exporting Performance Statistics Reports..............................................................................................217
Appendix A - Policy Parameters and Settings .....................................................................................221

Viewing Policy Configurations................................................................................................................221
Optimization Policy Settings....................................................................................................................224
General Service Settings ....................................................................................................................224
In-Path Rules .......................................................................................................................................226
Peering Rules.......................................................................................................................................233
Service Ports ........................................................................................................................................235
Data Store.............................................................................................................................................236
Performance.........................................................................................................................................238
Protocols CIFS .....................................................................................................................................240
Protocols CIFS Prepopulation...........................................................................................................243
Protocols HTTP ...................................................................................................................................244
Protocols Oracle Forms......................................................................................................................247
Protocols MAPI ...................................................................................................................................249
Protocols MS-SQL...............................................................................................................................251
Protocols NFS ......................................................................................................................................252
Protocols Lotus Notes ........................................................................................................................254
Protocols Citrix ICA ...........................................................................................................................254
Windows Domain Auth.....................................................................................................................255
SSL Main Settings ...............................................................................................................................255
SSL Peering..........................................................................................................................................257
Certificate Authorities........................................................................................................................260
SSL Advanced Settings ......................................................................................................................260
Secure Peering (IPSEC) ......................................................................................................................262
System Settings Policies ............................................................................................................................264
Announcements ..................................................................................................................................264
Alarms ..................................................................................................................................................265
vi Steelhead Central Management Console User’s Guide

Contents
Monitored Ports ..................................................................................................................................269

SNMP Basic .........................................................................................................................................270
SNMP v3 ..............................................................................................................................................271
SNMP ACLs ........................................................................................................................................271
Email.....................................................................................................................................................273
Logging ................................................................................................................................................273
Networking Policy Settings......................................................................................................................277
Host Settings........................................................................................................................................277
WCCP ...................................................................................................................................................279
Simplified Routing .............................................................................................................................284
Asymmetric Routing ..........................................................................................................................284
Connection Forwarding.....................................................................................................................285
Flow Export .........................................................................................................................................286
QoS Classification...............................................................................................................................288
QoS Marking .......................................................................................................................................294
Port Labels ...........................................................................................................................................298
Security Policy Settings.............................................................................................................................298
General Security Settings...................................................................................................................298
User Permissions ................................................................................................................................299
RADIUS................................................................................................................................................300
TACACS+ ............................................................................................................................................302
Management ACL ..............................................................................................................................303
Web Settings ........................................................................................................................................304
Branch Services Settings ...........................................................................................................................304
Caching DNS .......................................................................................................................................305
RSP Slots ..............................................................................................................................................307
RSP Dataflow ......................................................................................................................................308
Appendix B - Riverbed System Ports ...................................................................................................309

Default Ports...............................................................................................................................................309
Commonly Excluded Ports ......................................................................................................................310
Interactive Ports Forwarded by the Steelhead Appliance ...................................................................310
Secure Ports Forwarded by the Steelhead Appliance ..........................................................................311
Appendix C - CMC Management Information Base (MIB) ...................................................................315

Accessing MIB Files...................................................................................................................................315
SNMP Traps................................................................................................................................................316
Acronyms and Abbreviations................................................................................................................321
Index ........................................................................................................................................................327
Steelhead Central Management Console User’s Guide vii

Contents
viii Steelhead Central Management Console User’s Guide

Preface
Welcome to the Steelhead Central Management Console User’s Guide. Read this preface for an overview of the
information provided in this guide and the documentation conventions used throughout, hardware and
software dependencies, additional reading, and contact information. It includes the following sections:
“About This Guide,” next
“Hardware and Software Dependencies” on page 11
“Ethernet Network Compatibility” on page 11
“SNMP-Based Management Compatibility” on page 11
“CMC Compatibility” on page 12
“Additional Resources” on page 12
“Contacting Riverbed” on page 13
About This Guide

The Steelhead Central Management Console User’s Guide describes how to configure and manage the Steelhead
Central Management Console (CMC).
Types of Users
This guide is written for storage and network administrators familiar with administering and managing
WANs using common network protocols such as TCP, CIFS, HTTP, FTP, and NFS.
This guide assumes you are familiar with connecting and using CLI. For details, see the Riverbed Command-
Line Interface Reference Manual.
Steelhead Central Management Console User’s Guide 9

Preface About This Guide
Document Conventions
This manual uses the following standard set of typographical conventions to introduce new terms, illustrate
screen displays, describe command syntax, and so forth.
Convention Meaning
italics Within text, new terms and emphasized words appear in italic typeface.
boldface Within text, CLI commands and GUI controls appear in bold typeface.
Courier Code examples appear in Courier font. For example:
login as: admin
Riverbed Steelhead
Last login: Wed Jan 20 13:02:09 2010 from 10.0.1.1
amnesiac > enable
amnesiac # configure terminal
<> Values that you specify appear in angle brackets. For example:
interface <ipaddress>
[] Optional keywords or variables appear in brackets. For example:

ntp peer <addr> [version <number>]
{} Required keywords or variables appear in braces. For example:

{delete <filename> | upload <filename>}
| The pipe symbol represents a choice to select one keyword or variable to the left or right of
the symbol. (The keyword or variable can be either optional or required.) For example:
{delete <filename> | upload <filename>}
10 Steelhead Central Management Console User’s Guide

Hardware and Software Dependencies Preface
Hardware and Software Dependencies

The following table summarizes the hardware and software requirements for the CMC.
Important: 64-bit guest VMs (such as, Windows Server 2008 R2) are not supported on the Models 250, 550 and the 1U
xx20s because these models do not incorporate Virtual Technology (VT) support.
CMC Hardware Requirements Software and Operating System Requirements
A 19 inch (483 mm) two or four-post rack. The CMC has been tested with Mozilla Firefox version
2.x, 3.x and Microsoft Internet Explorer version 6.x and
Any computer that supports a Web browser with a color 7.x.
image display.
Note: JavaScript and cookies must be enabled in your
browser.
Note: If you want to encrypt your communication, you
must have a Secure Sockets Layer (SSL) capable browser.
Ethernet Network Compatibility

The Steelhead appliance supports the following types of Ethernet networks:
Ethernet Logical Link Control (LLC) (IEEE 802.2 - 2002)
Fast Ethernet 100 Base-TX (IEEE 802.3 - 2002)
Gigabit Ethernet over Copper 1000 Base-T and Fiber 1000 Base-SX (LC connector) (IEEE 802.3 - 2002)
The Primary port in the Steelhead appliance is 10 Base-T/100, Base-TX/1000, and Base-T/SX Mbps (IEEE
802.3 -2002). (The Primary port on the Model 100, 200 is Fast Ethernet only.)
In-path Steelhead appliance ports are 10/100/1000 Base-TX or Gigabit Ethernet 1000Base-T/SX (IEEE 802.3
– 2002) (depending on your order).
The Steelhead appliance supports VLAN Tagging (IEEE 802.1Q - 2003). It does not support the Cisco
InterSwitch Link (ISL) protocol.
All copper interfaces are auto-sensing for speed and duplex (IEEE 802.3 - 2002).
The Steelhead appliance auto-negotiates speed and duplex mode for all data rates and supports full duplex
mode and flow control (IEEE 802.3 – 2002).
The Steelhead appliance with a Gigabit Ethernet card supports Jumbo Frames on in-path and primary
ports.
SNMP-Based Management Compatibility

The Steelhead appliance supports a proprietary Riverbed MIB accessible through SNMP. SNMPv1 (RFCs
1155, 1157, 1212, and 1215), SNMPv2c (RFCs 1901, 2578, 2579, 2580, 3416, 3417, and 3418), and SNMPv3 are
supported, although some MIB items might only be accessible through SNMPv3 and SNMPv2.

Preface CMC Compatibility
SNMP support allows the CMC to be integrated into network management systems such as Hewlett
Packard OpenView Network Node Manager, BMC Patrol, and other SNMP-based network management
tools.
CMC Compatibility
The Steelhead appliance has been tested with the following Central Management Console (CMC) versions:
Steelhead Recommended CMC v6.0.x CMC v5.5.x CMC v5.0.x CMC v4.1.x
Appliance CMC Version
RiOS
Version
v6.1.x v6.0.x Manages all Steelhead Not supported Not supported Not supported
appliance v6.0.x features.
RiOS v6.1.x features may
be supported in
subsequent point
releases of CMC v6.0.
v6.0.x v5.5.3b Parity; Manages all CMC v5.5.3 and Not supported Not supported
Steelhead appliance later, manages
v6.0.x features. only v5.5
Steelhead
appliance
features.
v5.5.x v5.5.3b Parity; Manages all Parity CMC v5.0.4 and Not supported
Steelhead appliance later, manages
v5.5.4 and later features. all Steelhead
appliance v5.0
features.
Additional Resources
This section describes resources that supplement the information in this guide. It includes the following
sections:
“Online Notes,” next
“Riverbed Documentation” on page 13
“Online Documentation” on page 13
“Riverbed Knowledge Base” on page 13

Contacting Riverbed Preface
Online Notes
The following online file supplements the information in this manual. It is available on the Riverbed
Technical Support site at https://support.riverbed.com.
Online File Purpose
<product>_<version_number>.txt Describes the product release and identifies fixed problems, known
problems, and workarounds. This file also provides documentation
information not covered in the manuals or that has been modified since
publication.
Please examine this file before you begin the installation and configuration process. It contains important
information about this release of the CMC.
Riverbed Documentation
For a complete list of Riverbed documentation, log in to the Riverbed Technical Support Web site located at
https://support.riverbed.com.
Online Documentation
The Riverbed documentation set is periodically updated with new information. To access the most current
version of Riverbed documentation and other technical information, consult the Riverbed Technical
Support site located at https://support.riverbed.com.
Riverbed Knowledge Base

The Riverbed Knowledge Base is a database of known issues, how-to documents, system requirements, and
common error messages. You can browse titles or search for key words and strings.
To access the Riverbed Knowledge Base, log in to the Riverbed Technical Support site located at https://
support.riverbed.com.
Contacting Riverbed
This section describes how to contact departments within Riverbed.
Internet
You can find out about Riverbed products through our Web site at https://support.riverbed.com.
Riverbed Technical Support

If you have problems installing, using, or replacing Riverbed products contact Riverbed Technical Support
or your channel partner who provides support. To contact Riverbed Technical Support, please open a
trouble ticket at https://support.riverbed.com or call 1-888-RVBD-TAC (1-888-782-3822) in the United
States and Canada or +1 415 247 7381 outside the United States.

Preface Contacting Riverbed
Professional Services
Using Professional Services from Riverbed or an authorized Riverbed partner can make your deployment
even more of a success. Riverbed product training and consultation are available for any size deployment.
For details, please go to the Riverbed Professional Services Web site at or contact them directly at
proserve@riverbed.com.
Riverbed has staff of professionals who can help you with installation assistance, provisioning, network
redesign, project management, custom designs, consolidation project design, and custom coded solutions.
To contact Riverbed Professional Services go to http://www.riverbed.com or email
proserve@riverbed.com.
Documentation
We continually strive to improve the quality and usability of our documentation. We appreciate any
suggestions you might have about our online documentation or printed materials. Send documentation
comments to techpubs@riverbed.com.

CHAPTER 1 Overview of the CMC
This chapter provides an overview of the CMC. It includes the following sections:
“Overview of the CMC,” next
“Upgrading from Previous Versions of the CMC” on page 17
“Steelhead Appliance Auto-Registration” on page 21
“CMC Command-Line Interface” on page 23
“Connecting to the CMC” on page 23
“Navigating in the CMC” on page 28
“Getting Help” on page 30
This chapter assumes you have installed and performed the initial configuration of the CMC. For details,
see the Steelhead Central Management Console Installation Guide.
Overview of the CMC

The CMC facilitates the administration tasks for the Riverbed system:
Configuration - The CMC enables you to automatically configure new Steelhead appliances or to send
configuration settings to appliances in remote offices. The CMC utilizes policies and groups to facilitate
centralized configuration and reporting.
Monitoring - The CMC provides both high-level status and detailed statistics of the performance of
Steelhead appliances and enables you to configure event notification for managed Steelhead
appliances.
Management - The CMC enables you to start, stop, restart, and reboot remote Steelhead appliances.
You can also schedule jobs to send software upgrades and configuration changes to remote appliances
or to collect logs from remote Steelhead appliances.

Overview of the CMC Overview of the CMC
Centralized Configuration with Groups and Policies

The CMC utilizes appliance policies and appliance groups to facilitate centralized configuration and
reporting of remote Steelhead appliances. Groups are comprised of Steelhead appliances or sub-groups of
Steelhead appliances; all groups and Steelhead appliances are contained in the root default Global group.
Policies are sets of common configuration options that can be shared among different Steelhead appliances
independently or via group membership.
The following policy types are available:
Optimization Policy - Use optimization policies to manage optimization features such as the data
store, in-path rules, and SSL settings, in addition to many others. For details, see “Optimization Policy”
on page 94.
System Settings Policy - Use system settings policies to organize and manage system setting features
such as alarms, announcements, email notifications, log settings, and others. For details, see “Security
Policy” on page 94.
Networking Policy - Use networking policies to manage networking features such as asymmetric
routing, DNS settings, host settings, QoS settings, and others. For details, see “Networking Policy” on
page 94.
Security Policy - Use security policies to manage appliances in which security is a key component. For
details, see “Security Policy” on page 94.
Each policy type is made up of particular RiOS features. For example, system settings policies contain
feature sets for common system administration settings such as alarm settings, announcements, email
notification settings, among others, while security policies contain feature sets for encryption,
authentication methods, and user permissions.
Note: For details on policy types and their feature sets, see “Policy Types” on page 131.
Each group or Steelhead appliance can be assigned one of each type of policy. Because the Global group
serves as the root group, or parent, to all subsequent groups and appliances, any policies assigned to the
Global group provide the default values for all groups and Steelhead appliances.
Inheriting or Overriding Policy Settings from a Parent Group

Policies are comprised of feature sets whose values can be inherited from the parent group. By default, no
policies are assigned to the Global group, but any policies assigned to the global group can be inherited by
all groups and appliances. Similarly, specific feature sets in individual policies can be enabled, in which case
they override the values that would otherwise be inherited from a parent.
You can also assign different policies directly to groups and appliances. For flexibility, the policy you apply
can also be configured to inherit or override specific feature-set values from the nearest parent group.
For example:
A group uses optimization policy accG, whose in-path rules feature set specifies four rules.
An appliance in that group uses optimization policy accA, whose in-path rules feature set specifies
only three rules.

Upgrading from Previous Versions of the CMC Overview of the CMC
By de-selecting the Enable Page option for in-path rules in the accA policy definition, you ensure that
the appliance uses the accG In-Path Rules settings.
Note: For a more detailed example of how policy feature sets are configured and applied, see “How Policies and
Inheritance Work” on page 131.
Fetching Configurations
If a remote Steelhead appliance has been independently configured, you can fetch that configuration, which
can be saved as newly generated policies. These can then be applied to other appliances.
For details on fetching, see “Fetch Appliance Configuration” on page 113.
Upgrading from Previous Versions of the CMC

With v5.0 or later, there have been major changes in the structuring of groups and the association of
configurations to groups and appliances. With these changes, upgrade rules have been implemented to
transition from the old mechanisms to the new.
In some of the cases, there is no way to upgrade a CMC configuration to perfectly match the configuration
you had before.
This section includes the following sections:
“Group Membership,” next
“Profiles to Policies” on page 17
“Policy Association” on page 18
“General Appliance Configuration” on page 18
“Migration Procedures” on page 19
Group Membership
Before v5.0, a Steelhead appliance could belong to multiple groups. This feature gave you the flexibility to
create groups based on geographic locations or model number, and so forth. The groups could be used for
configuration or reporting.
After v5.0, each Steelhead appliance can only belong to one group. A group can be a member of another
group. This facilitates visualization of configurations and makes configuration management easier.
Profiles to Policies
With v5.0 or later, the CMC uses policies to associate feature sets with groups of Steelhead appliances. There
are the following types of policies: optimization, system, security, and network. Each type of policy contains
settings for different features. You can create one or more of these policies and assign one of each type to a
group or Steelhead appliance.

Overview of the CMC Upgrading from Previous Versions of the CMC
To upgrade profiles to policies, the CMC looks at each profile, converts each CLI command into
corresponding configuration settings, and separates the configuration out into the different policy types. If
there are no configuration settings for a particular type of policy, then a policy is not created. For example,
if the profile Foo has in-path settings and IPSEC configured, the CMC creates an optimization policy Foo
with the in-path configuration settings and a security policy Foo with the IPSEC configuration settings.
Policy Association
In previous versions, you were able to associate multiple common profiles with a group and multiple
profiles with a Steelhead appliance. The associated profiles are pushed out when an auto-configuration or
full configuration push is performed. When multiple profiles are associated with a group, they are applied
in alphabetical order. If there is a conflicting configuration, the last profile wins. After the group profiles are
applied, the profiles associated with the appliance itself are applied in order.
In v5.0 CMC or later, multiple policies of the same type cannot be associated with a group or appliance.
However, specified settings of the policy configuration can selectively override the policies of its ancestors.
You must set up the appliance hierarchy correctly to make use of the inheritance feature. Profiles are
automatically converted to policies. However, they are not automatically applied to appliances. This step
must be performed after the upgrade. For details, see “Migration Procedures” on page 19.
General Appliance Configuration

Appliance-specific profiles currently contain some non-appliance-specific configurations such as DNS,
routing information, encryption (IPSEC), host settings, and proxies. When upgrading to v5.5, a similar
process for upgrading common profiles to policies is followed:
1. Configuration - Non-appliance-specific configurations are saved as policies. Appliance-specific

configurations, such as CLI commands, are saved as settings in four appliance pages (Host Settings,
Base Interfaces, In-Path Interfaces, and SSL).
2. Assignment - Policies are created for the non-appliance-specific configuration aforementioned. Each
policy is named after the appliance from whose configuration it is generated. Watch for name collusion
with policies created from configurations fetched from the appliance.
3. Group Organization - Appliance group affiliation is retained as much as possible. With v5.0 or later,
appliances can only belong to one group. If an appliance belongs to more than one group, the appliance
is assigned to one of the preserved groups alphabetically.

Upgrading from Previous Versions of the CMC Overview of the CMC
Migration Procedures
This section describes a generic process for migrating to v5.5 or later. Because configurations vary greatly,
Riverbed recommends that you consult with Riverbed Professional Services before beginning the migration
process. This section describes the following procedures:
“Upgrading the CMC Software Version,” next
“Registering the Steelhead Appliances” on page 20
“Organizing Steelhead Appliances into Groups” on page 20
“Creating New Policies from Steelhead Configurations” on page 20
“Modifying Policies to Appliances and Appliance Groups” on page 21
“Assigning Policies to Appliances and Appliance Groups” on page 21
“Pushing Policy Configuration to Remote Appliances” on page 21
Upgrading the CMC Software Version

You can upgrade your software version in the Configure > Maintenance > Software Upgrade page.
To upgrade the software
1. Obtain the new image from Riverbed Technical Support and save it to a local directory.
2. Log in to the current CMC.
3. Click Configure to expand the Configure menu.
4. Choose Maintenance > Software Upgrade in the left menu to display the Configure > Maintenance >
Software Upgrade page.
5. Under Install Upgrade, select the From Local File option and specify the image you saved in Step 1.
6. Click Install Upgrade.
7. After the new image installs, reboot the CMC:

– Click Configure to expand the Configure menu.
– Choose Maintenance > Reboot/Shutdown to display the Configure > Maintenance > Reboot/
Shutdown page.
– Click Reboot.
After you click Reboot, you are logged out of the system, and it reboots.
Note: After upgrading, you should clear the cache of your browser to ensure that the CMC displays correctly.

Overview of the CMC Upgrading from Previous Versions of the CMC
Registering the Steelhead Appliances

You can register the Steelhead appliances in the Manage > Appliances page.
All Steelhead appliances registered in the CMC prior to the upgrade are automatically registered after the
upgrade. It might take a few moments for all the Steelhead appliances to appear.
For details on manually registering additional Steelhead appliances, see “Registering New Appliances” on
page 95.
Organizing Steelhead Appliances into Groups

You organize Steelhead appliances into groups in the Manage > Appliances page.
The upgrade process retains your existing groups. However, v5.0 or later restricts appliances to only one
group membership. As a result, if an appliance previously belonged to multiple groups, the upgrade
process selects one of the groups alphabetically.
For details on organizing appliances into groups, see “Moving Groups and Appliances” on page 116.
Creating New Policies from Steelhead Configurations

You can create policies by fetching configurations from Steelhead appliances in the Manage > Appliances
page.
Fetched configurations are automatically saved as policies, which can be managed and applied to
appliances and appliance groups.
When you create policies, you can set the values of feature sets directly or copy them from existing policy
configurations
Policies can also be made from scratch or based on other existing policies. For details on how policies work,
see “Understanding Policies and Policy Usage” on page 130.
To create new policies from existing Steelhead configurations
1. Choose Manage > Appliances to display the Appliances page.
2. Click the name of the appliance in the Groups and Managed Appliances column to display settings.
3. Scroll down to the Utilities panel.
4. In the Name to use for Fetched Policies field, type the complete name of the policy.
All policies generated from the selected appliance have the same name, but can be distinguished by
their policy types.
5. Click Fetch.
The fetched configuration can now be applied to appliances and appliance groups as policies. For
details on applying policies, see “Fetching Configurations” on page 17.
6. Repeat the preceding steps for each appliance.

Steelhead Appliance Auto-Registration Overview of the CMC
Modifying Policies to Appliances and Appliance Groups

You modify policies by fetching configurations from Steelhead appliances in the Manage > Policies page.
For details on modifying policies, see the following sections:
“Editing Policy Settings” on page 134
Appendix A, “Policy Parameters and Settings” on page 221
Assigning Policies to Appliances and Appliance Groups

You assign policies to appliances and appliance groups in the Manage > Appliances page.
For details on assigning policies, see “Assigning Policies” on page 136.
Pushing Policy Configuration to Remote Appliances

You push configurations to appliances and appliance groups in the Manage > Appliances page.
After assigning policies to appliances and appliance groups, you must push the configuration to the
affected appliances and appliance groups.
For details on pushing configurations to appliances, see “Pushing Policies to Appliances and Appliance
Groups” on page 118.
Steelhead Appliance Auto-Registration

Steelhead appliances must be registered with the CMC so that you can monitor and manage them with the
CMC.
Steelhead appliances are designed to send a registration request periodically to the CMC—either to an IP
address or hostname you specify when you run the Steelhead appliance installation wizard, or to a default
CMC hostname. In order for auto-registration with the default hostname to work, you must configure your
DNS server to map to the hostname riverbedcmc and the IP address of the CMC.
The steps you take to register Steelhead appliances with the CMC depend on the order in which you install
the products.
Note: After an Steelhead appliance is registered, you can set auto-configuration to automatically push the current
configuration when the Steelhead appliance connects. For details, see “Auto Configure” on page 98.
Note: During auto-registration, the Steelhead appliances do not send passwords to the CMC. Unless the password
value is modified in the Manage Appliances page, the CMC assumes the password is password. For details, see
“Managing Appliances and Appliance Groups” on page 91.

Overview of the CMC Steelhead Appliance Auto-Registration
If you install the CMC before you connect the Steelhead appliances
1. Set up a DHCP server to assign IP addresses in your network.
2. Install the CMC.
3. Use the CMC to complete the registration entries for remote appliances. Registration entries specify:
the serial number of the appliance.
the user name and password of the account through which the configuration must be performed
(defaults are admin and password).
an initial group assignment (optional).
4. Use the CMC to create the policy and group configuration objects you use to manage the Steelhead
appliances in your system:
Create and assign policies. For details, see “Creating Policy Settings” on page 133 and “Assigning
Policies” on page 136.
Create groups and assign appliances to the groups. Enable auto-configuration for each appliance in
the group. For details, see “Auto Configure” on page 98.
Appliances you have not assigned to groups are members of the default group Global. The
default group Global has the auto-configuration feature enabled.
Review the appliance configuration, add additional CLI commands (if any). For details, see
“Managing Appliances and Appliance Groups” on page 91.
5. Set up a DNS server to map to the hostname riverbedcmc and the IP address for the CMC.
6. Connect the remote Steelhead appliance primary network interface to the network and power it on.
When the Steelhead appliance contacts the CMC, the CMC sends the configuration to the remote
Steelhead appliance, the appliance is registered with the CMC, and the CMC begins collecting
performance metrics for the Steelhead appliance.
If you install the Steelhead appliances before you install the CMC
1. Set up a DHCP server to assign IP addresses in your network.
2. Install the remote Steelhead appliances.
3. Set up a DNS server to map to the hostname riverbedcmc and the IP address for the CMC.
4. Install the CMC.

When you view the CMC, the Steelhead appliances in your system appear in the Manage > Appliances
page. It might take as long as an hour for all Steelhead appliances to appear in the Manage >
Appliances page.
5. Create and assign policies. For details, see “Creating Policy Settings” on page 133 and “Assigning
Policies” on page 136.
6. Create groups and assign appliances to the groups.

Appliances you have not assigned to groups are members of the default group Global.

CMC Command-Line Interface Overview of the CMC
7. If necessary, complete the registration entries for the remote appliances by specifying:
the user name and password of the account through which the configuration must be performed
only if you are not using the defaults: admin and password.
an initial group assignment (optional).
For details, see “Managing Appliances and Appliance Groups” on page 91.
CMC Command-Line Interface

The CMC has a subset of CLI commands available for configuring the system.
For details, see the Riverbed Command-Line Interface Reference Manual.
Note: The CMC CLI cannot be used to configure remote Steelhead appliances. It can only be used to configure the CMC.
Connecting to the CMC

To connect to the CMC you must know the host, domain, and administrator password that you assigned
during the initial setup of the CMC. For details, see the Steelhead Central Management Console Installation
Guide.
To connect to the CMC
1. Enter the URL for the CMC in the location box of your browser:
protocol://host.domain
– protocol is http or https. The secure HTTPS uses the SSL protocol to ensure a secure environment.
When you connect using HTTPS, you are prompted to inspect and verify the SSL certificate. This is
a self-signed certificate used to provide encrypted Web connections to the CMC. The secure vault
does not protect the self-signed certificate used with HTTPS connections. It is re-created when the
appliance hostname is changed and when the certificate has expired.
– host is the IP address or hostname you assigned the CMC during initial configuration. If your DNS
server maps the IP address to a name, you can specify the DNS name.

Overview of the CMC Connecting to the CMC
– domain is the full domain name for the CMC.

The CMC Login page appears.
Figure 1-1. Login Page
2. In the Username text box, type the user login: admin, monitor, or a login from a RADIUS, or a
TACACS+ database.
For details on RADIUS and TACACS+ configuration, see “Configuring Security Settings” on page 56.
The default login is admin. Users with administrator privileges can configure and administer the
CMC. Users with monitor (monitor) privileges can view CMC reports.
3. In the Password text box, type the password you assigned in the configuration wizard of the CMC.
The CMC is shipped with the default password: password.

Connecting to the CMC Overview of the CMC
4. Click Log In to log in and display the Home page.

Figure 1-2. Home Page
Tip: Click the appliance IP address to display the Manage > Appliances page.

Overview of the CMC Connecting to the CMC
The Home Page

The Home page displays the following information for the CMC, appliance groups, and Steelhead
appliances.
Field Description
CMC Status System Uptime. Displays the time since the last reboot of the system.
Statistics for <group> This panel displays bandwidth optimization and optimized LAN throughput reports
over <period> / based on the group, period, and direction specified in the Web Preferences page.
<direction>
Bandwidth Optimization. This report displays the following:
• WAN Data - Displays the bytes sent and received (depending on direction) over the
WAN ports.
• LAN Data - Displays the bytes sent and received (depending on direction) over the
LAN ports (depending on direction).
• Total Data Reduction % - Displays the total decrease of data transmitted over the
WAN, according to the following calculation: (Data In – Data Out) and (Data In)*100.
• Optimized Bandwidth Capacity Increase - Displays Specifies the increase in the
amount of data transmitted over the WAN.
• Total Bandwidth Capacity Increase - Displays the increase in the amount of data
transmitted over the WAN, according to the following calculation:
1 and (1-Reduction Rate).
Optimized LAN Throughput. This report displays the following:
• Peak WAN/LAN Throughput - Displays the date and time of the peak data activity.
• 95th Percentile WAN/LAN Throughput - Displays the 95th percentile for data
activity. The 95th percentile is calculated by taking the peak of the lower 95% of
inbound and outbound throughput samples.
• Average LAN Throughput - Displays the average amount of data transmitted.
Summary for <group> This panel summarizes the number and status of the managed appliances of the
specified group.
• Healthy - Number of appliances currently optimizing.
• Degraded - Number of appliances appliance optimizing but have an issue. For
example, restart may be required.
• Disconnected - Number of appliances currently not connected.

Connecting to the CMC Overview of the CMC
Field Description
Appliances Address - Displays the hostname or IP address of the appliance.

Note: This table may be Model - Displays the model number of the appliance.
sorted by any of the
column headers. Version - Displays the software version running on the appliance.
Status - Displays the current status of the appliance.
Reduction - Displays the percentage of data reduction for the appliance.
Peak Throughput - Displays the peak data transmitted for the appliance.
Total Connections - Displays the total active connections.
Datastore Use - Displays the total data store use.
Established Connections - Displays the total established connections.
Optimized Connections - Displays the total optimized connections.

Half-Opened Connections - Displays the total half-opened connections.
Datastore Use - Displays the percent of data store usage.
Appliances Needing Address - Displays the hostname or IP address of the appliance.

Attention
Model - Displays the model number of the appliance.
Note: This table may be
sorted by any of the Version - Displays the software version running on the appliance.
column headers.
Groups Display Address - Displays the hostname or IP address of the appliance.

Note: This table may be Model - Displays the model number of the appliance.
column headers. Version - Displays the software version running on the appliance.

Overview of the CMC Navigating in the CMC
Field Description
Settings Home Page Options - Displays the home page options.

Note: This table may be Statistics Options - Displays the statistics options.
column headers.
Note: You can access the Management Console of any registered Steelhead appliance by clicking on the appliance
address under Appliances. For details on automatic sign in from the CMC, see “Configuring CMC Security Settings”
on page 58.
Navigating in the CMC

You go to the tools and reports available to you in the CMC using cascading menus.
To display cascading menus
1. Click the item in the menu bar to display the submenus.

For example, click Reports to display the submenus Steelhead, Appliance, Diagnostic, and Export
submenus. The menu item that is currently active is differentiated by a different tone of color.
2. To go to a page, slide your mouse down to the submenu item you want to display and click the menu
name.
For example, under Reports > Managed Steelheads, click Bandwidth Optimization to display the
Bandwidth Optimization page.
The following figure illustrates cascading menus in the CMC.
Figure 1-3. Cascading Menus

Navigating in the CMC Overview of the CMC
The following table summarizes the cascading menus.
Menu Submenus
Home Displays the Home page.
Configure Networking. Configure host settings (hostname, DNS servers, hosts, proxies, date and time) and
network interfaces (primary interface and routing). For details, see “Configuring Network Settings”
on page 32.
System Settings. Configure alarm settings, announcements, email settings, log settings, monitored
ports, SNMP settings, and Web settings from this menu. For details, see “Configuring System
Settings” on page 39.
Security. Configure general security parameters, RADIUS, TACACS+, and the secure vault from
this menu. For details, see “Configuring Security Settings” on page 56.
Maintenance. Start and stop system services, schedule jobs, upgrade software, backup
configurations, and reboot or shutdown the appliance from this menu. For details, see “Maintaining
Your System” on page 75.
My Account. Modify administrator user password,
Configurations. Manage configuration files for the system from this menu. For details, see
“Managing Configuration Files” on page 88.
Manage Appliances. Manage Steelhead appliances from this menu. You can create groups of appliances,
add appliances to a group, edit appliance information, filter information, and perform actions on
appliances such as CLI pushes, software upgrades, starting and stopping services, reboots,
shutdowns, and password changes. For details, see “Managing Appliances and Appliance Groups”
on page 91.
Policies. Create and manage optimization, system settings, network, and security policies for
groups of appliances from this menu. You can create new policies and assign specific features to a
particular policy. For details, see “Working with Policies” on page 130.
Operation History. View the history of operations such as upgrades, fetches, and reloads from this
menu. For details, see “Viewing and Managing System Operation History” on page 137.
Appliance Backup/Restore. Manage configuration backups from this menu. You can view, delete,
and restore configurations for a specified appliance. For details, see “Managing Appliance Backup/
Restore” on page 139.
Configure Upgrades. Manage the software image library and configure automatic upgrades. For
details, see “Configuring Upgrades” on page 142.
RSP. Manage the RSP appliance. For details, see “Configuring RSP Appliances” on page 144.
Reports Managed Steelheads. Create and display optimization reports such as bandwidth, data store hit
rate, data reduction, HTTP statistics, SSL servers, throughput, and traffic summary reports from this
menu. For details, see “Displaying Managed Steelheads Reports and Logs” on page 149.
Steelheads Diagnostics. Display and download Steelhead diagnostic reports such as user and
system logs, alarms status, system snapshots, system dumps, TCP dumps, and user permissions
from this menu. For details, see “Displaying Steelhead Diagnostics Reports” on page 197.
CMC Diagnostics. Display and download CMC diagnostic reports such as user and system logs,
alarms status, system snapshots, system dumps, TCP dumps, and user permissions from this menu.
For details, see “Displaying CMC Diagnostics Reports” on page 205.
Export. Export reports from this menu. For details, see “Exporting Performance Statistics Reports”
on page 217.
Support Display online help, links to product documentation, contact information for Riverbed Technical
Support, appliance details such as the model, revision type, serial number, and software version,
and appliance MIB files from this menu. For details, see “Getting Help” on page 30.

Overview of the CMC Getting Help
Saving Your Configuration

The Save icon on the menu bar saves the configurations. For details, see “Managing Configuration Files”
on page 88 files.
Printing Pages and Reports

You can print CMC pages and reports using the print option on your Web browser.
To print pages and reports

Choose File > Print in your Web browser to open the Print dialog box.
Getting Help
The Support tab provides you with the following options:
Online Help - Display online help and links to documentation on the Riverbed support site.
Technical Support - Display links and contact information for Riverbed Technical Support.
Appliance Details - Display appliance information such as the model number, hardware revision type,
serial number, and the software version number currently installed on the appliance.
MIB Files - Display Riverbed and appliance MIB files in text format.
Displaying Online Help

The CMC provides page level help for the appliance. You can also display an online help book for the CMC.
To display online help in the CMC

Click the question mark icon next to the page heading. The help for the page appears in a new browser
window.
To display the online help book
1. Click Support in the menu bar to display the Support page.
2. Click the Book icon for Browser-based online help to display the online help book for the appliance.
3. Go to the item you want to view using the left-pane table of contents.
For the most up-to-date documentation for the Steelhead appliance, see the Riverbed Technical Support
Web site at https://support.riverbed.com.
Logging Out
In the menu bar, click Logout to end your session.

CHAPTER 2 Configuring the CMC
This chapter describes how to modify CMC settings, manage configurations, upgrade software, and stop
and start the CMC. It includes the following sections:
“Configuring Network Settings,” next
“Configuring System Settings” on page 39
“Configuring Security Settings” on page 56
“Maintaining Your System” on page 75
“Changing the Administrative Password” on page 87
“Managing Configuration Files” on page 88
This chapter assumes you have installed and performed the initial configuration of the CMC. For details,
see the Steelhead Central Management Console Installation Guide.

Configuring the CMC Configuring Network Settings
Configuring Network Settings

The following section describes how to configure network settings in the CMC. It includes the following
sections:
“Configuring Host Settings,” next
“Configuring Settings for the Network Interfaces” on page 36
Configuring Host Settings

You can view and modify general host settings in the Host Settings page.
When you initially run the installation wizard, you set required network host settings for the CMC. You can
configure or modify the following settings:
Name - Modify the hostname only if your deployment requires it.
DNS Settings - Riverbed recommends that you use DNS resolution.
Hosts - If you do not use DNS resolution, or if the host does not have a DNS entry, you can add
additional hosts to the system.
Proxies - Configure proxy addresses for Web or FTP proxy access to the CMC.
Date and Time - Riverbed recommends that you configure NTP time synchronization.

Configuring Network Settings Configuring the CMC
To modify general host settings
1. Choose Configure > Networking > Host Settings to display the Host Settings page.
Figure 2-1. Host Settings Page

To change the hostname
1. Under Name, complete the configuration as described in the following table.
Control Description
Hostname Modify the hostname, if necessary.
Apply Applies your changes to the running configuration.
2. Click Save to save your settings permanently.
To specify DNS settings
1. Under DNS Settings, complete the configuration as described in the following table.
Control Description
Primary DNS Server IP Address Specify the IP address for the primary name server.
Secondary DNS Server IP Optionally, specify the IP address for the secondary name server.
Address
Tertiary DNS Server IP Address Optionally, specify the IP address for the tertiary name server.
DNS Domain List Specify an ordered list of domain names.

If you specify domains the system automatically finds the appropriate domain
for each of the hosts that you specify in the system.
2. Click Apply to apply the settings to the current configuration.
To add a new host
1. Under Hosts, complete the configuration as described in the following table.
Control Description
Add a New Host Displays the controls for adding a new host.
IP Address Specify the IP address for the host.
Hostname Specify a hostname.
Add Adds the host.
Remove Selected Click the check box next to the name and click Remove Selected.

To add a proxy
1. Under Proxies, complete the configuration as described in the following table.
Control Description
Web/FTP Proxy IP Address Specify the IP address for the Web/FTP proxy.
Port Specify the port for the Web/FTP proxy.
To configure the date and time
1. Under Date and Time, complete the configuration as described in the following table.
Control Description
Use NTP Time Add a New NTP Server. Click to display the controls to add a server.
Synchronization
Host Name or IP Address. Specify the hostname or IP address for the NTP server.
Version. Select the NTP server version from the drop-down list: 3 or 4
Enabled. Click to enable the connection to the NTP server.
Add. Adds the NTP server to the table list.
Remove Selected. Click the check box next to the name and click Remove Selected.
Set Time Manually Date. Specify the date in the following format: YYYY/MM/DD
Time. Specify the time in the following format: HH:MM:SS
Time Zone. Select the time zone from the drop-down list. The default is US/Pacific.
Note: If you change the time zone, log messages retain the old time zone until you
reboot the system.
Important: After you apply your settings, you can verify whether changes have had the desired effect by reviewing
related reports. When you have verified appropriate changes, you can write the active configuration that is stored in
memory to the active configuration file (or Save As any filename you choose). For details on saving configurations, see
“Managing Configuration Files” on page 88.

Configuring Settings for the Network Interfaces

You can view and modify settings for the Primary and Auxiliary interfaces in the Network Interfaces page.
On the appliance, the primary interface is the port you connect to the LAN switch. The primary interface is
the appliance management interface. You connect to the primary interface to use the Web UI or the CLI.
To configure network interface settings
1. Choose Configure > Networking > Network Interfaces to display the Network Interfaces page.
Figure 2-2. Network Interfaces Page

2. Under Primary Interface, complete the configuration as described in the following table.
Control Description
Obtain IP Address Automatically Specify this option to automatically obtain the IP address from a DHCP server.
A DHCP server must be available so that the system can request the IP address
from it.
Important: The primary and in-path interfaces can share the same subnet. The
primary and auxiliary interfaces cannot share the same network subnet.
Specify IP Address Manually Specify this option if you do not use a DHCP server to set the IP address.
Specify the following settings:
• IP Address. Specify an IP address.
• Subnet Mask. Specify a subnet mask.
• Primary Gateway IP. Specify the primary gateway IP address. The primary
gateway must be in the same network as the primary interface. You must set
the primary gateway for in-path configurations.
Speed Select a speed from the drop-down list. The default value is Auto.
Duplex Select Auto, Full, or Half from the drop-down list. The default value is Auto.
If your network routers or switches do not automatically negotiate the speed
and duplex, be sure to set them manually.
The speed and duplex must match (LAN and WAN) in an in-path
configuration. If they do not match, you might have a large number of errors on
the interface when it is in bypass mode, because the switch and the router are
not set with the same duplex settings.
MTU Specify the MTU value. The MTU is the largest physical packet size, measured
in bytes, that a network can send. The default value is 1500.
3. Under Auxiliary Interface, complete the configuration as described in the following table.
Control Description
Enable Aux Interface Enables an auxiliary interface.
Obtain IP Address Automatically Specify this option to set the appliance to automatically obtain the IP address.
Important: The primary and auxiliary interfaces cannot share the same network
subnet. The auxiliary and in-path interfaces cannot share the same subnet. You
cannot use the auxiliary port for out-of-path Steelhead appliances.
Specify IP Address Manually Specify the following settings:

Specify this option if you do not use a DHCP server to set the IP address.
Speed Select the speed from the drop-down list. The default value is Auto.

Control Description
Duplex Select Auto, Full or Half from the drop-down list. The default value is Auto.
and duplex, be sure to set them on the device manually.
configuration. To avoid a speed and duplex mismatch, configure your LAN
external pair to match the WAN external pair.
5. Click Save to save your changes permanently.
6. Under Main Routing Table, you can configure a static routing for out-of-path deployments or if your
device management network requires static routes.
You can add or remove routes from the table list.
.
Control Description
Add a New Route Adds a route.
Destination IP Address Specify the destination IP address for the out-of-path appliance or network
management device.
Subnet Mask Specify the subnet mask.
Gateway IP Address Specify the IP address for the gateway.
Add Adds the route to the table list.
7. Click Save to save your changes permanently.

Configuring System Settings Configuring the CMC
Configuring System Settings

This section describes how to configure settings to manage the system. It includes the following sections:
“Creating Announcements,” next
“Setting Alarm Parameters” on page 40
“Configuring Monitored Ports” on page 42
“Setting SNMP Basic Parameters and Trap Receivers” on page 43
“Setting SNMP v3 Parameters” on page 45
“Setting SNMP ACLs Parameters” on page 47
“Setting SNMP v3 Parameters” on page 45
“Setting SNMP ACLs Parameters” on page 47
“Setting Up Email Notifications” on page 50
“Configuring Logging” on page 53
Creating Announcements
You can create or modify a login message or a message of the day in the Announcements page.
The login message appears in the CMC Login page. The message of the day appears on the Home page and
when you first log in to the CLI.
To set an announcement
1. Choose Configure > System Settings > Announcements to display the Announcements page.
Figure 2-3. Announcements Page

Configuring the CMC Configuring System Settings
2. Use the controls to complete the configuration as described in the following table.
Control Description
Login Message Type a message in the text box to appear on the Login page.
MOTD Type a message in the text box to appear on the Home page.
Setting Alarm Parameters

You modify default parameters for CMC alarms for the CMC in the Alarms page.
Enabling this feature is optional.
When an alarm reaches the rising threshold, it is activated; it is reset when it reaches the lowest or reset
threshold. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold.
To set alarm parameters
1. Choose Configure > System Settings > Alarms to display the Alarms page.
Figure 2-4. Alarms Page

Control Description
CPU Utilization Specify this option to trigger an alarm if the average and peak threshold for the
CPU utilization is exceeded. When an alarm reaches the rising threshold, it is
activated; when it reaches the lowest or reset threshold, it is reset. After an alarm
is triggered, it is not triggered again until it has fallen below the reset threshold.
Set the following:
• Rising Threshold - Specify a whole number to specify a percent of CPU
utilization.
• Reset Threshold - Specify a whole number to specify a percent of CPU
utilization.
This alarm is enabled by default, with a rising threshold of 90% and a reset
threshold of 70%.
Temperature Specify this option to trigger an alarm when the CPU temperature exceeds the
rising threshold. When the CPU returns to the reset threshold, the rising alarm is
cleared. The default value for the rising threshold temperature is 70º C; the
default reset threshold temperature is 67º C.
• Rising Threshold - Specify the rising threshold (º C). When an alarm reaches
the rising threshold, it is activated. The default value is 70º C.
• Reset Threshold - Specify the reset threshold (º C). When an alarm reaches
the lowest or reset threshold, it is reset. After an alarm is triggered, it is not
triggered again until it has fallen below the reset threshold. The default value
is 67º C.
Note: This alarm setting appears only on appliance versions of the CMC.
Network Interface Link Errors Specify this option to trigger an alarm if network interface link errors are
detected.
Fan Error Specify this option to trigger an alarm if sensors detect a problem with the fans.
Memory Error Specify this option to trigger an alarm if ECC memory errors are detected. This
includes high rates of corrected errors and any uncorrected errors.
Extended Memory Paging Specify this option to trigger an alarm if extended memory paging activity is
Activity detected.
If 100 pages are swapped every couple of hours, the appliance is functioning
properly. If thousands of pages are swapped every few minutes, contact
Riverbed Technical Support.
This alarm is enabled by default.
System Disk Full Specify this option to trigger an alarm if the system disk becomes full.
Secure Vault Specify this option to trigger an alarm when the secure vault is locked. You can
unlock the vault with a password. For details, see “Managing User Permissions”
on page 61.
When the alarm is triggered, it provides a link to the Secure Vault page. Click the
link to display the Secure Vault page and unlock the vault. The alarm also
appears on the Reports > Diagnostics > Alarm Status page.
This alarm is enabled by default.

Control Description
Expiring SSL Certificates Specify this option to trigger an alarm when any certificate is expired or within
sixty days of expiring.
External Backups Specify this option to trigger an alarm when an automatic external backup
occurs.
Configuring Monitored Ports

You set the TCP ports that you want to monitor in the Monitored Ports page. The ports that you specify
appear in the Traffic Summary report. Make sure the description that you specify helps you identify the
type of traffic on the port.
The CMC automatically discovers all of the ports in the system that have traffic. Discovered ports, along
with a label (if one exists), are added to the Traffic Summary report. If a discovered port does not have a
label, then an unknown label is added to the discovered port. To change the unknown label to a name
representing the port, you must add the port with a new label. All statistics for this new port are preserved
from the time the port was discovered.
For details, see “Viewing Traffic Summary Reports” on page 158.
By default, traffic is monitored on ports 21 (FTP), 80 (HTTP), 139 (CIFS:NetBIOS), 443 (SSL), 445 (CIFS:TCP),
1352 (Lotus Notes), 1433 (SQL:TDS), 7830 (MAPI), 8777 (RCV), and 10566 (SnapMirror).
To configure monitored ports
1. Choose Configure > System Settings > Monitored Ports to display the Monitored Ports page.
Figure 2-5. Monitored Ports Page

2. To add a new monitored port, complete the configuration as described in the following table.
Control Description
Add Port Displays the controls to add a new port.
Port Number Specify the port to be monitored.
Port Description Specify a description of the type of traffic on the port.
Add Displays the controls for adding a port.
3. To modify a monitored port, click on the port and complete the configuration as described in the
following table.
Control Description
Apply Changes Applies your settings to the running configuration.
Cancel Cancels your actions.
Setting SNMP Basic Parameters and Trap Receivers

You configure SNMP basic contact and trap receiver settings to allow events to be reported to an SNMP
agent in the SNMP Basic page. Traps are messages sent by an SNMP agent that indicate the occurrence of
an event.
For details on SNMP traps sent to configured servers, see “SNMP Traps” on page 316.
By default, SNMP trap receivers are not confirmed.

