SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide. Models xx60 Version 10.8 January 2015

SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide Models xx60 Version 10.8 January 2015

2015 Riverbed Technology, Inc. All rights reserved. Riverbed, SteelApp, SteelCentral, SteelFusion, SteelHead, SteelScript, SteelStore, Steelhead, Cloud Steelhead, Virtual Steelhead, Granite, Interceptor, Stingray, Whitewater, WWOS, RiOS, Think Fast, AirPcap, BlockStream, FlyScript, SkipWare, TrafficScript, TurboCap, WinPcap, Mazu, OPNET, and Cascade are all trademarks or registered trademarks of Riverbed Technology, Inc. (Riverbed) in the United States and other countries. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein cannot be used without the prior written consent of Riverbed or their respective owners. F5, the F5 logo, icontrol, irules and BIG-IP are registered trademarks or trademarks of F5 Networks, Inc. in the U.S. and certain other countries. Linux is a trademark of Linus Torvalds in the United States and in other countries. VMware, ESX, ESXi are trademarks or registered trademarks of VMware, Incorporated in the United States and in other countries. Portions of SteelCentral products contain copyrighted information of third parties. Title thereto is retained, and all rights therein are reserved, by the respective copyright owner. PostgreSQL is (1) Copyright 1996-2009 The PostgreSQL Development Group, and (2) Copyright 1994-1996 the Regents of the University of California; PHP is Copyright 1999-2009 The PHP Group; gnuplot is Copyright 1986-1993, 1998, 2004 Thomas Williams, Colin Kelley; ChartDirector is Copyright 2007 Advanced Software Engineering; Net-SNMP is (1) Copyright 1989, 1991, 1992 Carnegie Mellon University, Derivative Work 1996, 1998-2000 Copyright 1996, 1998-2000 The Regents of The University of California, (2) Copyright 2001-2003 Network Associates Technology, Inc., (3) Copyright 2001-2003 Cambridge Broadband Ltd., (4) Copyright 2003 Sun Microsystems, Inc., (5) Copyright 2003-2008 Sparta, Inc. and (6) Copyright 2004 Cisco, Inc. and Information Network Center of Beijing University of Posts and Telecommunications, (7) Copyright Fabasoft R&D Software; Apache is Copyright 1999-2005 by The Apache Software Foundation; Tom Sawyer Layout is Copyright 1992-2007 Tom Sawyer Software; Click