To set SNMP Basic parameters
1. Choose Configure > System Settings > SNMP Basic to display the SNMP Basic page.
Figure 2-6. SNMP Basic Page
2. Under SNMP Server Settings, complete the configuration as described in the following table.
.
Control Description
Enable SNMP Traps Enables SNMP traps.
System Contact Specify the user name for the SNMP contact.
System Location Specify the physical location of the SNMP system.

Read-Only Community Specify a password-like string to identify the read-only community. For example: public.
String This community string overrides any VACM settings.

3. To add a new trap receiver, complete the configuration as described in the following table.
Control Description
Add a New Trap Receiver Displays the controls to add a new trap receiver.
Receiver IP Address Specify the destination IP address for the SNMP trap.
Destination Port Specify the destination port.
Receiver Type Click v1, v2c, or v3 (User-based Security Model) to select the SNMP version.
Community For v1 or v2 trap receivers, specify the SNMP community name; for example,
public or private v3 trap receivers need a remote user with an authentication
protocol, and a password and security level.
Enable Receiver Enables the trap receiver.
Add Adds a new trap receiver to the list.
Run a trap test Click Run to run the trap test.
4. Click Apply to apply your changes to the running configuration.
Setting SNMP v3 Parameters

You configure SNMP v3 contact settings to allow events to be reported to an SNMP agent in the SNMP v3
page. Traps are messages sent by an SNMP agent that indicate the occurrence of an event.
To set SNMP v3 parameters
1. Choose Configure > System Settings > SNMP v3 to display the SNMP v3 page.
Figure 2-7. SNMP v3 Page

2. To add a new trap receiver, complete the configuration as described in the following table.
Control Description
Add a New User Displays the controls to add a user.
User Name Specify the user name.
Authentication Protocol Select a authentication method from the drop-down list:

• MD5 - Specifies the Message-Digest 5 algorithm, a widely-used
cryptographic hash function with a 128-bit hash value. This is the default
value.
• SHA - Specifies the Secure Hash Algorithm, a set of related
cryptographic hash functions. SHA is considered to be the successor to
MD5.
Authentication Optionally, click either Supply a Password or Supply a Key to use while
authenticating users.
Password Specify a password. The password must have a minimum of eight

characters.
Password Confirm Confirm the password.

Setting SNMP ACLs Parameters

You configure SNMP ACLs contact settings to allow events to be reported to an SNMP agent in the SNMP
ACLs page. Traps are messages sent by an SNMP agent that indicate the occurrence of an event.

To set SNMP ACLs parameters
1. Choose Configure > System Settings > SNMP ACLs to display the SNMP ACLs page.
Figure 2-8. SNMP ACLs Page

2. Under Security Names, complete the configuration as described in the following table.
Control Description
Add a New Security Name Displays the controls to add a security name.
Security Name Specify a name to identify a requestor (allowed to issue gets and sets). The
security name may make changes to the View Based Access Control Model
(VACM) security name configuration.
Note: Traps for v1 and v2c are independent of the security name.
Community String Specify the password-like community string to control access. Use a
combination of uppercase, lowercase, and numerical characters to reduce the
chance of unauthorized access to the appliance.
Note: If you specify a read-only community string (located on the SNMP Basic
page under SNMP Server Settings), it takes precedence over this community
name and allows users to access the entire MIB tree from any source host. If
this is not desired, delete the read-only community string
Source IP Address and Mask Bits Specify the host IP address and mask bits to which you permit access using
the security name and community string
Add Adds the security name.
3. Under Groups, complete the configuration as described in the following table.
Control Description
Add a New Group Displays the controls to add a new group.
Group Name Specify a group name.
Security Model and Name Pairs Click the + button and select a security model from the drop-down list:
• v1 or v2c displays another drop-down menu; select a security name.
• v3 (usm) displays another drop-down menu, select a user.
To add another Security Model and Name pair, click the + button.
Add Adds the group name and security model and name pairs
4. Under Views, complete the configuration as described in the following table.
Control Description
Add a New View Displays the controls to add a new view.
View Name Specify a descriptive view name to facilitate administration.
Includes Specify the Object Identifiers (OIDs) to include in the view, separated by
commas; for example, .1.3.6.1.2.1.1.
By default, the view excludes all OIDs. You can specify .iso or any subtree
or subtree branch.
You can specify an OID number or use its string form; for example,
.iso.org.dod.internet.private.enterprises.rbt.products.steelhead.system.mo
del

Control Description
Excludes Specify the OIDs to exclude in the view, separated by commas. By default,
the view excludes all OIDs.
Add Adds the view.
5. Under Access Policies, complete the configuration as described in the following table.
Control Description
Add a New Access Policy Displays the controls to add a new access policy.
Group Name Select a group name from the drop-down list.
Security Level Determines whether a single atomic message exchange is authenticated.

Select one of the following from the drop-down list:
• No Auth. Does not authenticate packets and does not use privacy. This
is the default setting.
• Auth. Authenticates packets but does not use privacy.
Note: A security level applies to a group, not to an individual user.
Read View Select a view from the drop-down list.
Add Adds the configurations.
Setting Up Email Notifications

You can set email notification parameters for events and failures in the Email page.
By default email addresses are not specified for event and failure notification.

To set event and failure email notification
1. Choose Configure > System Settings > Email to display the Email page.
Figure 2-9. Email Page
2. Under Email Notifications, complete the configuration as described in the following table.
Control Description
SMTP Server Specify the SMTP server. You must have external DNS and external access for
SMTP traffic for this feature to function.
Important: Make sure you provide a valid SMTP server to ensure that the users
you specify receive email notifications for events and failures.
SMTP Port Specify the port number for the SMTP server.
Report Events via Email Specify this option to report events through email. Specify a list of email
addresses to receive the notification messages. Separate addresses by spaces,
semicolons, commas, or vertical bars.
Optionally, select any of the following options:
• Include Events from Managed Appliances. Click the check box to include
events from Steelhead appliances managed by the CMC appliance.
• Enable Event Aggregation. Click the check box to enable event aggregation
and specify the Aggregation Duration (minutes). This setting aggregates
events into a single notification for the specified duration.

Control Description
Report Failures via Email Specify this option to report failures through email. Specify a list of email
addresses to receive the notification messages. Separate addresses by spaces,
semicolons, commas, or vertical bars.
Report Failures to Technical Specify this option to report serious failures such as system crashes to Riverbed
Support Technical Support.
Specify the email addresses to which to send notification messages. Separate
addresses by spaces, semicolons, commas, or vertical bars.
Riverbed recommends that you activate this feature so that problems are
promptly corrected.
Important: This option does not automatically report a disk drive failure. In the
event of a disk drive failure, please contact Riverbed Technical Support at
support@riverbed.com.

Configuring Logging
You set up local and remote logging in the Logging page.
To set up logging
1. Choose Configure > System Settings > Logging to display the Logging page.
Figure 2-10. Logging Page
2. To rotate logs, click Rotate Logs.

3. Under Logging Configuration, complete the configuration as described in the following table.
Control Description
Minimum Severity Select the minimum severity level for the system log messages. The log contains all
messages with this severity level or higher. Select one of the following levels from the
drop-down list:
• Emergency. Emergency, the system is unusable.
• Alert. Action must be taken immediately.
• Critical. Conditions that affect the functionality of the Steelhead appliance.
• Error. Conditions that probably affect the functionality of the Steelhead appliance.
• Warning. Conditions that could affect the functionality of the Steelhead appliance,
such authentication failures.
• Notice. Normal but significant conditions, such as a configuration change.
• Info. Informational messages that provide general information about system
operations.
Note: This control applies to the system log only. It does not apply to the user log.
Maximum Number of Specify the maximum number of logs to store. The default value is 10.
Log Files
Lines Per Log Page Specify the number of lines per log page. The default value is 100.
Rotate Based On Specify one of the following rotation options:

• Time. Select Day, Week, or Month from the drop-down list.
• Disk Space. Specify how much disk space, in megabytes, the log uses before it rotates.
The default value is 16 MB.
5. To add a new log server, complete the configuration as described in the following table.
Control Description
Add a New Log Server Displays the controls for configuring new log servers.
Server IP Specify the server IP address.
Minimum Severity Select the minimum severity level for the log messages. The log contains all messages
with this severity level or higher. Select one of the following levels from the drop-down
list:
operations.
Add Adds the server to the list.

6. Click Rotate Logs to rotate the actions.
7. Under Per-Process Logging, complete the configuration as described in the following table.
Control Description
Add a New Process Logging Displays the controls for adding a process level logging filter.
Filter
Process Select a process to include in the log from the drop-down list:
• rbmd - Central Management Server.
• cli - Command Line Interface.
• mgmtd - Device control and management, which directs the entire device
management system. It handles message passing between various
management daemons, managing system configuration and general
application of system configuration on the hardware underneath through
the hald.
• hald - Hardware Abstraction Daemon, which handles access to the
hardware.
• pm - Process Manager, which handles launching of internal system daemons
and keeps them up and running.
• sched - Process Scheduler, which handles one-time scheduled events.
• statsd - Statistics Collector, which handles queries and storage of system
statistics.
• wdt - Watchdog Timer, the motherboard watchdog daemon.
• webasd - Web Application Process, which handles the Web user interface.
Minimum Severity Select the minimum severity level for the log messages. The log contains all
messages with this severity level or higher. Select one of the following levels
from the drop-down list:
• Emergency - Emergency, the system is unusable.
• Alert - Action must be taken immediately.
• Critical - Conditions that affect the functionality of the Steelhead appliance.
• Error - Conditions that probably affect the functionality of the Steelhead
appliance.
• Warning - Conditions that could affect the functionality of the Steelhead
appliance, such authentication failures.
• Notice - Normal but significant conditions, such as a configuration change.
• Info - Informational messages that provide general information about
system operations.
Add Adds the filter to the list. The process now logs at the selected severity and
higher level.
Remove Selected Click the check box next to the name and click Remove Selected to remove the
filter.

Configuring the CMC Configuring Security Settings
Configuring Security Settings

The following section describes how to configure security settings in the CMC. It includes the following
sections:
“Configuring General Security Settings,” next
“Configuring CMC Security Settings” on page 58
“Managing User Permissions” on page 61
“Configuring RADIUS Server Authentication” on page 68
“Configuring TACACS+ Server Authentication” on page 70
“Unlocking the Secure Vault” on page 72
“Configuring Management ACL” on page 73
“Configuring Web Settings” on page 74

Configuring Security Settings Configuring the CMC
Configuring General Security Settings

You can prioritize local, RADIUS, and TACACS+ authentication methods for the system and set the
authorization policy and default user for RADIUS and TACACS+ authorization systems in the General
Security Settings page.
Important: Make sure to put the authentication methods in the order in which you want authentication to occur. If
authorization fails on the first method, the next method is attempted, and so forth, until all the methods have been
attempted.
Tip: To set TACACS+ authorization levels (admin or read-only) to allow certain members of a group to log in, add the
following attribute to users on the TACACS+ server:
service = rbt-exec {
local-user-name = "monitor"
}
where you replace monitor with admin for write access.
For details on setting up RADIUS and TACACS+ servers, see the Steelhead Appliance Deployment Guide.
To set general security settings
1. Choose Configure > Security > General Security Settings to display the General Security Settings page.
Figure 2-11. General Security Settings Page
2. Under Authentication Methods, complete the configuration as described in the following table.
Control Description
Authentication Specifies an authentication method from the drop-down list. The methods are listed in the
Methods order in which they occur. If authorization fails on the first method, the next method is
attempted, and so forth, until all the methods have been attempted.
For RADIUS/ When checked, indicates fallback to a RADIUS or TACACS+ server only when all of the
TACACS+, fallback other servers have not responded. This is the default setting.
only when servers are
When this feature is disabled, the Steelhead appliance does not fall back to the RADIUS
unavailable
or TACACS+ servers. If it exhausts the other servers and does not get a response, it
returns a server failure.
Apply Applies your settings to the running configuration.

3. Under Authentication Map, complete the configuration as described in the following table.
Control Description
Authentication Map Appears only for some Authentication Methods. Optionally, select one of the following
Policy policies from the drop-down list:
• Remote First. Check the remote server first for an authentication policy, and only
check locally if the remote server does not have one set. This is the default behavior.
• Remote Only. Only checks the remote server.
• Local Only. Only checks the local server. All remote users are mapped to the user
specified. Any vendor attributes received by an authentication server are ignored.
Default User. Optionally, select Admin or Monitor from the drop-down list to define the
default authentication policy.
Configuring CMC Security Settings

You can configure CMC Security Settings in the CMC Security page.
CMC Security enables strict key verification to prevent rogue appliances from accessing the network with
a forged IP address (also known as spoofing). Riverbed strongly recommends enabling this feature if
appliance configurations contain sensitive data.

To set CMC security
1. Choose Configure > Security > CMC Security to display the CMC Security page.
Figure 2-12. CMC Security Page
2. Under Web Auto Sign On, use the controls to complete the configuration as described in the following
table.

This setting controls the login information used when the Management Console for an individual
Steelhead appliance is accessed directly from the Home page of the CMC. For details on accessing
appliance Management Consoles, see “The Home Page” on page 26.
Control Description
Never Select this option to require the current user to log in when the Management Console
opens.
Always Select this option to automatically log in as the registered user for the appliance when the
Management Console opens. For details on registered owner configuration, see “Editing
Appliance Panel” on page 97.
Note: The registered user must have administrative privileges.
When logged in as the Select this option to log in when the Management Console opens using the same user
appliance registered name used to log in to the CMC.
user
For this option to function properly, the CMC login must match the login configured for
the appliance’s registered user. For details on registered owner configuration, see
“Editing Appliance Panel” on page 97.
3. Under Appliance Connection, use the controls to complete the configuration as described in the
following table.
These settings control how the URLs are generated for the appliances shown on the Home page.
Control Description
Always use http Select this option to always generate the appliance URL using the HTTP protocol.
Always use https Select this option to always generate the appliance URL using the HTTPS protocol.
Use https if enabled, Select this option to generate the appliance URL automatically based on whether the
otherwise http appliance is SSL-enabled (HTTPS) or not (HTTP).
4. Optionally, under SSL, select the check box to enable Strict Key Verification.
Strict key verification prevents the CMC from inadvertently connecting with rogue Steelhead
appliances. If you select this option, the CMC will not connect with Steelhead appliances whose correct
SSH public keys are not known by the CMC. The CMC requires users to enter the Steelhead’s SSH
public key before allowing communication.
To create a key for a specific appliance, see “Using the Trust Appliances by Key Feature” on page 93.
5. Click Apply to apply the changes to the Web Auto Sign On, Appliance Connection, and SSL settings to
the current configuration.
6. Click Save to save the settings permanently.
7. Optionally, under Bulk SSL Import, use the controls described in the following table to import a SSL
configuration from a local file.
Control Description
File Specify the source file by typing in the filename or using Browse to specify the file.
Password Specify a valid password.
Import Click to complete the import from the specified file.

8. Optionally, under Bulk SSL Export, use the controls described in the following table to export a SSL
configuration to a local file.
Control Description
Include Server Select this option to include server certificates and private keys.
Certificates and Private
Keys
Password Specify a valid password.
Export Click to complete the export.
Managing User Permissions

You can change the administrator or monitor passwords, and define role-based users in the User
Permissions page.
This section describes the following:
“Capability-Based Accounts,” next
“Role-Based Accounts” on page 61
“Roles and Permissions” on page 63
“Permissions Specific to CMC Configuration” on page 66
“Permissions Required for Policy Administration” on page 66
Capability-Based Accounts
The system has two accounts based on what actions the user can take:
Admin - The administrator user has full privileges. For example, as an administrator you can set and
modify configuration settings, add and delete users, restart and reboot CMC services, and create and
view performance and system reports.
Monitor - A monitor user can view reports. A monitor user cannot make configuration changes or
change their own password.
Role-Based Accounts
You can also create users, assign passwords to the user, and assign configuration roles, including access to
group configurations to the user. A user role determines whether the user has permission to:
Deny - With deny privileges, you cannot view settings or make configuration changes for a feature.
Read-only - With read privileges, you can view current configuration settings but you cannot change
them.
Read/Write - With read and write privileges, you can view settings and make configuration changes
for a feature.
For example, you might have user Jane who can make configuration changes to QoS, PFS, and SSL whereas
user John can only view these configuration settings; and finally, user Joe cannot view or change the settings
for these features.

Available menu items reflect the privileges of the user. For example, any menu items that a user does not
have permission to use are dimmed. When a user clicks a dimmed link, the User Permissions page appears.
To set the administrator or monitor password
1. Choose Configure > Security > User Permissions to display the User Permissions page.
Figure 2-13. User Permissions Page
2. Under Capability-Based Accounts, complete the configuration as described in the following table.
Control Description
admin/monitor Click the magnifying glass to change the administrator or monitor password.
Enable Account. Click to enable or clear to disable the administrator or monitor account.
Use a Password. Enables password protection.
Password. Type a password in the text box. The password must have a minimum of six
characters.
Password Confirm. Confirm the new administrator password.

3. Under Role-Based Accounts, complete the configuration as described in the following table.
Control Description
Add a New User Displays the controls for creating new role based-accounts.
Account Name Specify a name for the role-based account.
Enable Account Enables the new role-based account.
Use a Password Select this box and specify a password in the Enter Password text box to require a user
password. The password must have a minimum of 6 characters.
Password Type the new password.
Password Confirm Retype the new password.
Roles and Permissions Grant the user one of the following privileges using the radio buttons:
• Deny - With deny privileges the user cannot view settings or make configuration
changes for a feature. This is the default.
• Read-Only - With read privileges the user can view current configuration settings for
the feature but cannot change them.
• Read/Write - With write privileges the user can view settings and make configuration
changes for a feature.
Roles are comprised of groups of settings. With write access permission the user can
change the configuration for these roles.
For details on available roles and permissions, see “Roles and Permissions” on page 63.
Add Click to add your settings to the system.

The new user appears in the User table at the bottom of the page.
Remove Selected Check the box next to the name and click Remove Selected to remove it from the list.
Roles and Permissions

The following tables describes the available roles and permissions that can be set for a user.
Roles and Permissions Description
CMC General Settings Grants access to CMC-specific settings including alarms, email
notifications, SNMP, and log settings.
Network Settings Modifies the CMC hostname and IP settings.
Security Settings Configures the CMC security settings, including RADIUS and
TACACS authentication settings and secure vault password.
CMC External Backup Creates or deletes configuration backups of the CMC.
Diagnostics Customizes the CMC system diagnostic logs.
Reports Changes how graphs and statistics are displayed in the CMC.

Appliance File Transfer Downloads logs off managed appliances.

Management
Policy Push Pushes out a policy to managed appliances.
Appliance Upgrade Upgrades an appliance managed by a CMC.
Operation Status Checks and clears the status of current and past push, fetch and
backup operations on the CMC.
Steelhead Backup Creates or deletes configuration backups of managed appliance.
CLI Command Scripts Click to enable privileges for using CLI scripts in configurations.
Groups Global Click to enable access to all groups and appliances within the
specified group (<group name>).
<group name>
Users are granted access to appliances and groups on a per-group
basis. There are no roles for individual appliances, only groups. In
order for users to edit an appliance, users must have write
permissions to the group that contains the appliance. Permissions are
governed based on the closest parent group to an appliance.
Note: By default, role-based management system users cannot display
any groups or appliances.
Steelhead General Settings Configures per source IP connection limit and the maximum
connection pooling size.
Network Settings Configures host and network interface settings, including DNS cache
settings.
QoS Enforces QoS policies.
Optimization Service Starts and stops the optimization service.
In-Path Rules Configures TCP traffic for optimization and how to optimize traffic by
setting in-path rules. Includes WAN visibility to preserve TCP/IP
address or port information.
For details on WAN visibility, see the Steelhead Appliance Deployment
Guide.
CIFS Optimization Enables CIFS optimization.
HTTP Optimization Configures enhanced HTTP optimization settings: cache settings,

keep-alive, insert cookie, file extensions to prefetch, and ability to set
up HTTP optimization for a specific server subnet.
Oracle Forms Optimizes Oracle E-business application content and forms

Optimization applications.
MAPI Optimization Optimizes MAPI and sets Exchange and NSPI ports.
SQL Optimization Configures MS-SQL optimization.
NFS Optimization Configures NFS optimization.
Notes Optimization Configures Lotus Notes acceleration.
SSL Optimization Configures SSL support.
Replication Configures replication optimization.

Optimization
Proxy File Service (PFS) Click to enable the PFS. This setting enables the user to configure the
CIFS prepopulation in optimization policies in the CMC.

Riverbed Services Adds functionality into a virtualized environment on the client

Platform (RSP) Steelhead appliance. The functionality can include a print server, a
streaming video server, and a package that provides core networking
services (DNS, DHCP, TFTP and Radius mirroring). For details, see
the Riverbed Command-Line Interface Reference Manual.
Security Settings Configures security settings, including RADIUS and TACACS

authentication settings and secure vault password.
Diagnostics Customizes system diagnostic logs, including system and user log
settings.
Reports Sets system report parameters.

Permissions Specific to CMC Configuration

To configure the CMC settings described in the Page column, users must have write privileges for the roles
and permissions specified.
Page Description
Host Settings Configures host settings.
Network Interfaces Configures network interfaces.
Announcements Configures the announcements.
Alarms Configures the alarms.
Monitored Ports Configures the monitored ports.
SNMP Configures SNMP.
Email Configures the email.
Logging Configures logging.
Web Preferences Configures the web preferences.
Permissions Required for Policy Administration

To configure the policy settings described in the Page column, users must have write privileges for the roles
and permissions specified.
Policy Type Page
Optimization Data Store
General Service Settings
In-Path Rules
Peering Rules
CIFS
HTTP
Lotus Notes
Oracle Forms
MAPI
MS-SQL
NFS
Performance
Service Ports
SSL General Settings
SSL Peering

Policy Type Page
System Settings Alarms
Announcements
Email Notification
Logs
Monitored Ports
SNMP
SSL Ciphers
Networking Asymmetric Routing
Caching DNS
Connection Forwarding
Encrypted Communication
Host Settings
NetFlow
QoS Classes
QoS Marking
Port Labels
Security General Security Settings
RADIUS
TACACS+
User Permissions
Web Settings
Routing
Simplified Routing
WCCP

Configuring RADIUS Server Authentication

You set up RADIUS server authentication in the RADIUS page.
RADIUS is an access control protocol that uses a challenge and response method for authenticating users.
Setting up RADIUS server authentication is optional.
For details on setting up RADIUS and TACACS+ servers, see the Steelhead Appliance Deployment Guide.
To set RADIUS server authentication
1. Choose Configure > Security > RADIUS to display the RADIUS page.
Figure 2-14. RADIUS Page
2. Under Default RADIUS Settings, complete the configuration as described in the following table.
Control Description
Set a Global Default Enables a global server key for the RADIUS server.
Key
Global Key Specify the global server key.

Control Description
Confirm Global Key Confirm the global server key.
Timeout (seconds) Specify the time-out period in seconds (1-60). The default value is 3.
Retries Specify the number of times you want to allow the user to retry authentication. The
default value is 1.
4. To add a new RADIUS server, complete the configuration as described in the following table.
Control Description
Add a RADIUS Server Displays the controls for defining a new RADIUS server.
Server IP Address Specify the server IP address.
Authentication Port Specify the port for the server.
Override the Global Overrides the global server key for the server.
Default Key
Server Key. Specify the override server key.
Confirm Server Key. Confirm the override server key.
Timeout (seconds) Specify the time-out period in seconds (1 - 60). The default value is 3.
Retries Specify the number of times you want to allow the user to retry authentication. Valid
values are 0-5. The default value is 1.
Enabled Enables the new server.
Add Adds the RADIUS server to the list.
Note: If you add a new server to your network and you do not specify these settings at that time, the global settings are
applied automatically.

Configuring TACACS+ Server Authentication

You set up TACACS+ server authentication in the TACACS+ page.
TACACS+ is an authentication protocol that allows a remote access server to forward a login password for
a user to an authentication server to determine whether access is allowed to a given system.
For details on configuring RADIUS and TACACS+ servers to accept login requests from the Steelhead
appliance, see the Steelhead Appliance Deployment Guide.
To set a TACACS+ server
1. Choose Configure > Security > TACACS+ to display the TACACS+ page.
Figure 2-15. TACACS+ Page

2. Under Default TACACS+ Settings, complete the configuration as described in the following table.
Control Description
Set a Global Default Specify this option to enable a global server key for the server.
Key
Confirm Global Key Confirms the global server key.
values are 0-5. The default is 1.
4. To add a TACACS+ server, complete the configuration as described in the following table.
Control Description
Add a TACACS+ Server Displays the controls for defining a new TACACS+ server, as described in this table.
Authentication Port Specify the port for the server. The default value is 49.
Authentication Type Click either PAP or ASCII to select the authentication type.
Override the Global Specify this option to override the global server key for the server.
Default Key
Server Key Specify the override server key.
Confirm Server Key Confirm the override server key.
Timeout (seconds) Specify the time-out period in seconds (1-60). The default is 3.
Add Adds the TACACS+ server to the list.
5. If you add a new server to your network and you do not specify these fields at that time, the global
settings are applied automatically.

Unlocking the Secure Vault

You can unlock and change the password for the secure vault in the Secure Vault page.
The secure vault contains sensitive information from your CMC configuration, including SSL private keys
and the data store encryption key. These configuration settings are encrypted on the disk at all times using
AES 256-bit encryption.
Initially the secure vault is keyed with a default password known only to the RiOS software. This allows
the system to automatically unlock the vault during system start up. You can change the password, but the
secure vault does not automatically unlock upon start up. You must unlock the secure store to manage SSL
configuration on the CMC and to unlock the secure stores on the Steelhead appliances.
To unlock or change the password of the secure vault
1. Choose Configure > Security > Secure Vault to display the Secure Vault page.
Figure 2-16. Secure Vault Page
2. Under Unlock Secure Vault, specify the password.

Initially the secure vault is keyed with a default password known only to the RiOS software. This
allows the system to automatically unlock the vault during system start up. You can change the
password, but the secure vault does not automatically unlock on start up.
Note: To optimize SSL connections or to use data store encryption, the secure vault must be unlocked.
3. Click Unlock Secure Vault.
4. Under Change Password, complete the configuration as described in the following table.
Control Description
Current Password Specify the current password. If you are changing the default password that ships
with the product, leave the text box blank.
New Password Specify a new password for the secure vault.

Control Description
New Password Confirm Retype the new password for the secure vault.
Change Password Changes the password to the new value.
Configuring Management ACL

You can modify Management ACL settings in the Management ACL page.
To modify Management ACL
1. Choose Configure > Security > Management ACL to display the Management ACL page.
Figure 2-17. Management ACL Page
2. Under Management ACL Settings, complete the configuration as described in the following table.
Control Description
Enable Management ACL Select this check box to enable management ACL.
Apply Applies the settings.
3. To add a new rule, complete the configuration as described in the following table.

Control Description
Add a New Rule Displays the controls for adding a new rule.
Action Select one of the following rule types from the drop-down list:
• Allow. Allows a matching packet access to the Steelhead appliance. This is the
default action.
• Deny. Denies access to any matching packets.
Service Optionally, select All, HTTP, HTTPS, SOAP, SNMP, SSH, or Telnet from the
drop-down list. When specified, the Destination Port is dimmed and unavailable.
Protocol Select ICMP, TCP, UDP, or All from the drop-down list.
Source Network Optionally, specify the source subnet of the inbound packet.
Interface Optionally, select an interface name from the drop-down list. Select All to specify
all interfaces.
Description Optionally, describe the rule to facilitate administration.
Rule Number Optionally, select a rule number from the drop-down list. By default, the rule
goes to the end of the table (just above the default rule). Steelhead appliances
evaluate rules in numerical order starting with rule 1. If the conditions set in the
rule match, then the rule is applied, and the system moves on to the next packet.
If the conditions set in the rule do not match, the system consults the next rule.
For example, if the conditions of rule 1 do not match, rule 2 is consulted. If rule 2
matches the conditions, it is applied, and no further rules are consulted.
Note: The default rule, Allow, which allows all remaining traffic from everywhere
that has not been selected by another rule, cannot be removed and is always listed
last.
Log Packets Tracks denied packets in the log. By default, packet logging is enabled.
4. Click Add to add the rule to the list.
Configuring Web Settings

You can modify Management Console Web user interface settings in the Web Settings page.

Maintaining Your System Configuring the CMC
To modify Web settings
1. Choose Configure > Security > Web Settings to display the Web Settings page.
Figure 2-18. Web Settings Page
2. Under Web Settings, complete the configuration as described in the following table.
Control Description
Default Web Login ID Specify the user name that appears on the authentication page. The default value is
admin.
Web Inactivity Timeout Specify the number of idle minutes before time-out. The default value is 15. A value of 0
disables time-out.
Allow Session By default, session time-out is enabled, which stops the automatic updating of the report
Timeouts on Auto- pages when the session times out. Clear this box to disable the session time-out, remain
Refreshing Pages logged-in indefinitely, and automatically refresh the report pages.
Important: Disabling this feature poses a security risk.
Maintaining Your System

This section describes how to view job status, upgrade your software, and how to shut down and reboot
the system. It includes the following sections:
“Working with External CMC Backups,” next
“Viewing Daily Maintenance Window Settings” on page 81
“Displaying Job Status” on page 82
“Managing Licenses” on page 84
“Upgrading Your Software” on page 85
“Rebooting and Shutting Down the CMC” on page 86

Configuring the CMC Maintaining Your System
Working with External CMC Backups

You can configure the backup of CMC configurations and Steelhead appliance statistics to an external
location in the External CMC Backups page.
The following types of data are backed up:
Steelhead appliance configuration information (policies, host settings, etc.) as configured by the CMC.
Steelhead appliance statistics (host settings, base interfaces, etc.) as reported by the CMC.
CMC configuration information (networking, system settings, security settings, etc.).
This type of backup is distinct from appliance backups, which serve an archival purpose for a specific
appliance. For details, see “Managing Appliance Backup/Restore” on page 139.
This section describes the following procedures:
“Configuring External CMC Backups,” next
“Performing Back Up Restore” on page 80
Configuring External CMC Backups

You can configure the external backups in the External CMC Backups page.

To configure external backups
1. Choose Configure > Maintenance > External CMC Backups to display the External CMC Backups page.
Figure 2-19. External CMC Backups Page

2. Under Backup Server, specify the external location for the backup by completing the configuration as
described in the following table.
the
Control Description
Protocol Select from drop-down list the file server protocol for the backup server for
storing or retrieving the backup: CIFS, NFS, or SSH.
Note: If you select an mount point and the same directory location is
subsequently exposed on CIFS, the backup may fail.
Host Name or IP Address Specify the hostname or IP address for the backup server.
Remote Path Specify the directory path on the backup server for the backup file.
Note: The directory must already exist on the backup server.
CIFS Domain (CIFS only) Specify the CIFS domain.
Tip: If the username corresponds to a local account (as opposed to a domain

account), this field should contain the NETBIOS name of the backup server.
User Name (CIFS only) Specify a valid user name for CIFS access.
Password (CIFS only) Supply a valid password for CIFS access.
Password Confirm Confirm the password for CIFS access.
CIFS Security Mode Select from the drop-down NTLM or NTLMv2..
Tip: Windows 2K is not supported with NTLMv2.
3. Under Backup Limits, specify the backup time, disk space, and maximum number of configurations, as
Control Description
Statistics Backup Time Limit Specify the maximum amount in time (minutes) for the back up process to take.
Specify 0 for no limit.
Note: If you set this value for less than sixty minutes, the initial backup may not
be complete. However, after several backups, the process will catch up with
itself and require less time than subsequent backups.
Backup Disk Space Limit Specify the amount of disk space (MB) allowed for backups.
Note: When the specified amount is exceeded, the oldest statistics are deleted in
turn (FIFO).
Maximum Configurations The maximum number of backups allowed on the backup server.
Retained
Note: When the specified number is exceeded, the oldest statistics are deleted in
turn (FIFO).

4. Under Scheduling, set the options to enable backing up of configurations and statistics data, as
Control Description
Enable Configuration Backup Enables the back up of appliance configuration data.

Scheduling
Complete the following settings:
• Configuration Backup Initial Date/Time - Specify the start date and time
using the following format: YYYY/MM/DD HH:MM:SS
• Configuration Backup Interval - Specify the interval in days between
backups.
Enable Statistics Backup Enables the backup of appliance statistic data.

Scheduling
Complete the following settings:
• Statistics Backup Initial Date/Time - Specify the start date and time using
the following format: YYYY/MM/DD HH:MM:SS
• Statistics Backup Interval - Specify the interval in days between backups.

Performing Back Up Restore

You can perform back up operations (i.e., creating, restoring, deleting) in the Backup Operations panel in
the External CMC Backups page.
To perform backup restore
1. Choose Configure > Maintenance > External CMC Backups to display the External CMC Backups page
and scroll to the bottom.
Figure 2-20. Configure > Maintenance > External CMC Backups Page
The Backup Operations panel displays the history of backup and restore operations for both
configuration and statistic data, as shown in the following table.
Operation Type Description Status Details
Configuration Backup Displays the status and timestamp of the An operation can have the following status:
Status most recent configuration backup.
• success, <timestamp>
Configuration Restore Indicates whether a configuration backup • running <time duration>, <percentage
Status restore is currently in process. complete>
Statistics Backup Displays the status and timestamp of the • failed <timestamp>
Status most recent configuration backup.
• failed <timestamp>, last success:
Statistics Restore Indicates whether a statistics backup <timestamp>
Status restore is currently in process. Note: A status of idle indicates that there is
no backup or restore history. The system does
not retain a record of backup and restore
statuses from prior to system startup
(including reboots).

2. Select the operation to be performed from the Backup Operation drop-down list.
3. Depending on the operation you select, additional fields will display, as described in the following table.
Operation Description
Perform Configuration Backup Performs a backup of the current appliance configurations.
Restore Configuration Backup Restores the specified configuration backup.

When this option is selected, additional fields dynamically display:
• Restore Back Name
• Restore Secure Vault
• Vault Password
• Restore Primary and Aux network interfaces
Remove Configuration Backup Removes the specified configuration backup.

When this option is selected, an additional field dynamically displays:
• Remove backup Name - Select the desired timestamped configuration
backup from the drop-down list.
Perform Statistics Backup Performs a backup of the current appliance statistics.
Restore Statistics Backup Restores the latest statistics backup.
4. Click Start to begin to selected operation.
Viewing Daily Maintenance Window Settings

You can view daily maintenance window settings in the Maintenance Window page.
To view daily maintenance window settings
1. Choose Configure > Maintenance > Maintenance Window to display the Maintenance Window page.
Figure 2-21. Maintenance Window Page
2. Complete the configuration as described in the following table.
Control Description
Start Time Enter the Start Time. Use the following format: HH:MM:SS.
End Time Enter the End Time. Use the following format: HH:MM:SS.
Apply Click Apply to save your settings.

Displaying Job Status

You can view completed, pending, inactive jobs, as well as jobs that were not completed because of an error
in the Scheduled Jobs page.
Jobs are CLI commands that execute at a time you specify.
The only jobs you can schedule using the CMC are software upgrades and configuration pushes; for all
other jobs, you must use the CLI.
For details on scheduling jobs using the CLI, see the Riverbed Command-Line Interface Reference Manual.
To display job status
1. Choose Configure > Maintenance > Scheduled Jobs to display the Scheduled Jobs page.
Figure 2-22. Scheduled Jobs Page
2. To cancel a job or to remove a completed job from the list, click the check box next to the entry and click
Remove Selected Jobs.
3. Click the Job ID number to display details about the job.
4. Optionally, under Details for Job <#>, complete the configuration as described in the following table.
Control Description
Name Specify a name for the job.
Comment Specify a comment.
Interval (seconds) Specify how often the job runs. The default value is 0, which runs the job once.
Executes On Specify the date on which the job runs.
Enable/Disable Job Enables the job.
Apply Changes Applies the changes to the current configuration.
Cancel This Job Cancels the job.
Execute Now Runs the job.
Remove Selected Jobs Click the check box next to the name and click Remove Selected Jobs.


Managing Licenses
You can install licenses and update or remove expired licenses on the CMC appliance in the Licenses page.
For more details, see the Steelhead Management Console User’s Guide. For details on hardware specifications
that require hardware upgrades, see the Upgrade and Maintenance Guide.
To install a license
1. Choose Configure > Maintenance > Licenses to display the Licenses page.
Figure 2-23. Licenses Page
2. Under Licenses, complete the configuration as described in the following table.
Control Description
Add a New License Displays the controls to add a new license.
Licenses Text Box Copy and paste the license key provided by Riverbed Technical Support or
Sales into the text box.
Tip: Separate multiple license keys with a space, Tab, or Enter.
Add Adds the license.

Removing a License
Riverbed recommends that you keep old licenses in case you want to downgrade to an earlier software
version.
To remove a license
1. Choose Configure > Maintenance > Licenses to display the Licenses page.
2. Select the license you want to delete.
3. Click Remove Selected.
Upgrading Your Software

You can upgrade or revert to a backup version of the software in the Software Upgrade page.
To upgrade or revert software versions
1. Choose Configure > Maintenance > Software Upgrade to display the Software Upgrade page.
Figure 2-24. Software Upgrade Page
2. To revert to a backed up version, click Switch to Backup Version under Software Upgrade.

3. Under Install Upgrade, complete the configuration as described in the following table.
Control Description
From URL Click this option and type the URL.

If you specify a URL in the URL text box, the image is uploaded, installed, and
the system is rebooted at the time you specify.
From Local File Click this option and type the path or click Browse to navigate to the local file
directory.
If you specify a file to upload in the Local File text box, the image is uploaded
immediately, however the image is installed and the system is rebooted at the
time you specify.
Schedule Upgrade for Later Schedules the upgrade process. Specify the date and time to run the upgrade:
• Date and Time. Use the following formats: YYYY/MM/DD, HH:MM:SS
Install Upgrade Installs the software upgrade on your system.

Cancel Cancels your changes.
4. Reboot the CMC.
Rebooting and Shutting Down the CMC

You can reboot or shut down the system in the Reboot/Shutdown page.
To restart the system, you must manually turn on the appliance. Rebooting the CMC does not affect the
optimization of the Steelhead appliances.
To reboot or shut down the system
1. Choose Configure > Maintenance > Reboot/Shutdown to display the Reboot/Shutdown page.
Figure 2-25. Reboot/Shutdown Page
2. Click Reboot. After you click Reboot, you are logged out of the system and it is rebooted.
3. Click Shutdown to shut down the system.

After you click Shutdown, the system is turned off.

Changing the Administrative Password Configuring the CMC
Changing the Administrative Password

You can change the admin password in the My Account page.
You must be logged in as the admin user to change the administrator password.
To change the admin password
1. Choose Configure > My Account to display the My Account page.

Figure 2-26. My Account Page
2. Under Password, complete the configuration as described in the following table.
Control Description
Change Password Select this option to change the password.
New Password Specify a new password.
Confirm New Password Confirm the new password.

Configuring the CMC Managing Configuration Files
Managing Configuration Files

You can save, activate, and import configurations in the Configurations page.
Each CMC has an active, running configuration and a written, saved configuration.
When you apply your settings in the CMC, the values are applied to the active running configuration, but
the values are not written to disk and saved permanently.
When you save your configuration settings, the values are written to disk and saved permanently. They
take effect after you restart the RiOS services to which the configuration was pushed.
Each time you save your configuration settings, they are written to the current running configuration, and
a backup is created. For example, if the running configuration is myconfig and you save it, myconfig is
backed up to myconfig.bak and myconfig is overwritten with the current configuration settings.
The Configuration Manager is a utility that enables you to save configurations as backups or to activate
configuration backups.
Important: Some configuration settings require that you to restart the Steelhead service for the settings to take effect.
For details on restarting the Steelhead service, see “Starting, Stopping, or Restarting Appliances and Appliance Groups”
on page 123.
To manage configurations
1. Choose Configure > Configurations to display the Configurations page.

Figure 2-27. Configurations Page

Managing Configuration Files Configuring the CMC
2. Under Current Configuration: <name>, complete the configuration as described in the following table.
Control Description
Current Configuration: View Running Configuration. Click to display the running configuration settings in a
<configuration name> new browser window.
Save. Click to save settings that have been applied to the running configuration.
Revert. Reverts your settings to the running configuration.
Save Current Specify a new filename to save settings that have been applied to the running
Configuration configuration as a new file, and then click Save.
3. To import a configuration from another appliance, click Import a New Configuration and complete the
configuration as described in the following table.
Control Description
IP/Hostname Specify the IP address or host name of the CMC from which you want to import the
configuration.
Remote Admin Specify the administrator password for the remote CMC.
Password
Remote Config Name Specify the name of the configuration you want to import from the remote CMC.
New Config Name Specify a new, local configuration name.
Import Shared Data This value is enabled by default.

Only
Copies only the following common settings: in-path and out-of-path interface, protocols,
CLI and Web, statistics, NTP, SNMP, and alarm settings. The system does not
automatically copy the following settings: failover, SNMP (contact and location), log, and
network settings.
Add Adds the configuration.

The imported configuration appears in the Configuration list but does not become the
active configuration until you click Activate.
Tip: Click the configuration name to display the configuration settings in a new browser window.
4. To change the currently active configuration, select another configuration from the drop-down list
under Change Active Configuration, and click Activate.
Important: You must restart the Steelhead service for a new configuration to take effect. For details, see “Starting,
Stopping, or Restarting Appliances and Appliance Groups” on page 123.

Configuring the CMC Managing Configuration Files

CHAPTER 3 Managing Appliance Groups
This chapter describes how to use the CMC to manage Steelhead appliance configurations using polices and
groups. It includes the following sections:
“Managing Appliances and Appliance Groups,” next
“Working with Policies” on page 130
“Viewing and Managing System Operation History” on page 137
“Managing Appliance Backup/Restore” on page 139
“Configuring Upgrades” on page 142
“Configuring RSP Appliances” on page 144
“Configuring RSP Image Library” on page 146
“Configuring RSP Package Library” on page 147
Managing Appliances and Appliance Groups

You manage appliances in the Appliances page.
The Appliances page displays a table of the currently registered Steelhead appliances and the groups into
which they are organized.
Figure 3-1. Appliances Page

Managing Appliance Groups Managing Appliances and Appliance Groups
The table includes the following columns:
Control Description
Groups and Managed Appliances Lists the Steelhead appliance by group membership. You can open and close
groups to show or hide the member groups and appliances.
Connection Specifies the status of the connection between the CMC and the Steelhead
appliance.
Branch Managed Specifies that a Steelhead appliance is branch managed. You cannot manage
this Steelhead appliance from the CMC.
Auto Configure Specifies that a Steelhead appliance is set for auto-configure and updates
automatically each time it connects.
Push Required Specifies that the configuration shared by this Steelhead appliance has
changed on the CMC and a push configuration is required to restore
synchronization.
Optimization Policy Displays the name of the optimization policy assigned to the group.
System Settings Policy Displays the name of the system settings policy assigned to for the group.
Networking Policy Displays the name of the networking policy assigned to for the group.
Security Policy Displays the name of the security policy assigned to for the group.
Branch Services Policy Displays the name of the branch services policy for the group.
Model Displays the hardware model information for listed Steelhead appliances.
You can perform the following tasks in the Appliances page:

Use keys to trust detected appliances - For details, see “Using the Trust Appliances by Key Feature,”
next.
Create appliance groups - For details, see “Creating a New Appliance Group” on page 94.
Register a new appliance - For details, see “Registering New Appliances” on page 95.
Edit appliance configurations - For details, see “Editing Appliance Configurations” on page 96.
Manage hostname settings on remote appliances - For details, see “Managing or Viewing Appliance
Host Settings” on page 99.
Manage base interfaces on remote appliances - For details, see “Managing or Viewing Appliance Base
Interfaces Settings” on page 100.
Manage in-path interface settings on remote appliances - For details, see “Managing or Viewing
Appliance In-Path Interface Settings” on page 102.
Manage SSL settings on remote appliances - For details, see “Managing or Viewing Appliance SSL
Remove groups and appliances from the CMC - For details, see “Removing Groups and Appliances”
on page 114.
Move groups and appliances from one group to another - For details, see “Moving Groups and
Appliances” on page 116.
Filter your display of appliance groups - For details, see “Filtering the Display of Appliances and
Appliance Groups” on page 117.
Perform operations on appliances or appliance groups - For details, see “Performing Operations on

Managing Appliances and Appliance Groups Managing Appliance Groups
Using the Trust Appliances by Key Feature

You can enable the CMC to trust detected Steelhead appliances based on an appliance-specific security keys
in the Appliances page.
This feature requires generating a key for the Steelhead appliance. For details, see “Managing or Viewing
Appliance SSL Settings” on page 105.
To use the Trust Appliances by Key feature
2. Scroll to the bottom of the page and toggle open the Trust Appliances by Key field.
Figure 3-2. Trust Appliances by Key Field
3. Paste in the keys for the appliances to be automatically trusted, and click Trust.
Note: If you enable the Strict Key Verification feature, you must create keys for all Steelhead appliances for them to
connect to the CMC. For details on Strict Key Verification, see “Configuring CMC Security Settings” on page 58.

Creating a New Appliance Group

You can create a new appliance group in the Appliances page.
An appliance group enables you to more effectively organize and manage Steelhead appliances. For
example, at the group level you can apply policies, push configurations, set passwords, and so forth.
Note: There is a maximum number of 256 groups that can be added.
To create a new group
2. To create a new group, click New Group.

Control Description
Name Specify the name for the group.
Parent Group Select the parent group for the group from the drop-down list. The default
parent is Global.
Optimization Policy Select the optimization policy for the group from the drop-down list. The
default value is None.
System Settings Policy Select the system settings policy for the group from the drop-down list. The
Networking Policy Select the networking policy for the group from the drop-down list. The
Security Policy Select the security policy for the group from the drop-down list. The default
value is None.
Branch Services Policy Select the branch services policy from the drop-down list. The default value is
None.

Control Description
Comment Specify a comment to help you identify the group.
Add Adds the group to your list of managed Steelhead appliances and groups.
Registering New Appliances

You can register new appliances in the Appliances page.
Registering a Steelhead appliance creates a connection between the CMC and the Steelhead appliance,
enabling you to perform configuration tasks for the appliance on the CMC. The CMC also collects statistical,
health, and connection history information from registered Steelhead appliances.
To add a new appliance to a group
2. To add a new appliance to a group, click New Appliance.

Control Description
Serial Number Specify the serial number for the appliance.
Host Name or IP Address Optionally, specify the IP address or hostname for the remote appliance.

Control Description
User Name Specify the administrator user name for the remote appliances.
Password Specify the corresponding password.
Confirm Password Confirm the corresponding password.
Optimization Policy Select the optimization policy for the appliance from the drop-down list. The
System Settings Policy Select the system settings policy for the appliance from the drop-down list. The
Networking Policy Select the networking policy for the appliance from the drop-down list. The
Security Policy Select the security policy for the appliance from the drop-down list. The
None.
Comment Specify a descriptive comment to help you identify the group.
Group Select from the drop-down list the group to which the new appliance belongs.
The default value is Global.
Branch Managed Select the check box to prevent any remote action from being performed on the
specified appliance. For example, you would not be able to push
configurations to this appliance from the CMC.
Disable Automatic Upgrades Select the check box to prevent automatic upgrades from being performed on
the specified appliance.
Auto Configure Select the check box to enable auto configure (used only when policies are
ready).
Add Adds the new appliance.
Editing Appliance Configurations

You can modify Steelhead appliance-specific configuration settings directly in the Appliances page. It
includes the following sections:
“Editing Appliance Panel,” next
“Editing Appliance Pages Panels” on page 98
Note: Changes are not applied to the appliance configuration until you have pushed the configuration to the appliance.
For details, see “Pushing Policies to Appliances and Appliance Groups” on page 118.

Editing Appliance Panel

You can edit appliance details in the Appliances page.
To edit an appliance configuration
2. Click the name of the appliance you want to edit to display the Edit Appliance panel.
3. Click the Edit Appliance tab to display the Edit Appliance panel.
Figure 3-5. Edit Appliance Panel
4. Modify the configuration as described in the following table.
Control Description
Host Name or IP Address Specify the IP address or hostname for the remote appliance.
User Name Specify the administrator user name for the remote appliances.
Password Specify the corresponding password.
Confirm Password Confirm the password.
Optimization Policy Select the optimization policy from the drop-down list. The default value is
None.
System Settings Policy Select the system settings policy from the drop-down list. The default value is
None.
Networking Policy Select the networking policy from the drop-down list. The default value is
None.
Security Policy Select the security policy selected from the drop-down list. The default value is
None.

Control Description
None.
Comment Specify a descriptive comment to help you identify the group.
Group Select the parent group from the drop-down list. The default value is Global.
Branch Managed Select to prevent configurations from being pushed to this appliance from the
CMC.
Disable Automatic Upgrades Select to prevent automatic upgrades as set in the Configure Upgrades page.
For details, see “Configuring Upgrades” on page 142.
Auto Configure Select to automatically push the current configuration (as defined by the
policies applied in this page to the appliance or appliance group) to the current
Steelhead appliance the next time it connects to the CMC.
Note: This feature is only available when the Steelhead appliance is
disconnected. This setting is automatically disabled after the push.
Trusted Select to add the trusted entity to the trusted peers list.
Note: This feature is only available when the Steelhead appliance is trusted.
Apply Applies the settings to the selected appliance configuration.

Note: The settings are not applied to the selected appliance until you push the
configuration to it.
Note: Changes are not applied to the appliance configuration until you have pushed the configuration to the appliance.
For details, see “Pushing Policies to Appliances and Appliance Groups” on page 118.
Editing Appliance Pages Panels

You can edit appliance pages panels in the Appliances page.
From the CMC, you can modify the following pages for a selected appliance:
Host Settings - For details, see “Managing or Viewing Appliance Host Settings,” next.
Base Interfaces - For details, see “Managing or Viewing Appliance Base Interfaces Settings” on
page 100.
In-Path Interfaces - For details, see “Managing or Viewing Appliance In-Path Interface Settings” on
page 102.
SSL - For details, see “Managing or Viewing Appliance SSL Settings” on page 105.
Licenses - For details, see “Managing or Viewing Licenses Settings” on page 111.
To edit appliance page configurations
3. Click the Appliance Pages tab to display the Appliance Configuration Pages panel.

4. Under Appliance Configuration Pages, click the name of the page whose settings you want to modify.
Figure 3-6. Appliance Configuration Pages
5. For detailed procedures on each configuration page, see:

“Managing or Viewing Appliance Host Settings,” next
“Managing or Viewing Appliance Base Interfaces Settings” on page 100
“Managing or Viewing Appliance In-Path Interface Settings” on page 102
“Managing or Viewing Appliance SSL Settings” on page 105
“Managing or Viewing Licenses Settings” on page 111
Managing or Viewing Appliance Host Settings

You can edit host settings in the Editing Appliance Configuration: <Appliance ID>, Host Settings page.
To modify host settings for the selected appliance
4. Under Appliance Configuration Pages, click Host Settings to display the Editing Appliance
Configuration: <Appliance ID>, Host Settings page.
Figure 3-7. Host Settings Page
5. Under Name, type or modify the Hostname value.

Managing or Viewing Appliance Base Interfaces Settings

You can edit base interface settings in the Editing Appliance Configuration: <Appliance ID>, Base
Interfaces page.
To modify base interfaces settings for the selected appliance
3. Click the Appliance Pages tab to display the Appliance Configuration panel.
4. Under Appliance Configuration Pages, click Base Interfaces to display the Editing Appliance
Configuration: <Appliance ID>, Base Interfaces page.
Figure 3-8. Base Interfaces Page

5. Under Primary Interface, modify the configurations as described in the following table.
Control Description
A DHCP server must be available so that the system can request the IP address
from it.
Specify IP Address Manually Specify this option if you do not use a DHCP server to set the IP address.
Specify the following settings:
• Primary Gateway IP. Specify the primary gateway IP address. The primary
gateway must be in the same network as the primary interface. You must set
the primary gateway for in-path configurations.
Speed Select a speed from the drop-down list. The default value is Auto.
Duplex Select Auto, Full, or Half from the drop-down list. The default value is Auto.
and duplex, be sure to set them manually.
configuration. If they do not match, you might have a large number of errors on
the interface when it is in bypass mode, because the switch and the router are
not set with the same duplex settings.
7. Under Auxiliary Interface, modify the configuration as described in the following table.
Control Description
Enable Aux Interface Enables an auxiliary interface.

Obtain IP Address Automatically Specify this option to set the appliance to automatically obtain the IP address.
Important: The primary and auxiliary interfaces cannot share the same network
subnet. The auxiliary and in-path interfaces cannot share the same subnet. You
cannot use the auxiliary port for out-of-path Steelhead appliances.
Specify IP Address Manually Specify the following settings:

Specify this option if you do not use a DHCP server to set the IP address.
Speed Select the speed from the drop-down list. The default value is Auto.

Control Description
Duplex Select Auto, Full or Half from the drop-down list. The default value is Auto.
9. Under Main Routing Table, complete the configuration as described in the following table.
.
Control Description
Add a New Route Displays the controls for adding a new route.
Destination IP Address Specify the destination IP address for the out-of-path appliance or network
management device.
Subnet Mask Specify the subnet mask.
Gateway IP Address Specify the IP address for the gateway. The gateway must be in the same
network as the primary or auxiliary interface you are configuring.
Add Adds the route to the table list.
Managing or Viewing Appliance In-Path Interface Settings

You can edit in-path interface settings in the Editing Appliance Configuration: <Appliance ID>, In-Path
Interfaces page.
To modify in-path interface settings for the selected appliance

4. Under Appliance Configuration Pages, click In-Path Interfaces to display the Editing Appliance
Configuration: <Appliance ID>, In-Path Interfaces page.
Figure 3-9. In-Path Interfaces Page
5. Select the interface you wish to edit.

When you select an interface, the configuration properties display.
Figure 3-10. Editing In-Path Interfaces Page

6. Modify the configuration as described in the following table.
Control Description
(A DHCP server must be available so that the Steelhead appliance can request
the IP address from it.)
Specify IP Address Manually Specify the following settings if you do not use a DHCP server to set the IP
address:
• IP Address. Specify an IP address. This IP address is the in-path main
interface.
• Subnet Mask. Specify the subnet mask.
• In-Path Gateway IP. Specify the IP address for the in-path gateway. If you
have a router (or a Layer-3 switch) on the LAN side of your network,
specify this device as the in-path gateway.
Important: If there is a routed network on the LAN-side of the in-path appliance,
the router that is the default gateway for the appliance must not have the ACL
configured to drop packets from the remote hosts as its source. The in-path
appliance uses IP masquerading to appear as the remote server.
LAN Speed and Duplex Speed. Select Auto, 1000, 100, or 10 from the drop-down list. The default value
is Auto.
WAN Speed and Duplex
Duplex. Select Auto, Full, or Half from the drop-down list. The default value is
Auto.
Important: Speed and duplex mismatches can easily occur in a network. For
example, if one end of the link is set at half or full-duplex and the other end of
the link is configured to auto negotiate (auto), the link defaults to half-duplex,
regardless of the duplex setting on the non-auto-negotiated end. This duplex
mismatch passes traffic, but it causes interface errors and results in degraded
optimization.
The following guidelines can help you avoid speed and duplex mismatches
when configuring the Steelhead appliance:
• Routers are often configured with fixed speed and duplex settings. Check
your router configuration and set it to match the Steelhead appliance WAN
and LAN settings. Make sure your switch has the correct setting.
• After you finish configuring the Steelhead appliance, check for speed and
duplex error messages (crc or frame errors) in the System Log page of the
Management Console.
• If there is a serious problem with the Steelhead appliance and it goes into
bypass mode (that is, it automatically continues to pass traffic through your
network), a speed and duplex mismatch might occur when you reboot the
Steelhead appliance. To avoid a speed and duplex mismatch, configure your
LAN external pair to match the WAN external pair.

Control Description
MTU (Bytes) Specify the MTU value. The MTU is the largest physical packet size, measured
VLAN Tag ID If you have enabled VLAN tagging, this field specifies a numeric ID.
Use the default value of 0 to leave the interface untagged.
When you specify the VLAN Tag ID for the in-path interface, all packets
originating from the Steelhead appliance are tagged with that identification
number. Specify the VLAN tag that the appliance uses to communicate with
other Steelhead appliances in your network. The VLAN Tag ID might be the
same value or a different value than the VLAN tag used on the client. A zero (0)
value specifies non-tagged (or native) VLAN.
For example, if the in-path interface is 192.168.1.1 in VLAN 200, you would
specify tag 200.
Note: When the Steelhead appliance communicates with a client or a server it
uses the same VLAN tag as the client or the server. If the Steelhead appliance
cannot determine which VLAN the client or server is in, it uses its own VLAN
until it is able to determine that information.
Note: You must also define in-path rules to apply to your VLANs.
Managing or Viewing Appliance SSL Settings

You can edit the SSL settings for a specific appliance in the Appliances page.
The following procedures are described in this sections:
“Accessing SSL Settings for a Specific Appliance,” next
“Displaying Certificate PEM” on page 106
“Replacing the SSL Certificate” on page 108
“Exporting Certificate” on page 110
“Generating Certificate” on page 110
Accessing SSL Settings for a Specific Appliance

All SSL settings for a specific appliance can be modified or viewed from the Appliance Pages panel.
To access the SSL settings for a specific application
3. Click the Appliance Pages tab.

4. Under Appliance Configuration Pages, click SSL to display the Editing Appliance Configuration:
<Appliance ID>, SSL page.
Figure 3-11. SSL Page
5. For detailed procedures on each configuration page, see:

“Displaying Certificate PEM,” next
“Replacing the SSL Certificate” on page 108
“Exporting Certificate” on page 110
“Generating Certificate” on page 110
Displaying Certificate PEM

You can display the certificate PEM for the selected appliance in the Editing Appliance Configuration:
To view peering certificate details

5. Click the Display Certificate PEM panel to display the contents.

Figure 3-12. Display Certificate PEM Panel

Replacing the SSL Certificate

You can replace SSL certificates for the selected appliance in the Editing Appliance Configuration:
To replace the SSL certificate
5. Click the Replace Certificate panel to display the contents.

Figure 3-13. Replace Certificate Panel

Control Description
Import Existing Private Key and Click this option if the existing private key and CA-signed certificate are located
CA-Signed Public Certificate in one file. The page displays a Private Key and CA-Signed Public Certificate
(One File in PEM or PKCS12 control for browsing to the key and certificate files or a text box for copying and
formats) pasting the key and certificate.
Note: The private key is required.
Local File. Browse to the local file.
Text. Paste the text content of the file into the text box.
Decryption Password. Specify the decryption password, if necessary.
Set. Sets the peer.
Import Existing Private Key and Click this option if the existing private key and CA-signed certificate are located
CA-Signed Public Certificate in two files. The page displays a Private Key and CA-Signed Public Certificate
(Two Files in PEM or DER control for browsing to the key and certificate, or a text box for copying and
formats) pasting the key and certificate.
Note: Importing the private key is optional.
Local File. Browse to the local file.
Certificate Text. Paste the certificate text content of the file into the text box.
Generate New Private Key and Click this option to generate a new private key and self-signed public certificate.
Self-Signed Public Certificate
Cipher Bits. Select the key length from the drop-down list. The default value is
1024.
Common Name. Specify the hostname of the peer.
Organization Name. Specify the organization name (for example, the company).
Organization Unit Name. Specify the organization unit name (for example, the
section or department).
Locality. Specify the city.
State. Specify the state.
Country. Specify the country (2-letter code only).
Email Address. Specify the email address of the contact person.
Validity Period (Days). Specify how many days the certificate is valid. The
default value is 730.
7. Click Set to set your settings.

Exporting Certificate
You can export the SSL certificate from the selected appliance in the Editing Appliance Configuration page.
To export the SSL certificate
5. Click the Export Certificate panel to display the contents.

Figure 3-14. Export Certificate Panel
6. Select the Include Private Key check box.
7. Type and confirm the password.
8. Click Export.
Generating Certificate
You can generate the certificate for the selected appliance in the Editing Appliance Configuration page.
To generate the certificate

5. Click the Generate Certificate panel to display the contents.

Figure 3-15. Generate Certificate Panel
Use the controls to complete the configuration as described in the following table.
Control Description
Common Name Specify the common name (hostname).
Organization Name Specify the organization name (for example, the company).
Organization Unit Name Specify the organization unit name (for example, the section or department).
Locality Specify the city.
State Specify the state.
Country Specify the country (2-letter code only).
Email Address Specify the email address of the contact person.
Generate CSR Generates the Certificate Signing Request.
Managing or Viewing Licenses Settings

This section describes how to view a license. It includes the following sections:
“Viewing Licenses,” next
For details, see the Steelhead Management Console User’s Guide.
Viewing Licenses
To view licenses

4. Under Appliance Configuration Pages, click Licenses to display the Editing Appliance Configuration
<Appliance ID>, Licenses page.
Figure 3-16. Edit Appliance Configuration <appliance>, Licenses Page
Controls Descriptions
Add a New License Displays the controls for adding a new license.
Text box Enter or paste the license into the text area.
Add Adds the new license.
Running Appliance Utilities

You can run appliance utilities (reconnecting and fetching configurations) in the Appliances page.
To run appliance utilities

3. Click Appliance Utilities to display the Editing Appliance Configuration <appliance>, Utilities panel.
Figure 3-17. Edit Appliances Utility Panel
4. Complete the configuration as in the following table.
Control Description
Fetch Appliance Configuration Name to use for Fetched Policies. Specify a text string to name the fetched
policies. The fetch policies are listed in the Policies page.
Fetch. Click to fetch the current configuration from the selected appliance. The
fetched configuration is contained in policies (optimization, system,
networking, and security) that can be applied to other groups and appliances.
The fetch process also updates the host settings, base interfaces, in-path
settings, and SSL settings. For details, see “Editing Appliance Configurations”
on page 96.
Note: You can view the status of the fetch in the Manage > Operation History
page.
Update Appliance Serial Number Update. Click to update the current configuration.
Reconnect Reconnect. Click to reconnect the CMC to the current appliance.

Note: Reconnecting does not affect policy configurations.
Backup, Restore, or Migrate State For detailed information, see “Managing Appliance Backup/Restore” on
page 139.
After clicking either Reconnect or Fetch, the Edit Appliance <serial number> panel closes.
Viewing Policies Inherited by the Appliance

You can view the policies that are inherited by the appliance in the Appliances page.
To view policies inherited by an appliance
2. Click the name of the appliance you want to view to display the Edit Appliance panel.

3. Click the Inherited Policies panel.

The Page column lists the policy feature and the Policy column displays the feature source.
Figure 3-18. Inherited Policies Page
Note: The Inherited Policies panel on this page lists the policies and feature sets that are inherited by the appliance. For
details on policies and policy inheritance, see “Understanding Policies and Policy Usage” on page 130
Removing Groups and Appliances

You can remove groups and appliances in the Appliances page.
To remove an appliance or a group

2. Select the check boxes next to the appliances or groups you want to remove.

3. Click Remove Selected.

When you remove a group, the child appliances in the group automatically move to the nearest
available grandparent, such as the Global group.

Moving Groups and Appliances

You can move groups and appliances from one parent group to another in the Appliances page.
To move groups and appliances

2. Select the check boxes next to the appliances or groups you want to move to another group.
3. Click Move Selected.

Arrows display next to all available groups where the selected items can be moved.
4. Click the arrow next to the group where you want to move the selected items.

Filtering the Display of Appliances and Appliance Groups

You can filter the display of managed appliances in the Appliances page.
For example, if you specify A16, only appliances and groups with that string in their identifiers display in
the list.
To filter the display managed appliances
2. Click the Filter tab to display the filter controls.

Figure 3-21. Filter Table
3. Type an expression into the desired fields to filter the display of appliances.
You can filter by the following string values:
– Group Name
– Address or Serial Number
– Model Number
– Software Version
– Connection State
– Health Status
– Optimization Policy
– System Settings Policy
– Networking Policy
– Security Policy
– Branch Services Policy
4. Click Apply Filter to display only the appliances that match the filtered criteria.

Performing Operations on Appliance Groups

You can perform the following operations on selected appliances and appliance groups in the Appliances
page:
Push Policies - Push configurations to selected appliances and appliance groups. For details, see
“Pushing Policies to Appliances and Appliance Groups” on page 118.
Upgrade Software - Upgrade the software images on selected appliances and appliance groups. For
details, see “Upgrading Appliances and Appliance Groups” on page 120.
Start/Stop Services - Start and stop the system service on selected appliances and appliance groups.
For details, see “Starting, Stopping, or Restarting Appliances and Appliance Groups” on page 123.
Reboot - Reboot selected appliances and appliance groups. For details, see “Rebooting Appliances and
Shutdown - Shutdown the system on selected appliances and appliance groups. For details, see
“Shutting Down Appliances and Appliance Groups” on page 125.
Set Password - Set the password for administrator and monitor users on selected appliances and
appliance groups. For details, see “Setting the Password on Appliances and Appliance Groups” on
page 126.
Unlock Secure Vault - Unlock the Secure Vault on selected appliances and appliance groups. When the
vault on an appliance is locked, you might be unable to push some configuration settings. For details,
see “Unlocking the Secure Vault” on page 127.
Change Secure Vault Password - Change the password for the Secure Vault on selected appliances and
appliance groups. For details, see “Changing the Secure Vault Password” on page 128.
Send CLI Commands - Send a set of CLI commands to the selected appliances and groups. For details,
see “Sending CLI Commands to Appliances and Appliance Groups” on page 129.
Pushing Policies to Appliances and Appliance Groups

You can push CMC configurations (in the form of policies) to selected appliances or appliance groups in the
Appliances page.
Any changes made to policies on the CMC do not take effect on Steelhead appliances until the new
configurations are pushed to the Steelhead appliance.
Note: Any time you push CMC configurations (in the form of policies) to selected appliances or appliance groups,
appliance page configurations are also pushed. Similarly, appliance page configurations are also populated when you
fetch policies from an appliance. For details on appliance page configurations, see “Editing Appliance Configurations”
on page 96. For details on fetching configurations from appliances, see “Running Appliance Utilities” on page 112.
To push a configuration to an appliance or an appliance group
2. Click Appliance Operations tab to display the operation options.

3. Select Push Policies from the operation drop-down list.

4. Under Push Policies, complete the configuration as described in the following table.
Control Description
Restart Service If Required Click to restart the targeted services after the push, if required based on the
type of configuration changes.
Schedule Deferred Push Specify the date and time using the following formats:
YYYY/MM/DD, HH:MM:SS
If this option is not selected, the push occurs the next time the appliance
connects.
Push Click the check box next to the name of the appliance and appliance groups
you want to change and click Push to push the configuration to the selected
appliances or appliance groups.
The results of this operation can be viewed in the Operation History page. For details, see “Viewing
and Managing System Operation History” on page 137.

Upgrading Appliances and Appliance Groups

You can upgrade the software image on selected appliances or groups in the Appliances page.
Software images can be obtained from a URL or the image library, which is managed on the Configure
Upgrades page. For details, see “Configuring Upgrades” on page 142.
To upgrade appliances or appliance groups

3. Select Upgrade Software from the operation drop-down list.



.
Control Description
Image Source This panel provides the same set of options for 32-bit appliances and 64-bit
appliances, and for transitioning to 64-bit.
Note: To install a 64-bit image on a supported Steelhead currently running a 32-
bit image, the Steelhead must first be upgraded to at least 4.1.7c (for 4.1.x
Steelhead appliances) or 5.0.5c (for 5.0.x Steelhead appliances). Only after this
upgrade can the Steelhead can be further upgraded to 64-bit 5.5.0 or higher.
Under the appropriate set, select and configure one of the following options:
• From the Library - Specify this option to specify an image currently in the
Image Library. Select the image from the Image drop-down list.
• From a URL - Specify the URL source for the software image. When the
upgrade is performed, the CMC sends the URL to the Steelhead appliance,
which obtains the image from the URL directly (as opposed to from the
CMC).
Upgrade Options Select one of the following options:

• Upgrade Now - Upgrades the image immediately
• Schedule Upgrade - Optionally, specify this option to schedule the upgrade
for a specific date and time. Use the following the formats: YYYY/MM/DD,
HH:MM:SS
Reboot Options Select one of the following options:

• Do not reboot after upgrade - Does not reboot the selected appliances or
appliance groups in conjunction with the upgrade.
When this option is selected, the upgraded appliances do not automatically
upgrade when rebooted. To complete the upgrade process, reboot the
appliances using the Reboot operation with the Switch to Backup Partition
option. For details, see “Rebooting Appliances and Appliance Groups” on
page 124.
• Reboot immediately after upgrade - Reboots the selected appliances or
appliance groups immediately after upgrade.
• Schedule a reboot after upgrade - Reboots the selected appliances or
appliance groups to the upgraded version at the specified date and time
(YYYY/MM/DD, HH:MM:SS).
Upgrade Click the check box next to the name of the appliance and appliance groups you
want to change and click Upgrade to install the software image on the selected
appliances or appliance groups.


Starting, Stopping, or Restarting Appliances and Appliance Groups

You can start, stop, and restart selected appliances and appliance groups in the Appliances page.
To start, stop, or restart an appliance or an appliance group
3. Select Start/Stop Services from the operation drop-down list.

Control Description
Service Action Select Start, Stop, or Restart from the drop-down list.
Clean Data Store Specify this option to clean the data store.
Schedule Deferred Service Action Specify the date and time. Use the following formats:
Apply Click Apply to apply your changes to the selected appliances or appliance
groups.

Rebooting Appliances and Appliance Groups

You can reboot selected appliances and appliance groups in the Appliances page.
To reboot an appliance or an appliance group
3. Select Reboot from the operation drop-down list.

Control Description
Switch to the Backup Partition Select this option to have the selected appliances upgrade to loaded versions
when they reboot.
Note: This step is required to complete an upgrade that was configured with the
Do not reboot after upgrade option. For details, see “Upgrading Appliances
and Appliance Groups” on page 120
Schedule Deferred Reboot Specify the date and time for scheduled reboot. Use the following formats:
5. Click Reboot to reboot the selected appliances or appliance groups.


Shutting Down Appliances and Appliance Groups

You can shut down selected appliances and appliance groups in the Appliances page.
To shut down an appliance or an appliance group
3. Select Shutdown from the operation drop-down list.

Control Description
Clean Data Store Specify to clean the data store.
Schedule Deferred Shutdown Specify the date and time. Use the following formats:
Shutdown Select the check box next to the name of the appliance and appliance groups
you want to shut down and click Shutdown.

Setting the Password on Appliances and Appliance Groups

You can set the password on selected appliances and appliance groups in the Appliances page.
To set the password on an appliance or an appliance group
3. Select Set Password from the operation drop-down list.

Control Description
User Type Admin or Monitor in the text box.
Password Specify the password.
Confirm Password Confirm the password.
Set Password Click Set Password to set the specified password.
Note: The CMC sets the password for the user the CMC is using to connect with the Steelhead appliance. The CMC
automatically updates the password that is used by the CMC to connect with the Steelhead appliance.

Unlocking the Secure Vault

You can unlock the Secure Vault on selected appliances and appliance groups in the Appliances page.
When the vault on an appliance is locked, you might be unable to push some configuration settings.
To unlock the secure vault on an appliance or an appliance group
3. Select Unlock Secure Vault from the operation drop-down list.

4. Enter the password and click Unlock Vault to unlock the secure vault on the selected appliances and
appliance groups.

Changing the Secure Vault Password

You can change the password for the Secure Vault on selected appliances and appliance groups in the
Appliances page.
Note: The CMC must already know the current Secure Vault password, which is set on the SSL configuration page of
each appliance. This operation automatically updates the CMC’s stored copy of each selected appliance’s password.
To change the secure vault password on an appliance or an appliance group
3. Select Change Secure Vault Password from the operation drop-down list.
4. Enter and confirm the new vault password.
5. Click Change Password to change the vault password.


Sending CLI Commands to Appliances and Appliance Groups

You can send CLI commands to selected appliances and appliance groups in the Appliances page.
To send CLI commands to an appliance or an appliance group
3. Select Send CLI Commands from the operation drop-down list.


Managing Appliance Groups Working with Policies
Control Description
Text field Paste or type in the set of CLI commands.

Note: Each command must be on a separate line.
Schedule Deferred Command Select this option to schedule a deferred command and specify the date and
Execution time. Use the following formats:
Send Click Send to send the commands.
Working with Policies

This section describes how to configure and apply policies that facilitate centralized management and
configuration of Steelhead appliances. It includes the following sections:
“Understanding Policies and Policy Usage,” next
“Creating Policy Settings” on page 133
“Editing Policy Settings” on page 134
“Assigning Policies” on page 136
Understanding Policies and Policy Usage

This section describes policies and policy usage. It includes the following sections:
“How Policies and Inheritance Work,” next
“Policy Types” on page 131

Working with Policies Managing Appliance Groups
How Policies and Inheritance Work

A policy is a collection of configuration settings that can be applied to Steelhead appliances or groups of
Steelhead appliances. The configuration settings can be inherited by all members of the group.
All groups and Steelhead appliances are contained within the Global group. As a result, all policy
configurations from the Global group are inherited by all child groups and Steelhead appliances. For
details, see “Inheriting or Overriding Policy Settings from a Parent Group” on page 16.
To modify these configurations, you can apply different policies at the group or Steelhead appliance level.
For greater flexibility, you can configure policies to inherit some feature-set values from the parent group
but override others.
The diagram below shows how policy settings flow from the parent group to child groups and Steelhead
appliances:
The blue circles represents policy feature sets at the parent level.
The red squares represents policy feature sets at the child level that override the parent settings.
The green triangles represents policy feature sets at the child level that inherit the parent settings.
Example A Example B Example C
Parent policy parameters: S1 S2 S3 S4 S1 S2 S3 S4 S1 S2 S3 S4
Child policy parameters: S1 S2 S3 S4 S1 S2 S3 S4 S1 S2 S3 S4
Resulting policy config: S1 S2 S3 S4 S1 S2 S3 S4 S1 S2 S3 S4
The resulting policy configuration is a combination of feature sets inherited from the parent and feature sets
from the policy are applied to the child Steelhead appliance or group.
Policy Types
Each policy type is made up of particular RiOS features. Only one of each kind of policy type can be applied
to a group or an appliance.

The following table summarizes the available policies and their respective feature sets.
Type Description
Optimization Policy Use optimization policies to organize appliances in which optimization is a key
component. Optimization policies include the following feature sets:
• General Service Settings • Protocols MS-SQL

• In-Path Rules • Protocols NFS
• Peering Rules • Protocols Lotus Notes
• Service Ports • Protocols Citrix ICA
• Data Store • Windows Domain Auth
• Performance • SSL Main Settings
• Protocols CIFS • SSL Peering
• Protocols CIFS Prepopulation • Certificate Authorities
• Protocols HTTP • SSL Advanced Settings
• Protocols Oracle Forms • Secure Peering (IPSEC)
• Protocols MAPI
System Settings Policy Use system settings policies to organize and manage the following feature sets:
• Announcements • SNMP v3
• Alarms • SNMP ACLs
• Monitored Ports • Email
• SNMP Basic • Logging
Networking Policy Use networking policies to manage the following networking feature sets:
• Host Settings • Flow Export

• WCCP • QoS Classification
• Simplified Routing • QoS Marking
• Asymmetric Routing • Port Labels
• Connection Forwarding
Security Policy Use security policies to manage appliances in which security is a key
component. Security policies include the following feature sets:
• General Security Settings • TACACS+

• User Permissions • Management ACL
• RADIUS • Web Settings
Branch Services Policy Use branch services policies to manage the following feature sets:
• Caching DNS
• RSP Slots
• RSP Dataflow
For details on RiOS feature sets, see the Steelhead Management Console User’s Guide.

Creating Policy Settings

You can create new policies in the Policies page.
To create a new policy
1. Choose Manage > Policies to display the Policies page.
2. To create a new policy, click Create New Policy.

Figure 3-31. Polices Page
Control Description
Policy Name Specify the name for the policy.
Type Select one of the following policy types from the drop-down list:
• Optimization - Configures optimization features.
• System Settings - Configures system settings features.
• Networking - Configures networking features.
• Security - Configures security features.
• Branch Services - Configures branch services features.
For a detailed description of policy types, see “Policy Types” on page 131.
Description Specify a description to help you identify the policy.
Copy Contents From Policy Select a policy from the drop-down list. The default value is None.
Use this feature to duplicate identical feature sets of an existing policy. You can
then modify individual settings in the new policy.
CLI Commands Optionally, paste or type in commands (one command per line) to be pushed to
an appliance using this policy.
Remove Selected Policies Click the check box next to the name of the policy and click Remove Selected
Policies.

4. Click Add to add the new policy to the system.

After creating a new policy, you can modify the feature-set values, as described in “Editing Policy
Editing Policy Settings

You can edit existing policies in the Policies page.
Each type of policy is comprised of a distinct set of parameters. You can configure each parameter
individually or you can configure the policy to inherit the value from the parent policy.
Note: If you delete or rename a policy, you cannot create another policy with the same name until you save the
configuration changes.
To edit an existing policy
2. Click the name of the policy in the list to display the feature sets for that policy.
The feature sets displayed depend on the type of policy. For details, see “Understanding Policies and
Policy Usage” on page 130.
Figure 3-32. Sample Polices Page

3. Select the Enable Page check box next to the feature set page name to override the inheritance of values
from the policies applied to the parent group.
Note: If no pages are checked, the policy will not be pushed.
4. Click the feature set name in the Page column to change the settings of a specific feature set.
The page displays the settings for the selected feature set. This page includes drop-down lists that
enable you to navigate between policies and their feature set pages.
Figure 3-33. Selecting Policy Pages
5. Modify the feature sets as desired.

For details on all policy feature sets and their parameters, see Appendix A, “Policy Parameters and
Settings.”
6. To copy the specified feature set values from another policy, select the policy containing the values you
want to duplicate from the Copy Contents From Policy drop-down list, and click Copy.
Note: This copies only the settings for the current page. For example, if the current page is In-Path Rules, only In-Path
Rule settings are copied. To duplicate entire policy feature sets, see “Creating Policy Settings” on page 133.
7. Click Apply to apply your settings.

Assigning Policies
You assign policies to groups and appliances in the Appliances page.
Policies are optional for groups and appliances. You can apply only one of each type of policy to a group or
appliance.
To assign a policy to a group
2. Click the name of the group you want to display the settings for each type of policy.
3. Use the controls to complete the configuration, as described in the following table.
Setting Description
Optimization Policy Select the optimization policy from the drop-down list. The default
value is None.
System Settings Policy Select the system settings policy from the drop-down list. The
Networking Policy Select the networking policy from the drop-down list. The default
value is None.
Security Policy Select the security policy from the drop-down list. The default value
is None.
Branch Services Policy Select the branch services policy from the drop-down list. The
Comment Enter a comment.

Viewing and Managing System Operation History Managing Appliance Groups
4. Click Apply to apply your settings; click Cancel to cancel your settings.
5. Click Save to save the new settings permanently.
Note: After you have assigned the policies, you must push the configuration to the specified group. For details, see
“Pushing Policies to Appliances and Appliance Groups” on page 118.
Viewing and Managing System Operation History

You can view the operation history for the system including the ID, time-stamp, type, and the status of the
operation in the Operation History page. You can open each operation in the history to view operation
details including the serial number of the appliance, current status of the operation for the appliance, and
messages associated with the operation.
The Operation History page also displays operation details including the serial number of the appliance,
current status of the operation for the appliance, and messages associated with the operation.
Note: Users can only view the operation history of appliances and appliance groups for which they have permission.
To view and manage operation history
1. Choose Manage > Operation History to display the Operation History page.
Figure 3-35. Operation History Page

Managing Appliance Groups Viewing and Managing System Operation History
2. To filter the contents of the operation history, use the controls described in the following table.
Control Description
Operation Type Select one or more operation types as filter criteria.
Operation Status Select one or more operation statuses as filter criteria:

• Success - Specifies that the listed operation succeeded.
• Pending - Specifies that the listed operation is currently pending.
• Failed - Specifies that the listed operation failed.
• Incomplete - Specifies that the listed operation is incomplete.
When selected, operations with that status are included; when unselected they
are excluded.
Appliance Type in an appliance address, serial number using as a sub-string, or regular

expression as filter criteria.
For example, if you type in ABC, the filter would highlight operations that
involved appliances with ABC in the appliance address or serial number.
Timestamp Upper Bound Type in as filter criteria the latest date (YYYY/MM/DD) and time
(HH:MM:SS). For example, the history displays no operations after the date and
time specified.
Timestamp Lower Bound Type in as filter criteria the earliest date (YYYY/MM/DD) and time
(HH:MM:SS). For example, the history displays no operations before the date
and time specified.
Apply Filter Filters the contents of the table in the Operations panel immediately below the
Filter panel.
3. Under Operations, click the Date/Time value to display the appliances, detailed status, and messages
associated with the operation. (Click Cancel to close operation details.)
4. Optionally, under History Management, complete the configuration as described in the following table.
Control Description
Clear History Indicates to clear the history based on one of the following options
• Clear All History - Specify to clear all history.
• Clear History Older Than - Specify date (YYYY/MM/DD) and time
(HH:MM:SS).
Clear Click to clear history based on the above options.

Managing Appliance Backup/Restore Managing Appliance Groups
Managing Appliance Backup/Restore

You can view, delete, and restore configurations of a remote Steelhead appliances in the Appliance Backup/
Restore page.
The CMC collects backups automatically, every day, at 3 a.m, with the filename YYYY.MM.DD -
CONFIG_NAME, where CONFIG_NAME is the name of the active configuration on the Steelhead
appliance. For details on changing the default time for daily backups, see “Performing Backups on an
Appliance” on page 139.
Alternatively, you can use the controls on the Appliance Backup/Restore page to create backups or reset
the appliance to a backup restore point.
This section describes the following:
“Performing Backups on an Appliance,” next
“Restoring a Backup Configuration to an Appliance” on page 140
“Removing Backup Configurations” on page 141
Note: Typically, you do not need to use backups. Riverbed recommends that you restore an appliance to health by re-
sending its configuration policies. If using policies for restoration is not possible, you can use the following procedure
to restore the system to the backup restore point. However, the restore point does not include SSL settings configured
in the SSL page, as described in “Managing or Viewing Appliance SSL Settings” on page 105.
Performing Backups on an Appliance

You back up Steelhead appliance configurations in the Appliance Backups and RMA page.
This section describes how to perform a manual backup and how to set the time for the daily automatic
backup.

Managing Appliance Groups Managing Appliance Backup/Restore
To perform a backup on an appliance
1. Choose Manage > Appliance Backup/Restore to display the Appliance Backup/Restore page.
Figure 3-36. Appliance Backup/Restore Page
This page lists the backups that have been previously saved for the appliance selected in the Source
Appliance drop-down list.
2. To create a manual backup, use the controls as described in the following table.
Control Description
Source Appliance Select the appliance for backup from the drop-down list.
Restoring a Backup Configuration to an Appliance

You restore appliance configurations to a Steelhead appliance in the Appliance Backup/Restore page.
This feature also displays the CLI configuration for the selected Steelhead appliance backup.
To restore configuration settings
2. Select the source appliance from the drop-down to display the Backup Operation information.

Managing Appliance Backup/Restore Managing Appliance Groups
3. Under Backup Operations, enter the name for the backup.

A panel displays the backup details and controls for restoring the backup.
Figure 3-37. Restore Operation Section
4. Under Restore Operation, select one of the backups to be restored.
5. Under Migrate Operation, select the target appliance.

Figure 3-38. Migrate Operation Section
6. Click Migrate.
7. Click Apply to save your settings.
Removing Backup Configurations

You can remove configuration backups in the Appliance Backup/Restore page.
User-generated backups must be removed manually; they are not deleted automatically. However, the
automatic daily backups are automatically deleted as follows:
The first automatic daily backup of the month is automatically deleted after three years.
All other daily automatic backups are automatically deleted after thirty days.
To remove configuration backups
2. Select the appliance from the Source Appliance drop-down list to display the configuration backups for
the specified appliance.
3. Click the check box next to the backup name and click Remove Selected Backups to remove the
configuration backups from the list.

Managing Appliance Groups Configuring Upgrades
Configuring Upgrades
You configure upgrade settings in the Configure Upgrades page. You can also manage Steelhead software
images and enable automatic upgrades on this page.
Note: The upgrade process is only completed when the targeted Steelhead appliances connect to the CMC. Connected
Steelhead appliances upgrade the next time they connect.
Depending on the version of RiOS, many existing models of the Steelhead appliance can be directly
upgraded from 32-bit to 64-bit. Other models (and also depending on the version of RiOS) require a
transitional 32-bit upgrade before a final upgrade to 64-bit. The following constraints apply:
Unsupported models - The following models are no longer supported for upgrading to RiOS v5.5 or
later:
1U / xx00
1U / xx10
Current Supported Models Running 32-bit RiOS version - To upgrade to a 64-bit software image, a
Steelhead appliance must be running RiOS v5.0.5c or higher, with the exception of xx20 models that are
running v4.1.x.
32-bit only models - The following xx50models, regardless of current RiOS version, can be upgraded
only to another 32-bit software image.

Configuring Upgrades Managing Appliance Groups
To configure upgrades
1. Choose Manage > Configure Upgrades to display the Configure Upgrades page.
Figure 3-39. Configure Upgrades Page
2. Under Manage the Image Library, manage Steelhead software images by using the controls described
in the following table.
.
Control Description
Add Image Click to display additional controls for adding images to the CMC image
library.
Image Name Type a name for the image.

To obtain the image, select and configure one of the following options:
• Download from a URL - Specify the URL source for the software image.
When the upgrade is performed, the CMC obtains the image.
• Upload from a Local File - Specify the path for the software image or click
Browse to go to a local file directory. The image is uploaded immediately.
Add Image Adds the specified image to the CMC image library.
Remove Image Click the check box next to the image and click Remove Image.

Managing Appliance Groups Configuring RSP Appliances
3. In the Maximum Concurrent Upgrades field, specify the number of appliances to be concurrently
upgraded. The default value is 15.
For example, if your network has twenty-five appliances, and this values is set to 5, only five
appliances will be upgraded at a time.
4. In the Timeout for upgrades field, specify the seconds. The default value is 10800.
5. Under Configure Automatic Upgrades, use the following controls to automate upgrades.
Control Description
Enable Automatic Steelhead Enables automated upgrades and activates the rest of the controls in this panel.
Upgrades
32-bit Steelhead Image Select from the drop-down list the 32-bit image to which all 32-bit Steelhead
appliances are to be upgraded.
Optionally, specify Do not auto-upgrade to prevent auto-upgrade.
Note: The contents of the drop-list are limited to the 32-bit software images
already in the image library.
64-bit Steelhead Image Select from the drop-down list the 64-bit image to which all 64-bit Steelhead
appliances are to be upgraded.
Optionally, specify Do not auto-upgrade to prevent auto-upgrade.
Transition Image Select from the drop-down list the 32-bit transition image to which all
applicable 32-bit Steelhead appliances are to be upgraded in preparation for
subsequent 64-bit upgrade.
6. Click Apply to apply the settings to the running configuration.

For example, all 32-bit Steelhead appliances are automatically upgraded to the specified 32-bit or
transition image the next time they connect to the CMC.
Configuring RSP Appliances

You configure RSP appliances settings in the RSP Appliances page.
To configure RSP appliances
1. Choose Manage > RSP > RSP Appliances to display the RSP Appliances page.
Figure 3-40. RSP Appliances Page

Configuring RSP Appliances Managing Appliance Groups
2. Click RSP Service to display the RSP Service Operation options.

Figure 3-41. RSP Service Operation Options
Control Description
RSP Service Operation Select Install RSP Service or Manage RSP Service from
the drop-down list.
32-bit RSP Image Select the image from the drop-down list.
64-bit RSP Image Select the image from the drop-down list.
Schedule operation Select option to schedule an operation.

Date and Time. Use the following format: YYYY/MM/
DD HH:MM:SS.
Install Click Install to continue with your settings.

Managing Appliance Groups Configuring RSP Image Library
Configuring RSP Image Library

You configure RSP image library settings in the RSP Image Library page.
To configure RSP image library
1. Choose Manage > RSP > RSP Image Library to display the RSP Image Library page.
Figure 3-42. RSP Image Library Page
2. Click Add Image to display the Add Image options.

Figure 3-43. Add Image Options
Control Description
File Name Type a descriptive name for the image.
From URL Select this option and type the URL to the image.
From Local File (for images Click this option and type the path or click Browse to navigate to the local file
less than 2GB in size) directory.
Add Image Downloads the image to your system.
4. To remove an entry, click the check box next to the name and click Remove Selected Images.

Configuring RSP Package Library Managing Appliance Groups
Configuring RSP Package Library

You configure RSP image library settings in the RSP Package Library page.
To configure RSP package library
1. Choose Manage > RSP > RSP Package Library to display the RSP Package Library page.
2. Click Add Package to display the options.

Figure 3-44. Add Package Page
Control Description
File Name Enter the file name.
From URL Enter the URL.
From Local File (for packages Click Browse to navigate to the file.
less than 2GB in size)
Add Package Click Add Packages to add the package.

Managing Appliance Groups Configuring RSP Package Library

CHAPTER 4 Displaying and Customizing Reports
This chapter describes how to display and customize remote Steelhead appliance reports, download remote
appliance logs, and display and customize CMC reports.
This chapter includes the following sections:
“Displaying Managed Steelheads Reports and Logs,” next
“Displaying Steelhead Diagnostics Reports” on page 197
“Displaying CMC Diagnostics Reports” on page 205
“Exporting Performance Statistics Reports” on page 217
Displaying Managed Steelheads Reports and Logs

This section describes how to create managed Steelhead reports and logs. It includes the following sections:
“Viewing Optimized Throughput Reports,” next
“Viewing Bandwidth Optimization Reports” on page 153
“Viewing Data Reduction Reports” on page 155
“Viewing Traffic Summary Reports” on page 158
“Viewing Connection History Reports” on page 160
“Viewing Connection Forwarding Reports” on page 163
“Viewing Connection Pooling Reports” on page 164
“Viewing HTTP Stats (Steelhead v5+) Reports” on page 166
“Viewing HTTP Stats (Steelhead v4) Reports” on page 170
“Viewing SSL Servers Reports” on page 172
“Viewing NFS Reports” on page 175
“Viewing Data Store SDR-Adaptive Reports” on page 177
“Viewing Data Store Cost Reports” on page 179
“Viewing Data Store Disk Load Reports” on page 181
“Viewing Data Store Hit Rate Reports” on page 182

Displaying and Customizing Reports Displaying Managed Steelheads Reports and Logs
“Viewing Data Store IO Reports” on page 184

“Viewing Data Store Read Efficiency Reports” on page 187
“Viewing DNS Cache Hits Reports” on page 189
“Viewing DNS Cache Utilization Reports” on page 190
“Viewing QoS Stats Dropped Reports” on page 192
“Viewing QoS Stats Sent Reports” on page 194
“Displaying Steelhead Diagnostics Reports” on page 197
Note: Reports are based on data gathered from registered remote Steelhead appliances by the CMC every five minutes.
Viewing Optimized Throughput Reports

The Optimized Throughput report summarizes the throughput or total data transmitted for the application
and time period specified.
The Optimized Throughput report includes Optimized LAN and WAN Link Throughput graphs which
include the following statistics that describe data activity for the application and the time period you
specify.
Field Description
Peak LAN Throughput At <time> on Displays the date and time of the peak data activity.
<date>
95th Percentile LAN Throughput Displays the 95th percentile for data activity. The 95th percentile is
calculated by taking the peak of the lower 95% of inbound and
outbound throughput samples.
Average LAN Throughput Displays the average amount of data transmitted.
Peak WAN Throughput Displays the date and time of the peak data activity.
95th Percentile WAN Throughput At Displays the 95th percentile for data activity. The 95th percentile is
<time> on <date> calculated by taking the peak of the lower 95% of inbound and
outbound throughput samples.
Average WAN Throughput Displays the average amount of data transmitted.
What This Report Tells You

The Optimized Throughput report answers the following questions:
What was the average throughput?
What was the peak throughput?
At what time did the peak throughput occur?

Displaying Managed Steelheads Reports and Logs Displaying and Customizing Reports
About Report Graphs

In bar-graph and line-graph reports, the x-axis (or tick mark) plots time, according to the interval you select.
The y-axis plots the metric of interest, such as gigabytes of bandwidth, percent (%) of data reduction,
connection counts, and the like.
Three triangles near the top margin of the graph point to the value on the x-axis (the time) at which the peak
occurred.
The right margin of the graph points to the value on the y-axis (for example, the percent) that is the average
value for the time period selected.
Pie chart graphs do not indicate peaks or averages. Pie chart graphs represent the aggregate for the time
period selected.
About Report Data

The Riverbed system polls bandwidth and connection metrics every five minutes and can report on
performance for periods as long as one year. However, due to performance and disk space considerations,
data representation in reports for periods longer than an hour are interpolated from aggregate data points.
Note: Be aware that if the CMC and remote appliances lose connectivity with each other, the bandwidth and connection
data during the period of lost connectivity might be skewed. For example, if a remote appliance loses connectivity with
the CMC for six hours, data for the missing six hours appears to be 0 in reports for periods of Last Day or Custom
intervals smaller than one day. However, when the remote appliance re-establishes connectivity, it sends an aggregate
data point for the last day. Thus, report for periods longer than Last Day do reflect bandwidth and connection data
accurately. If you need to analyze data on the remote Steelhead appliance for the missing period, you can view this in
the Management Console for the individual remote appliance.

To view the Optimized Throughput report
1. Choose Reports > Managed Steelheads > Optimized Throughput to display the Optimized Throughput
page.
Figure 4-1. Throughput Page

2. Use the controls to customize the report as described in the following table.
Control Description
Period Select Last Hour, Last Day, Last Week, Last Month, or Custom from the drop-down list.
For Custom, enter the Start Time and End Time and click Go. Use the following format:
YYYY/MM/DD HH:MM:SS.
Group Select a group from the drop-down list. The default value is Global or Custom.
You can also select [Custom] to display a drop-down list from which you can select one or
more individual appliances to include in the report.
Traffic Select Bi-directional, WAN-to-LAN, or LAN-to-WAN from the drop-down list.
Application Select the application from the drop-down list. The default value is All.
Refresh Select Off, 5 Minutes, 10 Minutes, or 15 Minutes from the drop-down list.
3. Click Go to display the report with the new settings.
Viewing Bandwidth Optimization Reports

The Bandwidth Optimization report summarizes the overall inbound and outbound bandwidth
improvements for your network. You can create reports according to the time period of your choice,
application, and type of traffic.
The Bandwidth Optimization report includes the following table of statistics that describe bandwidth
activity for the time period you specify.
Field Description
WAN Data Displays the bytes sent and received (depending on direction) over the WAN ports.
LAN Data Displays the bytes sent and received (depending on direction) over the LAN ports.
Total Data Reduction % Displays the total decrease of data transmitted over the WAN, according to the
following calculation:
(Data In – Data Out)/(Data In)
Peak Data Reduction Displays the date and time that the peak data reduction occurred.
Occurred At <time> on
<date>
Optimized Bandwidth Displays the increase in the amount of data transmitted over the WAN, according to
Capacity Increase the following calculation:
1/(1-Reduction Rate)
What this Report Tells You

The Bandwidth Optimization report answers the following questions:
How much bandwidth optimization has occurred?
What was the average and peak amount of data sent?
What was the overall increase in the amount of data that can be transmitted using the Steelhead
appliance?

About Report Graphs

occurred.
period selected.
About Report Data

To view a Bandwidth Optimization report
1. Choose Reports > Managed Steelheads > Bandwidth Optimization to display the Bandwidth
Optimization page.
Figure 4-2. Bandwidth Optimization Page

Control Description
Group Select the group from the drop-down list. The default value is Global or Custom.
Traffic Select Bi-Directional, WAN-to-LAN, or LAN-to-WAN from the drop-down list.
Application Select the application from the drop-down list. The default value is All.
3. Click Go to display the report with the new settings.
Tip: To print the report, choose File > Print in your Web browser to open the Print dialog box.
Viewing Data Reduction Reports

The Data Reduction report summarizes the percent reduction of data transmitted by an application such as
FTP, HTTP, NetBIOS and TCP, traffic in CIFS, and MAPI.
The Data Reduction report includes the following table of statistics that describe data reduction for the
application and the time period you specify.
Field Description
Peak Data Reduction At <time> on Displays the date and time that the peak data reduction occurred.
<date>
Optimized Bandwidth Capacity Increase Specifies the increase in the amount of data transmitted over the WAN,
according to the following calculation:
1/(1-Reduction Rate)

The Data Reduction report answers the following questions:
What was the total reduction in the amount of data that can be transmitted for each application?
What was the peak reduction in the amount of data transmitted for each application?
What was the total increase of data transmitted for the application and time period specified?

About Report Graphs

occurred.
period selected.
About Report Data

To view the Data Reduction report
1. Choose Reports > Managed Steelheads > Data Reduction to display the Data Reduction page.
Figure 4-3. Data Reduction Page

Control Description
For Custom, enter the Start Time and End Time. Use the following format: YYYY/MM/
DD HH:MM:SS.
Group Select the appliance group from the drop-down list. The default value is Global.
Application Select the application from the drop-down list. The default value is All or Custom.
3. Click Go to apply the changes to the report display.

Viewing Traffic Summary Reports

The Traffic Summary report provides a percentage breakdown of the amount of traffic going through the
system by the port and type of traffic. For details on setting ports to be monitored, see “Service Ports” on
page 235.
The Steelhead appliance automatically discovers all the ports in the system that have traffic. The discovered
port along with a label (if one exists) is added to the report. If a label does not exist then an unknown label
is added to the discovered port.
If you want to change the unknown label to a name representing the port, you must add the port with a
new label. All statistics for this new port label are preserved from the time the port was discovered. For
details on adding ports to be monitored, see “Service Ports” on page 235.
Note: The Traffic Summary report displays a maximum of 16 colors for ports. If you have more than 16 ports, the colors
in the report wrap from the beginning.

The Traffic Summary report provides the following table of statistics that describe data activity for the
Control Description
Port Displays the TCP/IP port number and application for each row of statistics.
Reduction Displays the amount of data reduction.
LAN Data Displays the amount of traffic on the LAN.
WAN Data Displays the amount of traffic on the WAN.
Traffic % Displays the percentage of the total traffic each port represents.
About Report Graphs

occurred.
period selected.

About Report Data

To view the Traffic Summary report
1. Choose Reports > Managed Steelheads > Traffic Summary to display the Traffic Summary page.
Figure 4-4. Traffic Summary Page
Control Description
DD HH:MM:SS.
Group Select the appliance group from the drop-down list.
Type Select Optimized, Pass Through, or Both from the drop-down list. The default value is
Optimized.

Control Description
Refresh Set the refresh rate for the report display:

• To refresh the report every 5 minutes, select 5 minutes.
• To turn refresh off, click Off.
Viewing Connection History Reports

The Connection History report summarizes the optimized traffic for the time period specified.
The Connection History report contains the following graphs:
Optimized vs. Pass Through Connections - This graph displays the total number of optimized and
passed-through connections for the time period specified.
Optimized Connections - This graph displays the total number of optimized, established, half-
opened, and half-closed connections for the time period specified.
The Connection History report contains the following table of statistics that summarize connection activity.
Packet Type Description
Total Optimized Displays the total active connections optimized.
Total Optimized (Active) Displays the total number of optimized connections with traffic in the last 60 seconds.
Total Pass Through Displays the total connections passed through, unoptimized.
Forwarded Displays the total number of forwarded connections.
Total Optimized Displays the total established active connections.

(Established)
Total Optimized (Half Displays the total half-opened active connections. A half-opened connection is a TCP
Opened) connection which has not been fully established. Half-opened connections count
toward the connection count limit on the Steelhead appliance because, at any time,
they might become a fully-opened connection.
If you are experiencing a large number of half-opened connections, consider a more
appropriately sized Steelhead appliance.
Total Optimized (Half Displays the total half-closed active connections. Half-closed connections are
Closed) connections which the Steelhead appliance has intercepted and optimized but are in
the process of becoming inactive. These connections are counted toward the
connection count limit on the Steelhead appliance. (Half closed connections might
remain if the client or server does not close their connections cleanly.)
If you are experiencing a large number of half-closed connections, consider a more
appropriately sized Steelhead appliance.

The connection counts for the specified time period are displayed in the following columns:
Group Average. Displays the average of the sum for all of the appliances in the group.
Per Appliance Average. Displays the per appliance average for all of the appliances in the group.
Single Appliance Peak. Peak number of connections for a single appliance in the group.
Peak Time. Timestamp for when the peak number was reached.

The Connection History report answers the following questions:
How many connections were optimized?
How many connections were passed through, unoptimized?
How many connections were half-opened?
How many connections were half-closed?
About Report Graphs

occurred.
period selected.
About Report Data


To view the Connection History report
1. Choose Reports > Managed Steelheads > Connection History to display the Connection History page.
Figure 4-5. Connection History Page
.
Control Description
Period Select Last Hour, Last Day, Last Week, Last Month, or Custom from the drop-
down list.
For Custom, enter the Start Time and End Time and click Redraw. Use the
following format: YYYY/MM/DD HH:MM:SS.

Control Description
Group Specify the appliance group whose connection history you want to view.
Note: The refresh rate does not affect polling. Polling occurs every 5 minutes.
Viewing Connection Forwarding Reports

The Connection Forwarding report summarizes the number of bytes or packets transferred between the
Steelhead appliance and a specified neighbor.

The Connection Forwarding report answers the following questions:
How many bytes were transferred between a Steelhead appliance and a specified neighbor?
How many packets were transferred between a Steelhead appliance and a specified neighbor?
About Report Graphs

The y-axis plots the metric of interest, such as GBs of bandwidth, percent (%) of data reduction, connection
counts, and the like.
occurred.
About Report Data


To view the Connection Forwarding report
1. Choose Reports > Managed Steelheads > Connection Forwarding to display the Connection
Forwarding page.
Figure 4-6. Connection Forwarding Page
.
Control Description
down list.
Statistic Select either Byte Counts or Packet Counts from the drop-down list.
Viewing Connection Pooling Reports

The Connection Pooling report summarizes the current connection pool of connections to peer appliances.


The Connection Pooling report provides the following table of statistics that describe data activity for the
Control Description
Total Requests Specifies the total number of requests for connections to peer appliances.
Total Hits Specifies the total number of successful connections and connections that are
serviced by already existing inner channel connections.
Peak Hits At <time> on Specifies the date and time of the peak number of successful connections and
<date> connections that are serviced by already existing inner channel connections.
About Report Graphs

occurred.
period selected.
About Report Data


To view the Connection Pooling report
1. Choose Reports > Managed Steelheads > Connection Pooling to display the Connection Pooling page.
Figure 4-7. Connection Pooling Page
.
Control Description
down list.
Refresh Select Refresh to refresh the list.

Viewing HTTP Stats (Steelhead v5+) Reports

The HTTP Stats (Steelhead v5+) report summarizes HTTP optimization statistics for the time period
specified.
Note: Separate HTTP statistic reports are provided for appliances running v4.x and those running v5.x and higher. If
an appliance has been upgraded during the requested reporting period, the graph appears incomplete.

The HTTP Stats (Steelhead v5+) report contains the HTTP (%) Hits graph, which displays the following
statistics that summarize HTTP data activity.
Field Description
Total Hit % Displays the total percentage of HTTP objects requested by all three schemes:
URL Learning, Parse and Prefetch, and Metadata Response.
Parse and Prefetch Hit % Displays the percentage of objects that were successfully prefetched.
URL Learning Hit % Displays the percentage of URL learning hits.
Object Prefetch Table Hit % Displays the percentage of prefetch table hits.
Objects Requested Displays the number of HTTP objects requested.
Total Objects Hit Displays the total number of HTTP object hits.
Parse and Prefetch Hits Displays the number of embedded objects that were successfully prefetched.
URL Learning Hits Displays the number of URL learning hits.

Object Prefetch Table Hit Displays the number of prefetch table hits.
Misses Displays the total number of prefetch misses.


The HTTP Stats (Steelhead v5+) report answers the following questions:
What was the overall percent increase in HTTP data transmitted over the WAN?
How many HTTP objects were requested?
How many HTTP objects were successfully obtained and transmitted over the WAN?
How many metadata responses and prefetch hits occurred per HTTP object?
About Report Graphs

occurred.
period selected.
About Report Data


To view the HTTP Stats (Steelhead v5+) report
1. Choose Reports > Managed Steelheads > HTTP Stats (Steelhead v5+) to display the HTTP Stats
(Steelhead v5+) page.
Figure 4-8. HTTP Stats (Steelhead v5+) Page
2. Use the controls to customize the report, as described in the following table.
Control Description
Period Select Last Hour, Last Day, Last Week, Last Month or Custom from the drop-down list.

Viewing HTTP Stats (Steelhead v4) Reports

The HTTP Stats (Steelhead v4) report summarize HTTP optimization statistics for the time period specified.
Note: Separate HTTP statistic reports are provided for appliances running 4.x and those running 5.x and higher. If an
appliance has been upgraded during the requested reporting period, the graph appears incomplete.
The HTTP Stats (Steelhead v4) report contains the HTTP (%) Hits graph, which displays the following
statistics that summarize HTTP data activity.
Field Description
Prefetch Cache Hit % Displays the total percentage of the prefetch cache hit.
Prefetch Hits Displays the total number of prefetch hits.
Prefetch Misses Displays the total number of prefetch misses.
Objects Requested Displays the number of HTTP objects requested.

The HTTP Stats (Steelhead v4) reports answer the following questions:
How many HTTP pages were requested?
How many HTTP pages were optimized?
What was the overall percent increase in HTTP data transmitted over the WAN?
How many HTTP objects were requested?
How many HTTP objects were successfully obtained and transmitted over the WAN?
About Report Graphs

The y-axis plots the metric of interest, such as GB of bandwidth, percent (%) of data reduction, connection
A diamond icon above the top margin of the graph points to the value on the x-axis (the time) at which the
peak occurred.
A diamond icon outside the right margin of the graph points to the value on the y-axis (for example, the
percent) that is the average value for the time period selected.
period selected.

About Report Data

the Steelhead Management Console for the individual remote appliance.
To display the HTTP Stats (Steelhead v4) reports
1. Choose Reports > Managed Steelheads > HTTP Stats (Steelhead v4) to display the HTTP Stats
(Steelhead v4) page.
Figure 4-9. HTTP Stats (Steelhead v4) Page

2. Use the controls to customize the report, as described in the following table.
Control Description
Period Select Last Hour, Last Day, Last Week, Last Month or Custom from the drop-
down list.
For Custom, enter the Start Time and End Time and click Go. Use the following
format: YYYY/MM/DD HH:MM:SS.

Viewing SSL Servers Reports

The SSL Servers report summarizes the SSL server connection requests and connection rate for the time
period specified.
The SSL Servers report contains the following graphs:
SSL Connection Requests (Connections) - Summarizes the connection requests for the time period
specified. The Connection Requests graph includes the following table of statistics that describe data
activity for the application and the time period you specify
.
Field Description
Number of Established Sessions Displays the number of established SSL connections.
Number of Requests Displays the number of SSL requests.
Number of Failed Connections Displays the number of failed SSL connections.
SSL Connection Rate (Connections Per Second) - Summarizes the average number of successfully
completed SSL connections in one second. The SSL connection rate is also called SSL TPS (SSL
Transactions per Second). The SSL Connection Rate graph includes the following table of statistics that
describe data activity for the application and the time period you specify.
Field Description
Average Connection Rate Displays the average connection rate for SSL connections.
Peak Connection Rate At <time> on <date> Displays the peak connection rate for SSL connections for the date
and time.


The SSL Servers report answers the following questions:
What is the number of established SSL connections?
What is the number of SSL requests during specified period of time?
What is the number of failed connections during a specified period of time?
What is the number of concurrent connections open at the current time?
About Report Graphs

occurred.
period selected.
About Report Data


To view the SSL Servers report
1. Choose Reports > Managed Steelheads > SSL Servers to display the SSL Servers page.
Figure 4-10. SSL Servers Page

Control Description
For Custom, type the Start Time and End Time and click Go. Use the following format:

Viewing NFS Reports

The NFS report summarizes NFS optimization statistics for the time period specified. The NFS report
contains the following graph:
Field Description
Local Responses Specifies the number of NFS calls that were responded to locally.
Remote Responses Specifies the number of NFS calls that were responded to remotely (that is, calls that
traversed the WAN to the NFS server).
Total Delayed Specifies the delayed calls which were responded to locally but not immediately (for
example, reads which were delayed while a read ahead was occurring and were responded
to from the data in the read ahead).
Total Reduction % Specifies the percentage decrease of NFS calls over the WAN. For example, you might see an
85% reduction in NFS data (see the Data Reduction or the Traffic Summary report) and a 55%
reduction in the number of NFS calls over the WAN (NFS Statistics report).
Peak Reduction % Specifies the percentage of reduction for the date and time.
At <time> on
<date>
Capacity Increase Specifies the increase in the number of NFS calls that can be transmitted over the WAN.

The NFS report answers the following questions:
How many delayed calls occurred for NFS activity?
What is the reduction in the number of NFS calls that went to the server?
What was the overall decrease in NFS calls transmitted over the WAN?
About Report Graphs


occurred.
About Report Data

To view the NFS report
1. Choose Reports > Managed Steelheads > NFS to display the NFS page.
Figure 4-11. NFS Page

.
Control Description
down list.
Response Select All, Local, Remote, or Delayed from the drop-down list.
The default value is All.
Viewing Data Store SDR-Adaptive Reports

The Data Store SDR-Adaptive report summarizes:
How much adaptive compression is occurring in the data store using legacy mode.The report
combines both the percentage due to local and remote adaptive compression (as signalled by the
peers).
The percentage of the traffic, in bytes, which is adapted to in-memory-only (or transient), compared to
the total SDR traffic (SDR-adaptive mode).

The Data Store SDR-Adaptive report provides the following table of statistics that describe the data activity
for the application and the time period you specify.
Field Description
Maximum Compression Due To Disk Pressure at Specifies the number of maximum compression due to disk
<time> on <date> pressure for the date and time.
Minimum Compression Due To Disk Pressure at Specifies the number of minimum compression due to disk
<time> on <date> pressure for the date and time.
Average Compression Due To Disk Pressure Specifies the number of average compression due to disk
pressure for the date and time.
Maximum Compression Due To In-Path Rule at Specifies the number of maximum compression due to in-
<time> on <date> path rule for the date and time.
Minimum Compression Due To In-Path Rule at Specifies the number of minimum compression due to in-
<time> on <date> path rule for the date and time.
Average Compression Due To In-Path Rule Specifies the number of average compression due to in-
path rule for the date and time.
Maximum In-Memory SDR Due To Disk Pressure at Specifies the number of maximum in-memory SDR due to
<time> on <date> disk pressure for the date and time.

Field Description
Minimum In-Memory SDR Due To Disk Pressure at Specifies the number of minimum in-memory SDR due to
<time> on <date> disk pressure for the date and time.
Average In-Memory SDR Due To Disk Pressure Specifies the number of average in-memory SDR due to
disk pressure for the date and time.
Maximum In-Memory SDR Due To In-Path Rule at Specifies the number of maximum in-memory SDR due to
<time> on <date> in-path rule for the date and time.
Minimum In-Memory SDR Due To In-Path Rule at Specifies the number of minimum in-memory SDR due to
<time> on <date> in-path rule for the date and time.
Average In-Memory SDR Due To In-Path Rule Specifies the number of average in-memory SDR due to in-
path rule for the date and time.
About Report Data


To view the Connection Forwarding report
1. Choose Reports > Managed Steelheads > Data Store SDR-Adaptive to display the Data Store SDR-
Adaptive page.
Figure 4-12. Data Store SDR-Adaptive Page
.
Control Description
down list.
Viewing Data Store Cost Reports

The Data Store Cost report summarizes the relative cost of doing data store operations.

The Data Store Cost report includes a throughput graph which displays the following statistic that describes
data store segment throughput for the date and the time period you specify.

The Data Store Cost report provides the following table of statistics that describe the data activity for the
Field Description
Maximum Cost at <time> on <date> Specifies the number of maximum cost for the date and
time.
About Report Data

To view the Data Store Cost report
1. Choose Reports > Managed Steelheads > Data Store Cost to display the Data Store Cost page.
Figure 4-13. Data Store Cost Page

.
Control Description
down list.
Viewing Data Store Disk Load Reports

The Data Store Disk Load report summarizes the data store disk load due to SDR-only as related to the
benchmarked capacity of the data store. Consider any value under 100 as healthy. Any value higher than
100 might indicate disk pressure. When a value is consistently higher than 100, contact Riverbed
Professional Services for guidance on reconfiguring the data store to alleviate disk pressure.

The Data Store Disk Load report provides the following table of statistics that describe the data activity for
the application and the time period you specify.
Field Description
Maximum Disk Load at <time> on <date> Specifies the number of maximum disk load for the date
and time.
Average Disk Load Specifies the average disk load.
Minimum Disk Load at <time> on <date> Specifies the number of maximum disk load for the date
and time.
About Report Data


To view the Data Store Disk Load report
1. Choose Reports > Managed Steelheads > Data Store Disk Load to display the Data Store Disk Load
page.
Figure 4-14. Data Store Disk Load Page
.
Control Description
down list.
Viewing Data Store Hit Rate Reports

The Data Store Hit Rate report summarizes how many times the data-store disk and memory have seen a
data segment. A hit is a data segment that has been seen before by the data store in the system. When a hit
occurs, the system sends the reference to the data segment rather than the actual data over the WAN.


The Data Store Hit Rate report provides the following table of statistics that describe the data activity for
the application and the time period you specify.
Field Description
Total Hits Specifies the total number of hits against the data store. A hit is a
data segment that has been seen before by the data store in the
system. If a hit has occurred, the system sends the reference to the
data rather than the actual data over the WAN.
Total Misses Specifies the number of misses that occurred. A miss is an

unmatched data segment—the data store has not seen the data
segment before and must send all the data across the WAN. The
data is LZ compressed, if LZ compression is enabled
Maximum Hits at <time> on <date> Specifies the number of maximum hits for the date and time.
Maximum Misses at <time> on <date> Specifies the number of maximum misses for the date and time.
About Report Data


To view the Data Store Hit Rate report
1. Choose Reports > Managed Steelheads > Data Store Hit Rate to display the Data Store Hit Rate page.
Figure 4-15. Data Store Hit Rate Page
.
Control Description
down list.
Viewing Data Store IO Reports

The Data Store I/O report summarizes how the data store disk I/O is performing for the time period
specified. It measures how many random reads and writes are occurring, where a low value indicates the
most random I/O and larger values indicate more sequential I/O.

This report displays the following graphs:
Data Store Cluster Average Reads. Plots the read cluster sizes for the time period you specify.
Data Store Cluster Average Writes. Plots the write cluster sizes for the time period you specify

Data Store Page Reads. Plots the page reads for the time period you specify.
Data Store Page Writes. Plots the page writes for the time period you specify.
About Report Data


To view the Data Store IO report
1. Choose Reports > Managed Steelheads > Data Store IO to display the Data Store IO page.
Figure 4-16. Data Store IO Page

.
Control Description
down list.
Appliance Select an appliance from the drop-down list.
Viewing Data Store Read Efficiency Reports

The Data Store Read Efficiency report summarizes how efficiently the data store disk is performing for the
time period specified. The Data Store Read Efficiency report includes a graph which displays a percentage
breakdown of how much of each segment page has data in it for the time period you specify. This graph
indicates how efficiently the data store is using a page after a disk read operation
About Report Data


To view the Data Store Read Efficiency report
1. Choose Reports > Managed Steelheads > Data Store Read Efficiency to display the Data Store Read
Efficiency page.
Figure 4-17. Data Store Read Efficiency Page
.
Control Description
down list.
Appliances Select an appliance from the drop-down list.

Viewing DNS Cache Hits Reports

The DNS Cache Hits report provides a DNS cache hits graph for the time period specified.
To view DNS cache hits report
1. Choose Reports > Managed Steelheads > DNS Cache Hits to display the DNS Cache Hits page.
Figure 4-18. DNS Cache Hits Page
.
Control Description
down list.
Group Specify the appliance group whose cache hits you want to view.

Viewing DNS Cache Utilization Reports

The DNS Cache Utilization report provides a DNS cache utilization graph for the time period specified.
To view DNS cache utilization report
1. Choose Reports > Managed Steelheads > DNS Cache Utilization to display the DNS Cache Utilization
page.
Figure 4-19. DNS Cache Utilization Page
.
Control Description
down list.
Group Specify the appliance group whose cache hits you want to view.


Viewing QoS Stats Dropped Reports

The QoS Stats Dropped report contains the following graphs:
QoS Pre-Enforcement - Displays the total number of bits dropped before enforcement of the QoS
parameters for the time period specified.
QoS Enforced/Dropped - Displays the total number of bits dropped after QoS enforcement parameters
have been set for the time period specified.
The QoS Stats Dropped report contains the following table of statistics that summarize QoS activity.
Field Description
Peak All Throughput At Specify the date and time of the peak QoS throughput of the specified classes.
<time> on <date>

The QoS Stats Dropped report answers the following questions:
How many bits transmitted over the WAN for the QoS class?
How many data packets were dropped for the QoS class?
When did the peak data transmission occur for the QoS class?
About Report Graphs

occurred.
period selected.
About Report Data


To view the QoS Stats Dropped report
1. Choose Reports > Managed Steelheads > QoS Stats Dropped to display the QoS Stats Dropped page.
Figure 4-20. QoS Stats Dropped Page
Control Description
Appliance Select from the drop-down list the appliance for which you want to display statistics.
Classes Select All or Custom from the drop-down list and click the arrows to add or delete them
from the list. You can display a maximum of 8 classes.
Statistic Select Bit Counts or Packet Counts from the drop-down list.

Viewing QoS Stats Sent Reports

The QoS Stats Sent report summarizes the number of bytes and packets transmitted for the QoS class or an
aggregate of all classes for the time period specified.
The QoS Stats Sent report contains the following graphs:
QoS Pre-Enforcement - Displays the total number of bits sent before enforcement of the QoS
parameters for the time period specified.
QoS Enforced/Sent - Displays the total number of bits sent after QoS enforcement parameters have
been set for the time period specified.
The QoS Stats Sent report contains the following table of statistics that summarize QoS activity during peak
pre-enforcement and peak post-enforcement time periods.
Field Description
Peak All Throughput At Displays the date and time of the peak QoS throughput of the specified classes.
<time> on <date>

The QoS Stats Sent report answers the following questions:
How many bits were transmitted over the WAN for the QoS class?
How many data packets were sent for the QoS class?
When did the peak data transmission occur for the QoS class?

About Report Graphs

The y-axis plots the metric of interest, such as GB of bandwidth, percent (%) of data reduction, connection
occurred.
period selected.
About Report Data


To view the QoS Stats Sent report
1. Choose Reports > Managed Steelheads > QoS Stats Sent to display the QoS Stats Sent page.
Figure 4-21. QoS Stats Sent Page
Control Description
DD HH:MM:SS.
Classes Select All or Custom from the drop-down list and click the arrows to add or delete them
from the list. You can display a maximum of 8 classes.
Statistic Select Bit Counts or Packet Counts from the drop-down list.

Displaying Steelhead Diagnostics Reports Displaying and Customizing Reports
Displaying Steelhead Diagnostics Reports

This section describes how to display Steelhead diagnostic reports and logs. It includes the following
sections:
“Viewing CPU Utilization Reports,” next
“Viewing Memory Paging Reports” on page 199
“Viewing Appliance Details Reports” on page 200
“Viewing Health Check Details Reports” on page 203
“Downloading Group Logs Reports” on page 203
“Viewing Expiring Certificates Reports” on page 204
“Viewing Data Store Status Reports” on page 205

Displaying and Customizing Reports Displaying Steelhead Diagnostics Reports
Viewing CPU Utilization Reports

The CPU Utilization report summarizes the percentage of the CPU used on the CMC machine within the
time period specified.
Typically, a CMC operates on approximately 30-40% CPU capacity during non-peak hours and
approximately 60-70% capacity during peak hours. CMC CPU usage should not exceed 90%.

The CPU Utilization report answers the following questions:
How much of the CPU is being used?
What is the average and peak percentage of the CPU being used?
About Report Graphs

occurred.
period selected.
To view the CPU Utilization report
1. Choose Reports > Steelhead Diagnostics > CPU Utilization to display the CPU Utilization page.
Figure 4-22. CPU Utilization Page

Control Description
Period Select Last Minute, 5 Minutes, Last Hour, Last Day, Last Week, Last Month, or Custom
from the drop-down list.
YYYY/MM/DD HH:MM:SS
Refresh Select a refresh rate from the drop-down list:

• To refresh the report every 10 seconds, select 10 seconds.
Viewing Memory Paging Reports

The Memory Paging report provides the total number of memory pages, per second, utilized by the CMC
in the time period specified.
The Memory Paging report includes the following table of statistics that describe memory paging activity
for the time period you specify.
Field Description
Total Pages Swapped Out Displays the total number of pages swapped. If 100 pages are swapped
approximately every two hours the CMC is functioning properly. If
thousands of pages are swapped every few minutes, contact Riverbed
Technical Support at https://support.riverbed.com.
Average Pages Swapped Out Displays the average number of pages swapped. If 100 pages are
swapped every couple of hours the CMC is functioning properly. If
thousands of pages are swapped every few minutes, contact
Riverbed Technical Support at https://support.riverbed.com.
Maximum Pages Swapped out at Specifies the number of maximum pages swapped out for the date and
<time> on <date> time.

The Memory Paging report answers the following questions:
How much memory is being used?
What is the average and peak amount of memory pages swapped?
About Report Graphs


occurred.
period selected.
To view the Memory Paging report
1. Choose Reports > Steelhead Diagnostics > Memory Paging to display the Memory Paging page.
Figure 4-23. Memory Paging Page
Control Description

Viewing Appliance Details Reports

The Appliance Details report displays details about the connected appliances such as status, performance,
connection counts, and peers.

The Appliance Details report provides the following statistics for an appliance.
Field Description
Status Provides high level status for the appliance: Healthy, Warning, Critical. Also
provides hardware model number, software version details, and links to the
appliance logs.
Performance Reduction. Displays the total decrease of data transmitted over the WAN.
Peak Throughput. Displays the peak data transmitted.
Datastore Usage. Displays the percent of data store usage.
Connection Counts Established. Displays the total established active connections.
Half Opened. Displays the total half-opened active connections. A half-opened

connection is a TCP connection in which the connection has not been fully
established. Half-opened connections count toward the connection count limit on
the appliance because, at any time, they might become a fully opened connection.
If you are experiencing a large number of half-opened connections, you might
consider a more appropriately sized appliance.
Half Closed. Displays the total half-closed active connections. Half-closed

connections are connections which the appliance has intercepted and optimized but
are in the process of becoming inactive. These connections are counted toward the
connection count limit on the appliance. (Half closed connections might remain if
the client or server does not close their connections cleanly.)
If you are experiencing a large number of half-closed connections, you might
consider a more appropriately sized appliance.
Pass-Through. Displays the total connections passed through, unoptimized when

the connection limit has been reached.
Total. Displays the sum of the counts described above.
Peers Displays the IP address, name, model, version, and license information for peer
appliances.
Config View Appliance Config. Displays the appliance configuration.
System Detail Displays the system detail.

To view appliance details report
1. Choose Reports > Steelhead Diagnostics > Appliance Details to display the Appliance Details page.
2. Select the appliance you want to view from the drop-down list to display the information.
Figure 4-24. Appliance Details Page

Viewing Health Check Details Reports

The Health Check report displays details about the health of the appliances.

The Health Check details report provides the following health checks for an appliance.
Field Description
Gateway Test Pings each configured gateway.
Cable Swap Test Tests if LAN and WAN ports are correctly facing their respective networks.
Duplex Test Tests a given interface for correct duplex settings.
Peer Reachability Test Sends a test probe to a specified peer.
IP-Port Reachability Test Tests if a specified IP address and optional port are connected.
To view health check details report
1. Choose Reports > Steelhead Diagnostics > Health Check to display the Health Check page.
2. Select the appliance you want to view from the drop-down list to display the Health Check Details page.
Figure 4-25. Health Check Page
Downloading Group Logs Reports

You can download log files from either an appliance or an appliance group in the Download Logs page.
To download log files report
1. Choose Reports > Steelhead Diagnostics > Download Logs to open the Download Logs page.
Figure 4-26. Download Logs Page
2. Under Download Logs, select either the Appliance or Group radio button.

3. Select the intended appliance or appliance group from the drop-down list.
4. Click Download.
The logs are now available as a tar file.
Viewing Expiring Certificates Reports

The Expiring Certificates report displays the SSL certificates that have expired or will expire within sixty
days. The report displays certificate location, policy or appliance to which it is applied, and the certificate
name.

The Expiring Certificates report answers the following questions:
What certificates are expired or within sixty days of expiring?
Where are the certificates applied?
What is the certificate location?
To view the Expiring Certificates report

Choose Reports > Steelhead Diagnostics > Expiring Certificates to display the Expiring Certificates
page.
Figure 4-27. Expiring Certificates Page

Displaying CMC Diagnostics Reports Displaying and Customizing Reports
Viewing Data Store Status Reports

The Data Store Status report summarizes the current status and state of the data store synchronization
process.

The Data Store Status report answers the following questions:
Is the synchronization connection active?
Is the Steelhead appliance in the Catch-up or Keep-up phase of data store synchronization?
What percentage of the data store is unused?
About Report Data

To view the Data Store Status report
1. Choose Reports > Steelhead Diagnostics > Data Store Status to display the Data Store Status page.
Figure 4-28. Data Store Status Page
2. Select an appliance from the drop-down list.
Displaying CMC Diagnostics Reports

This section describes how to display CMC diagnostics reports and logs. It includes the following sections:
“Viewing the Alarm Status Report,” next
“Viewing CPU Utilization Report” on page 208
“Viewing Memory Paging Report” on page 208
“Viewing User Logs Report” on page 209

Displaying and Customizing Reports Displaying CMC Diagnostics Reports
“Downloading User Logs Report” on page 211

“Viewing System Logs Reports” on page 212
“Downloading System Log Files Reports” on page 213
“Viewing the System Dumps List Report” on page 213
“Viewing Process Dump List Reports” on page 214
“Viewing the TCP Dumps List Reports” on page 214
Viewing the Alarm Status Report

The Alarm Status report provides the status for the CMC alarms and includes the following alarm
information.
Alarm Description
CPU Utilization Whether the system has reached the CPU threshold for any of the CPUs in the CMC. If
the system has reached the CPU threshold, check your settings. For details, see
“Alarms” on page 265.
If your alarm thresholds are correct, reboot the CMC. For details, see “Rebooting
Appliances and Appliance Groups” on page 124.
Note: If more than 100 MB of data is moved through a CMC while performing PFS
synchronization, the CPU utilization might become high and result in a CPU alarm.
This CPU alarm should not be cause for concern.
External Backups Whether the automatic backup has succeeded.
Fan Error Whether the system has detected a problem with the fans. Fans in 3U systems can be
replaced. Contact Riverbed Technical Support at http://www.riverbed.com and file a
trouble ticket to order a replacement fan. For details on replacing fans, see the Upgrade
and Maintenance Guide.
IPMI Indicates there has been a physical security intrusion triggering an Intelligent Platform
Management Interface (IPMI) error. The following events trigger the IPMI alarm:
• chassis intrusion (physical opening and closing of the appliance case)
• memory errors (correctable or uncorrectable ECC memory errors)
• hard drive faults or predictive failures
• power supply status or predictive failure
The option to reset the alarm appears only after the service triggers the IPMI alarm. To
reset the alarm, click Clear the IPMI alarm now.
Licensing Indicates whether your licenses are current.
Link State Whether the system has detected a link that is down. You are notified via SNMP traps,
email, and alarm status.
Memory Error Whether the system has encountered a memory error.
Memory Paging Whether the system has reached the memory paging threshold. If 100 pages are
swapped approximately every two hours the CMC is functioning properly. If
thousands of pages are swapped every few minutes, then reboot the CMC. For details,
see “Rebooting Appliances and Appliance Groups” on page 124. If rebooting does not
solve the problem, contact Riverbed Technical Support at https://
support.riverbed.com.

Alarm Description
Power Supply Indicates an inserted power supply cord does not have power, as opposed to a power
supply slot with no power supply cord inserted.
Process Dump Staging Indicates that the system has detected an error while trying to create a snapshot. Please
Directory Inaccessible contact Riverbed Technical Support to correct the issue.
Secure Vault Indicates the secure vault is locked or an error has occurred while initializing the
secure vault.
When the vault is locked, SSL traffic is not optimized and you cannot encrypt the data
store
SSL Certificates Indicates an SSL certificate has failed to re-enroll automatically within the Simple
Certificate Enrollment Protocol (SCEP) polling interval.
System Disk Full Whether the system partitions (not the data store) are almost full. For example, /var
which is used to hold logs, statistics, system dumps, TCP dumps, and so forth.
Temperature Whether the CPU temperature has exceeded the critical threshold. The default value
for the rising threshold temperature is 70º C; the default reset threshold temperature is
67º C.

The Alarm Status report answers the following question:
What is the current status of the CMC?
To view the Alarm Status report

Choose Reports > CMC Diagnostics > Alarm Status to display the Alarm Status page.
Figure 4-29. Alarm Status Page

Viewing CPU Utilization Report

The CPU Utilization report summarizes the percentage of the CPU used within the time period specified.

The CPU Utilization report answers the following questions:
How much of the CPU is being used?
What is the average and peak percentage of the CPU being used?
About Report Graphs

occurred.
period selected.
To view the CPU Utilization report
1. Choose Reports > CMC Diagnostics > CPU Utilization to display the CPU Utilization page.
2. Use the controls to customize the reports as described in the following table.
Control Description
Period Select Last Minute, 5 Minutes, Last Hour, Last Day, Last Week, Last Month,
or Custom from the drop-down list.
For Custom, enter the Start Time and End Time and click Go. Use the
following format:
YYYY/MM/DD HH:MM:SS

Go Displays the report.
Viewing Memory Paging Report

The Memory Paging report provides the total number of memory pages, per second, utilized in the time
period specified. It includes the following table of statistics that describe memory paging activity for the
time period you specify.

To view the memory paging report
1. Choose Reports > CMC Diagnostics > Memory Paging to display the Memory Paging page.
Figure 4-30. Memory Paging Page
2. Use the controls to customize the reports as described in the following table.
Control Description
Period Select Last Minute, 5 Minutes, Last Hour, Last Day, Last Week, Last Month,
or Custom from the drop-down list.
For Custom, enter the Start Time and End Time and click Go. Use the
following format:
YYYY/MM/DD HH:MM:SS

Go Displays the report.
Viewing User Logs Report

You can view user logs in the View User Logs page. View users logs to monitor user activity. The most recent
log events are listed first.

To view user logs
1. Choose Reports > CMC Diagnostics > User Logs to display the User Logs page.
Figure 4-31. User Logs Page

Control Description
Show Select Current Log or one of the archived logs from the drop-down list.
Lines per page Specify the number of lines you want to display on the page.
Jump to Select one of the following options from the drop-down list:
• Page - Specify the number of pages you want to display.
• Time - Specify the date and time (MM/DD HH:MM) of the pages you want to
display.
Filter Select one of the following options from the drop-down list:
• <Regular Expression> - Specifies a regular expression on which to filter the log.
• Error or higher - Displays Error level logs or higher.
• Warning or higher - Displays Warning level logs or higher.
• Notice or higher - Displays Notice level logs or higher.
• Info or higher - Displays Info level logs or higher.
Downloading User Logs Report

You can download user logs in the User Logs Download page.
To download user logs
1. Choose Reports > CMC Diagnostics > User Logs Download to display the User Logs Download page.
Figure 4-32. User Logs Download Page
2. Click the name of the log to save the log to disk.

You can download both compressed and uncompressed logs.
3. Click Rotate Logs to archive the current log to a numbered archived log file and then clear the log so
that it is empty again.

Viewing System Logs Reports

You can view system logs reports in the System Logs page. View system logs to monitor system activity and
to troubleshoot problems. The most recent log events are listed first.
To view system logs
1. Choose Reports > CMC Diagnostics > System Logs to display the System Logs page.
Figure 4-33. System Logs Page
Control Description
Show Select Current Log or one of the archived logs from the drop-down list.
Lines per page Specify the number of lines you want to display on the page.
Jump to Select one of the following options from the drop-down list:
• Page - Specify the number of pages you want to display.
• Time - Specify the time for the log you want to display.
Filter Select one of the following options from the drop-down list:
• <Regular Expression> - Specify a regular expression on which to filter the log.
• Error or higher - Displays the Error level logs or higher.
• Warning or higher - Displays the Warning level logs or higher.
• Notice or higher - Displays the Notice level logs or higher.
• Info or higher - Displays the Info level logs or higher.

Downloading System Log Files Reports

You can download system logs reports in the System Logs Download page. Download system logs to
monitor system activity and to troubleshoot problems.
To download system logs
1. Choose Reports > CMC Diagnostics > System Logs Download to display the System Logs Download
page.
Figure 4-34. System Logs Download Page
2. Click the name of the log to save the log to disk.

You can download both compressed and uncompressed logs.
3. Click Rotate Logs to archive the current log to a numbered archived log file and then clear the log so
that it is empty again.
Viewing the System Dumps List Report

You can display and download system dumps reports in the System Dumps page.
A system dump contains a copy of the kernel data on the system. System dump files can help you diagnose
problems in the system.
To view system dump files
1. Choose Reports > CMC Diagnostics > System Dumps to display the System Dumps page.
Figure 4-35. System Dumps Page

2. Click the filename to open a file or save the file to disk.
3. Select Include statistics check box and click Generate System Dump to generate a new system dump.
Tip: To remove an entry, click the check box next to the name and click Remove Selected.
Viewing Process Dump List Reports

You can display and download process dump reports in the Process Dumps page.

A process dump is a saved copy of memory including the contents of all memory, bytes, hardware registers,
and status indicators. It is periodically taken to restore the system in the event of failure. Process dump files
can help you diagnose problems in the system.
To view system dump files
1. Choose Reports > CMC Diagnostics > Process Dumps to display the Process Dumps page.
Figure 4-36. Process Dumps Page
2. Click the filename to open a file or save the file to disk.
3. To remove an entry, click the check box next to the name and click Remove Selected.
Viewing the TCP Dumps List Reports

You can display and download TCP dumps reports in the TCP Dumps page.

TCP dump files contain summary information for every Internet packet received or transmitted on the
interface. TCP dump files can help you diagnose problems in the system.

To view TCP data you must run the tcpdump tool using the Riverbed CLI. For details, see the Riverbed
Command-Line Interface Reference Manual.
To view TCP dump files
1. Choose Reports > CMC Diagnostics > TCP Dumps to display the TCP Dumps page.
2. Click Add a New TCP Dump to display the information.

Figure 4-37. TCP Dumps Page

Control Description
Add a New TCP Dump Displays the controls for creating a TCP trace dump.
Capture Interfaces Captures the TCP trace dump on the selected interface. You can select All, primary, or
aux. Click only one interface per trace dump. The default setting is none. You must
specify a capture interface.
Capture Name Specify the name of the capture file. The default filename uses the following format:
hostname_interface_timestamp.cap
Where hostname is the hostname of the Steelhead appliance, interface is the name of the
interface selected for the trace (for example, lan0_0, wan0_0), and timestamp is in the
YYYY-MM-DD-HH-MM-SS format.
If this trace dump relates to an open Riverbed Support case, specify the capture filename
case_number where number is your Riverbed Support case number; for example,
case_12345.
Note: The .cap file extension is not included with the filename when it appears in the
capture queue.
Capture Duration Specify how long the capture runs, in seconds. The default value is 30. Leave this value
(Seconds) blank to initiate a continuous trace. When a continuous trace reaches the maximum space
allocation of 100 MB, the oldest file is overwritten.
Maximum Capture Size Specify the maximum capture file size in MBs. The default value is 100. The
(MB) recommended maximum capture file size is 1024 MBs (1 GB).
Buffer Size Optionally, specify the maximum number of packets allowed to queue up while awaiting
processing by the TCP trace dump. The default value is 154.
Snap Length Optionally, specify the snap length value for the trace dump. Specify 0 for a full packet
capture (recommended for CIFS, MAPI, and SSL traces). The default value is 1518.
Number of Files to Specify how many TCP trace dump files to rotate. The default value is 5.
Rotate
Capture VLAN Packets Captures only VLAN-tagged packets within a trace dump for a trunk port (802.1Q).
Enabling this setting filters the trace dump by capturing only VLAN-tagged packets. This
setting applies to physical interfaces only because logical interfaces (inpath0_0, mgmt0_0)
do not recognize VLAN headers.
Source IP(s) Specify the source IP addresses. Separate multiple IP addresses with a comma. The
default setting is all IP addresses.
Source Port(s) Specify the source ports. Separate multiple ports with a comma. The default setting is all
ports.
Destination IP(s) Specify the destination IP addresses. Separate multiple IP addresses with a comma. The
default setting is all IP addresses.
Destination Port(s) Specify the destination ports. Separate multiple ports with a comma. The default setting
is all ports.

Exporting Performance Statistics Reports Displaying and Customizing Reports
Control Description
Custom Flags Specify custom flags to capture unidirectional traces; for example:
To capture all traffic to or from a single host
host x.x.x.x
To capture all traffic between a pair of hosts

host x.x.x.x and host y.y.y.y
To capture traffic between two hosts and the inner channels between two Steelhead
appliances:
(host x.x.x.x and host y.y.y.y) or (host a.a.a.a and host b.b.b.b)
Schedule Dump Schedules the trace dump to run at a later date and time.
Start Date and Time Specify a date to initiate the trace dump in the following format: YYYY/MM/DD
Specify a time to initiate the trace dump in the following format: HH:MM:SS
Add Adds the TCP trace dump to the capture queue.
Tip: To remove an entry, click the check box next to the name and click Remove Selected.
Exporting Performance Statistics Reports

The following section describes how to export appliance information and statistics reports.
You can export performance statistics in CSV format in the Export report. The CSV format allows you to
easily import the statistics into spreadsheets and databases. You can open the CSV file in any text editor.
The CSV file contains commented lines (comments beginning with the # character) at the beginning of the
file. These comments report what host generated the file, the report that was generated, time boundaries,
the time the export occurred, and the version of the CMC the file was exported from. The statistical values
are provided in columns: the first column is the date and time of the statistic sample, the columns that
follow contain the data.

Displaying and Customizing Reports Exporting Performance Statistics Reports
To export appliance information
1. Choose Reports > Export to display the Export page.
2. Select the Export Appliance Information radio button to export the appliance information.
Figure 4-38. Export Page
Control Description
Export Destination and Format Complete the following options for exporting appliance statistics:
• Export To. Select one of the following options:
– Email. Enter the complete email address for the recipient.
– URL from the drop-down list. Use the format
[scp|ftp]://username:password@host/path/filename
• Email Addresses. Type an email address or a URL, depending on the option
selected above.
• Format. Select HTML or CSV format.
To export statistics
1. Choose Reports > Export to display the Export page.

Exporting Performance Statistics Reports Displaying and Customizing Reports
2. Select the Export Statistics radio button to export the appliance statistics.
Figure 4-39. Reports > Export Page

Displaying and Customizing Reports Exporting Performance Statistics Reports
Control Description
Export Destination and Format Complete the following options for exporting appliance statistics:
• Export To. Select Email or URL from the drop-down list.
• Email Addresses. Type an email address or a URL, depending on the option
selected above.
• Format. Select HTML or CSV format.
Groups Click the check boxe(s) to select group(s) to be included in the export.
Appliances Click the check boxe(s) to select appliances to be included in the export.
Statistics Click the check boxe(s) to include any of the following statistic types in the
report:
• Bandwidth Optimization. Specify Ports and select Traffic Direction.
• Data Reduction. Specify Ports and select Traffic Direction (Bi-Directional,
WAN-to-LAN, LAN-to-WAN).
• Throughput. Specify Ports and select Traffic Direction (Bi-Directional,
WAN-to-LAN, LAN-to-WAN).
• Connection History. Click to include connection history in the export.
• Traffic Summary. Select Traffic Type from the drop-down menu (Optimized,
Passthrough, or Both).
Period and Granularity Specify one of the following options:
• Most recent period. Specify the time period in days (between 1 and 60).
• Granularity. Granularity determines how many statistic data points are used
when the data is exported. Higher granularity is more accurate. For graphs
(which appear when you choose HTML as the format) sometimes a lower
granularity reduces the jerkiness and gives a smoother and easier to
understand graph. For CSV export, it reduces the amount of exported data.
Select one of the following options from the drop-down list:
– Maximum. Specify a data point every 5 minutes.
– High. Specify a data point every hour.
– Medium. Specify a data point every day.
– Low. Specify a data point every week.
Execution Specify one of the following options:

• Export Now. Exports data when you click Export.
• Schedule Export. Exports data based on the following settings:
– Date. Specify the date using the YYYY/MM/DD format.
– Time. Specify the time using the HH:MM:SS format.
– Frequency. Select export frequency from the drop-down list (Once Only,
Daily, Weekly, Monthly).
Export Exports your data based on your settings.

APPENDIX A Policy Parameters and Settings
This appendix describes how to configure feature sets contained in optimization, system, network, and
security policies. It includes the following sections:
“Viewing Policy Configurations,” next
“Optimization Policy Settings” on page 224
“System Settings Policies” on page 264
“Networking Policy Settings” on page 277
“Security Policy Settings” on page 298
“Branch Services Settings” on page 304
This appendix assumes you are familiar with configuring and managing Steelhead appliances. It does not
include detailed overviews of the individual feature sets associated with the policies. For details on RiOS
feature sets, see the Steelhead Management Console User’s Guide.
This appendix does not summarize the settings for System Settings Policies. These are described in the
system administration section of this guide. For details, see “Configuring System Settings” on page 39.
Viewing Policy Configurations

This section describes how to view policy configurations and quickly navigate among policy feature sets.
To view policy configurations
2. Click the name of the policy in the Policy Name column.

Policy Parameters and Settings Viewing Policy Configurations
The Editing <policy type> <policy name> panel displays. The lower part of the panel lists the feature
sets specific to the policy type and whether or not they are set to be inherited.
Figure 4-40. Sample Policy Editing Panel
In this panel, you can modify the settings described in the following table.
Setting Description
Description Specify a description to help you identify the policy.
CLI Commands Optionally, paste or type in commands (one command per line) to be pushed to
an appliance using this policy.
Rename Policy Optionally, click and type a new name for the policy.
Enable Page Select the check box to enable the feature set.
Unselected feature sets are ignored by the policy and the default value is used
when pushed to appliances. For details, see “Understanding Policies and Policy
Usage” on page 130.
Apply Applies the modifications to the running configuration.

Viewing Policy Configurations Policy Parameters and Settings
3. To access policy feature sets, click the name of the feature set In the Page column to display the Editing
<policy name, feature set> page.
Figure 4-41. Sample Editing Policy Page
4. Modify the settings.
5. To copy the specified feature set values from another policy, select the policy containing the values you
want to duplicate from the Copy Contents From Policy drop-down list and click Copy.
Note: This copies only the settings for the current page. For example, if the current page is In-Path Rules, only In-Path
Rule settings are copied. To duplicate entire policy feature sets, see “Creating Policy Settings” on page 133.
6. Click Apply to apply the settings to the running configuration.
7. To go to other policies and feature sets, use the controls at the top of the page as described in the
following table.
Control Description
Editing <Policy Type> Policy Select the policy name from the drop-down list.
Note: The policies are categorized by type: Networking, Optimization,
Security, and System.
Page Select the policy feature set to be accessed.

Note: Because different policy types have different feature sets, the contents of
this drop-down list are determined by the policy selected in the Editing <Policy
Type> Policy drop-down list.

Policy Parameters and Settings Optimization Policy Settings
Optimization Policy Settings

The following section describes Optimization Policy feature set. It includes the following sections:
“General Service Settings,” next
“In-Path Rules” on page 226
“Peering Rules” on page 233
“Service Ports” on page 235
“Data Store” on page 236
“Performance” on page 238
“Protocols CIFS” on page 240
“Protocols CIFS Prepopulation” on page 243
“Protocols HTTP” on page 244
“Protocols Oracle Forms” on page 247
“Protocols MAPI” on page 249
“Protocols MS-SQL” on page 251
“Protocols NFS” on page 252
“Protocols Lotus Notes” on page 254
“Protocols Citrix ICA” on page 254
“Windows Domain Auth” on page 255
“SSL Main Settings” on page 255
“SSL Peering” on page 257
“Certificate Authorities” on page 260
“SSL Advanced Settings” on page 260
“Secure Peering (IPSEC)” on page 262
The following procedures assume you have already created an Optimization Policy. For details on how to
create a new policy, see “Creating Policy Settings” on page 133.
General Service Settings

You can review general service settings in the General Service Settings page. For details, see the Steelhead
Management Console User’s Guide.
Control Description
In-Path Settings Enables in-path support.
Out-of-Path Settings Enables out-of-path support.

Optimization Policy Settings Policy Parameters and Settings
Control Description
Connection Settings Per-Source IP Connection Limit. Restricts half-opened connections on a source

IP address initiating connections (that is, the client machine). Set this feature to
block a source IP address that is opening multiple connections to invalid hosts
or ports simultaneously (for example, a virus or a port scanner).
This feature does not prevent a source IP address from connecting to valid hosts
at a normal rate. Thus, a source IP address could have more established
connections than the limit. The default value is 4096. The appliance counts the
number of half opened connections for a source IP address (connections that
check if a server connection can be established before accepting the client
connection). If the count is above the limit, new connections from the source IP
address are passed through unoptimized. If you have a client connecting to
valid hosts or ports at a very high rate, some of its connections might be passed
through even though all of the connections are valid.
Maximum Connection Pooling Size. Specify the maximum number of TCP
connections in a connection pool. Connection pooling enhances network
performance by reusing active connections instead of creating a new connection
for every request.
Connection pooling is useful for protocols which create a large number of short-
lived TCP connections, such as HTTP. To optimize such protocols, a connection
pool manager maintains a pool of idle TCP connections, up to the maximum
pool size. When a client requests a new connection to a previously visited
server, the pool manager checks the pool for unused connections and returns
one if available. Thus, the client and the Steelhead appliance do not have to
wait for a three-way TCP handshake to finish across the WAN. If all
connections currently in the pool are busy and the maximum pool size has not
been reached, the new connection is created and added to the pool.
When the pool reaches its maximum size, all new connection requests are
queued until a connection in the pool becomes available or the connection
attempt times out. The default value is 20. A value of 0 specifies no connection
pool.
Important: You must restart the Steelhead appliance after changing this setting.
Tip: Viewing the Connection Pooling report can help determine whether to
modify the default setting. If the report indicates an unacceptably low ratio of
pool hits per total connection requests, increase the pool size.
Failover Settings Enables failover support.
Apply Applies your settings.

In-Path Rules
You can review in-path rules, configure additional ones, and remove them, in the In-Path Rules page. For
details on in-path rules, see the Steelhead Management Console User’s Guide.
Control Description
Add a New In-Path Rule Displays the controls for adding a new rule.
Type Select one of the following rule types from the drop-down list:
• Auto-Discover - Uses the auto-discovery process to determine if a remote
Steelhead appliance is able to optimize the connection attempting to be
created by this SYN packet. By default, auto-discover is applied to all IP
addresses and ports that are not secure, interactive, or default Riverbed
ports. Defining in-path rules modifies this default setting.
• Fixed-Target - Skips the auto-discovery process and uses a specified remote
Steelhead appliance as an optimization peer. You must specify at least one
remote target Steelhead appliance to optimize (and, optionally, which ports
and backup Steelhead appliances), and add rules to specify the network of
servers, ports, port labels, and out-of-path Steelhead appliances to use.
• Pass-Through - Allows the SYN packet to pass through the Steelhead
appliance unoptimized. No optimization is performed on the TCP
connection initiated by this SYN packet. You define pass-through rules to
exclude subnets from optimization. Traffic is also passed through when the
Steelhead appliance is in bypass mode. (Pass through of traffic might occur
because of in-path rules or because the connection was established before
the Steelhead appliance was put in place or before the Steelhead service
was enabled.)
• Discard - Drops the SYN packets silently. The Steelhead appliance filters
out traffic that matches the discard rules. This process is similar to how
routers and firewalls drop disallowed packets: the connection-initiating
device has no knowledge of the fact that its packets were dropped until the
connection times out.
• Deny - Drops the SYN packets, sends a message back to its source, and
resets the TCP connection being attempted. Using an active reset process
rather than a silent discard allows the connection initiator to know that its
connection is disallowed.
Position Select start, end, or a rule number from the drop-down list.
Steelhead appliances evaluate rules in numerical order starting with rule 1. If
the conditions set in the rule match, then the rule is applied, and the system
moves on to the next packet. If the conditions set in the rule do not match, the
system consults the next rule. For example, if the conditions of rule 1 do not
match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no
further rules are consulted.
In general, list rules in the following order:
1. Deny 2. Discard 3. Pass-through 4. Fixed-target 5. Auto-Discover
Note: The default rule, Auto-Discover, which optimizes all remaining traffic
that has not been selected by another rule, cannot be removed and is always
listed last.
Source Subnet Specify the subnet IP address and netmask for the source network. Use the
following format: XXX.XXX.XXX.XXX/XX
Or, you can specify all or 0.0.0.0/0 as the wildcard for all traffic.
(1 of 7)

Control Description
Destination Subnet Specify the subnet IP address and netmask for the destination network. Use the
following format: XXX.XXX.XXX.XXX/XX
Or, you can specify all or 0.0.0.0/0 as the wildcard for all traffic.
Port - Specify the destination port number, port label, or all.
Target Appliance IP Address Specify the target appliance address for a fixed-target rule.
Port - Specify the target port number for a fixed-target rule.
Backup Appliance IP Address Specify the backup appliance address for a fixed-target rule.
Port - Specify the backup destination port number for a fixed-target rule.
VLAN Tag ID Select the VLAN identification number from the drop-down list to set the
VLAN tag identification number. All specifies the rule applies to all VLANs;
Untagged specifies the rule applies to non-tagged connections.
RiOS supports VLAN v802.1q. To configure VLAN tagging, configure in-path
rules to apply to all VLANs or to a specific VLAN. By default, rules apply to all
VLAN values unless you specify a particular VLAN ID. Pass-through traffic
maintains any pre-existing VLAN tagging between the LAN and WAN
interfaces.
Preoptimization Policy Select a traffic type from the drop-down list:

• None - If the Oracle Forms, SSL, or Oracle Forms over SSL preoptimization
policy is turned on and you want to turn it off for a port, select none. This is
the default setting.
• Oracle Forms - Enables preoptimization processing for Oracle Forms.
• Oracle Forms over SSL - Enables preoptimization processing for both the
Oracle Forms and SSL encrypted traffic through SSL secure ports on the
client-side Steelhead appliance. You must also set the Latency Optimization
Policy to HTTP.
Note: If the server is running over a standard secure port, for example, port
443, the Oracle Forms over SSL in-path rule needs to be before the default
secure port pass-through rule in the in-path rule list.
• SSL - Enables preoptimization processing for SSL encrypted traffic through
SSL secure ports on the client-side Steelhead appliance.
(2 of 7)

Control Description
Optimization Policy Optionally, if you have selected Auto-Discover or Fixed Target, you can
configure the following types of optimization policies:
• Normal - Perform LZ compression and SDR.
• SDR-Only - Perform SDR; do not perform LZ compression.
• SDR-M - Performs data reduction entirely in memory, which prevents the
Steelhead appliance from reading and writing to and from the disk.
Enabling this option can yield high LAN-side throughput because it
eliminates all disk latency. Both Steelhead appliances must be running
RiOS v6.0.
• Compression-Only - Perform LZ compression; do not perform SDR.
• None - Do not perform SDR or LZ compression.
To configure optimization policies for the FTP data channel, define an in-path
rule with the destination port 20 and set its optimization policy. Setting QoS for
port 20 on the client-side Steelhead appliance effects passive FTP, while setting
the QoS for port 20 on the server-side Steelhead appliance effects active FTP.
To configure optimization policies for the MAPI data channel, define an in-
path rule with the destination port 7830 and set its optimization policy.
Latency Optimization Policy Select one of the following policies from the drop-down list:
• Normal - Perform all latency optimizations (HTTP is activated for ports 80
and 8080). This is the default setting.
• HTTP - Activate HTTP optimization on connections matching this rule.
• None - Do not activate latency optimization on connections matching this
rule. For Oracle Forms over SSL encrypted traffic, you must set the Latency
Optimization Policy to HTTP.
Tip: Setting the Latency Optimization Policy to None excludes HTTP latency
optimizations.
(3 of 7)

Control Description
Neural Framing Mode Optionally, if you have selected Auto-Discover or Fixed Target, you can select
a neural framing mode for the in-path rule. Neural framing enables the system
to select the optimal packet framing boundaries for SDR. Neural framing
creates a set of heuristics to intelligently determine the optimal moment to
flush TCP buffers. The system continuously evaluates these heuristics and uses
the optimal heuristic to maximize the amount of buffered data transmitted in
each flush, while minimizing the amount of idle time that the data sits in the
buffer. You can specify the following neural framing settings:
• Never - Never use the Nagle algorithm. All the data is immediately
encoded without waiting for timers to fire or application buffers to fill past
a specified threshold. Neural heuristics are computed in this mode but are
not used.
• Always - Always use the Nagle algorithm. All data is passed to the codec
which attempts to coalesce consume calls (if needed) to achieve better
fingerprinting. A timer (6 ms) backs up the codec and causes leftover data
to be consumed. Neural heuristics are computed in this mode but are not
used.
• TCP Hints - This is the default setting which is based on the TCP hints. If
data is received from a partial frame packet or a packet with the TCP PUSH
flag set, the encoder encodes the data instead of immediately coalescing it.
Neural heuristics are computed in this mode but are not used.
• Dynamic - Dynamically adjust the Nagle parameters. In this option, the
system discerns the optimum algorithm for a particular type of traffic and
switches to the best algorithm based on traffic characteristic changes.
For different types of traffic, one algorithm might be better than others. The
considerations include: latency added to the connection, compression, and
SDR performance.
To configure neural framing for an FTP data channel, define an in-path rule
with the destination port 20 and set its optimization policy. To configure neural
framing for a MAPI data channel, define an in-path rule with the destination
port 7830 and set its optimization policy.
(4 of 7)

Control Description
Auto Kickoff Enables kickoff, which resets pre-existing connections to force them to go
through the connection creation process again. If you enable kickoff,
connections that pre-exist when the optimization service is started are re-
established and optimized.
Generally, connections are short lived and kickoff is not necessary. It is suitable
for certain long-lived connections, such as data replication, and very
challenging remote environments. For example, in a remote branch-office with
a T1 and a 35 ms round-trip time, you would want connections to migrate to
optimization gracefully, rather than risk interruption with kickoff.
RiOS v6.1 provides three ways to enable kickoff:
• Globally for all existing connections on the Configure > Optimization >
General Service Settings page.
• For a single pass-through or optimized connection on the Current
Connections report, one connection at a time.
• For all existing connections that match an in-path rule and the rule has
kickoff enabled.
In most deployments, you do not want to set automatic kickoff globally
because it disrupts all existing connections. When you enable kick off using an
in-path rule, once the Steelhead detects packet flow that matches the IP and
port specified in the rule, it sends an RST packet to the client and server
maintaining the connection to try to close it. Next, it sets an internal flag to
prevent any further kickoffs until the optimization service is once again
restarted.
Note: If no data is being transferred between the client and server the
connection is not reset immediately. It resets the next time the client or server
tries to send a message. Therefore, when the application is idle, it may take a
while for the connection to reset.
By default, auto kickoff per in-path rule is disabled.
The service applies the first matching in-path rule for an existing connection
that matches the source and destination IP and port; it does not consider a
VLAN tag ID when determining whether to kick off the connection.
Consequently, the service automatically kicks off connections with matching
source and destination addresses and ports on different VLANs.
The source and destination of a pre-existing connection cannot be determined
because the Steelhead appliance did not see the initial TCP handshake whereas
an in-path rule specifies the source and destination IP address to which the rule
should be applied. Hence this connection for this IP address pair is matched
twice, once as source to destination and the other as destination to source to
find an in-path rule.
For example, the following in-path rule will kick off connections from
10.11.10.10/24 to 10.12.10.10/24 and 10.12.10.10/24 to 10.11.10.10/24.
Src 10.11.10.10/24 Dst 10.12.10.10/24 Auto Kickoff enabled
The first matching in-path rule will be considered during the kickoff check for
a pre-existing connection. If the first matching in-path rule has kickoff enabled,
then that pre-existing connection will be reset.
Important: Specifying automatic kickoff per in-path rule enables kickoff even
when you disable the global kickoff feature. When global kickoff is enabled, it
overrides this setting. You set the global kickoff feature using the Reset Existing
Client Connections on Start Up feature, which appears on the Configure >
Optimization > General Service Settings page.
Note: This feature pertains only to auto-discover and fixed-target rule types and
is dimmed and unavailable for the other rule types.
(5 of 7)

Control Description
WAN Visibility Mode Enables WAN visibility, which pertains to how packets traversing the WAN are
addressed. RiOS v5.0 or later offers three types of WAN visibility: correct
addressing, port transparency, and full address transparency.
You configure WAN visibility on the client-side Steelhead appliance (where the
connection is initiated). The server-side Steelhead appliance must also support
WAN visibility (RiOS v5.0 or later).
Select one of the following modes from the drop-down list:
• Correct Addressing - Turns WAN visibility off. Correct addressing uses
Steelhead appliance IP addresses and port numbers in the TCP/IP packet
header fields for optimized traffic in both directions across the WAN. This
is the default setting.
• Port Transparency - Port address transparency preserves your server port
numbers in the TCP/IP header fields for optimized traffic in both
directions across the WAN. Traffic is optimized while the server port
number in the TCP/IP header field appears to be unchanged. Routers and
network monitoring devices deployed in the WAN segment between the
communicating Steelhead appliances can view these preserved fields.
Use port transparency if you want to manage and enforce QoS policies that
are based on destination ports. If your WAN router is following traffic
classification rules written in terms of client and network addresses, port
transparency enables your routers to use existing rules to classify the traffic
without any changes.
Port transparency enables network analyzers deployed within the WAN
(between the Steelhead appliances) to monitor network activity and to
capture statistics for reporting by inspecting traffic according to its original
TCP port number.
Port transparency does not require dedicated port configurations on your
Steelhead appliances.
Note: Port transparency only provides server port visibility. It does not provide
client and server IP address visibility, nor does it provide client port visibility.
• Full Transparency - Full address transparency preserves your client and
server IP addresses and port numbers in the TCP/IP header fields for
optimized traffic in both directions across the WAN. It also preserves
VLAN tags. Traffic is optimized while these TCP/IP header fields appear to
be unchanged. Routers and network monitoring devices deployed in the
WAN segment between the communicating Steelhead appliances can view
these preserved fields.
If both port transparency and full address transparency are acceptable
solutions, port transparency is preferable. Port transparency avoids potential
networking risks that are inherent to enabling full address transparency. For
details, see the Steelhead Appliance Deployment Guide.
However, if you must see your client or server IP addresses across the WAN,
full transparency is your only configuration option.
Important: Enabling full address transparency requires symmetrical traffic
flows between the client and server. If any asymmetry exists on the network,
enabling full address transparency might yield unexpected results, up to and
including loss of connectivity. For details, see the Steelhead Appliance Deployment
Guide.
(6 of 7)

Control Description
WAN Visibility Mode (continued) RiOS v6.0 includes an option for using Full Transparency with a stateful
firewall. A stateful firewall examines packet headers, stores information, and
then validates subsequent packets against this information. If your system uses
a stateful firewall, the following option is available:
• Full Transparency w/Reset - Enables full address and port transparency
and also sends a forward reset between receiving the probe response and
sending the transparent inner channel SYN. This ensures the firewall does
not block inner transparent connections because of information stored in
the probe connection. The forward reset is necessary because the probe
connection and inner connection use the same IP addresses and ports and
both map to the same firewall connection. The reset clears the probe
connection created by the Steelhead appliance and allows for the full
transparent inner connection to traverse the firewall. Both the client-side
and server-side Steelhead appliances must be running RiOS v6.0.
Notes:
• For details on configuring WAN visibility and its implications, see the
Steelhead Appliance Deployment Guide.
• WAN visibility works with auto-discover in-path rules only. It does not
work with fixed-target rules or server-side out-of-path Steelhead appliance
configurations.
• To turn full transparency on globally by default, create an in-path auto-
discover rule, select Full, and place it above the default in-path rule and
after the Secure, Interactive, and RBT-Proto rules.
• You can configure a Steelhead appliance for WAN visibility even if the
server-side Steelhead appliance does not support it, but the connection is
not transparent.
• You can enable full transparency for servers in a specific IP address range
and you can enable port transparency on a specific server. For details, see
the Steelhead Appliance Deployment Guide.
• The Top Talkers report displays statistics on the most active, heaviest users
of WAN bandwidth, providing some WAN visibility without enabling a
WAN Visibility Mode.
Description Describe the rule to facilitate administration.
Add Adds the rule to the list. The Management Console redisplays the In-Path
Rules table and applies your modifications to the running configuration, which
is stored in memory.
Remove Selected Rules Click the check box next to the name and click Remove Selected Rules.
Move Selected Rules Moves the selected rules. Click the arrow next to the desired rule position; the
rule moves to the new position.
(7 of 7)
Tip: If necessary, you can re-order your rules. In the In-Path Rules table, use the drop-down lists in the Rule column.
Tip: The default rule, which optimizes all remaining traffic that has not been selected by another rule, cannot be
removed and is always listed last.

Peering Rules
You configure peering rules for the selected optimization policy in the Peering Rules page.
Automatic peering is disabled by default. For details on automatic peering, see the Steelhead Management
Console User’s Guide.
Control Description
Enable Automatic Peering Enables enhanced automatic peering. With automatic peering the Steelhead
appliance automatically finds the furthest Steelhead appliance along the
connection path of the TCP connection and optimization occurs there. For
example, in a deployment with four Steelhead appliances (A, B, C, D), where D
represents the appliance that is furthest from A, the Steelhead appliance
automatically finds D. This simplifies configuration and makes your
deployment more scalable.
By default, automatic peering is enabled. If you do not enable automatic
peering, the Steelhead appliance uses regular auto-discovery. With regular
auto-discovery, the Steelhead appliance finds the first remote Steelhead
appliance along the connection path of the TCP connection and optimization
occurs there. For example, if you had a deployment with four Steelhead
appliances (A, B, C, D) where D represents the appliance that is furthest from A,
the Steelhead appliance automatically finds B, then C, and finally D and
optimization takes place in each.
For a detailed information about deployments that require automatic peering,
see the Steelhead Appliance Deployment Guide.
Enable Extended Peer Table Enables support for up to 20,000 peers on high-end server-side Steelhead
appliances (models 5520, 6020, 6050, and 6120) to accommodate large Steelhead
client deployments. The data store maintains the peers in groups of 1,024 in the
global peer table.
Riverbed recommends enabling the extended peer table if you have more than
4,000 peers.
By default, this option is disabled and it is unavailable on Steelhead appliance
models that do not support it.
After enabling this option you must clear the data store and stop and restart the
service.
Important: Before enabling this feature you should have a thorough
understanding of performance and scaling issues. When deciding whether to
use extended peer table support, you need to compare it with a serial cluster
deployment. For more information on serial clusters, see the Steelhead Appliance
Deployment Guide.
Important: After enabling extended peer table support, you cannot install a
RiOS software version earlier than v5.5 without first clearing the data store.
Tip: To delete a rule from the Peering Rules table, click the down arrow in the Number column next to the rule and
choose remove.
Tip: The default rule cannot be removed and is always listed last.

Important: After the CMC has applied your settings, you can verify whether changes have had the intended effect by
reviewing related reports. When you have verified appropriate changes, you can write the active configuration that is
stored in memory to the active configuration file (or Save As any filename you choose). For details on saving
configurations, see “User Permissions” on page 299.
To add a new peering rule use the configurations described in the following table.
Control Description
Rule Type Determines which action the Steelhead appliance takes on the connection.
Select one of the following rule types from the drop-down list:
• Auto. Allows built-in functionality to determine the response for peering
requests (performs the best peering possible). If the receiving Steelhead
appliance is not using automatic auto-discovery, this has the same effect as
the Accept peering rule action. If automatic auto-discovery is enabled, the
Steelhead appliance only becomes the optimization peer if it is the last
Steelhead appliance in the path to the server.
• Accept. Accepts peering requests that match the source-destination-port
pattern. The receiving Steelhead appliance responds to the probing
Steelhead appliance and becomes the remote-side Steelhead appliance (that
is, the peer Steelhead appliance) for the optimized connection.
• Passthrough. Allows pass-through peering requests that match the source
and destination port pattern. The receiving Steelhead appliance does not
respond to the probing Steelhead appliance, and allows the SYN+probe
packet to continue through the network
Insert Rule At Determines the order in which the system evaluates the rule. Select start, end,
or a rule number from the drop-down list.
The system evaluates rules in numerical order starting with rule 1. If the
conditions set in the rule match, then the rule is applied and the system moves
on to the next rule. For example, if the conditions of rule 1 do not match, rule 2
is consulted. If rule 2 matches the conditions, it is applied, and no further rules
are consulted.
The Rule Type of a matching rule determines which action the Steelhead
appliance takes on the connection.
Source Subnet Specify an IP address/mask for the traffic source, or you can specify all or
0.0.0.0/0 as the wildcard for all traffic.
Use the following format: XXX.XXX.XXX.XXX/XX
Destination Subnet Specify an IP address/mask pattern for the traffic destination, or you can
specify all or 0.0.0.0/0 as the wildcard for all traffic.
Use the following format: XXX.XXX.XXX.XXX/XX
Port Specify the destination port number, port label, or all.
Peer IP Address Specify the IP addresses of the probing Steelhead appliance.

Control Description
SSL Capability Enables an SSL Capability flag, which specifies a criteria for matching an
incoming connection with one of the rules in the peering rules table. This flag is
typically set on a server-side Steelhead appliance.
Select one of the following options from the drop-down list to determine how to
process attempts to create secure SSL connections:
• No Check. The peering rule does not determine whether the server
Steelhead appliance is present for the particular destination IP address and
port combination.
• Capable. The peering rule determines that the connection is SSL-capable if
the destination port is 443 (irrespective of the destination port value on the
rule), and the destination IP and port do not appear on the bypassed servers
list. The Steelhead appliance accepts the condition and, assuming all other
proper configurations and that the peering rule is the best match for the
incoming connection, optimizes SSL.
• Incapable. The peering rule determines that the connection is SSL-incapable
if the destination IP and port appear in the bypassed servers list. The service
adds a server to the bypassed servers list when there is no SSL certificate for
the server or for any other SSL handshake failure. The Steelhead appliance
passes the connection through unoptimized without affecting connection
counts.
Note: Riverbed recommends that you use in-path rules to optimize SSL
connections on non-443 destination port configurations.
Description Specify a description to help you identify the peering relationship.
Add Adds a peering rule to the list.
Service Ports
You can configure service port settings for the selected optimization policy in the Service Ports page.
For details on the service ports, see the Steelhead Management Console User’s Guide.
The Service Ports page contains the following groups of settings:
“Service Port Settings,” next
“Service Ports” on page 236
Service Port Settings

In this panel, you can display and modify service port settings for an optimization policy.
Control Description
Service Ports Specify ports in a comma-separated list. The default service ports are 7800 and
7810.
Default Port Select the default service port from the drop-down list. The default service
ports are 7800 and 7810.

Service Ports
In this panel, you can manage service port mappings for an optimization policy, as described in the
following table.
Control Description
Add a New Service Port Mapping Displays the controls to add a new mapping.
Destination Port Specify a destination port number.
Service Port Specify a port number.
Add Adds the port numbers.
Data Store
You can display and modify data store settings for the selected optimization policy on the Data Store page.
The Data Store page contains the following groups of settings:
“General Settings,” next
“Data Replication Setting” on page 237
“Disk Layout Setting” on page 238
General Settings
In this panel, you can specify data store encryption for an optimization policy, as described in the following
table.
Control Description
Data Store Encryption Type Select one of the following encryption types from the drop-down list. The
encryption types are listed from the least to the most secure.
• None. Turns off data encryption.
• AES_128. Encrypts data using the AES cryptographic key length of 128 bits.
Important: You must clear the data store and reboot the Steelhead service on the Steelhead appliance after turning on,
changing, or turning off the encryption type. After you clear the data store, the data cannot be recovered. If you do not
want to clear the data store, reselect your previous encryption type and reboot the service. The Steelhead appliance uses
the previous encryption type and encrypted data store. For details, see “Rebooting Appliances and Appliance Groups”
on page 124.

Data Replication Setting

In this panel, you can specify the data replication options for an optimization policy, as described in the
following table.
Setting Description
Default This setting is enabled by default and works for most implementations. The
default setting:
• Provides the most data reduction.
• Reduces random disk seeks and improves disk throughput by discarding
very small data margin segments that are no longer necessary. This Margin
Segment Elimination (MSE) process provides network-based disk
defragmentation.
• Writes large page clusters.
• Monitors the disk write I/O response time to provide more throughput.
SDR-Adaptive Legacy. Includes the default settings and also:

• Balances writes and reads.
• Monitors both read and write disk I/O response and, based on statistical
trends, can employ a blend of disk-based and non-disk-based data
reduction techniques to enable sustained throughput during periods of high
disk-intensive workloads.
Advanced. Maximizes LAN-side throughput dynamically under different data
work loads. This switching mechanism is governed with a throughput and
bandwidth reduction goal using the available WAN bandwidth.
Upgrade notes: If you have enabled SDR-Adaptive prior to upgrading to RiOS
v6.0, the default setting is SDR-Adaptive Legacy.
If you did not change the SDR-Adaptive setting prior to upgrading to RiOS 6.0,
the default setting is SDR-Adaptive Advanced.
Important: Use caution with this setting, particularly when you are optimizing
CIFS or NFS with prepopulation. Please contact Riverbed Technical Support for
more information.
SDR-M Performs data reduction entirely in memory, which prevents the Steelhead
appliance from reading and writing to and from the disk. Enabling this option
can yield high LAN-side throughput because it eliminates all disk latency. This
is typically the preferred configuration mode for SAN replication
environments.
SDR-M is most efficient when used between two identical high-end Steelhead
appliance models; for example, 6050 - 6050. When used between two different
Steelhead appliance models, the smaller model limits the performance.
After enabling SDR-M on both the client-side and the server-side Steelhead
appliances, restart both Steelheads to avoid performance degradation.
Important: You cannot use peer data store synchronization with SDR-M.

Disk Layout Setting

In this panel, you can select the disk layout setting as described in the following table.
Control Description
FIFO Specifies a replacement algorithm that replaces data in the order that they are
received (first in, first out).
Riverbed LRU Specifies a replacement algorithm that replaces the least recently used data in
the data store, which improves hit rates when the data in the data store are not
equally used. This is the default setting.
Important: After changing the data store data replication settings, you can verify whether changes have had the
intended effect by reviewing the Throughput report. Choose Reports > Optimization > Throughput. For details on
viewing reports, see “Displaying Steelhead Diagnostics Reports” on page 197.
Performance
You can configure service performance policy settings for the selected optimization policy in the
Performance page. For details on Performance optimization, see the Steelhead Management Console User’s
Guide.
The Performance page contains the following groups of settings:
“TCP Optimization” on page 238
“Buffer Settings” on page 238
“Data Store” on page 239
“Adaptive Data Streamlining Modes” on page 239
“CPU Settings” on page 239
TCP Optimization
In this panel, enable or disable TCP optimization, as described in the following table.
Control Description
Enable HighSpeed TCP Enables HighSpeed TCP settings.
Use Default Steelhead TCP Optimization Enables default Steelhead TCP optimization. settings.
Buffer Settings
In this panel, select buffer settings for the optimization policy performance feature set as described in the
following table.
Control Description
LAN Send Buffer Size Specify the send buffer size used to send data out of the LAN. The default value
is 81920.
LAN Receive Buffer Size Specify the receive buffer size used to receive data from the LAN. The default
value is 32768.

Control Description
WAN Default Send Buffer Size Specify the send buffer size used to send data out of the WAN. The default
value is 262140.
WAN Default Receive Buffer Size Specify the receive buffer size used to receive data from the WAN. The default
value is 262140.
Data Store
In this panel, specify the segment replacement policy as described in the following table
Control Description
Data Store Segment Replacement Select one of the following options:

Policy
• FIFO. First In First Out.
• Riverbed LRU. Riverbed proprietary LRU.
Adaptive Data Streamlining Modes

In this panel, specify the data streamlining mode as described in the following table.
Mode Description
Default Specifies the default streamlining mode.
SDR-Adaptive Specifies the SDR-adaptive streamlining mode. Used to dynamically use the
resources (disk, CPU, memory) as best possible while providing maximum
performance in the system.
SDR-M Specifies the SDR-M streamlining mode. This feature uses both SDR and LZ,
but prevents the Steelhead appliance from going to disk to read or write
segments and performs reductions entirely in memory. This is very useful for
very high-speed applications.
CPU Settings
In this panel, select the CPU settings for the optimization policy as described in the following table.
Setting Description
Compression Level Specifies the relative trade-off of data compression for LAN throughput speed.
Generally, a lower number provides faster throughput and slightly less data
reduction.
Select a data store compression value of 1 (minimum compression, uses less
CPU) through 9 (maximum compression, uses more CPU) from the drop-down
list. The default value is 1.
Riverbed recommends setting the compression level to 1 in high-throughput
environments such as data center to data center replication.

Setting Description
Adaptive Compression Detects LZ data compression performance for a connection dynamically and
turns it off (sets the compression level to 0) momentarily if it is not achieving
optimal results. Improves end-to-end throughput over the LAN by maximizing
the WAN throughput. By default, this setting is disabled.
Multi-Core Balancing Enables multi-core balancing which ensures better distribution of workload
across all CPUs, thereby maximizing throughput by keeping all CPUs busy.
Core balancing is useful when handling a small number of high-throughput
connections (approximately 25 or less). By default, this setting is disabled.
Pt
Protocols CIFS
You can display and modify CIFS optimization feature settings for the selected optimization policy in the
CIFS page.
The CIFS page contains the following groups of settings:
“Settings,” next
“Overlapping Open Optimization (Advanced)” on page 242
“SMB Settings” on page 243
Settings
In this panel, you can select the CIFS options for an optimization policy, as described in the following table.
Control Description
Enable Latency Optimization Enables latency optimization. This is the default setting.
Only clear this check box if you want to disable latency optimization. Typically,
you disable latency optimization to troubleshoot problems with the system.
Important: Latency optimization must be enabled (or disabled) on both
Steelhead appliances.
Disable Write Optimization Disables write optimization.

Disable write optimization only if you have applications that assume and
require write-through in the network. If you disable write optimization, the
Steelhead appliance still provides optimization for CIFS reads and for other
protocols, but you might experience a slight decrease in overall optimization.
Most applications operate safely with write optimization because CIFS allows
you to explicitly specify write-through on each write operation. However, if
you have an application that does not support explicit write-through
operations, you must disable it in the Steelhead appliance.
If you do not disable write-through, the Steelhead appliance acknowledges
writes before they are fully committed to disk, to speed up the write operation.
The Steelhead appliance does not acknowledge the file close until the file is
safely written.

Control Description
Optimize Connections with Prevents Windows SMB signing. This is the default setting.
Security Signatures (that do not
require signing) This feature automatically stops Windows SMB signing. SMB signing prevents
the Steelhead appliance from applying full optimization on CIFS connections
and significantly reduces the performance gain from a Steelhead deployment.
Because many enterprises already take additional security precautions (such as
firewalls, internal-only reachable servers, and so forth), SMB signing adds little
additional security, at a significant performance cost (even without Steelhead
appliances).
Before you enable this feature, consider the following factors:
• If the client-side machine has Required signing, enabling this feature
prevents the client from connecting to the server.
• If the server-side machine has Required signing, the client and the server
connect but you cannot perform full latency optimization with the
Steelhead appliance. Domain controllers default to Required.
Important: If your deployment requires SMB signing, you can optimize signed
CIFS messages using the RiOS v5.5.x Enable SMB Signing feature.
For detailed information about SMB signing and the performance cost
associated with it, see the Steelhead Appliance Installation and Configuration Guide.
Enable Dynamic Write Throttling Enables CIFS dynamic throttling mechanism which replaces the current static
buffer scheme. If you enable CIFS dynamic throttling, it is activated only when
there are sub-optimal conditions on the server-side causing a backlog of write
messages; it does not have a negative effect under normal network conditions.
Enable SMBv1 Backward Improves SMB optimization for Windows Vista users. Select to perform latency
Compatibility and SDR optimizations on SMB traffic on the client-side Steelhead appliance.
Without this feature, Steelhead appliances perform only SDR optimization
without improving CIFS latency. This feature enables SMBv1 for Vista-to-Vista
and Vista-Windows Server 2008 CIFS connections instead of SMBv2 (similar to
Vista-to-pre-Vista CIFS connections). While the Steelhead appliances are fully
compatible with the SMBv2 included in Vista, they deliver the best performance
using SMBv1.
Important: You must restart the client Steelhead service after enabling the
SMBv1 Backward Compatibility Mode.

Control Description
Enable Applock Optimization Enables CIFS latency optimizations to improve read and write performance for
Microsoft Word and Excel documents when multiple users have the file open.
By default, this setting is disabled.
This feature enhances the Enable Overlapping Open Optimization feature by
identifying and obtaining locks on read write access at the application level.
The overlapping open optimization feature handles locks at the file level.
Note: Enable the applock optimization feature on the client-side Steelhead
appliance. The client-side Steelhead appliance must be running RiOS v5.5 or
later.
Enable Print Optimization Improves centralized print traffic performance. For example, when the print
server is located in the data center and the printer is located in the branch office,
enabling this option speeds the transfer of a print job spooled across the WAN
to the server and back again to the printer. By default, this setting is disabled.
Enabling this option requires an optimization service restart.
This option supports Windows XP (client), Vista (client), Windows 2003
(server), and Windows 2008 (server).
Both the client and server-side Steelhead appliance must be running RiOS v6.0.
Note: This feature does not improve optimization for a Windows Vista client
printing over a Windows 2008 server, because this client and server pair uses a
different print protocol.
Overlapping Open Optimization (Advanced)

In this panel, you can enable overlapping open optimization for an optimization policy, as described in the
following table.
Control Description
Enable Overlapping Open Enables overlapping opens to obtain better performance with applications that
Optimization perform multiple opens on the same file (for example, CAD applications). By
default, this setting is disabled.
Enable this setting on the client-side Steelhead appliance.
With overlapping opens enabled the Steelhead appliance optimizes data where
exclusive access is available (in other words, when locks are granted). When an
oplock is not available, the Steelhead appliance does not perform application
level latency optimizations but still performs SDR and compression on the data
as well as TCP optimizations.
Note: If a remote user opens a file that is optimized using the overlapping opens
feature and a second user opens the same file, they might receive an error if the
file fails to go through a v3.x.x or later Steelhead appliance or if it does not go
through a Steelhead appliance (for example, certain applications that are sent
over the LAN). If this occurs, you should disable overlapping opens for those
applications.
Use the radio buttons to set either an include list or exclude list of file types
subject to overlapping opens optimization
Optimize only the following Specify a list of extensions you want to include in overlapping opens
extensions (comma separated) optimization.
Optimize all except the following Specify a list of extensions you do not want to include, for example, you should
extensions (comma separated) specify any file extensions that Enable Applock Optimization is being used for.
Apply Click Apply to apply your settings.

SMB Settings
In this panel, you configure the settings as described in the following table.
Control Description
Enable SMB Signing Enables CIFS traffic optimization in transparent mode by providing bandwidth
optimizations (SDR and LZ), TCP optimizations, and CIFS latency
optimizations even when the CIFS messages are signed.
By default, this setting is disabled. You must enable this feature on the server-
side Steelhead appliance.
Note: If you enable this feature without first joining a Windows Domain, a
message tells you that the Steelhead appliance must join a domain before it can
support SMB signing.
SMB Mode Select one of the following SMB signing modes from the drop-down list:
• Transparent Mode. Enables SMB signed packets with transparent
authentication. Transparent mode eliminates the need to define delegation
trust. This is the default setting in RiOS v6.0; however, if you enabled SMB
signing in RiOS v5.5 and have since upgraded to v6.0, delegation mode is
enabled by default.
• Delegation Mode. Enables SMB signed packets with delegate user
authentication. Use this mode if you have previously enabled SMB Signing
with RiOS v5.5.x.
Note: If you switch between transparent and delegation modes you must restart
the optimization service.
Protocols CIFS Prepopulation

You can display and modify CIFS prepopulation feature settings for the selected optimization policy in the
CIFS Prepopulation page. CIFS prepopulation enables you to warm Steelhead appliances with data from a
CIFS share.
Control Description
Enable Prepopulation Click to prepopulate the Steelhead appliance with data from the listed CIFS
shares.
Enable Transparent Click to enable the Steelhead appliance to listen for updates on the listed CIFS
Prepopulation Support shares.
Add a New Prepopulation Share Displays the controls for adding a new prepopulation CIFS share.
Remote Path Specify the path to the CIFS share.
Account Specify the account number on the CIFS share.
Password Set the password for accessing the CIFS share.
Synchronization Enable Click to enable the following synchronization options:

• Sync Schedule Date, Time. Sets date (YYYY/MM/DD) and time
(HH:MM:SS) for synchronizing the Steelhead appliance with the server.
• Sync Interval. Set number and select Minutes, Hours, Days, or Disabled
from the drop-down list.

Control Description
Comment Optionally, include a comment that describes the share configuration.
Add Adds the new CIFS share configuration to the policy definition.
Remove Selected Click the check box next to the name of the CIFS share configuration and click
Remove Selected.
Protocols HTTP
For details on HTTP optimization, see the Steelhead Management Console User’s Guide.
The HTTP page contains the following groups of settings:
“HTML Tags to Prefetch” on page 245
“Server Subnet Setting” on page 246
Settings
In this panel, you can set general HTTP settings for an optimization policy, as described in the following
table.
Control Description
Enable HTTP Optimization Enables HTTP acceleration, which prefetches and stores objects embedded in
Web pages to improve HTTP traffic performance. By default, HTTP
optimization is enabled.
Minimum Object Prefetch Table Specify this option to set the minimum number of seconds the objects are stored
Time in the local object prefetch table. The default is 60 seconds.
This setting specifies the minimum lifetime of the stored object. During this
lifetime, any qualified If-Modified-Since (IMS) request or regular request from
the client receives an HTTP 304 response, indicating that the resource for the
requested object has not changed since stored.
Maximum Object Prefetch Table Specify this option to set the maximum number of seconds the objects are
Time stored in the local object prefetch table. The default is 86,400 seconds.
This setting specifies the maximum lifetime of the stored object. During this
lifetime, any qualified If-Modified-Since (IMS) request or regular request from
the client receives an HTTP 304 response, indicating that the resource for the
requested object has not changed since stored.
Object Prefetch Table Extensions Specify the object extensions to store, separated by commas. By default the
Steelhead appliance stores .jpg, .gif, .js, .png, and .css object extensions.
Note: These extensions are only for objects stored in the object prefetch table
and do not affect other prefetch types.
Extensions to Prefetch Specify object extensions to prefetch, separated by commas. By default the
Steelhead appliance prefetches .jpg, .gif, .js, .png, and .css object extensions.
Note: These extensions are only for URL Learning and do not affect other
prefetch types.

HTML Tags to Prefetch

In this panel, you can specify HTML tags for prefetching for an optimization policy, as described in the
following table.
Note: These tags are for Parse and Prefetch only and do not affect other prefetch types.
Control Description
Add a Prefetch Tag Displays the controls to add an HTML tag.
Tag Name Specify the tag name.
Attribute Specify the tag attribute.
Add Adds the tag.
After you apply your settings, you can verify whether changes have had the desired effect by reviewing
related reports. When you have verified appropriate changes, you can write the active configuration that is
stored in memory to the active configuration file (or Save As any filename you choose). For details on saving
configurations, see “Managing Configuration Files” on page 88.

Server Subnet Setting

In this panel, you can manage HTTP server subnet configurations for an optimization policy, as described
in the following table.
Control Description
Add a Server Subnet Displays the controls for adding a server subnet. The server must support keep-
alive.
Server Subnet Specify an IP address and mask pattern for the server subnet on which to set up
the HTTP optimization scheme. Use the format: XXX.XXX.XXX.XXX/XX
Basic Tuning
Strip Compression Removes the accept-encoding lines from the HTTP compression header. An
accept-encoding directive compresses content rather than using raw HTML.
Enabling this option improves the performance of the Steelhead appliance data
reduction algorithms. By default, strip compression is enabled.
Insert Cookie Adds a cookie to HTTP applications that do not already have one. HTTP
applications frequently use cookies to keep track of sessions. The Steelhead
appliance uses cookies to distinguish one user session from another. If an HTTP
application does not use cookies, the client Steelhead appliance inserts one so
that it can track requests from the same client. By default, this setting is
disabled.
Insert Keep Alive Uses the same TCP connection to send and receive multiple HTTP requests and
responses, as opposed to opening a new one for every single request and
response. Specify this option when using the URL Learning or Parse and
Prefetch features with HTTP v1.0 or HTTP v1.1 applications using the
Connection Close method. By default, this setting is disabled.
Prefetch Schemes
URL Learning Enables URL Learning, which learns associations between a base URL request
and a follow-on request. Stores information about which URLs have been
requested and which URLs have generated a 200 OK response from the server.
This option fetches the URLs embedded in style sheets or any JavaScript
associated with the base page and located on the same host as the base URL.
URL Learning works best with non-dynamic content that does not contain
session-specific information. URL Learning is enabled by default.
Your system must support cookies and persistent connections to benefit from
URL Learning. If your system has cookies turned off and depends on URL
rewriting for HTTP state management, or is using HTTP v1.0 (with no keep-
alives), you can force the use of cookies using the Add Cookie option and force
the use of persistent connections using the Insert Keep Alive option.
Parse and Prefetch Enables Parse and Prefetch, which parses the base HTML page received from
the server and prefetches any embedded objects to the client-side Steelhead
appliance. This option complements URL Learning by handling dynamically
generated pages and URLs that include state information. When the browser
requests an embedded object, the Steelhead appliance serves the request from
the prefetched results, eliminating the round-trip delay to the server.
The prefetched objects contained in the base HTML page can be images, style
sheets, or any Java scripts associated with the base page and located on the
same host as the base URL.
Parse and Prefetch requires cookies. If the application does not use cookies, you
can insert one using the Insert Cookie option.

Control Description
Object Prefetch Table Enables the Object Prefetch Table, which stores HTTP object prefetches from
HTTP GET requests for cascading style sheets, static images, and Java scripts in
the Object Prefetch Table. When the browser performs If-Modified-Since (IMS)
checks for cached content or sends regular HTTP requests, the client-side
Steelhead appliance responds to these IMS checks and HTTP requests, cutting
back on round trips across the WAN.
Authentication Tuning
Reuse Auth Allows an unauthenticated connection to serve prefetched objects, as long as

the connection belongs to a session whose base connection is already
authenticated.
This option is most effective when the Web server is configured to use per-
connection NTLM or Kerberos authentication.
Force NTLM In the case of negotiated Kerberos and NTLM authentication, forces NTLM.
Kerberos is less efficient over the WAN because the client must contact the
Domain Controller to answer the server authentication challenge and tends to
be employed on a per-object basis.
Riverbed recommends enabling Strip Auth Header along with this option.
Strip Auth Header Removes all credentials from the request on an already authenticated
connection. This works around Internet Explorer behavior that re-authorizes
connections that have previously been authorized.
connection NTLM authentication.
Important: If the Web server is configured to use per-connection Kerberos
authentication, enabling this option might cause authentication failure.
Gratuitous 401 Prevents a WAN round trip by issuing the first 401 containing the realm choices
from the client-side Steelhead appliance.
Riverbed recommends enabling Strip Auth Header along with this option.
connection NTLM authentication or per-object Kerberos authentication.
Important: If the Web server is configured to use per-object Kerberos
authentication or per-connection NTLM authentication, enabling this option
might cause additional delay.
Add Adds the subnet.
Tip: To modify subnet configuration properties, in the table row for the configuration, use the drop-down lists to
modify configuration settings as described above.
Protocols Oracle Forms

You can configure Oracle Forms support for the selected optimization policy in the Oracle Forms page.

For details on the Oracle Forms feature, see the Steelhead Management Console User’s Guide.
Control Description
Enable Oracle Forms Enables Oracle Forms optimization in native mode, also known as socket mode.
Optimization Oracle Forms native mode optimization is enabled by default. Disable this
option only to turn off Oracle Forms optimization; for example, if your network
users do not use Oracle applications.
Enable HTTP Mode Enables Oracle Forms optimization in HTTP mode. All internal messaging
between the forms server and the Java client is encapsulated in HTTP packets.
In RiOS v6.0, HTTP mode is enabled by default. You must also click the Enable
Oracle Forms Optimization check box to enable HTTP mode.
Note: If you change the Oracle Forms setting, you must restart the Steelhead service. For details, see “Starting, Stopping,
or Restarting Appliances and Appliance Groups” on page 123.
If you have not already done so, add an in-path rule for Oracle Forms traffic. The rule must have the
following properties.
Property Value
Type Auto-discover or Fixed-target
Destination Subnet/Port Specify the server IP address (for example, 10.11.41.14/32), and a port number:
9000 - native mode, using the default forms server
8000 - HTTP mode
Preoptimization Policy Oracle Forms or Oracle Forms over SSL
Optimization Policy Normal
Latency Optimization Policy Normal
Neural Framing Mode Always

Protocols MAPI
You can display and modify MAPI optimization settings for the selected optimization policy on the MAPI
page. For details on the MAPI optimization, see the Steelhead Management Console User’s Guide.
Control Description
Enable MAPI Optimization Enables MAPI optimization.

By default, MAPI optimization is enabled. Only clear this check box to disable
MAPI optimization. Typically, you disable MAPI optimization to troubleshoot
problems with the system. For example, if you are experiencing problems with
Outlook clients connecting with Exchange, you can disable MAPI latency
acceleration (while continuing to optimize with SDR for MAPI).
Exchange Port Specify the MAPI Exchange port for optimization. Typically, you do not need to
modify the default value, 7830.
If you have changed the MEISI port in your Exchange Server environment,
change port 7830 to the static port number you have configured in your
Exchange environment. For further information about changing (MEISI) ports,
see the Microsoft Exchange Information Store Interface at:
https://support.microsoft.com/kb/270836/en-us
Enable MAPI NSPI Enables MAPI Name Service Provider Interface (NSPI) optimization.
By default, NSPI optimization is disabled.
NSPI is the address book subcomponent of the Exchange protocol. Enable this
feature to perform latency optimization for the connection when using the
Exchange 2000 Server or when the client is not using Cached Exchange mode.
NSPI Port Specify the NSPI port. The default value is 7840.
Enable MAPI Exchange 2003 Enables MAPI 2003 acceleration. By default, this option is enabled. This feature
Acceleration increases optimization of traffic between Exchange 2003 and Outlook 2003.
Note: For out-of-path deployments, to optimize MAPI Exchange 2003, you must
define fixed-target, in-path rules that specify the following ports on the client-
side Steelhead appliance: the Microsoft end-point mapper port: 135; the
Steelhead appliance port for Exchange traffic: 7830; the Steelhead appliance port
for Exchange Directory NSPI traffic: 7840.
Enable MAPI Exchange 2007 Enables native MAPI 2007 acceleration. By default, this option is enabled. If you
Acceleration have Outlook 2007 and Exchange 2003 or 2007 in your environment, this option
increases optimization of traffic between Exchange and Outlook 2007.
Sharing calendars between Outlook 2007 and Exchange 2007 increases the
number of connections (anywhere from 1 to 2 extra connections per each user
sharing calendars). The connections are persistent and remain even when users
are not actively checking other user’s calendars. Enabling this option helps
keep connection counts at sustained, low levels, thereby increasing
optimization.

Control Description
Enable Encrypted Optimization Enables encrypted MAPI RPC traffic optimization between Outlook and
Exchange. By default, this option is disabled.
The basic steps to enable encrypted optimization are:
1. Go to Configure > Networking > Windows Domain and join the server-side
Steelhead appliance to the same Windows Domain that the Exchange server
belongs to and operates as a member server.
2. Verify that Outlook is encrypting traffic.
3. Enable this option on all Steelhead appliances involved in optimizing MAPI
encrypted traffic.
4. Windows 7 MAPI clients must use Delegation mode. Use the default
Transparent mode for all other clients.
5. Make sure that both Enable MAPI Exchange 2003 Acceleration and Enable
MAPI Exchange 20073 Acceleration are enabled. Both options are enabled by
default.
6. Restart the service on all Steelhead appliances that have this option enabled.
Note: Both the server-side and client-side Steelhead appliances must be running
RiOS v5.5.x or later.
Note: When this option is enabled and Enable MAPI Exchange 2007
Acceleration is disabled on either Steelhead appliance, MAPI Exchange 2007
acceleration remains in effect for unencrypted connections.
Transparent Mode Provides encrypted MAPI with transparent NTLM authentication. By default,
this setting is enabled with encrypted MAPI optimization.
Transparent mode supports all Windows servers, including Windows 2008 R2
(assuming they are not in domains with NTLM disabled). Transparent mode
does not support Windows 7 clients or Windows 2008 R2 domains with NTLM
disabled. Windows 7 clients must use Delegation mode.
In RiOS v6.1, transparent mode includes support for trusted domains, wherein
users are joined to a different domain from the filer being accessed.
Delegation Mode Provides encrypted MAPI optimization using the Kerberos delegation facility.
Select this mode if you are encrypting MAPI traffic for Windows 7 or earlier
client versions. Both the server-side and client-side Steelhead appliances must
be running RiOS v6.1.
Note: CIFS SMB Signing and Encrypted MAPI optimization share the delegate
user account. If you enable delegation mode for both features, the delegate user
account must have delegation privileges for both features as well. If you are
upgrading from RiOS v6.0, a delegation account might already be in place for
CIFS SMB Signing.
In RiOS v6.1, delegation mode includes support for trusted domains, wherein
users are joined to a different domain from the filer being accessed.
Delegation mode requires additional configuration. To configure delegation
mode, choose Configure > Optimization > Windows Domain Authentication.

Control Description
Enable Transparent Enables MAPI transparent prepopulation.

Prepopulation
Transparent prepopulation provides a mechanism for sustaining Microsoft
Exchange MAPI connections between the client and server even after the
Outlook client has shut down. This allows mail data to be delivered between
the Exchange server and the client-side Steelhead appliance while the Outlook
client is offline or inactive. When a user logs into their Outlook client, the mail
data is already prepopulated on the client-side Steelhead appliance. This
accelerates the first access of the client’s e-mail.
Transparent prepopulation creates virtual MAPI connections to the Exchange
server for Outlook clients that are offline. When the remote Steelhead appliance
detects that an Outlook client has shut down, the virtual MAPI connections are
triggered. The remote Steelhead appliance uses these virtual connections to pull
mail data from the Exchange server over the WAN link.
Enable this feature to allow email data to be delivered between the Exchange
server and the client-side Steelhead appliance while the Outlook client is
offline. When a user logs in to their MAPI client, the mail has already been seen
by the client-side Steelhead appliance and is retrieved with LAN-like
performance.
Max Connections Specify the maximum number of virtual MAPI connections to the Exchange
server for Outlook clients that have shut down. Setting the maximum
connections limits the aggregate load on all Exchange servers through the
configured Steelhead appliance. The default value varies by model; for
example, on a 5520 the default is 3750.
You must configure the maximum connections on both the client and server-
side of the network.
Poll Interval (minutes) Sets the number of minutes you want the appliance to check the Exchange
server for newly-arrived email for each of its virtual connections. The default
value is 20.
Time Out (hours) Specify the number of hours after which to time-out virtual MAPI connections.
When this threshold is reached, the virtual MAPI connection is terminated. The
time-out is enforced on a per-connection basis. Time-out prevents a build up of
stale or unused virtual connections over time. The default value is 96.
Protocols MS-SQL
You can configure MS-SQL support in the MS-SQL page.
For details on the MS-SQL feature, see the Steelhead Management Console User’s Guide.
Control Description
Enable MS-SQL Optimization Increases optimization for Microsoft Project.

The MS-SQL feature also optimizes other database applications, but you must
define SQL rules to obtain maximum optimization. If you are interested in
enabling the MS-SQL feature for other database applications, contact Riverbed
Professional Services.
MS-SQL Prefetch Fetch-Next Enables prefetching requests to request the next row in MS Project. This feature
is enabled by default. The server-side Steelhead appliance prefetches sequential
row results and the client-side Steelhead appliance caches them.

Control Description
Max Number of Pre- Specify the number of requests to pre-acknowledge before waiting for a server
Acknowledgements response to be returned. The default value is 30.
MS-SQL Ports Specify a comma-separated list of port numbers for MS-SQL servers. By
default, 1433 is optimized; if you specify other ports they are optimized instead.
Protocols NFS
You can display and modify NFS optimization settings for the selected optimization policy on the NFS
page.
For details on the NFS optimization, see the Steelhead Management Console User’s Guide.
The NFS page contains the following groups of settings:
“Override NFS Protocol Settings” on page 253
Settings
In this panel, you can display and modify NFS protocol settings for an optimization policy, as described in
the following table.
Control Description
Enable NFS Optimization Enables NFS optimization. You enable NFS optimization where NFS
performance over the WAN is impacted by a high-latency environment. By
default, this feature is enabled.
NFS v2 and v4 Alarms Enables alarm notification when NFS v2 and NFS v4 traffic is detected. When
triggered, the alarm provides a link to this page and a button to reset the alarm.

Control Description
Default Server Policy Select one of the following server policies for NFS servers:
• Global Read-Write. Specifies a policy that provides data consistency rather
than performance. All of the data can be accessed from any client, including
LAN-based NFS clients (which do not go through the Steelhead appliances)
and clients using other file protocols such as CIFS. This option severely
restricts the optimization that can be applied without introducing
consistency problems. This is the default configuration.
• Custom. Specifies a custom policy for the NFS server.
• Read-only. Specifies that the clients can read the data from the NFS server
or volume but cannot make changes.
The default server policy is used to configure any connection to a server which
does not have a policy.
Default Volume Policy Select one of the following volume policies for NFS volumes:
• Global Read-Write. Specifies a policy that provides data consistency rather
than performance. All of the data can be accessed from any client, including
LAN-based NFS clients (which do not go through the Steelhead appliances)
and clients using other file protocols such as CIFS. This option severely
restricts the optimization that can be applied without introducing
consistency problems. This is the default configuration.
• Custom. Specifies a custom policy for the NFS volume.
The default volume policy is used to configure a volume that does not have a
policy.
Override NFS Protocol Settings

In this panel, you can manage NFS server configurations for an optimization policy, as described in the
following table.
Control Description
Add a New NFS Server Displays the controls to add an NFS server configuration.
Server Name Specify the name of the server.
Server IP Addresses Specify the IP addresses of the servers, separated by commas, and click Add
Server.
Add Adds the configuration to the NFS Servers list.
Tip: To modify server properties, in the table row for the server, click the NFS Server Name to display controls you can
use to modify server properties. Complete the configuration as above.

Editing Override NFS Protocol Settings

In this panel, you can edit override NFS server configurations for an optimization policy, as described in the
following table.
Control Description
Server IP Addresses Specify the IP address of the servers, separated by commas, and click Add
Server.
Default Server Policy Select one of the following server policies:

• Global Read-Write. Specifies a policy that provides a trade-off of
performance for data consistency. All of the data can be accessed from any
client, including LAN-based NFS clients (which do not go through the
Steelhead appliances) and clients using other file protocols like CIFS. This
option severely restricts the optimizations that can be applied without
introducing consistency problems. This is the default configuration.
• Custom. Specifies a custom policy for the NFS server.
Default Volume Policy Select one of the following volume policies:

• Global Read-Write. Specifies a policy that provides a trade-off of
performance for data consistency. All of the data can be accessed from any
client, including LAN-based NFS clients (which do not go through the
Steelhead appliances) and clients using other file protocols such as CIFS.
This option severely restricts the optimizations that can be applied without
introducing consistency problems. This is the default configuration.
• Custom. Specifies a custom policy for the NFS volume.
Default Volume Click the check box to enable the current volume as default.
Protocols Lotus Notes

You can display and modify Lotus Notes optimization settings for the selected optimization policy on the
Lotus Notes page.
Control Description
Enable Lotus Notes Optimization Enables Lotus Notes optimization. By default, Lotus Notes optimization is
disabled.
Lotus Notes Port Specify the Lotus Notes port for optimization.
Protocols Citrix ICA

You can display and modify Citrix ICA optimization settings for the selected optimization policy on the
Protocols Citrix ICA page. For more detail, see the Steelhead Management Console User’s Guide.

Control Description
Enable Citrix ICA Optimization Enables Citrix ICA optimization. By default, Citrix ICA optimization is
disabled.
ICA Port Specify the port on the Presentation Server for inbound traffic. The default port
is 1494.
Session Reliability (CGP) Port Specify the port number for Common Gateway Protocol (CGP) connections.
CGP uses the session reliability port to keep the session window open even if
there is an interruption on the network connection to the server. By default, this
setting is 2598.
Apply Click Apply to apply your settings to the running configuration.
Windows Domain Auth

You can display and modify Windows domain auth optimization settings for the selected optimization
policy on the Windows Domain Auth page. For more detail, see the Steelhead Management Console User’s
Guide.
In this panel, you can delegate account configuration as described in the following table.
Control Description
Add a New User Displays the controls to add a new user.
Active Directory Domain Name Specify the active directory domain name.
Username Specify the user name.
Password Specify the password.
In this panel, you can edit server rules as described in the following table.
Control Description
Manual Delegation Mode Select this option for manual delegation.

• Allow delegated authentication to these servers (Delegate-Only).
• Allow delegated authentication to all servers except the following
(Delegate-All-Except).
Auto Delegation Mode Select this option for auto delegation.

• Allow delegated authentication to all servers except the following
(Delegate-All-Except).
Apply Applies your settings.
SSL Main Settings

You can display and modify SSL Main optimization settings for the selected optimization policy on the SSL
Main Settings page. For more detail, see the Steelhead Management Console User’s Guide.

Control Description
Enable SSL Optimization Enables SSL optimization, which accelerates applications that use SSL to
encrypt traffic. By default, this option is disabled. You can choose to enable SSL
optimization only on certain sessions (based on source and destination
addresses, subnets, and ports), or on all SSL sessions, or on no SSL sessions at
all. An SSL session that is not optimized simply passes through the Steelhead
appliance unmodified.
Add a New SSL Certificate Displays the controls to add a new server certificate.
Name Specify a name for the proxy certificate (required when generating a certificate,
leave blank when importing a certificate).
Import Existing Private Key and Imports the key and certificate.
CA-Signed Public Certificate
Click this option if the existing private key and CA-signed certificate are located
(One File in PEM or PKCS12
in one file. The page expands displaying Private Key and CA-Signed Public
formats)
Certificate controls for browsing to the key and certificate files or a text box for
copying and pasting the key and certificate.
The private key is required regardless of whether you are adding or updating.
Import Single File Local File. Browse to the local file.
Text. Paste the contents of the file
Server List Enter the server list in the text box.
Import Existing Private Key and Imports the key and certificate.
CA-Signed Public Certificate
Click this option if the existing private key and CA-signed certificate are located
(Two Files in PEM or DER
formats) in two files. The page expands displaying Private Key and CA-Signed Public
Certificate controls for browsing to the key and certificate files or text boxes for
copying and pasting the keys and certificates.
Import Private Key Local File. Browse to the local file.
Key Text. Paste the contents of the file.
Import Public Certificate Local File. Browse to the local file.
Generate New Private Key and Click this option to generate a new private key and self-signed public
Self-Signed Public Certificate certificate.
Private Key Cipher. Select the key length from the drop-down list.
Cipher Bits. Select the key length from the drop-down list.
Common Name Specify the common name of a certificate. To facilitate configuration, you can
use wildcards in the name; for example, *.nbttech.com. If you have three origin
servers using different certificates such as webmail.nbttech.com,
internal.nbttech.com, and marketingweb.nbttech.com, on the server-side
Steelhead appliance, all three server configurations may use the same certificate
name *.nbttech.com.
Organization Name Specify the organization name (for example, the company).
Organization Unit Name Specify the organization unit name (for example, the section or department).
Locality Specify the city.

Control Description
State Specify the state.
Country Specify the country
Email Address Specify the email address of the contact person.
Validity Period Specify how many days the certificate is valid.
Add Adds the server certificate.
SSL Peering
You configure SSL peers for the selected optimization policy in the SSL Peering page.
For details on SSL, see the Steelhead Management Console User’s Guide.
The SSL Peering page contains the following groups of settings:
“SSL Secure Peering Settings,” next
“Trusted Peer Certificates” on page 259
“Mobile Trust” on page 259
“Trusted Peers” on page 259

SSL Secure Peering Settings

In this panel, you can manage SSL secure peering for an optimization policy, as described in the following
table.
Control Description
Traffic Type Select one of the following traffic types from the drop-down list:
• SSL Only. The peer client-side Steelhead appliance and the server-side
Steelhead appliance authenticate each other and then encrypt and optimize
all SSL traffic; for example, HTTPS traffic on port 443. This is the default
setting.
• SSL and Secure Protocols. The peer client-side Steelhead appliance and the
server-side Steelhead appliance authenticate each other and then encrypt
and optimize all traffic traveling over the following secure protocols: SSL,
SMBsigned, and encrypted MAPI. When you select this traffic type, SMB-
signing and MAPI encryption must be enabled. Enabling this option
requires an optimization service restart.
• All. The peer client-side Steelhead appliance and the server side Steelhead
appliance authenticate each other and then encrypt and optimize all traffic.
Only the optimized traffic is secure; pass-through traffic is not. Enabling this
option requires an optimization service restart.
Fallback to No Encryption Specifies that the Steelhead appliance optimizes but does not encrypt the
connection when it is unable to negotiate a secure, encrypted inner channel
connection with the peer. This is the default setting. Enabling this option
requires an optimization service restart.
Important: Riverbed strongly recommends enabling this setting on both the
client-side and the server-side Steelhead appliances, especially in mixed
deployments where one Steelhead appliance is running RiOS v6.0 and the other
Steelhead is running an earlier RiOS version.
This option applies only to non-SSL traffic and is unavailable when you select
SSL Only as the traffic type.
Clear the check box to pass through connections that do not have a secure
encrypted inner channel connection with the peer. Use caution when disabling
this setting, as doing so specifies that you strictly do not want traffic optimized
between non-secure Steelhead. Consequently, configurations with this setting
disabled risk the possibility of dropped connections. For example, consider a
configuration with a client-side Steelhead running RiOS v5.5.x or earlier and a
server-side Steelhead running RiOS v6.0. When this setting is disabled on the
server-side Steelhead and All is selected as the traffic type, it will not optimize
the connection when a secure channel is unavailable, and might drop it.

Trusted Peer Certificates

In this panel, you can manage trusted entities for an optimization policy, as described in the following table.
Control Description
Add a New Trusted Entity Displays the controls for adding trusted entities.
Trust Existing CA Select an existing CA from the drop-down list.
Trust New Certificate Adds a new CA or peer certificate. The Steelhead appliance supports RSA and
DSA for peering trust entities.
Optional Local Name Optionally, specify a local name for the entity (for example, the fully qualified
domain name).
Local File Browse to the local file.
Cert Text Paste the content of the certificate text file into the text box.
Add Adds the trusted entity (or peer) to the trusted peers list.
Mobile Trust
In this panel, you can manage mobile trust for an optimization policy, as described in the following table.
Control Description
Add a New Mobile Entity Displays the controls for adding a trusted Steelhead Mobile Controller entity.
Optional Local Name Optionally, specify a local name for the entity (for example, the fully qualified
domain name).
Local File Browse to the local file.
Cert Text Paste the content of the certificate text file into the text box.
Add Adds the trusted entity (or peer) to the trusted peers list.
Trusted Peers
In this panel, you can choose trust options for an optimization policy.
Control Description
Trust Selected Peers Specify this option to trust only SSL-capable or disconnected appliances.
Trust All Peers Specify this option trust all peers.
Update Updates the policy to reflect the new settings.

Certificate Authorities
In this panel, you can choose certificate authorities for an optimization policy.
Control Description
Add a New Certificate Optional Local Name. Specify the local name.
Authority
Local File. Browse to the local certificate authority file.
Cert Text. Paste the certificate authority into the text box and click Add.
Add Adds the certificate authority
SSL Advanced Settings

You configure SSL advanced settings for the selected optimization policy in the SSL Advanced Settings
page.
For details on SSL, see the Steelhead Management Console User’s Guide.
The SSL Advanced Settings page contains the following groups of settings:
“Chain Discovery,” next
“Steelhead Mobile Security Mode” on page 261
“Client Side Session Reuse” on page 261
“Peer Ciphers” on page 261
“Client Ciphers” on page 262
“Server Ciphers” on page 262
Chain Discovery
In this panel, you can choose chain discovery settings for an optimization policy.
Control Description
Enable SSL Server Certificate Synchronizes the chain certificate configuration on the server-side Steelhead
Chain Discovery appliance with the chain certificate configuration on the back-end server. The
synchronization occurs after a handshake fails between the client-side and
server-side Steelhead appliance. By default, this option is disabled.
Enable this option when you replace an existing chain certificate on the back-end
server with a new chain to ensure that the certificate chain remains in sync on
both the server-side Steelhead appliance and the back-end server.
Note: This option never replaces the server certificate. It updates the chain
containing the intermediate certificates and the root certificate in the client
context.

Steelhead Mobile Security Mode

In this panel, you can choose Steelhead Mobile Security settings for an optimization policy.
Control Description
High Security Mode Click to enforce the advanced SSL protocol on the Steelhead Mobile Clients for
increased security (v5.5.x or later).
Mixed Security Mode Click to allow Steelhead Mobile Clients to run in any SSL mode.
Client Side Session Reuse

In this panel, you can choose client side session reuse settings for an optimization policy.
Control Description
Enable Distributed SSL Enable on a client-side Steelhead appliance to reuse the original session when
Termination the client reconnects to an SSL server. Reusing the session provides two benefits:
it lessens the CPU load because it eliminates expensive asymmetric key
operations and it shortens the key negotiation process by avoiding WAN round-
trips to the server. By default, this option is disabled.
Both the client-side and server-side Steelheads must be configured to optimize
SSL traffic.
Timeout Specify the amount of time the client can reuse a session with an SSL server after
the initial connection ends. The range is 6 minutes to 24 hours. The default value
is 10 hours.
Enabling this option requires an optimization service restart.
Apply Applies the settings.
Peer Ciphers
In this panel, you can choose peer ciphers settings for an optimization policy.
Control Description
Add a New Peer Cipher Displays the controls for adding a new peer cipher.
Cipher Select the cipher type for communicating with peers from the drop-down list.
You must specify at least one cipher for peers, clients, and servers for SSL to
function properly.
The default cipher setting is DEFAULT which represents a variety of high
strength ciphers that allow for compatibility with many browsers and servers
Insert Cipher At Select start, end, or the cipher number from the drop-down list. The default
cipher, if used, must be rule number 1.
Hint The Hint text box displays information about the cipher.
Add Adds the cipher to the list.
Show Effective Overall Cipher Displays the effective overall cipher list.
List

Client Ciphers
In this panel, you can choose client cipher settings for an optimization policy.
Control Description
Add a New Client Cipher Displays the controls for adding a new client cipher.
Cipher Select the cipher type for communicating with clients from the drop-down
list.You must specify at least one cipher for peers, clients, and servers for SSL to
function properly. The default cipher setting is DEFAULT which represents a
variety of high strength ciphers that allow for compatibility with many browsers
and servers.
Insert Cipher At Select start, end, or a cipher number from the drop-down list. The default cipher,
if used, must be rule number 1.
List
Server Ciphers
In this panel, you can choose server cipher settings for an optimization policy.
Control Description
Add a New Server Cipher Displays the controls for adding a new server cipher.
Cipher Select the cipher type for communicating with servers from the drop-down list.
You must specify at least one cipher for peers, clients, and servers for SSL to
function properly.
The default cipher setting is DEFAULT which represents a variety of high
strength ciphers that are compatible with many browsers and servers.
Insert Cipher At Select start, end, or a cipher number from the drop-down list. The default cipher,
if used, must be rule number 1.
List
Secure Peering (IPSEC)

You configure secure peering for the selected optimization policy in the Secure Peering (IPSEC) page.
For details on secure peering, see the Steelhead Management Console User’s Guide.
The Secure Peering (IPSEC) page contains the following groups of settings:
“General Settings,” next
“Secure Peers” on page 264

General Settings
In this panel, you can choose general settings for an optimization policy.
Control Description
Enable Authentication and Enables authentication between Steelhead appliance. By default, this option is
Encryption disabled.
Enable Prefetch Forward Secrecy Enables additional security by renegotiating keys at specified intervals. If one
key is compromised, subsequent keys are secure because they are not derived
from previous keys. By default, this option is enabled.
Encryption Policy Select one of the following encryption methods from the drop-down list:
• DES. Encrypts data using the Data Encryption Standard algorithm. DES is
the default value.
• 3DES. Appears when a valid Enhanced Cryptography License Key is
installed on the appliance. Encrypts data using the Triple Digital Encryption
Standard with a 168-bit key length. This standard is supported for
environments where AES has not been approved, but is both slower and
less secure than AES.
• AES256. Appears when a valid Enhanced Cryptography License Key is
installed. Encrypts data using the Advanced Encryption Standard (AES)
cryptographic key length of 256 bits. Provides the highest security.
Optionally, select an algorithm from the method 2, 3, 4, or 5 drop-down lists
to create a prioritized list of encryption policies for negotiating between
peers.
• AES. Appears when a valid Enhanced Cryptography License Key is
installed on the appliance. Encrypts data using the Advanced Encryption
Standard (AES) cryptographic key length of 128 bits.
• NULL. Specifies the null encryption algorithm.
• None. Does not apply an encryption policy.
Note: Peer Steelhead appliances must both have a valid Enhanced
Cryptography License Key installed to use 3DES, AES, or AES256. When a
Steelhead appliance has the valid Enhanced Cryptography License Key installed
and an IPSec encryption level is set to 3DES or AES, and a peer Steelhead
appliance does not have a valid Enhanced Cryptography License Key installed,
the appliances uses the highest encryption level set on the appliance without the
key.
Authentication Policy Select one of the following authentication methods from the drop-down list:
MD5. Specifies the Message-Digest 5 algorithm, a widely-used cryptographic
hash function with a 128-bit hash value. This is the default value.
SHA-1. Specifies the Secure Hash Algorithm, a set of related cryptographic
hash functions. SHA-1 is considered to be the successor to MD5.
Optionally, select an algorithm from the method 2 drop-down list to create a
secondary policy for negotiating the authentication method to use between
peers. If the first authentication policy negotiation fails, the peer Steelhead
appliances use the secondary policy to negotiate authentication
Time Between Key Specify the number of minutes between quick-mode renegotiation of keys
Renegotiations using the Internet Key Exchange (IKE) protocol.
IKE uses public key cryptography to provide the secure transmission of a secret
key to a recipient so that the encrypted data can be decrypted at the other end.
The default value is 240 minutes.
Enter the Shared Secret Specify the shared secret. All the Steelhead appliances in a network for which
you want to use IPsec must have the same shared secret.

Policy Parameters and Settings System Settings Policies
Control Description
Confirm the Shared Secret Confirm the shared secret.
Apply Applies your configurations.
Secure Peers
In this panel, you can choose secure peers for an optimization policy.
Control Description
Add a New Secure Peer Displays the controls to add a new secure peer.
Peer IP Address Specify the IP address for the peer Steelhead appliance (in-path interface) for
which you want to make a secure connection.
Add Adds the peer specified in the Peer IP Address text box. If a connection has not
been established between the two Steelhead appliances that are configured to
use IPsec security, the peers list does not display the peer Steelhead appliance
status as mature.
Note: Adding a peer causes a short service disruption (3-4 seconds) to the peer
that is configured to use IPsec security.
System Settings Policies

The following section describes the System Settings Policy feature set. It includes the following sections:
“Announcements,” next
“Alarms” on page 265
“Monitored Ports” on page 269
“SNMP Basic” on page 270
“SNMP v3” on page 271
“SNMP ACLs” on page 271
“Email” on page 273
“Logging” on page 273
Announcements
You can change announcement settings for the selected system settings policy in the Announcements page.
Control Description
Login Message Type a message in the text box to appear on the Login page.
MOTD Type a message in the text box to appear on the Home page.
Apply Applies the changes to the current configuration.

System Settings Policies Policy Parameters and Settings
Alarms
You can change alarm settings for the selected system settings policy in the Alarms page.

For details on alarms, see “Setting Alarm Parameters” on page 40.
Control Description
CPU Utilization Enables an alarm if the average and peak threshold for the CPU utilization is exceeded.
When an alarm reaches the rising threshold, it is activated; when it reaches the lowest or
reset threshold, it is reset. After an alarm is triggered, it is not triggered again until it has
fallen below the reset threshold.
By default, this alarm is enabled, with a rising threshold of 90% and a reset threshold of
70%.
Rising Threshold. Specify the rising threshold. When an alarm reaches the rising
threshold, it is activated. The default value is 90%.
Reset Threshold. Specify the reset threshold. When an alarm reaches the lowest or reset
threshold, it is reset. After an alarm is triggered, it is not triggered again until it has fallen
below the reset threshold. The default value is 70%.
Temperature Enables an alarm when the CPU temperature exceeds the rising threshold. When the CPU
returns to the reset threshold, the rising alarm is cleared. The default value for the rising
threshold temperature is 80º C; the default reset threshold temperature is 67º C.
Rising Threshold. Specify the rising threshold (º C). When an alarm reaches the rising
threshold, it is activated. The default value is 80º.
Reset Threshold. Specify the reset threshold (º C). When an alarm reaches the lowest or
reset threshold, it is reset. After an alarm is triggered, it is not triggered again until it has
fallen below the reset threshold. The default value is 67º.
Data Store Wrap Enables an alarm if data in the data store is replaced with new data before the time period
Frequency specified.
Threshold. Specify the number of days before the data store is replaced. The default
value is 1 day.
Network Interface Enables an alarm if the system has encountered a large number of packet errors in your
Duplex Errors network. Make sure the speed and duplex settings on your system match the settings on
your switch and router.
By default, this alarm is enabled.
Network Interface Link Enables an alarm and sends an email notification when a link goes down. By default, this
Errors alarm is disabled.
For WAN/LAN interfaces, an alarm is only triggered if in-path support is enabled for
that WAN/LAN pair.
Fan Error Enables an alarm when an appliance fan error is detected.
Memory Error Enables an alarm when an appliance memory error is detected.
Extended Memory Enables the memory paging alarm. If 100 pages are swapped every couple of hours, the
Paging Activity system is functioning properly. If thousands of pages are swapped every few minutes,
contact Riverbed Technical Support at
https://support.riverbed.com.
System Disk Full Enables an alarm when a system disk full condition is detected.
System Details Report Enables an alarm if a system component has encountered a problem.

Control Description
Software Version Enables an alarm if there is a mismatch between software versions in the Riverbed
Mismatch system.
Asymmetric Routes Enables an alarm if asymmetric routing is detected, an entry is placed in the asymmetric
routing table and any subsequent connections from that IP-address pair are passed
through unoptimized. Further connections between these hosts are not optimized until
that particular asymmetric routing cache entry times out.
Secure Vault Enables an alarm when an error is detected while initializing the secure vault. This alarm
provides links to the Secure Vault page and also appears on the Reports > Diagnostics >
Alarm Status page.
When the vault is locked, SSL traffic is not optimized and you cannot encrypt the data
store. You can unlock the vault with a password.
To unlock the vault, click the link to display the Configure > Security > Secure Vault page
and click Unlock Secure Vault.
When the alarm indicates the password needs to be rekeyed, you can use the default
password or reset the password as follows:
To clear the alarm using the default password, click Change Password.
To clear the alarm using a non-default password, type a new password and click Unlock.
Expiring SSL Enables an alarm if an SSL certificate is due to expire within 60 days or an expired SSL
Certificates certificate is detected.
SSL Peering Certificate Enables an alarm when the Steelhead appliance requests a Simple Certificate Enrollment
SCEP Automatic Re- Protocol (SCEP) server to dynamically re-enroll an SSL peering certificate and the request
enrollment fails. The Steelhead appliance uses SCEP to dynamically re-enroll a peering certificate to
be signed by a certificate authority. The alarm clears automatically when the next
automatic re-enrollment succeeds.
You can clear the alarm without waiting for the next automatic re-enrollment to succeed
with the following CLI command:
protocol ssl peering auto-reenroll last-result clear-alarm
For more information, see the Riverbed Command-Line Interface Reference Manual.
Certificate Revocation Enables an alarm when a Certificate Revocation List (CRL) verification on the server
List certificate fails. A CRL includes any digital certificates that have been invalidated before
their expiration date, including the reasons for their revocation and the names of the
issuing certificate signing authorities. A CRL prevents the use of digital certificates and
signatures that have been compromised. The certificate authorities that issue the original
certificates create and maintain the CRLs.
You can clear and disable the alarm with the following CLI command:
no stats alarm crl_error enable

Control Description
Connection Enables an alarm when the connection has been lost because requests have not been
Forwarding Ack acknowledged by a connection forwarding neighbor within the set time-out threshold.
Timeout This alarm clears automatically the next time all neighbors receive an ACK from this
neighbor and the latency of that acknowledgment is less than the set threshold.
By default, this alarm is enabled and the time-out period is 1,000 milliseconds (1 second).
You can change the time-out period with the following CLI command:
in-path neighbor ack-timer-intvl <milliseconds>
This alarm includes all connection forwarding neighbors. For example, if a Steelhead
appliance has three neighbors, the alarm triggers even if any one of the neighbors are in
error. Similarly, the alarm clears only when all three neighbors are no longer in error.
Connection Enables an alarm when the connection cannot be established with a connection
Forwarding forwarding neighbor.
Connection Failure
Connection Enables an alarm when the connection is lost since the end of stream was received from
Forwarding Lost Due the connection forwarding neighbor.
To End of Stream
Connection Enables an alarm when the connection has been lost with the connection forwarding
Forwarding Lost neighbor due to a communication error.
Connection Error
Connection Enables an alarm when the connection forwarding neighbor has not responded to a keep-
Forwarding Keep Alive alive message within the specified time-out interval, indicating that the connection has
Timeout been lost. The alarm clears automatically when all neighbors of the Steelhead appliance
are responding to keep-alive messages within the time-out interval.
By default, this alarm is enabled. The alarm triggers after the number of keep-alive
packets that are lost exceeds the keep-alive count. The default keep-alive count is 3
packets and the default keep-alive interval is 1 second.
You can change the number of packets that must be lost before the alarm triggers and the
interval between keep-alive packets with the following CLI commands:
show in-path neighbor
in-path neighbor keepalive count <count>
in-path neighbor keepalive interval <seconds>

Control Description
Connection Enables an alarm when the amount of latency between connection forwarding neighbors
Forwarding Latency has exceeded the specified threshold. The neighbor latency is the time difference between
Exceeded when the request was sent and the ACK was received.
By default, this alarm is enabled and the latency threshold is 100 milliseconds.
The alarm clears automatically when the latency falls below the specified threshold, set
with the following CLI commands:
stats alarm cf_latency_exceeded rising clear-threshold <threshold>
stats alarm cf_latency exceeded rising error-threshold <threshold>
Connection Enables an alarm when the Steelhead appliance has timed-out while waiting for an
Forwarding Read initialization message from the connection forwarding neighbor.
Information Timeout
By default, this alarm is enabled and the default time-out period is 10,000 milliseconds (10
seconds).
You can change the time-out interval with the following CLI command:
in-path neighbor read-timeout <milliseconds>
RSP General Alarm (Appears when RSP is installed.) Enables an alarm for general RSP problems including:
• no available memory for RSP
• an incompatible RSP image is installed
• Virtual Machines are enabled but not currently powered on
• a watchdog activates for any slot that has a watchdog configured.
RSP License is Close to (Appears when RSP is installed.) Enables an alarm if an RSP license is due to expire
Expiration within seven days.
RSP License is Expired (Appears when RSP is installed.) Enables an alarm when an RSP license has expired.
Monitored Ports
You can specify monitored port for the selected system settings policy in the Monitored Ports page.
Control Description
Add Port Displays the controls to add a new port.
Port Number Specify the port to be monitored.

Control Description
Add Displays the controls for adding a port.
SNMP Basic
The SNMP page contains the following groups of settings:
“SNMP Server Settings,” next
“Adding a New Trap Receiver” on page 270
SNMP Server Settings

In this panel, you can enable the reporting of events to an SNMP agent, as described in the following table.
Control Description
Enable SNMP Traps Specify this option to enable SNMP traps.
System Contact Specify the user name for the SNMP contact.
System Location Specify the physical location of the router.
Read-Only Community Specify a string to identify the read-only community. For example: Read-only.
Name
Adding a New Trap Receiver

In this panel, you can manage SNMP trap receivers as described in the following table.
Control Description
Add New Trap Receiver Displays the controls for configuring new trap receivers.
Receiver IP Address Specify the IP address for the SNMP trap. For details on SNMP traps sent to
configured servers, see “Setting SNMP Basic Parameters and Trap Receivers” on
page 43.
Destination Port Specify the destination port.
Receiver Type Select v1, v2c, or v3 from the drop-down list to specify the SNMP software
version.
Community Specify the SNMP community name.
Enable Receiver Enables the new trap receiver.
Add Adds the new configuration to the Trap Receiver list.

SNMP v3
You can change SNMP v3 settings policy in the SNMP v3 page.
Control Description
Add a New User Displays the controls to add a new user.
User Name Specify the user name.
Authentication Select a authentication method from the drop-down list:

Protocol
• MD5. Specifies the Message-Digest 5 algorithm, a widely-used cryptographic hash
function with a 128-bit hash value. This is the default value.
• SHA-1. Specifies the Secure Hash Algorithm, a set of related cryptographic hash
functions. SHA-1 is considered to be the successor to MD5.
Authentication Optionally, click either Supply a Password or Supply a Key to use while authenticating
users.
Password Specify a password. The password must have a minimum of eight characters.
Add Adds the user.
SNMP ACLs
The SNMP ACLs page contains the following groups of settings:
“Security Names,” next
“Groups” on page 272
“Views” on page 272
“Access Policies” on page 272
Security Names
In this panel, you can change security name settings policy in the SNMP ACLs page.
Control Description
Add a New Security Displays the controls to add a security name.

Name
Security Name Specify a name to identify a requestor (allowed to issue gets and sets). The security name
may make changes to the View Based Access Control Model (VACM) security name
configuration.
Note: Traps for v1 and v2c are independent of the security name.
Community String Specify the password-like community string to control access. Use a combination of
uppercase, lowercase, and numerical characters to reduce the chance of unauthorized
access to the Steelhead appliance.
Note: If you specify a read-only community string (located on the SNMP Basic page under
SNMP Server Settings), it takes precedence over this community name and allows users to
access the entire MIB tree from any source host. If this is not desired, delete the read-only
community string.

Control Description
Source IP Address and Specify the host IP address and mask bits to which you permit access using the security
Mask name and community string.
Add Adds the security name.
Groups
In this panel, you can change group settings policy in the SNMP ACLs page.
Control Description
Add a New Group Displays the controls to add a new group.
Group Name Specify a group name.
Security Model and Click the + button and select a security model from the drop-down list:
Name Pairs
• v1 or v2c displays another drop-down menu; select a security name.
• usm displays another drop-down menu, select a user.
To add another Security Model and Name pair, click the + button.
Add Adds the group name and security model and name pairs.
Views
In this panel, you can change view settings policy in the SNMP ACLs page.
Control Description
Add a New View Displays the controls to add a new view.
View Name Specify a descriptive view name to facilitate administration.
Includes Specify the Object Identifiers (OIDs) to include in the view, separated by commas; for
example, .1.3.6.1.2.1.1.
By default, the view excludes all OIDs. You can specify .iso or any subtree or subtree
branch. You can specify an OID number or use its string form; for example,
.iso.org.dod.internet.private.enterprises.rbt.products.steelhead.system.model
Excludes Specify the OIDs to exclude in the view, separated by commas. By default, the view
excludes all OIDs.
Add Adds the view
Access Policies
In this panel, you can change access settings policy in the SNMP ACLs page.
Control Description
Add a New Access Displays the controls to add a new access policy.
Policy
Group Name Select a group name from the drop-down list.

Control Description
Security Level Determines whether a single atomic message exchange is authenticated. Select one of the
following from the drop-down list:
• No Auth. Does not authenticate packets and does not use privacy. This is the default
setting.
• Auth. Authenticates packets but does not use privacy.
A security level applies to a group, not to an individual user.
Read View Select a view from the drop-down list.
Add Adds the policy to the policy list.
Email
You can change email notification settings for the selected system settings policy in the Email page.
Control Description
SMTP Server Specify the SMTP server. You must have external DNS and external access for SMTP
traffic for this feature to function.
Important: Make sure you provide a valid SMTP server to ensure that the users you
specify receive email notifications for events and failures.
SMTP Port Specify the port number for the SMTP server.
Report Events via Specify this option to report events through email. Specify a list of email addresses to
Email receive the notification messages. Separate addresses by spaces, semicolons, commas, or
vertical bars.
Report Failures via Specify this option to report failures through email. Specify a list of email addresses to
Email receive the notification messages. Separate addresses by spaces, semicolons, commas, or
vertical bars.
Report Failures to Specify this option to report serious failures such as system crashes to Riverbed Technical
Technical Support Support.
Specify the email addresses to which to send notification messages. Separate addresses by
spaces, semicolons, commas, or vertical bars.
Riverbed recommends that you activate this feature so that problems are promptly
corrected.
Important: This option does not automatically report a disk drive failure. In the event of
a disk drive failure, please contact Riverbed Technical Support at support@riverbed.com.
Logging
You can configure remote logging servers, log rotation and filtering, and log viewing preferences for the
selected system settings policy in the Logging page.
The Logging page contains the following groups of settings:
“Logging Configuration,” next
“Adding a New Log Server” on page 275
“Adding a New Process Logging Filter” on page 276

Logging Configuration
In this panel, you can configure logging settings for the system policy, as described in the following table.
Control Description
Minimum Severity Select the minimum severity level for the system log messages. The log contains all
messages with this severity level or higher. Select one of the following levels from the
drop-down list:
operations.
Note: This control applies to the system log only. It does not apply to the user log.
Maximum Number of Specify the maximum number of logs to store. The default value is 10.
Log Files
Lines Per Log Page Specify the number of lines per log page. The default value is 100.
Rotate Based On Specify one of the following rotation options:

• Time. Select Day, Week, or Month from the drop-down list.
• Disk Space. Specify how much disk space, in megabytes, the log uses before it rotates.
The default value is 16 MB.

Adding a New Log Server

In this panel, you can manage log servers for the system policy, as described in the following table.
Control Description
Add a New Log Server Displays the controls for configuring new log servers.
Server IP Specify the server IP address.
Minimum Severity Select the minimum severity level for the log messages. The log contains all messages
with this severity level or higher. Select one of the following levels from the drop-down
list:
operations.
Add Adds the server to the list.

Adding a New Process Logging Filter

In this panel, you can add and manage process logging filters for the system policy, as described in the
following table.
Control Description
Add a New Process Displays the controls to add a new process logging filter.
Logging Filter
Process Select one of the following from the drop-down list:

• cifs - CIFS Optimization
• rgp - Central Management Client
• rgpd - Central Management Client Daemon
• cli- Command Line Interface
• mgmtd - Device Control and Management
• http - HTTP Optimization
• hald - Hardware Abstraction Daemon
• notes - Lotus Notes Optimization
• mapi - MAPI Optimization
• nfs - NFS Optimization
• pm- Process Manager
• sched - Process Scheduler
• virt_wrapped - RSP VMware Interface
• rspd - RSP Watchdog
• statsd - Statistics Collector
• wdt - Watchdog Timer
• webasd - Web Application Process
Minimum Severity Select one of the following from the drop-down list:
operations.
Add Applies your configurations.

Networking Policy Settings Policy Parameters and Settings
Networking Policy Settings

The following section describes the Networking Policy feature set. It includes the following sections:
“Host Settings,” next
“WCCP” on page 279
“Simplified Routing” on page 284
“Asymmetric Routing” on page 284
“Connection Forwarding” on page 285
“Flow Export” on page 286
“QoS Classification” on page 288
“QoS Marking” on page 294
“Port Labels” on page 298
The following procedures assume you have already created a Networking Policy. For details on how to
create a new policy, see “Creating Policy Settings” on page 133.
Host Settings
You can view and modify general host settings for the selected networking policy in the Host Settings page.
The Host Settings page contains the following groups of settings:
“DNS Settings,” next
“Hosts” on page 278
“Proxies” on page 278
“Date and Time” on page 278
DNS Settings
In this panel, you can manage DNS settings for a networking policy, as described in the following table.
Control Description
Primary DNS Server IP Address Specify the IP address for the primary name server.
Secondary DNS Server IP Optionally, specify the IP address for the secondary name server.
Address
Tertiary DNS Server IP Address Optionally, specify the IP address for the tertiary name server.
DNS Domain List Specify an ordered list of domain names.

If you specify domains the system automatically finds the appropriate domain
for each of the hosts that you specify in the system.

Policy Parameters and Settings Networking Policy Settings
Hosts
In this panel, you can manage host names and addresses for a networking policy, as described in the
following table.
Control Description
Add a New Host Displays the controls for adding a new host.
IP Address Specify the IP address for the host.
Hostname Specify a hostname.
Add Adds the host.
Tip: To modify the host-IP mapping, in the table row for the mapping, click the hostname to display controls you can
use to modify the mapping. Complete the configuration as above.
Proxies
In this panel, you can set a proxy address for a networking policy.
Control Description
Web/FTP Proxy IP Address Specify the IP address for the Web/FTP proxy.
Port Specify the port for the Web/FTP proxy.
Date and Time

In this panel, you can NTP servers for the host setting of a networking policy, as described in the following
table.
Control Description
Use NTP Time Synchronization Check this box to use NTP time synchronization
Add a New NTP Server Click to display control for configuring a new NTP server.
Hostname or IP Address Specify the IP address for the NTP server.
Version Select the NTP server version from the drop-down list: 3 or 4.
Enabled Enable or disable the connection to the NTP server.
Time Zone Select a time zone from the drop-down list. The default value is GMT.
Add Adds the NTP server to the table list.

Tip: To modify server properties, in the table row for the server, click the server name to display controls you can use
to modify the properties. Complete the configuration as above.
WCCP
You can enable WCCP service groups for the selected networking policy in the WCCP page.
For details on WCCP, see the Steelhead Management Console User’s Guide.
The WCCP page contains the following groups of settings:
“WCCP Service Groups,” next
“Adding a New Service Group” on page 280
WCCP Service Groups

In this panel, you can enable WCCP service groups.
Control Description
Enable WCCP v2 Support Enables WCCP v2 support on all groups added to the Service Group list.
Multicast TTL Specify the TTL boundary for the WCCP protocol packets. The default value is
1.

Adding a New Service Group

In this panel, you can manage WCCP service groups, as described in the following table.
Control Description
Add a New Service Group Displays the controls for adding a new service group.
Interface Select a Steelhead appliance interface to participate in a WCCP service group.

RiOS v6.1 allows multiple Steelhead interfaces to participate in WCCP on one
or more routers for redundancy (RiOS v6.0 and earlier allows a single Steelhead
interface). If one of the links goes down, the router can still send traffic to the
other active links for optimization.
You must include an interface with the service group ID. More than one
Steelhead appliance in-path interface can participate in the same service group.
For WCCP configuration examples, see the Steelhead Appliance Deployment
Guide.
If multiple Steelhead appliances are used in the topology, they must be
configured as neighbors.
Service Group ID Enables WCCP v2 support on all groups added to the Service Group list.
Specify a number from 0 to 255 to identify the service group on the router. A
value of 0 specifies the standard HTTP service group. Riverbed recommends
that you use WCCP service groups 61 and 62.
Note: The service group ID is local to the site where WCCP is used.
Note: The service group number is not sent across the WAN.
Password/Confirm Password Optionally, assign a password to the Steelhead appliance interface. This
password must be the same password that is on the router. WCCP requires that
all routers in a service group have the same password. Passwords are limited to
8 characters.
Priority Specify the WCCP priority for traffic redirection. If a connection matches
multiple service groups on a router, the router chooses the service group with
the highest priority. The range is 0-255. The default value is 200.
The priority value must be consistent across all Steelhead appliances within a
particular service group.

Control Description
Weight Specify the percentage of connections that are redirected to a particular

Steelhead appliance interface, which is useful for traffic load balancing and
failover support. The number of TCP, UDP, or ICMP connections a Steelhead
appliance supports determines its weight. The more connections a Steelhead
appliance model supports, the heavier the weight of that model. In RiOS v6.1
you can modify the weight for each in-path interface to manually tune the
proportion of traffic a Steelhead interface receives.
A higher weight redirects more traffic to that Steelhead interface. The ratio of
traffic redirected to a Steelhead interface is equal to its weight divided by the
sum of the weights of all the Steelhead interfaces in the same service group. For
example, if there are two Steelhead appliances in a service group and one has a
weight of 100 and the other has a weight of 200, the one with the weight 100
receives 1/3 of the traffic and the other receives 2/3 of the traffic.
However, since it is generally undesirable for a Steelhead with two WCCP in-
path interfaces to receive twice the proportion of traffic, for Steelhead
appliances with multiple in-paths connected, each of the in-path weights is
divided by the number of that Steelhead's interfaces participating in the service
group.
For example, if there are two Steelhead appliances in a service group and one
has a single interface with weight 100 and the other has two interfaces each
with weight 200, the total weight will still equal 300 (100 + 200/2 + 200/2). The
one with the weight 100 receives 1/3 of the traffic and each of the other's in-
path interfaces receives 1/3 of the traffic.
The range is 0-65535. The default value corresponds to the number of TCP
connections your Steelhead appliance supports.
Failover Support
To enable single in-path failover support with WCCP groups, define the service
group weight to be 0 on the backup Steelhead appliance. If one Steelhead
appliance has a weight 0, but another one has a non-zero weight, the Steelhead
appliance with weight 0 does not receive any redirected traffic. If all the
Steelhead appliances have a weight 0, the traffic is redirected equally among
them.
The best way to achieve multiple in-path failover support with WCCP groups
in RiOS v6.1 is to use the same weight on all interfaces from a given Steelhead
appliance for a given service group. For example, suppose you have Steelhead
A and Steelhead B with two in-path interfaces each. When you configure
Steelhead A with weight 100 from both inpath0_0 and inpath0_1 and Steelhead
B with weight 200 from both inpath0_0 and inpath0_1, RiOS distributes traffic
to Steelhead A and Steelhead B in the ratio of 1:2 as long as at least one interface
is up on both Steelhead appliances.
In a service group, if an interface with a non-zero weight fails, its weight
transfers over to the weight 0 interface of the same service group.
For details on using the weight parameter to balance traffic loads and provide
failover support in WCCP, see the Steelhead Appliance Deployment Guide.

Control Description
Encapsulation Scheme Specifies the method for transmitting packets between a router or a switch and
a Steelhead appliance interface. Select one of the following encapsulation
schemes from the drop-down list:
• Either - Use Layer-2 first; if Layer-2 is not supported, GRE is used. This is
the default value.
• GRE - Generic Routing Encapsulation. The GRE encapsulation method
appends a GRE header to a packet before it is forwarded. This can cause
fragmentation and imposes a performance penalty on the router and switch,
especially during the GRE packet de-encapsulation process. This
performance penalty can be too great for production deployments.
• L2 - Layer-2 redirection. The L2 method is generally preferred from a
performance standpoint because it requires fewer resources from the router
or switch than the GRE does. The L2 method modifies only the destination
Ethernet address. However, not all combinations of Cisco hardware and IOS
revisions support the L2 method. Also, the L2 method requires the absence
of L3 hops between the router or switch and the Steelhead appliance.

Control Description
Assignment Scheme Determines which Steelhead interface in a WCCP service group the router or
switch selects to redirect traffic to for each connection. The assignment scheme
also determines whether the Steelhead interface or the router processes the first
traffic packet. The optimal assignment scheme achieves both load balancing
and failover support. Select one of the following schemes from the drop-down
list:
• Either - Uses Hash assignment unless the router does not support it. When
the router does not support Hash, it uses Mask. This is the default setting.
• Hash - Redirects traffic based on a hashing scheme and the Weight of the
Steelhead interface, providing load balancing and failover support. This
scheme uses the CPU to process the first packet of each connection,
resulting in slightly lower performance. However, this method generally
achieves better load distribution. Riverbed recommends Hash assignment
for most Steelhead appliances if the router supports it. The Cisco switches
that do not support Hash assignment are the 3750, 4000, and 4500-series,
among others.
Your hashing scheme can be a combination of the source IP address,
destination IP address, source port, or destination port.
• Mask - Redirects traffic operations to the Steelhead appliances, significantly
reducing the load on the redirecting router. Mask assignment processes the
first packet in the router hardware, using less CPU cycles and resulting in
better performance.
Mask assignment in RiOS v5.0.1 and earlier is limited to one Steelhead
appliance per service group. The Steelhead appliance with the lowest in-
path IP address receives all the traffic. This scheme provides high
availability. You can have multiple Steelhead appliances in a service group
but only the Steelhead appliance with the lowest in-path IP address receives
all the traffic. If the Steelhead appliance with the lowest in-path IP address
fails, the Steelhead appliance with the next lowest in-path IP address
receives all of the traffic. When the Steelhead appliance with the lowest in-
path IP address recovers, it again receives all of the traffic.
Mask assignment in RiOS v5.0.2 and later supports load-balancing across
multiple active Steelhead appliances. This scheme bases load-balancing
decisions (for example, which Steelhead appliance in a service group
optimizes a given new connection) on bits pulled out, or masked, from the IP
address and the TCP port packet header fields.
Mask assignment in RiOS v6.1 supports load-balancing across multiple
active Steelhead appliance interfaces in the same service group.
The default mask scheme uses an IP address mask of 0x1741, which is
applicable in most situations. However, you can change the IP mask by
clicking the service group ID and changing the service group settings and
flags.
In multiple Steelhead environments, it is often desirable to send all users in
subnet range to the same Steelhead. Using mask provides a basic ability to
leverage a branch subnet and Steelhead to the same Steelhead in a WCCP
cluster.
Important: If you use mask assignment you must ensure that packets on every
connection and in both directions (client-to-server and server-to-client), are
redirected to the same Steelhead appliance. For details, see the Steelhead
Appliance Deployment Guide.
For details and best practices for using assignment schemes, see the Steelhead
Appliance Deployment Guide.
Router IP Address(es) Specify a multicast group IP address or a unicast router IP address. You can
specify up to 32 routers.

Control Description
Add Adds the service group.
Remove Selected Groups Click the check box next to the name and click Remove Selected Groups.
Simplified Routing
You can enable simplified routing for the selected networking policy in the Simplified Routing page.
For details on simplified routing, see theSteelhead Management Console User’s Guide
Control Description
Collect Mappings From Select one of the following options from the drop-down list:
• None. Do not collect mappings.
• Destination Only. Collects destination MAC data. Use this option in
connection forwarding deployments. This is the default setting.
• Destination and Source. Collect mappings from destination and source
MAC data. Use this option in connection forwarding deployments.
• All. Collect mappings for destination, source, and inner MAC data. Also
collect data for connections that are un-natted (that is, connections that are
not translated using NAT). Riverbed recommends that you use this option
to maximize the effects of simplified routing.
Asymmetric Routing
You enable asymmetric route detection for the selected optimization policy in the Asymmetric Routing
page.
For details on asymmetric routing, see the Steelhead Management Console User’s Guide.

You can also use the Steelhead CLI to detect and analyze asymmetric routes. For details, see the Riverbed
Command-Line Interface Reference Manual or the Steelhead Appliance Deployment Guide.
Control Description
Enable Asymmetric Routing Detects asymmetric routes in your network.

Detection
Enable Asymmetric Routing Enables pass-through traffic if asymmetric routing is detected.

Pass-Through
If asymmetric routing is detected, the pair of IP addresses, defined by the client
and server addresses of this connection, is cached on the Steelhead appliance.
Further connections between these hosts are passed through unoptimized until
that particular asymmetric routing cache entry times out.
Detecting and caching asymmetric routes does not optimize these packets. If
you want to optimize asymmetric routed packets you must make sure that the
packets going to the WAN always go through a Steelhead appliance either by
using a multi-port Steelhead appliance, connection forwarding, or using
external ways to redirect packets, such as WCCP or PBR.
For detailed information, see the Steelhead Appliance Deployment Guide.
Connection Forwarding
You configure connection forwarding for a network with multiple paths from the server in the Connection
Forwarding page.
For details on connection forwarding, see the Steelhead Management Console User’s Guide.
The Connection Forwarding page contains the following groups of settings:
“Connection Forwarding Settings,” next
“Adding a New Neighbor” on page 286
Connection Forwarding Settings

In this panel, you can enable connection forwarding for a networking policy, as described in the following
table.
Control Description
Enable Connection Forwarding When checked, this option enables connection forwarding by default on all
neighbors added to the peer list. The default port for connection forwarding is
7850.
Port Specify the port number to use as the default for the neighbor Steelhead
appliance in-path port. The default value is 7850.
Keep-Alive Interval Specify the number of seconds to use as the default interval for ping commands
between neighbor Steelhead appliance.
Keep-Alive Count Specify the number of tries to use as the default number of failed ping attempts
before an appliance terminates a connection with a neighbor. The default value
is 3.

Control Description
In-Path Neighbor Failure Allows neighbor failure so connections may be handled by another Steelhead
appliance.
Multiple Interface Support Select this option to enable communication between the CMC and the Steelhead
appliance on multiple interfaces, ensuring continued connection in the event
one interface fails.
Adding a New Neighbor

In this panel, you can manage connection forwarding neighbors for a networking policy, as described in the
following table.
Control Description
Add a New Neighbor Click to display the controls to add a new neighbor.
Hostname Specify a name.
In-Path IP Address Specify the in-path IP address for the neighbor Steelhead appliance. When you
define a neighbor, you must specify the appliance in-path IP address, not the
primary IP address.
Port Specify the in-path port for the neighbor Steelhead appliance. The default value
is 7850.
Additional IP Addresses Adds a neighbor Steelhead appliance to the neighbor list.
Flow Export
You configure flow export for a network from the server in the Flow Export page.
For details on flow export, see the Steelhead Management Console User’s Guide.
The Flow Export page contains the following groups of settings:
“Flow Export and Top Talker Settings,” next
“Enable Interfaces” on page 287
“Adding a New Flow Collector” on page 287

Flow Export and Top Talker Settings

In this panel, you can manage flow export, as described in the following table.
Control Description
Enable Flow Export Enables flow export support. By default, this setting is disabled.
Enable Top Talkers Click to continuously collect statistics for the most active traffic flows. A traffic
flow consists of data sent and received from a single source IP address and port
number to a single destination IP address and port number over the same
protocol.
The most active, heaviest users of WAN bandwidth are called the Top Talkers. A
flow collector identifies the top consumers of the available WAN capacity (the
top 50 by default) and displays them in the Top Talkers report. Collecting
statistics on the Top Talkers provides visibility into WAN traffic without
applying an in-path rule to enable a WAN visibility mode.
You can analyze the Top Talkers for accounting, security, troubleshooting, and
capacity planning purposes. You can also export the complete list in CSV
format.
The collector gathers statistics on the Top Talkers based on the proportion of
WAN bandwidth consumed by the top hosts, applications, and host and
application pair conversations. The statistics track pass-through or optimized
traffic, or both. Data includes TCP or UDP traffic, or both (configurable on the
Top Talkers report page).
You must enable Flow Export before you enable Top Talkers. A NetFlow
collector is not required for this feature. Enabling Top Talkers automatically sets
the Active Flow Timeout to 60 seconds. Optionally, click a time period to adjust
the collection interval:
• 24-hour Report Period (Higher Granularity). For a five-minute granularity
(the default setting).
• 48-hour Report Period (Lower Granularity). For a ten-minute granularity.
Disable Top Talkers Click to stop collecting statistics on the most active or inactive users of WAN
bandwidth.
Enable Interfaces
In this panel, you can enable interfaces for a networking policy.
Select the interfaces to include when adding a new Flow collector.
Adding a New Flow Collector

In this panel, you can add and manage flow collector for a networking policy, as described in the following
table.
Control Description
Add a New Flow Collector Displays the controls to add a Flow collector.
Collector IP Address Specify the IP address for the Flow collector.
Port Specify the UDP port the Flow collector is listening on. The default value is
2055.

Control Description
Version Select one of the following versions from the drop-down list:
• CascadeFlow. Use with Cascade v8.4 or later.
• CascadeFlow-compatible. Use with Cascade v8.34 or earlier.
• NetFlow v5. Enables ingress flow records.
• Netflow v9. Enables both ingress and egress flow records.
For details on the Netflow v9 templates, flow record field descriptions, and
Riverbed-specific fields, see the Steelhead Appliance Deployment Guide.
CascadeFlow and CascadeFlowcompatible are enhanced versions of flow
export to Riverbed Cascade.
Packet Source Interface Select the interface to use as the source IP address of the flow packets (Primary
or Aux) from the drop-down list. NetFlow records sent from the Steelhead
appliance appear to be sent from the IP address of the selected interface
LAN Address Causes the TCP/IP addresses and ports reported for optimized flows to contain
the original client and server IP addresses and not those of the Steelhead
appliance. The default setting displays the IP addresses of the original client
and server without the IP address of the Steelhead appliance.
This setting is unavailable with NetFlowv9, because the optimized flows are
always sent out with both the original client server IP addresses and the IP
addresses used by the Steelhead appliance.
Capture Interface primary Specify the traffic type to export to the flow collector. Select one of the following
types from the drop-down list:
• All. Exports both optimized and non optimized traffic.
• Optimized. Exports optimized traffic.
• Optimized-lan. Exports optimized LAN traffic when WCCP is enabled.
• Optimized-wan. Exports optimized WAN traffic when WCCP is enabled.
• Passthrough. Exports pass-through traffic.
• None. Disables traffic flow export. The default value is All for LAN and
WAN interfaces, for all four collectors.
The default value for the other interfaces (Primary, rios_lan, and rios_wan) is
None.
Enable Filter (CascadeFlow and NetFlow v9 only) Click to filter flow reports by IP/subnets
or IP:ports included in the Filter list. When disabled, reports include all IP/
subnets.
Filter (CascadeFlow and NetFlow v9 only) Specify the IP/subnet or IP:port to include
in the report, one entry per line, up to 25 filters maximum.
Add Adds the settings.
QoS Classification
You configure QoS classes for the selected networking policy in the QoS Classification page.
For details on QoS (flat and hierarchical), see the Steelhead Management Console User’s Guide.

The QoS Classification page contains the following groups of settings:

“General QoS Settings,” next
“Adding a New QoS Class” on page 290
“Adding a New QoS Rule” on page 293
General QoS Settings

In this panel, you can enable and set QoS classification and enforcement, as described in the following table.
Control Description
Enable QoS Classification and Enables QoS classification. Traffic is not classified until at least one WAN
Enforcement interface is enabled.
Note: Complete the basic steps before enabling this option, as your changes
take effect immediately.
To disable QoS, clear this check box and restart the optimization service.
Mode Click to enable a QoS structure:
• Flat mode creates all classes at the same level.
• Hierarchical mode creates a tree structure that can contain children of class
parents. Use this feature to segregate traffic based on flow source or
destination and apply different shaping rules to each child. Use a
hierarchical structure to effectively manage and support remote sites with
different bandwidth characteristics.
Note: Selecting a QoS mode does not enable QoS traffic classification. The
Enable QoS Classification and Enforcement check box must be selected before
traffic optimization begins.
Network Interfaces Specify a WAN interface <XXXX-X> to enable and then specify its bandwidth
link rate (kbps).
The link rate is the bottleneck WAN bandwidth, not the interface speed out of the
WAN interface into the router or switch. For example, if your Steelhead
appliance connects to a router with a 100 Mbps link, do not specify this
value—specify the actual WAN bandwidth (for example, T1, T3).
Important: Different WAN interfaces can have different WAN bandwidths; you
must enter the bandwidth link rate correctly for QoS to function properly.

Adding a New QoS Class

In this panel, you can manage QoS classes, as described in the following table.
Control Description
Add a New QoS Class Displays the controls for adding a class.
Class Name Specify a name for the QoS class.
Latency Priority The latency priority indicates how delay-sensitive a traffic class is to the QoS
scheduler. Select the latency priority for the class from the drop-down list
(highest priority to lowest):
• Real-Time. Specifies real-time traffic class. Traffic that is your highest
priority should be given this value; for example, VoIP, video conferencing.
• Interactive. Specifies an interactive traffic class. For example, Citrix, RDP,
telnet and ssh.
• Business Critical. Specifies the business critical traffic class. For example,
Thick Client Applications, ERPs, and CRMs.
• Normal Priority. Specifies a normal priority traffic class. For example,
Internet browsing, file sharing, and email.
• Low Priority. Specifies a low priority traffic class. For example, FTP, backup,
replication, other high-throughput data transfers, and recreational
applications such as audio file sharing.
These are minimum priority guarantees; if better service is available, it is
provided. For example, if a class is specified as low priority and the higher
priority classes are not active, then the low priority class receives the highest
possible available priority for the current traffic conditions. This parameter
controls the priority of the class relative to the other classes.
Important: The latency priority describes only the delay sensitivity of a class,
not how much bandwidth it is allocated, nor how important the traffic is
compared to other classes. Therefore, it is common to configure low latency
priority for high-throughput, non-packet delay sensitive applications like FTP,
backup, and replication.
Guaranteed Bandwidth Specify the minimum amount of bandwidth (as a percentage) to guarantee to a
traffic class when there is bandwidth contention. All of the classes combined
cannot exceed 100%. During contention for bandwidth, the class is guaranteed
the amount of bandwidth specified. The class receives more bandwidth if there
is unused bandwidth remaining.
In hierarchical mode, excess bandwidth is allocated based on the relative ratios
of guaranteed bandwidth. The total minimum guaranteed bandwidth of all
QoS classes must be less than or equal to 100% of the parent class.
A default class is automatically created with guaranteed bandwidth of .01%.
Traffic that does not match any of the rules is put into the default class.
Riverbed recommends that you change the guaranteed bandwidth of the
default class to the appropriate value.
The guaranteed bandwidth calculated based on this percentage should be no
less than 1 kbps.

Control Description
Link Share Weight Applies to flat mode only. Specify the weight for the class. The link share
weight determines how the excess bandwidth is allocated among sibling
classes. Link share does not depend on the minimum guaranteed bandwidth.
By default, all the link shares are equal.
Classes with a larger weight are allocated more of the excess bandwidth than
classes with a lower link share weight.
You cannot specify a Link Share Weight in H-QoS. In H-QoS, the link share
weight is the same proportion as the guaranteed bandwidth of the class.
The Link Share Weight does not apply to MX-TCP queues.
Upper Bandwidth Specify the maximum allowed bandwidth (as a percentage) a class receives as a
percentage of the parent class guaranteed bandwidth. The limit is applied even
if there is excess bandwidth available.
Upper Bandwidth does not apply to MX-TCP queues.
Connection Limit Optionally, specify the maximum number of optimized connections for the
class. When the limit is reached, all new connections are passed through
unoptimized.
In hierarchical mode, a parent class connection limit does not affect its child.
Each child class optimized connection is limited by the connection limit
specified for their class. For example, if B is a child of A, and the connection
limit for A is set to 5, while the connection limit for B is set to 10, the connection
limit for B is 10. Connection limit is supported only in in-path configurations. It
is not supported in out-of-path or virtual-in-path configurations.
Connection Limit is supported only in in-path configurations. It is not
supported in out-of-path or virtual-in-path configurations.
Connection Limit does not apply to the packet-order queue or Citrix ICA
traffic.

Control Description
Queue Optionally, select one of the following queue methods for the leaf class from the
drop-down list (the queue does not apply to the inner class) :
• SFQ. Shared Fair Queueing (SFQ) is the default queue for all classes.
Determines Steelhead appliance behavior when the number of packets in a
QoS class outbound queue exceeds the configured queue length. When SFQ
is used, packets are dropped from within the queue in a round-robin
fashion, among the present traffic flows. SFQ ensures that each flow within
the QoS class receives a fair share of output bandwidth relative to each
other, preventing bursty flows from starving other flows within the QoS
class.
• FIFO. Transmits all flows in the order that they are received (first in, first
out). Bursty sources can cause long delays in delivering time-sensitive
application traffic and potentially to network control and signaling
messages.
• MXTCP. Has very different use cases than the other queue parameters. MX-
TCP also has secondary effects that you need to understand before
configuring:
– When optimized traffic is mapped into a QoS class with the MX-TCP
queuing parameter, the TCP congestion control mechanism for that
traffic is altered on the Steelhead appliance. The normal TCP behavior of
reducing the outbound sending rate when detecting congestion or
packet loss is disabled, and the outbound rate is made to match the
minimum guaranteed bandwidth configured on the QoS class.
– You can use MX-TCP to achieve high-throughput rates even when the
physical medium carrying the traffic has high loss rates. For example,
MX-TCP is commonly used for ensuring high throughput on satellite
connections where a lower-layer-loss recovery technique is not in use.
– Another usage of MX-TCP is to achieve high throughput over high-
bandwidth, high-latency links, especially when intermediate routers do
not have properly tuned interface buffers. Improperly tuned router
buffers cause TCP to perceive congestion in the network, resulting in
unnecessarily dropped packets, even when the network can support
high-throughput rates.
Important: Use caution when specifying MX-TCP. The outbound rate for
the optimized traffic in the configured QoS class immediately increases to
the specified bandwidth, and does not decrease in the presence of network
congestion. The Steelhead appliance always tries to transmit traffic at the
specified rate. If no QoS mechanism (either parent classes on the Steelhead
appliance, or another QoS mechanism in the WAN or WAN infrastructure)
is in use to protect other traffic, that other traffic might be impacted by
MX-TCP not backing off to fairly share bandwidth.
When MX-TCP is configured as the queue parameter for a QoS class, the
following parameters for that class are also affected:
Link share weight. The link share weight parameter has no effect on a QoS
class configured with MX-TCP.
Upper limit. The upper limit parameter has no effect on a QoS class
configured with MX-TCP.
• Packet-order. Protects the TCP stream order by keeping track of flows that
are currently inside the packet-shaping infrastructure. Packet-order
protection allows only one packet from each flow into the HFSC traffic
shaper at a time. The backlog for each flow stores the packets from the flow
in order until the packet inside the HFSC infrastructure is dequeued for
delivery to the network interface. This packet order priority protection
works for both TCP and UDP streams. Select this queue with the Citrix QoS
classes for best performance. You must also specify the Citrix server IP
address or server port number to locate Citrix traffic, because the Steelhead
appliance does not identify Citrix traffic automatically.

Control Description
Class Parent Appears only when a QoS hierarchy is enabled. Specify the parent for a child
class. The class inherits the parent’s definitions. For example, if the parent class
has a business critical latency priority, and its child has a real-time latency
priority, the child inherits the business critical priority from its parent, and uses
a real-time priority only with respect to its siblings.
Add Adds the QoS class.
To remove a parent class, delete all rules for the corresponding child classes
first. When a parent class has rules or children, the check box for the parent
class is unavailable. When a child class is not bound to any rules in the QoS
rules table, deleting a parent deletes the children as well.
Adding a New QoS Rule

In this panel, you can manage QoS rules, as described in the following table.
Control Description
Add a New QoS Rule Displays the controls to add a QoS rule.
Insert Rule At Inserts a QoS rule for a QoS class. Select start, end, or a rule number from the
drop-down list.
Steelhead appliances evaluate rules in numerical order starting with rule 1. If
the conditions set in the rule match, then the rule is applied, and the system
moves on to the next packet. If the conditions set in the rule do not match, the
system consults the next rule. For example, if the conditions of rule 1 do not
match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no
further rules are consulted.
Class Name Select a class name from the drop-down list. If the rule matches, the specified
rule sends the packet to this class.
Source Subnet Specify the IP address for the source network. Use the following format:
XXX.XXX.XXX.XXX/XX
Port Specify the port or port label for the source subnet. The default value is All.
Tip: Rules support port labels for source and destination ports.
Destination Subnet Specify the IP address for the destination network. Use the following format:
XXX.XXX.XXX.XXX/XX
Port Specify the port or port label for the destination subnet. The default value is All.
Tip: Rules support port labels for source and destination ports.
Protocol Select All, TCP, UDP, or GRE from the drop-down list.
Traffic Type Select All, Optimized, or Pass-Through from the drop-down list. The system
applies the QoS rules to optimized and pass-through (egress only) traffic.
DSCP Optionally, select a DSCP level from the drop-down list.
VLAN Optionally, specify the VLAN tag for the rule.

Control Description
Application Protocols Select either None or Citrix ICA from the drop-down list.
Note: You must create a QoS class for Citrix traffic before selecting Citrix ICA.
The QoS class for Citrix must use the packet-order queue.
Selecting Citrix ICA expands the control to include the ICA Priority drop-down
list. Select a priority from the list. For example, select 0 - High for interactive
traffic such as screen updates and mouse movements. Select 3 - Low for Citrix
traffic without application priority. Each rule that specifies an ICA priority must
also identify Citrix traffic using IP address(es) and/or port number(s).
Add Adds a rule to the QoS rule list.
Remove QoS Rules Removes the selected rules.
Move QoS Rules Check the box next to the name and click Move QoS Rules. Click the arrow
next to the desired rule position. The rule moves to the new position.
QoS Marking
You set QoS marking for the selected networking policy in the QoS Marking page.
For details on QoS marking, see the Steelhead Management Console User’s Guide.
Tip: Optionally, to view and edit additional policy settings, select the policy from the Editing <policy type> Policy
drop-down list. To view and edit additional policy feature sets, select a feature set from the Page drop-down list.
The QoS Marking page contains the following groups of settings:

“QoS DSCP Monitor Settings,” next
“Adding a New Optimized QoS Map” on page 296
“Adding a New Pass through QoS Map” on page 297

QoS DSCP Monitor Settings

In this panel, you can set DSCP monitor settings for a networking policy.
Control Description
TOS Monitor Interval Specify how many TCP bytes the client Steelhead appliance receives on the upstream
connection before sending packets that reflect the same DSCP value. The default value is
3000.
For example, after the TCP connection has received 3000 bytes of data, the Steelhead
appliance checks the DSCP value received in the last packet for that connection and uses
that value to mark packets on the next hop. The DSCP value in packets received from the
server is used in packets sent from the server-side Steelhead appliance to the client-side
Steelhead appliance. This way, as soon as the server sends data back, the DSCP value is
sent for packets in the reverse direction.
This also applies to packets sent from a server-side Steelhead appliance to the server. If
you set the interval to 1, the connection setup packets (SYN/SYN-ACK/ACK) are not
marked, but the next packets are marked, because the server-side Steelhead appliance
sends data to the server only after it receives data from the client-side Steelhead
appliance.
TOS Monitor Repeat Specify how often the client-side Steelhead appliance rechecks the DSCP value of the
traffic. The default value is 1. Change this value when you expect the DSCP value to
change during the duration of the connection and you want to use the most recent value.
If you want to check indefinitely, set the repeat interval to -1.

Adding a New Optimized QoS Map

In this panel, you can manage optimized QoS maps, as described in the following table.
Control Description
Add a New Optimized Displays the controls to add an optimized QoS map.
QoS Map
XXX.XXX.XXX.XXX/XX
Source Port Specify the source port number, port label, or all.
A port label is a label that you assign to a set of ports so that you can reduce the number
of configuration rules in your system. For the MAPI data channel, specify port 7830 and
the corresponding DSCP level.
The method you use to configure QoS for active FTP depends on the RiOS version.
RiOS versions 5.0.7 and 5.5.2: For the FTP data channel, specify source port 20 and the
corresponding DSCP level on the Steelhead appliance closest to the FTP server (assuming
the FTP server initiates the data channel on port 20). Setting QoS for port 20 on the server-
side Steelhead appliance affects active FTP.
RiOS versions prior to 5.0.7 and 5.5.2: For the FTP data channel, configure a QoS map on
the server-side Steelhead appliance to match the destination port 20, because RiOS
versions prior to 5.0.7 and 5.5.2 do not support the creation of QoS maps based on the
source port for optimized traffic.
Destination Subnet Specify the IP address for the destination subnet. Use the following format:
XXX.XXX.XXX.XXX/XX
Destination Port Specify the destination port number, port label, or all.
For the FTP data channel, specify destination port 20 and the corresponding DSCP level.
Setting QoS for port 20 on the server-side Steelhead appliance affects passive FTP.
DSCP Optionally, select a DSCP level (0-63) or Reflect (the default setting) from the drop-down
list. Reflect specifies that the DSCP level or IP ToS value found on pass-through traffic is
unchanged when it passes through the Steelhead appliance.
Important: If your connections already have a DSCP level and you do not define one on
the client-side Steelhead appliance, the Steelhead appliance uses the existing DSCP level
for the connection between the Steelhead appliances. If you define a DSCP level on the
client-side Steelhead appliance, the Steelhead appliance overrides the existing DSCP level
and the value that you defined is applied.
Notes:
• Optimized traffic is marked in both directions, but pass-through traffic is marked only
on the egress traffic.
• In RiOS 5.5 and earlier, the DSCP field in a QoS classification rule matches the DSCP
value before DSCP marking rules are applied. In RiOS 6.0, the DSCP field in a QoS
classification rule matches the DSCP value after DSCP marking rules are applied; that
is, it matches the post-marking DSCP value.
Description Optionally, specify a description to identify the rule.
Add Adds the rule to the optimized QoS map list.
Remove QoS Maps Removes the selected map configurations.
Move QoS Maps Reorders the selected maps in the list.

Adding a New Pass through QoS Map

In this panel, you can manage pass through QoS maps, as described in the following table.
Control Description
Add a New Displays the controls to add a pass-through QoS map.

Passthrough QoS Map
XXX.XXX.XXX.XXX/XX
Source Port Specify the source port number, port label, or all.
You cannot optimize a pass-through FTP data channel connection.
Destination Subnet Specify the IP address for the destination subnet. Use the following format:
XXX.XXX.XXX.XXX/XX
Destination Port Specify the destination port number, port label, or all.
You cannot optimize a pass-through FTP data channel connection.
DSCP Optionally, select a DSCP level (0-63) or Reflect (the default setting) from the drop-down
list. Reflect specifies that the DSCP level or IP ToS value found on pass-through traffic is
unchanged when it passes through the Steelhead appliance.
Important: If your connections already have a DSCP level and you do not define one in the
Management Console, the Steelhead appliance uses the existing DSCP level for the
connection between the Steelhead appliances. If you define a DSCP level in the
Management Console, the Steelhead appliance overrides the existing DSCP level and the
value that you defined is applied.
Note: Optimized traffic is marked in both directions, but pass-through traffic is marked
only on the egress traffic.
Description Optionally, specify a description to help you identify the map.
Add Adds the map to the passthrough QoS map list.
Remove QoS Maps Removes the selected map configurations.
Move QoS Maps Reorders the selected maps in the list.

Policy Parameters and Settings Security Policy Settings
Port Labels
You create port labels for the selected networking policy in the Port Labels page.
For details on the port labels, see the Steelhead Management Console User’s Guide.
Control Description
Add a New Port Label Displays the controls to add a new port label.
Name Specify the label name. The following rules apply:

• Port labels are not case sensitive and can be any string consisting of letters,
the underscore ( _ ), or the hyphen ( - ). There cannot be spaces in port
labels.
• The fields in the various rule pages of the Management Console that take a
physical port number also take a port label.
• To avoid confusion, do not use a number for a port label.
• Port labels that are used in in-path and other rules, such as QoS and peering
rules, cannot be deleted.
• Port label changes (that is, adding and removing ports inside a label) are
applied immediately by the rules that use the port labels that you have
modified.
Ports Specify a comma-separated list of ports.
Add Adds the port label.
Security Policy Settings

The following section describes the Security Policy feature set. It includes the following sections:
“General Security Settings,” next
“User Permissions” on page 299
“RADIUS” on page 300
“TACACS+” on page 302
“Management ACL” on page 303
“Web Settings” on page 304
The following procedures assume you have already created a Security Policy. For details on how to create
a new policy, see “Creating Policy Settings” on page 133.
General Security Settings

You can prioritize local, RADIUS, and TACACS+ authentication methods for the system and set the
authorization policy and default user for RADIUS and TACACS+ authorization systems in the General
Settings page.

Security Policy Settings Policy Parameters and Settings
For details on general security settings, see the Steelhead Management Console User’s Guide. For details on
setting up RADIUS and TACACS+ servers, see the Steelhead Appliance Deployment Guide.
User Permissions
You can change the administrator or monitor passwords and define role-based users for the selected
security policy in the User Permissions page.
For details on user permissions, see “Managing User Permissions” on page 61.
The User Permissions page contains the following groups of settings:
“Capability-Based Accounts,” next
“Adding a New User” on page 299
Capability-Based Accounts
In this panel, you can manage capability accounts for the security policy, as described in the following table.
Control Description
admin/monitor Click the magnifying glass to change the administrator or monitor password.
Enable Account. Click to enable or clear to disable the administrator or monitor account.
Use a Password. Enables password protection.
Password. Type a password in the text box. The password must have a minimum of six
characters.
Password Confirm. Confirm the new administrator password.
Adding a New User

In this panel, you can manage role-based accounts for the security policy, as described in the following table.
Important: A role-based account cannot modify another role-based or capability-based account.
Control Description
Add a New User Click to display the controls for creating a new role-based account.
Account Name Specify a name for the role-based account.
Enable Account Click the check box to enable the new role-based account.
Use a Password Click the check box to enable password protection and type the following:
• Password. Type a password in the text box. The password must have a minimum of
six characters.
• Password Confirm. Type the new password again for confirmation.
General Settings Configures per source IP connection limit and the maximum connection pooling size.
Network Settings Configures host and network interface settings, including DNS cache settings.

Control Description
QoS Enforces QoS policies.
Optimization Service Configures alarms, performance features, and TCP optimization.
In-Path Rules Configures TCP traffic for optimization and how to optimize traffic by setting in-path
rules. This role includes WAN visibility to preserve TCP/IP address or port information.
For detailed information about WAN visibility, see the Steelhead Appliance Deployment
Guide.
High-Speed TCP Specifies high-speed TCP settings: LAN send and receive buffer size and WAN send and
receive buffer size.
CIFS Optimization Enables CIFS optimization settings (including SMB-Signing) and Overlapping Open
optimization.
HTTP Optimization Configures enhanced HTTP optimization settings: URL learning, Parse and Prefetch,
Object Prefetch Table, keep-alive, insert cookie, file extensions to prefetch, and the ability
to set up HTTP optimization for a specific server subnet.
Oracle Forms Optimizes Oracle E-business application content and forms applications.
Optimization
MAPI Optimization Optimizes MAPI, and sets Exchange and NSPI ports.
SQL Optimization Configures MS-SQL optimization.
NFS Optimization Configures NFS optimization.
Notes Optimization Configures Lotus Notes optimization.
Citrix ICA Configure Citrix ICA optimization.

Optimization
SSL Optimization Configures SSL support and the secure inner channel.
Proxy File Service Enables the PFS.
Riverbed Services Adds functionality into a virtualized environment on the client Steelhead appliance. The
Platform (RSP) functionality can include third-party packages such as a firewall security package, a
streaming video server, or a package that provides core networking services (for example,
DNS and DHCP). This role includes permission to install VMware tools and add subnet
side rules. For detailed information, see the RiOS Services Platform Installation Guide.
Security Settings Configures security settings, including RADIUS and TACACS authentication settings
and the secure vault password.
Basic Diagnostics Customizes system diagnostic logs, but does not include TCP dumps.
Diagnostics Customizes system diagnostic logs, including system and user log settings.
Reports Sets system report parameters.
Add Adds your settings to the system.
Remove Selected Users Click the check box next to the name and click Remove Selected.
RADIUS
You set up RADIUS server authentication for the selected security policy in the RADIUS page.
For details on the RADIUS feature, see the Steelhead Management Console User’s Guide

The RADIUS page contains the following groups of settings:

“Default RADIUS Settings,” next
“RADIUS Servers” on page 301
Default RADIUS Settings

In this panel, you can enable and define RADIUS authentication for the security policy, as described in the
following table.
Control Description
Set a Global Default Enables a global server key for the RADIUS server.
Key
Confirm Global Key Confirm the global server key.
Timeout (seconds) Specify the time-out period in seconds (1-60). The default value is 3.
Retries Specify the number of times you want to allow the user to retry authentication. The
default value is 1.
RADIUS Servers
In this panel, you can add and manage RADIUS authentication servers, as described in the following table.
Control Description
Add a RADIUS Server Displays the controls for defining a new RADIUS server.
Authentication Port Specify the port for the server.
Override the Global Overrides the global server key for the server.
Default Key
Server Key. Specify the override server key.
Confirm Server Key. Confirm the override server key.
values are 0-5. The default value is 1.
Add Adds the RADIUS server to the list.
Note: If you add a new server to your network and you do not specify these fields at that time, the global settings are
applied automatically.

TACACS+
You set up TACACS+ server authentication for the selected security policy in the TACACS+ page.
For details on TACACS+, see the Steelhead Management Console User’s Guide.
The TACACS+ page contains the following groups of settings:
“Default TACACS+ Settings,” next
“TACACS+ Servers” on page 302
Default TACACS+ Settings

In this panel, you can enable and define TACACS+ authentication for the security policy, as described in the
following table.
Control Description
Set a Global Default Specify this option to enable a global server key for the server.
Key
Confirm Global Key Confirms the global server key.
TACACS+ Servers
In this panel, you can add and manage TACACS+ authentication servers, as described in the following
table.
Control Description
Add a TACACS+ Server Displays the controls for defining a new TACACS+ server, as described in this
table.
Authentication Port Specify the port for the server. The default value is 49.
Authentication Type Click either PAP or ASCII to select the authentication type.
Override the Global Default Key Specify this option to override the global server key for the server.
Server Key Specify the override server key.
Confirm Server Key Confirm the override server key.
Timeout (seconds) Specify the time-out period in seconds (1-60). The default is 3.
Retries Specify the number of times you want to allow the user to retry authentication.
Valid values are 0-5. The default is 1.
Add Adds the TACACS+ server to the list.

Management ACL
You configure management ACL for the selected security policy in the Management ACL page.
For details on management ACL, see the Steelhead Management Console User’s Guide.
The Management ACL page contains the following groups of settings:
“Management ACL Settings,” next
“Adding a New Rule” on page 303
Management ACL Settings

The management ACL contains rules that define a match condition for an inbound IP packet. You set a rule
to allow or deny access to a matching inbound IP packet. When you add a rule on a Steelhead appliance,
the destination specifies the Steelhead appliance itself, and the source specifies a remote host.
In this panel, you can choose:
Control Description
Enable Management ACL Secures access to a Steelhead appliance using a management ACL.
Adding a New Rule

In this panel, you can choose the following:
Control Description
Add a New Rule Displays the controls for adding a new rule.
Action Select one of the following rule types from the drop-down list:
• Allow. Allows a matching packet access to the Steelhead appliance. This is
the default action.
• Deny. Denies access to any matching packets.
Service Select All, HTTP, HTTPS, SOAP, SNMP, SSH, or Telnet. When specified, the
Destination Port is dimmed and unavailable.
Protocol (Appears only when Service is set to Specify Protocol.) Optionally, select All,
TCP, UDP, ICMP or a specify a protocol number (1, 6, 17). The default value is
All. When set to All or ICMP, the Service and Destination Ports are dimmed and
unavailable.
Source Network Optionally, specify the source network of the inbound packet.
Interface Optionally, select an interface name from the drop-down list. Select All to
specify all interfaces.
Description Optionally, describe the rule to facilitate administration.

Policy Parameters and Settings Branch Services Settings
Control Description
Rule Number Optionally, select a rule number from the drop-down list. By default, the rule
goes to the end of the table (just above the default rule).
Steelhead appliances evaluate rules in numerical order starting with rule 1. If the
conditions set in the rule match, then the rule is applied, and the system moves
on to the next packet. If the conditions set in the rule do not match, the system
consults the next rule. For example, if the conditions of rule 1 do not match, rule
2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules
are consulted.
Note: The default rule, Allow, which allows all remaining traffic from everywhere
that has not been selected by another rule, cannot be removed and is always listed
last.
Log Packets Tracks denied packets in the log. By default, packet logging is enabled.
Add Adds the rule to the list.
Move Selected Moves the selected rules. Click the arrow next to the desired rule position; the
rule moves to the new position.
Web Settings
You can configure remote logging servers, log rotation and filtering, and log viewing preferences for the
selected security policy in the Web Settings page
Control Description
Default Web Login ID Specify the user name that appears on the authentication page. The default value is
admin.
Web Inactivity Timeout Specify the number of idle minutes before time-out. The default value is 15. A value of 0
disables time-out.
Allow Session By default, session time-out is enabled, which stops the automatic updating of the report
Timeouts on Auto- pages when the session times out. Clear this box to disable the session time-out, remain
Refreshing Pages logged-in indefinitely, and automatically refresh the report pages.
Important: Disabling this feature poses a security risk.
Branch Services Settings

The following section describes Branch Services feature set. It includes the following sections:
“Caching DNS,” next
“RSP Slots” on page 307
“RSP Dataflow” on page 308

Branch Services Settings Policy Parameters and Settings
Caching DNS
You configure DNS caching in the Branch Services page. By default, the DNS cache is disabled.
For details on DNS caching, see the Steelhead Management Console User’s Guide.
The Branch Services page contains the following groups of settings:
“General Services,” next
“DNS Forwarding Name Servers” on page 305
“Advanced Cache” on page 306
“Advanced Name Servers” on page 307
General Services
In this panel, you can enable and define the general services.
Control Description
Enable Caching DNS Enabled. Forwards name resolution requests to a DNS name server, then stores
the address information locally in the Steelhead appliance. By default, the
requests go to the root name server, unless you specify another name server.
Disabled. Stops the Steelhead appliance from acting as the DNS name server.
DNS Cache Size (bytes) Specifies the cache size, in bytes. The default value is 1048576. The range is from
524288 to 2097152.
Primary Interface Responding to Enabled. Enables the name server to listen for name resolution requests on the
DNS Requests primary interface.
Disabled. Stops the name server from using the primary interface
Aux Interface Responding to Enabled. Enables the name server to listen for name resolution requests on the
DNS Requests auxiliary interface.
Disabled. Stops the name server from using the auxiliary interface.
Apply Applies the settings to the current configuration.
DNS Forwarding Name Servers

In this panel, you can add a new DNS forwarding name servers.
Control Description
Add a New DNS Server Name Displays the controls to add a DNS name server to which the Steelhead
appliance forwards requests to cache responses. By default, the Steelhead
appliance only forwards requests to the Internet root name servers when you
enable caching DNS without specifying any name servers to forward requests to.
You can add multiple name servers to use; the Steelhead appliance uses failover
to these if one name server is not responding.
Name Server IP Address Specify an IP address for the name server.
Position Specify the order in which the name servers are queried (when using more than
one). If the first name server, or forwarder, does not respond, the Steelhead
appliance queries each remaining forwarder in sequence until it receives an
answer or until it exhausts the list.
Add Adds the name server.

Advanced Cache
In this panel, you can edit the advanced cache.
Control Description
Caching of Forwarded Responses Enables the cache. The cache is enabled by default; however nothing is actually
cached until you select the General Setting Enable Caching DNS.
Maximum Cache Time (seconds) Specify the maximum number of seconds the name server stores the address
information. The default setting is one week (604,800 seconds). The minimum is
2 seconds and the maximum is thirty days (2,592,000 seconds). You can adjust
this setting to reflect how long the cached addresses remain up-to-date and
valid.
Note: Changes to this setting affect new address information and do not change
responses already in the cache.
Minimum Cache Time (seconds) Specify the minimum number of seconds that the name server stores the address
entries. The default value is 0. The maximum value is the current value of
Maximum Cache Time.
Typically there is no need to adjust this setting.
Note: Changes to this setting affect new responses and do not change any
responses already in the cache.
Neg DNS Maximum Cache Time Specify the maximum number of seconds that an unresolved negative address is
(seconds) cached. The valid range is from two seconds to thirty days (2,592,000 seconds).
The default value is 10,800 seconds.
A negative entry occurs when a DNS request fails and the address remains
unresolved. When a negative entry is in the cache, the appliance does not request
it again until the cache expires, the maximum cache time is reached, or the cache
is cleared.
Neg DNS Minimum Cache Time Specify the TTL for a negative entry, which is always this value or above, even if
(seconds) the server returns a smaller TTL value. For example, when this value is set to 300
seconds and the client queries aksdfjh.com, the DNS service returns a negative
answer with a TTL of 100 seconds, but the DNS cache stores the entry as having
a TTL of 300 seconds. The default value is 0, which specifies that the Steelhead
appliance still caches negative responses; it does not place a lower bound on
what the TTL value for the entry can be.
Freeze Cache Freezes the cache contents. When the cache is frozen, entries do not
automatically expire from the cache. They are still returned in response to DNS
queries. This is useful to keep local services available when the WAN is
disconnected. By default, this setting is disabled.
Note: When the cache is frozen and full, entries can still be pushed out of the
cache by newer entries.
Minimum TTL of a Frozen Entry Specify the minimum TTL in seconds that a response from a frozen cache has
(seconds) when sent to a branch office client. The default value is 10. For example, suppose
this value is set to 60 seconds. At the time the cache is frozen, the cache entry for
riverbed.com has a TTL of 300 seconds. For subsequent client requests for
riverbed.com, the service responds with a TTL of 300 seconds minus however
much time has lapsed since the cache freeze. After 240 seconds have elapsed, the
service responds to all subsequent requests with a TTL of 60 seconds regardless
of how much time elapses, until the cache is unfrozen.

Branch Services Settings Policy Parameters and Settings
Advanced Name Servers

In this panel, you can edit advanced name servers.
Control Description
For Unresponsive Name Servers Detects when one of the name servers is not responding and send requests to a
responsive name server instead
Forwarder Down After Specify how many seconds can pass without a response from a name server until
(seconds) the appliance considers it unresponsive. The default value is 120. When the
name server receives a request but does not respond within this time and does
not respond after the specified number of failed requests, the appliance
determines that it is down. It then queries each remaining forwarder in sequence
until it receives an answer or it exhausts the list. When the list is exhausted and
the request is still unresolved, you can specify that the Steelhead appliance try
the root name server.
Forwarder Down After Specify how many requests a name server can ignore before the appliance
(requests) considers it unresponsive. The default value is 30. When the name server does
not respond to this many requests and does not respond within the specified
amount of time, the appliance determines that it is down. It then queries each
remaining forwarder in sequence until it receives an answer or it exhausts the
list. When the list is exhausted and the request is still unresolved, you can
specify that the Steelhead appliance try the root name server.
Retry Forwarder After (seconds) Specify the time limit, in seconds, that the appliance forwards the name
resolution requests to name servers that are responding instead of name servers
that are down. The appliance also sends a single query to name servers that are
down using this time period. If they respond, the appliance considers them back
up again. The default value is 300. The single query occurs at intervals of this
value – if the value is set to 300, a request is allowed to go to a forwarder
considered down about every 300 seconds until it responds to one.
Fallback to Root Name Servers Forwards the request to a root name server when all other name servers have not
responded to a request. This is the default setting; either this option must be
enabled or a server must be present. When the fallback to root name servers
option is disabled, the Steelhead appliance only forwards a request to the
forwarding name servers listed above. If it exhausts these name servers and does
not get a response, it does not forward the request to a root name server and
returns a server failure.
Note: If the name servers used by the Steelhead appliance are internal name
servers; that is, they can resolve hostnames that external name servers like the
Internet DNS root servers cannot, you must disable this option. Otherwise, if the
name servers all fail, the root name servers might inform the Steelhead appliance
that a host visible only to internal name servers does not exist, might cache that
response, and return it to clients until it expires. This prolongs the period of time
until service comes back up after name servers are down.
Apply Applies the changes.
RSP Slots
You configure RSP slots in the RSP Slots page.
For details on RSP Slots, see the Steelhead Management Console User’s Guide.
Note: The slot names and installed packages should match the configuration of the Steelheads that are affected by this
policy

RSP Dataflow
You configure RSP dataflow in the RSP Dataflow page.
For details on RSP dataflow, see the Steelhead Management Console User’s Guide
In this panel, you can edit RSP dataflow settings.
Control Description
Add a VNI Displays the controls to add a VNI.
Interface Select an in-path interface from the drop-down list.
Data Flow Position Select one of the following from the drop-down list.
• start. Locates the VNI next to the LAN. A packet coming from theSteelhead
appliance LAN interface goes to this VNI first.
• end. Locates the VNI next to the WAN. A packet coming from the Steelhead
appliance WAN interface goes to this VNI first.
• order number. Specifies the VNI order number. A lower number locates the
VNI closer to the LAN. A higher number locates the VNI closer to the WAN
Add Adds the VNI to the data flow.
Remove Selected VNIs Click the check box next to the name and click Remove Selected VNIs.
Move Selected VNIs Moves the selected VNIs. Click the arrow next to the desired VNI position; the
VNI moves to the new position.

APPENDIX B Riverbed System Ports
This appendix provides a reference to ports used by the system. It includes the following sections:
“Default Ports,” next
“Commonly Excluded Ports” on page 310
“Interactive Ports Forwarded by the Steelhead Appliance” on page 310
“Secure Ports Forwarded by the Steelhead Appliance” on page 311
Default Ports
The following table summarizes Steelhead appliance default ports with the port label: RBT-Proto.
Default Ports Description
7744 Data store synchronization port.
7800 In-path port for appliance to appliance connections.
7801 Network Address Translation (NAT) port.
7810 Out-of-path server port.

7820 Failover port for redundant appliances.
7850 Connection forwarding (neighbor) port.
7860 Interceptor appliance.
7870 Steelhead Mobile.
Note: Because optimization between Steelhead appliances typically takes place over a secure WAN, it is not necessary
to configure company firewalls to support Steelhead specific ports. If there are one or more firewalls between two
Steelhead appliances, ports 7800 and 7810, must be passed through firewall devices located between the pair of
Steelhead appliances. Also, SYN and SYN/ACK packets with the TCP option 76 must be passed through firewalls for
auto-discovery to function properly. For the CMC, port 22 must be passed through for the firewall to function properly.

Riverbed System Ports Commonly Excluded Ports
Commonly Excluded Ports

This section summarizes the ports that are commonly excluded from optimization in the Steelhead
appliance.
If you have multiple ports that you want to exclude, create a port label and list the ports.
Application Ports
PolyComm (video conferencing) 1503, 1720-1727, 3230-3253, 5060
Cisco IPTel 2000
Interactive Ports Forwarded by the Steelhead Appliance

A default in-path rule with the port label Interactive is automatically created in your system. This in-path
rule automatically passes through traffic on interactive ports (for example, Telnet, TCP ECHO, remote
logging, and shell).
Tip: If you do not want to automatically forward these ports, simply delete the Interactive rule in the Management
Console.
The following table lists the interactive ports that are automatically forwarded by the Steelhead appliance.
Port Description
7 TCP ECHO
23 Telnet
37 UDP/Time
107 Remote Telnet Service
179 Border Gateway Protocol
513 Remote Login
514 Shell
1494 Citrix
1718-1720 h323gatedisc
2000-2003 Cisco SCCp
2427 Media Gateway Control Protocol Gateway
2598 Citrix
2727 Media Gateway Control Protocol Call Agent
3389 MS WBT Server, TS/Remote Desktop
5060 SIP

Secure Ports Forwarded by the Steelhead Appliance Riverbed System Ports
Port Description
5631 PC Anywhere
5900-5903 VNC
6000 X11
Secure Ports Forwarded by the Steelhead Appliance

A default in-path rule with the port label Secure is automatically created in your system. This in-path rule
automatically passes through traffic on commonly secure ports (for example, ssh, https, and smtps).
Tip: If you do not want to automatically forward these ports, simply delete the Secure rule in the Management Console.
The following table lists the common secure ports that are automatically forwarded by the Steelhead
appliance.
Type Port Description
ssh 22/tcp SSH Remote Login Protocol
tacacs 49/tcp TACACS+
https 443/tcp http protocol over TLS/SSL
smtps 465/tcp # SMTP over SSL (TLS)
nntps 563/tcp nntp protocol over TLS/SSL (was snntp)
imap4-ssl 585/tcp IMAP4+SSL (use 993 instead)
sshell 614/tcp SSLshell
ldaps 636/tcp ldap protocol over TLS/SSL (was sldap)
ftps-data 989/tcp ftp protocol, data, over TLS/SSL
ftps 990/tcp ftp protocol, control, over TLS/SSL
telnets 992/tcp telnet protocol over TLS/SSL
imaps 993/tcp imap4 protocol over TLS/SSL
pop3s 995/tcp pop3 protocol over TLS/SSL (was spop3)
l2tp 1701/tcp l2tp
pptp 1723/tcp pptp
tftps 3713/tcp TFTP over TLS

Riverbed System Ports Secure Ports Forwarded by the Steelhead Appliance
The following table contains the uncommon ports automatically forwarded by the Steelhead appliance.
nsiiops 261/tcp IIOP Name Service over TLS/SSL
ddm-ssl 448/tcp DDM-Remote DB Access Using Secure Sockets
corba-iiop-ssl 684/tcp CORBA IIOP SSL
ieee-mms-ssl 695/tcp IEEE-MMS-SSL
ircs 994/tcp irc protocol over TLS/SSL
njenet-ssl 2252/tcp NJENET using SSL
ssm-cssps 2478/tcp SecurSight Authentication Server (SSL)
ssm-els 2479/tcp SecurSight Event Logging Server (SSL)
giop-ssl 2482/tcp Oracle GIOP SSL
ttc-ssl 2484/tcp Oracle TTC SSL
groove 2492 GROOVE
syncserverssl 2679/tcp Sync Server SSL
dicom-tls 2762/tcp DICOM TLS
realsecure 2998/tcp Real Secure
orbix-loc-ssl 3077/tcp Orbix 2000 Locator SSL
orbix-cfg-ssl 3078/tcp Orbix 2000 Locator SSL
cops-tls 3183/tcp COPS/TLS
csvr-sslproxy 3191/tcp ConServR SSL Proxy
xnm-ssl 3220/tcp XML NM over SSL
msft-gc-ssl 3269/tcp Microsoft Global Catalog with LDAP/SSL
networklenss 3410/tcp NetworkLens SSL Event
xtrms 3424/tcp xTrade over TLS/SSL
jt400-ssl 3471/tcp jt400-ssl
seclayer-tls 3496/tcp securitylayer over tls
vt-ssl 3509/tcp Virtual Token SSL Port
jboss-iiop-ssl 3529/tcp JBoss IIOP/SSL
ibm-diradm-ssl 3539/tcp IBM Directory Server SSL
can-nds-ssl 3660/tcp Candle Directory Services using SSL
can-ferret-ssl 3661/tcp Candle Directory Services using SSL
linktest-s 3747/tcp LXPRO.COM LinkTest SSL
asap-tcp-tls 3864/tcp asap/tls tcp port

topflow-ssl 3885/tcp TopFlow SSL
sdo-tls 3896/tcp Simple Distributed Objects over TLS

Secure Ports Forwarded by the Steelhead Appliance Riverbed System Ports
sdo-ssh 3897/tcp Simple Distributed Objects over SSH
iss-mgmt-ssl 3995/tcp ISS Management Svcs SSL
suucp 4031/tcp UUCP over SSL
wsm-server-ssl 5007/tcp wsm server ssl
sip-tls 5061/tcp SIP-TLS
imqtunnels 7674/tcp iMQ SSL tunnel
davsrcs 9802/tcp WebDAV Source TLS/SSL
intrepid-ssl 11751/tcp Intrepid SSL
rets-ssl 12109/tcp RETS over SSL

Riverbed System Ports Secure Ports Forwarded by the Steelhead Appliance

APPENDIX C CMC Management Information Base
(MIB)
This appendix describes the appliance Management Information Base (MIB).

The MIB monitors device status, peers, and provides network statistics for seamless integration into
network management systems such as Hewlett Packard OpenView Network Node Manager, PRTG, and
other SNMP browser tools.
For details on configuring and using these network monitoring tools, consult the vendor documentation.
This Appendix provides the following references:
“Accessing MIB Files,” next
“SNMP Traps” on page 316
Accessing MIB Files

The following guidelines describe how to download and access the MIB:
You can download the MIB file from the CMC Support page.
You can load the MIB file into any MIB browser utility.
Some utilities might expect a file type other than a text file. If this occurs, change the file type to the one
expected.
Some utilities assume that the root is mib-2 by default. If the utility sees a new node, such as
enterprises, it might look under mib-2.enterprises. If this occurs, use
.iso.org.dod.internet.private.enterprises.rbt as the root.
Some command-line browsers might not load all MIB files by default. If this occurs, find the
appropriate command option to load the RBT-mib.txt file. For example, for NET-SNMP browsers:
snmwalk -m all

CMC Management Information Base (MIB) SNMP Traps
SNMP Traps
Alarms fire for their event only. If a service alarm is fired indicating that the service has halted, no alarm is
fired when the service returns to normal operation.
The following table summarizes the SNMP traps sent out from the system to configured trap receivers.
Trap Text Description
procCrash A procCrash trap A process has crashed and subsequently been

(enterprises.rbt.products.cmc. signifies that a process restarted by the system. The trap contains the name
17163.1.2.4.1) managed by PM has of the process that crashed. A system snapshot
crashed and left a core associated with this crash has been created on the
file. The variable sent appliance and is accessible via the CLI or the
with the notification Management Console. Riverbed Technical Support
indicates which process might need this information to determine the cause of
crashed. the crash. No other action is required on the
appliance as the crashed process is automatically
restarted.
procExit A procExit trap signifies A process has unexpectedly exited and been restarted
(enterprises.rbt.products.cmc. that a process managed by the system. The trap contains the name of the
17163.1.2.4.2) by PM has exited process. The process might have exited on its own or
unexpectedly, but not left due to other process failures on the appliance. Please
a core file. The variable review the release notes for known issues related to
sent with the notification this process exit. If none exist, please contact
indicates which process Riverbed Technical Support (support@riverbed.com)
exited. to determine the cause of this event. No other action
is required on the appliance as the crashed process is
automatically restarted.
cpuUtil The average CPU Average CPU utilization has exceeded an acceptable
(enterprises.rbt.products.cmc. utilization in the past threshold. If CPU utilization spikes are frequent, it
17163.1.2.4.3) minute has gone above can be because the system is undersized. Sustained
the acceptable threshold. CPU load can be symptomatic of more serious issues.
Consult the CPU Utilization report to gauge how
long the system has been loaded and also monitor the
amount of traffic currently going through the
appliance. A one-time spike in CPU is normal but
extended high CPU utilization should be reported to
Riverbed Technical Support
(support@riverbed.com). No other action is
necessary as the alarm clears on its own.
pagingActivity The system has been The system is running low on memory and has begun
(enterprises.rbt.products.cmc. paging excessively swapping memory pages to disk. This event can be
17163.1.2.4.4) (thrashing). triggered during a software upgrade while the
optimization service is still running but there can be
other causes which should be monitored or
diagnosed. Should this event be triggered at any
other time, please generate a debug sysdump and
send it to Riverbed Technical Support
(support@riverbed.com). No other action is required
as the alarm clears on its own.
confModeEnter A user has entered A user on the system has entered a configuration
(enterprises.rbt.products.cmc. configuration mode. mode from either the CLI or Management Console. A
17163.1.2.4.5) log in to the Management Console by user admin
sends this trap as well. This is for notification
purposes only; no other action is necessary.

SNMP Traps CMC Management Information Base (MIB)
confModeExit A user has exited A user on the system has exited configuration mode
(enterprises.rbt.products.cmc. configuration mode. from either the CLI or Management Console. A log
17163.1.2.4.6) out of the Management Console by user admin sends
this trap as well. This is for notification purposes
only; no other action is necessary.
powerSupplyError A power supply on the A power supply on the appliance has failed (not
(enterprises.rbt.products.cmc. appliance has failed (not supported on all models).
17163.1.2.4.7) supported on all models).
fanError A fan has failed on this A fan has failed on this appliance (not supported on
(enterprises.rbt.products.cmc. appliance (not supported all models).
17163.1.2.4.8) on all models).
memoryError A memory error has been A memory error has been detected on the appliance
(enterprises.rbt.products.cmc. detected on the appliance (not supported on all models).
17163.1.2.4.1.9) (not supported on all
models).
ipmi An IPMI event has been An IPMI event has been detected on the appliance.
(enterprises.rbt.products.cmc. detected on the Please check the details in the alarm report on the
17163.1.2.4.10) appliance. Please check Web UI (not supported on all models).
the details in the alarm
report on the Web UI (not
supported on all models).
configChange A change has been made A change has been made to the system’s
(enterprises.rbt.products.cmc. to the system’s configuration.
17163.1.2.4.11) configuration.
temperatureWarning The system temperature The system temperature has exceeded the threshold.
(enterprises.rbt.products.cmc. has exceeded the
17163.1.2.4.1.12) threshold.
temperatureCritical The system temperature The system temperature has reached a critical stage.
(enterprises.rbt.products.cmc. has reached a critical
17163.1.2.4.1.13) stage.
extBackupFailed The external backup or The external backup or restore has failed.
(enterprises.rbt.products.cmc. restore has failed.
17163.1.2.4.1.14)
appHealthNotif A appHealthNotif trap A appHealthNotif trap signifies that an appliance

(enterprises.rbt.products.cmc. signifies that an managed by the CMC has changed health state. The
17163.1.2.4.1.15) appliance managed by variables sent with the notification indicates the serial
the CMC has changed number of the appliance, the display address, and the
health state. The health state that it is in.
variables sent with the
notification indicates the
serial number of the
appliance, the display
address, and the health
state that it is in.

appConnNotif A appConnNotif trap A appConnNotif trap signifies that an appliance

(enterprises.rbt.products.cmc. signifies that an managed by the CMC has changed connection state.
17163.1.2.4.1.16) appliance managed by The variables sent with the notification indicates the
the CMC has changed serial number of the appliance, the display address,
connection state. The and the new connection status it is in.
serial number of the
appliance, the display
address, and the new
connection status it is in.
appBackupSuccess A appBackupSuccess A appBackupSuccess trap signifies that an appliance

(enterprises.rbt.products.cmc. trap signifies that an managed by the CMC has successfully completed a
17163.1.2.4.1.17) appliance managed by backup. The variables sent with the notification
the CMC has successfully indicates the appliance serial number, the display
completed a backup. The address, and the time of the backup.
appliance serial number,
the display address, and
the time of the backup.
appBackupFailure A appBackupFailure trap A appBackupFailure trap signifies that an appliance

(enterprises.rbt.products.cmc. signifies that an managed by the CMC has failed a backup. The
17163.1.2.4.1.18) appliance managed by variables sent with the notification indicates the
the CMC has failed a appliance serial number, the display address, and the
backup. The variables time of the backup.
sent with the notification
indicates the appliance
serial number, the display
address, and the time of
the backup.
underprovisionedVM VM has too little storage VM has too little storage or CPU.
(enterprises.rbt.products.cmc. or CPU.
17163.1.2.4.1.19)
autoconnectFailed SH could not autoconnect Steelhead could not autoconnect due to license
(enterprises.rbt.products.cmc. due to license depletion. depletion.
17163.1.2.4.1.20)
licenseFailureRegimeChange Licensing status has Licensing status has changed.

(enterprises.rbt.products.cmc. changed.
17163.1.2.4.1.21)
certsExpiring Some SSL certificates The service has detected some SSL certificates used
(enterprises.rbt.products.cmc. may be expiring. for Network Administration Access to the Steelhead
17163.1.2.4.1.22) appliance that are close to their expiration dates. The
alarm clears when the x.509 certificates are updated.
fsMntBytes System disk full. System disk is full.

(enterprises.rbt.products.cmc.
17163.1.2.4.1.23)
linkState Network interface link Network interface link errors.

(enterprises.rbt.products.cmc. errors.
17163.1.2.4.1.24)

SNMP Traps CMC Management Information Base (MIB)
raidError An error has been A drive has failed in a RAID array. Consult the CLI or
(enterprises.rbt.products.cmc. generated by the RAID Management Console to determine the location of the
17163.1.2.4.1.25) array. failed drive. Contact Riverbed Support for assistance
with installing a new drive, a RAID rebuild, or drive
reseating. The appliance continues to optimize
during this event. After the error is corrected, the
alarm clears automatically.
Note: Applicable to models 3010, 3510, 3020, 3520,
5010, 5520, 6020, and 6120 only.
cpuUtilClear The average CPU The average CPU utilization has fallen back within
(enterprises.rbt.products.cmc. utilization has fallen back the acceptable threshold.
17163.1.2.4.1003) within the acceptable
threshold.
pagingActivityClear The system has stopped The system has stopped paging excessively
(enterprises.rbt.products.cmc. paging excessively (thrashing).
17163.1.2.4.1004) (thrashing).
powerSupplyErrorClear All power supplies are All power supplies are now functioning normally
(enterprises.rbt.products.cmc. now functioning (not supported on all models).
17163.1.2.4.1007) normally (not supported
on all models).
fanErrorClear All system fans are not All system fans are not functioning normally (not
(enterprises.rbt.products.cmc. functioning normally supported on all models).
17163.1.2.4.1008) (not supported on all
models).
memoryErrorClear A memory error has been A memory error has been rectified on the appliance
(enterprises.rbt.products.cmc. rectified on the appliance (not supported on all models).
models).
ipmiClear An IPMI event has been An IPMI event has been rectified on the appliance
(enterprises.rbt.products.cmc. rectified on the appliance (not supported on all models).
models).
temperatureNormal The system temperature The system temperature is back within the threshold.
(enterprises.rbt.products.cmc. is back within the
17163.1.2.4.1.1012) threshold.
temperatureNonCritical The system temperature The system temperature is no longer in a critical

(enterprises.rbt.products.cmc. is no longer in a critical stage.
17163.1.2.4.l.1013) stage.
extBackupFailedClear The external backup or The external backup or restore failure has been
(enterprises.rbt.products.cmc. restore failure has been addressed.
17163.1.2.4.1.1014) addressed.
underprovisionedVMClear VM storage and memory VM storage and memory are now adequate.
(enterprises.rbt.products.cmc. are now adequate.
17163.1.2.4.1.1019)
certsExpiringClear SSL certificates no longer SSL certificates no longer expiring.
(enterprises.rbt.products.cmc. expiring.
17163.1.2.4.1.1022)
fsMntBytesClear System disk no longer System disk no longer full.

(enterprises.rbt.products.cmc. full.
17163.1.2.4.1.1023)

linkStateClear Interface has regained Interface has regained link.

(enterprises.rbt.products.cmc. link.
17163.1.2.4.1.1024)
raidErrorClear RAID ok now. The RAID is working.

(enterprises.rbt.products.cmc.
17163.1.2.4.1.1025)

Acronyms and Abbreviations
AAA. Authentication, Authorization, and Accounting.
ACL. Access Control List.
ACK. Acknowledgment Code
ACS. (Cisco) Access Control Server.
AD. Active Directory.
ADS. Active Directory Services.
AES. Advanced Encryption Standard.
APT. Advanced Packaging Tool
AR. Asymmetric Routing.
ARP. Address Resolution Protocol.
BDP. Bandwidth-Delay Product.
BW. Bandwidth.
CA. Certificate Authority.
CAD. Computer Aided Design.
CDP. Cisco Discovery Protocol.
CHD. Computed Historical Data.
CIFS. Common Internet File System.
CLI. Command-Line Interface.
CMC. Central Management Console.
CPU. Central Processing Unit.

CRM. Customer Relationship Management.
CSR. Certificate Signing Request.
CSV. Comma-Separated Value.
DC. Domain Controller.
DES. Data Encryption Standard.
DID. Deployment ID.
DMZ. Demilitarized zone.
DER. Distinguished Encoding Rules.
DES. Data Encryption Standard
DHCP. Dynamic Host Configuration Protocol.
DNS. Domain Name Service.
DR. Data Replication
DSA. Digital Signature Algorithm.
DSCP. Differentiated Services Code Point.
ECC. Error-Correcting Code.
ERP. Enterprise Resource Planning.
ESD. Electrostatic Discharge.
FDDI. Fiber Distributed Data Interface.
FIFO. First in First Out.
FIPS. Federal Information Processing Standards
FSID. File System ID.
FTP. File Transfer Protocol.
GB. Gigabytes.
GMT. Greenwich Mean Time.
GRE. Generic Routing Encapsulation.
GUI. Graphical User Interface.
HFSC. Hierarchical Fair Service Curve.

HSRP. Hot Standby Routing Protocol.
HSTCP. High-Speed Transmission Control Protocol.
HTTP. HyperText Transport Protocol.
HTTPS. HyperText Transport Protocol Secure.
ICA. Independent Computing Architecture.
ICMP. Internet Control Message Protocol.
ID. Identification number.
IETF. Internet Engineering Task Force.
IGP. Interior Gateway Protocol.
IOS. (Cisco) Internetwork Operating System.
IKE. Internet Key Exchange.
IP. Internet Protocol.
IPMI. Intelligent Platform Management Interface.
IPSec. Internet Protocol Security protocol.
ISL. InterSwitch Link. Also known as Cisco InterSwitch Link Protocol.
L2. Layer-2.
L4. Layer-4.
LAN. Local Area Network.
LED. Light-Emitting Diode.
LRU. Least Recently Used
LZ. Lempel-Ziv.
MAC. Media Access Control.
MAPI. Messaging Application Protocol Interface.
MDI, MDI-X. Medium Dependent Interface-Crossover.
MEISI. Microsoft Exchange Information Store Interface.
MIB. Management Information Base.
MOTD. Message of the Day.

MS GPO. Microsoft Group Policy Object.
MS SMS. Microsoft Systems Management Server.
MS-SQL. Microsoft Structured Query Language.
MSFC. Multilayer Switch Feature Card.
MSI Package. Microsoft Installer Package.
MTU. Maximum Transmission Unit.
MX-TCP. Max-Speed TCP.
NAS. Network Attached Storage.
NAT. Network Address Translate.
NFS. Network File System.
NIS. Network Information Services.
NSPI. Name Service Provider Interface.
NTLM. Windows NT LAN Manager
NTP. Network Time Protocol.
OSI. Open System Interconnection.
OSPF. Open Shortest Path First.
PAP. Password Authentication Protocol.
PBR. Policy-Based Routing.
PCI. Peripheral Component Interconnect.
PEM. Privacy Enhanced Mail.
PFS. Proxy File Service.
PKCS12. Public Key Cryptography Standard #12.
PRTG. Paessler Router Traffic Grapher.
PSU. Power Supply Unit.
QoS. Quality of Service.
RADIUS. Remote Authentication Dial-In User Service.
RAID. Redundant Array of Independent Disks.

RCU. Riverbed Copy Utility.
ROFS. Read-Only File System.
RPC. Remote Procedure Call
RSA. Rivest-Shamir-Adleman encryption method by RSA Security.
RSP. RiOS Services Platform
SA. Security Association.
SDR. Scalable Data Referencing.
SEL. System Event Log.
SFQ. Stochastic Fairness Queuing.
SMB. Server Message Block.
SMI. Structure of Management Information.
SMTP. Simple Mail Transfer Protocol.
SNMP. Simple Network Management Protocol.
SQL. Structured Query Language.
SSH. Secure Shell.
SSL. Secure Sockets Layer.
SYN. Synchronize.
SYN/ACK. Synchronize/Acknowledgement.
TA. Transaction Acceleration.
TACACS+. Terminal Access Controller Access Control System.
TCP. Transmission Control Protocol.
TCP/IP. Transmission Control Protocol/Internet Protocol.
TP. Transaction Prediction.
TTL. Time to Live.
ToS. Type of Service.
U. Unit.
UDP. User Diagram Protocol.

UNC. Universal Naming Convention.
URL. Uniform Resource Locator.
UTC. Universal Time Code.
VGA. Video Graphics Array.
VLAN. Virtual Local Area Network.
VoIP. Voice over IP.
VWE. Virtual Window Expansion.
WAN. Wide Area Network.
WCCP. Web Cache Communication Protocol.

Index
A adding to a group 95
Accounts backups 139
adding a new user 63 configurations, editing 96
capability-based 61 connecting 23
privileges 61 connections, viewing details 200
role-based 61 deleting from console 114
Adaptive Compression setting for data store 240 editing 97, 98, 99, 100, 102, 105, 106, 108, 110, 111,
Add a New TCP Dump 216 112
Administrator editing view of 117
setting password 61, 299 fetching configuration from 17, 113
Alarm Status moving 114
Memory Error 206 navigating 28
Alarm status overview of 15
admission control 206 registering 21
fan error 206 sending CLI commands to 129
link state 206 setting password 126
memory paging 206 shutting down 125
system disk full 207 starting/stopping/restarting 123
temperature 207 upgrading software from console 120
Alarms viewing 117
Alarms page 40 Appliances page
secure vault 41 appliance details 97, 98, 99, 100, 102, 105, 106, 108,
thresholds, setting 40 110, 111, 112
Alarms page 40 appliance information 95, 113
Announcements editing 114, 116
Announcements page 39 groups 94
setting on Home page 39 Push action 118
Announcements page 39 Reboot action 124
Appliance Send CLI commands 129
SSL settings, modifying 105 Set Password action 126, 127, 128
Appliance Operations Shutdown action 125
overview 118 Start/Stop service action 123
push configuration 118 Upgrade action 120
reboot 124 view filtering 117
Send CLI commands 129 Applock optimization 242
Set Password 126, 127, 128 Assignment scheme 283
Shutdown 86, 125 Asymmetric routing
Start/Stop service 123 auto-detection 284
Upgrade 120 Authentication
Appliances RADIUS authentication method 57

Index
setting general security 57 Configurations page 88

TACACS+ authentication method 57 Connection
Authentication methods forwarding, neighbor table settings 286
local 57 history, viewing 160
Authentication tuning with HTTP 247 resetting per in-path rule 230
Auto-detection Connection forwarding 285
of asymmetric routing, about 284 in networking policies 285, 286
Auto-discover rules, overview of 226 Connection History reports 160
Auto-discover, in-path rule 226 Console
Automatic peering 233 fetching appliance configuration 113
network parameters setting 39
B reconnecting to an appliance 113
backing up
security 59
configuration 76
Console Security page 59
statistics 76
Correct addressing 231
Backups
CPU utilization
configuration 139
alarm status 206
reverting to 85
report 198
Balance data store CPU cores 240
CSV file, exporting statistics to 217
Bandwidth Optimization report 153
D
C Data Reduction report 155
Capability-based accounts 61
Data store
user permissions 299
adaptive compression 240
Cascading menus
compression level 239
displaying and using 28
core balancing 240
summary of 29
data reduction 228, 237
Certificates, expiring
data replication settings 237
reports 204
disk layout settings 238
CIFS
Margin Segment Elimination 237
disabling write optimization 240
turning off encryption 236
dynamic throttling 241
Deny in-path rules, overview of 226
optimization 240
Deny privileges 61
SMB signing, disabling 241
Discard in-path rules, overview of 226
CIFS optimizations 242
Disk drive failure
CIFS prepopulation
email notification 52, 273
in optimization policies 243
Documentation, contacting 14
CIFS protocol
DSCP
Overlapping Open Optimization (Advanced)
enforcing 294
setting 242
Cipher setting, for data store encryption 236 E
Class name in QoS 290 Email notification
Class parent in H-QoS 293 in system settings policies 273
CLI commands setting 50
overview of 23 Email page 51
sending to appliances and groups 129 Encapsulation scheme 282
CMC compatibility 12 Encrypted MAPI traffic 250
Compression level for data store 239 Encryption
Configuration data store 236
backups, managing 139 Enhanced automatic peering 233
fetching 17, 113 Enterprise MIB
pushing to appliances 118 accessing 315
saving 30 Ethernet network compatibility 11
configuration Event notification
backing up 76 setting 50
328 Index
Index
Excel 242 setting optimization policies for FTP channels 228

Extended peering 233 In-path rules
External Backups page 76 auto-discover 226
fixed-target 226
F in optimization policies 224, 226
Failure notification
pass-through 226
setting 50
type 226
Fan error alarm status 206
VLAN identification number 227
Fetching configurations 17, 113
Interactive ports
FIFO queue in QoS 292
list of 310
Filtering
appliances view 117 K
groups view 117 Keep-alive
Fixed-target rules 226 for HTTP optimization 246
Flexible licensing 84 Kickoff
Force NTLM 247 reset existing connections that match an in-path
FTP channels, setting optimization policies for 228 rule 230
Full Transparency 231
L
G Licenses
General Security Settings page 57 managing 84
Gratuitous 401 247 Licenses page 84
Groups Link share weight 291
adding appliances to 95 Link state alarm status 206
creating new 94 Local logging
deleting from RiOS 114 setting 53
editing view of 117 Logging in
moving 114 Login page 24
Guaranteed bandwidth, in QoS 290 Logging page 53
Login page 24
H Logout 30
Hash assignment 283
Logs
High availability 283
adding a new log server 275
Home page 25
logging configuration 274, 276
announcement, setting 39
Lotus Notes
MOTD, setting 39
protocols in optimization policies 254
Host settings
Lotus Notes acceleration 64, 66
Date and Time Settings (Networking Policy) 278
DNS settings (Networking Policy) 277 M
Host Settings (Networking Policy) 278 Managing
Host Settings page 32, 33 configuration backups 139
Proxies (Networking Policy) 278 policies 130
Host Settings page 32, 33 MAPI
HTTP protocols in optimization policies 249
Statistics report 166, 170 Mask assignment 283
HTTP Mode, for Oracle Forms 248 Memory Error alarm status 206
HTTP protocol Memory Paging
HTML Tags to Pre-fetch settings (Optimization alarm status 206
Policy) 245 reports 199
Server Subnet Setting (Optimization Policy) 246 Message of the day (MOTD), setting 39
settings (Optimization Policy) 244 MIB file
accessing 315
I SNMP traps sent 316
Inheritance
Microsoft Office 242
of policy feature sets 131
Microsoft Project, optimizing 251
In-path

Index
Monitor Oracle Forms, optimization policies 247

setting password 61, 299 Overview
Monitored ports of asymmetric routing auto-detection 284
setting 42 port labels 298
Monitored Ports page 42
MOTD (Message of the Day), setting 39 P
Packet-order queue 292
MS-SQL
Pages 24, 61
ports 252
Alarms page 40
MTU value, setting 37, 38, 101, 102, 105
Announcements page 39
Multi-core balancing in data store 240
Appliances page 97, 98, 99, 100, 102, 105, 106, 108,
MX-TCP
110, 111, 112
queue in QoS 292
Configurations page 88
My Account page 87
Console Security page 59
N Email page 51
Navigation 28 External Backups 76
Network Interfaces page 36 General Security Settings page 57
Network parameters, setting 39 Home page 25
Networking Policy settings Host Settings page 32, 33
described 132 Licenses page 84
feature sets 132 Logging page 53
QoS Classes 290 Monitored Ports page 42
NFS My Account page 87
protocols in optimization policies 252 Network Interfaces page 36
NFS protocol RADIUS page 68
Override NFS Protocol (Optimization Policy) 253, Reboot/Shutdown 86
254 Reboot/Shutdown page 86
setting (Optimization Policy) 252 Scheduled Jobs 82
NSPI port, setting 249 Secure Vault page 72
SNMP page 44, 45, 48
O Software Upgrade page 85
Object Prefetches
TACACS+ page 70
configuring for HTTP optimization 244
Web Settings page 75
Online documentation 13
Welcome page 26
Online help 30
Password
Online notes 13
setting for admin 61, 299
Optimization
setting for monitor 61, 299
CIFS 242
setting on appliances and groups 126
disabling CIFS SMB signing for 241
Peering
Encrypted MAPI traffic 250
extended 233
print jobs 242
Peering rules
Optimization Policies Settings
overlapping optimization settings 242
CIFS Prepopulation 243
settings 240
described 132
Peers per Steelhead appliance 233
feature sets 132
Performance
in-path rules 224, 226
optimization policies 238
Lotus Notes 254
Performance, optimization policies 238
MAPI 249
PFS
NFS 252
permission to configure 300
Oracle Forms 247
Policies
Performance 238
assigning 136
Oracle Forms
assigning to a group 136
disabling 248
creating new 133
optimization policies 247
editing 134
Oracle Forms traffic, in-path rule 227
330 Index
Index
inheritance 131 MXTCP 292

networking policy 132 packet-order 292
optimization policy 132 SFQ 292
overview 130
security policy 132 R
RADIUS
system settings policy 132
authentication method, RADIUS page 68
types 131
authentication method, setting 57, 68, 298
Port Transparency 231
default settings 301
Ports
server settings 301
commonly excluded 310
RBT-Proto
default listening 309
common ports used by the system 309
interactive ports forwarded 310
Read privileges 61
labels, overview of 298
Reboot/Shutdown 86
monitored ports 42
Release notes 13
ports setting 248
Reports
secure automatically forwarded 311
Appliance Details 200
secure, automatically forwarded 311
Bandwidth Optimization 153
Preoptimization policy
Connection History 160
preoptimization policy 248
CPU Utilization 198
SSL 227
Data Reduction 155
Primary gateway IP address 37, 101
Expiring Certificates 204
Print optimization 242
Export Performance Statistics 217
Printing pages and reports 30
HTTP Statistics 166, 170
Privileges
Memory Paging 199
deny 61
printing 30
read 61
QoS Statistics 192, 194
write 61
SSL Servers 172
Process dumps, displaying and downloading 214
Throughput 150
Professional services, contacting 14
Traffic Summary 158
Proxies
Reset
host settings in networking policies 278
existing client connections matching an in-path
Q rule 230
QoS Reuse Auth 247
class name 290 Reverting
FIFO queue 292 to a backup version 85
latency priority 290 Role based accounts
MX-TCP queue 292 user permissions 299
service ports for multiple mappings 235 Role-based accounts 61
SFQ queue 292 Role-based user permissions 61
Statistics report 192, 194 User Permissions page 61
QoS classes Routing
General QoS Settings (Networking Policy) 289 asymmetric, auto-detection of 284
in networking policies 290 enabling simplified 284
QoS rules 293 RSP
setting rules for 294 permission to configure 300
QoS marking
optimized (Networking Policy settings) 296 S
Scheduled Jobs page 82
passthrough (Networking Policy settings) 297
SDR Adaptive setting for data store 237
QoS DSCP monitor settings (Networking Policy
SDR-M 237
settings) 295
Secure vault
QoS policies, port transparency 231
alarm 41, 267
Queue
unlocking and changing the password 72
FIFO 292
Secure Vault page 72

Index
Security U
setting for console 59 Upgrading
Security policies license 84
described 132 software on appliances 120
feature sets 132 Upper bandwidth 291
Security signatures, disabling 241 User permissions
Server Message Block (SMB) optimization 241 capability-based accounts 299
Service ports role based accounts 299
setting service ports 235 role-based 299
Service ports settings 235, 236 User Permissions page 61
SFQ queue in QoS 292 Users
Shutting down 86 adding new 63
SMB signing permissions 61
disabling 241 User Permissions page 62
Snapshots, displaying and downloading 214
V
SNMP Vista SMB support 241
SNMP page 44, 45, 48 VLAN
trap receiver, adding 270 identification number 227
trap receivers, setting 43, 45, 47 preserving tags 231
traps, summary of sent 316
SNMP compatibility 11 W
Software Upgrade page 85 WAN
Speed and duplex visibility modes 231
avoiding a mismatch 37, 101 WCCP
SSL groups (Networking Policy settings) 280
modifying for appliance 105 multiple Steelhead interfaces 280
peer ciphers 259 service groups 279
SSL Servers report 172 service groups (Networking Policy settings) 279
statistics Web settings
backing up 76 Web Settings page 75
Strip Auth Header 247 Web Settings page 75
Strip compression 246 Welcome page 26
System Windows Vista SMB support 241
logging out 30 Write privileges 61
System disk full alarm status 207
System Settings Policy settings
described 132
email notification 273
feature sets 132
T
TACACS+
authentication method, setting 57, 70, 298
default settings 302
server settings 302
TACACS+ page 70
TCP Dump 216
TCP dumps, displaying 214
Temperature alarm status 207
Throughput report 150
Traffic Summary report 158
Transparent addressing 231
Traps, summary of SNMP traps sent 316
332 Index

Central Management Console Users Guide

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Central Management Console Users Guide

Uploaded by

Copyright:

Available Formats

Steelhead Central Management Console

Chapter 1 - Overview of the CMC ............................................................................................................15

Steelhead Central Management Console User’s Guide iii

CMC Command-Line Interface .................................................................................................................23

Chapter 2 - Configuring the CMC............................................................................................................31

Chapter 3 - Managing Appliance Groups ...............................................................................................91

iv Steelhead Central Management Console User’s Guide

Creating a New Appliance Group .....................................................................................................94

Chapter 4 - Displaying and Customizing Reports ...............................................................................149

Steelhead Central Management Console User’s Guide v

Viewing CPU Utilization Reports ....................................................................................................198

Appendix A - Policy Parameters and Settings .....................................................................................221

vi Steelhead Central Management Console User’s Guide

Monitored Ports ..................................................................................................................................269

Appendix B - Riverbed System Ports ...................................................................................................309

Appendix C - CMC Management Information Base (MIB) ...................................................................315

Acronyms and Abbreviations................................................................................................................321

Steelhead Central Management Console User’s Guide vii

viii Steelhead Central Management Console User’s Guide

About This Guide

Steelhead Central Management Console User’s Guide 9

[] Optional keywords or variables appear in brackets. For example:

{} Required keywords or variables appear in braces. For example:

10 Steelhead Central Management Console User’s Guide

Hardware and Software Dependencies

CMC Hardware Requirements Software and Operating System Requirements

Ethernet Network Compatibility

SNMP-Based Management Compatibility

Steelhead Central Management Console User’s Guide 11

12 Steelhead Central Management Console User’s Guide

Online File Purpose

Riverbed Knowledge Base

Riverbed Technical Support

Steelhead Central Management Console User’s Guide 13

14 Steelhead Central Management Console User’s Guide

Overview of the CMC

Steelhead Central Management Console User’s Guide 15

Centralized Configuration with Groups and Policies

Inheriting or Overriding Policy Settings from a Parent Group

16 Steelhead Central Management Console User’s Guide

Upgrading from Previous Versions of the CMC

Steelhead Central Management Console User’s Guide 17

General Appliance Configuration

1. Configuration - Non-appliance-specific configurations are saved as policies. Appliance-specific

18 Steelhead Central Management Console User’s Guide

Upgrading the CMC Software Version

To upgrade the software

2. Log in to the current CMC.

3. Click Configure to expand the Configure menu.

6. Click Install Upgrade.

7. After the new image installs, reboot the CMC:

Steelhead Central Management Console User’s Guide 19

Registering the Steelhead Appliances

Organizing Steelhead Appliances into Groups

Creating New Policies from Steelhead Configurations

To create new policies from existing Steelhead configurations

1. Choose Manage > Appliances to display the Appliances page.

3. Scroll down to the Utilities panel.

6. Repeat the preceding steps for each appliance.

20 Steelhead Central Management Console User’s Guide

Modifying Policies to Appliances and Appliance Groups

Assigning Policies to Appliances and Appliance Groups

Pushing Policy Configuration to Remote Appliances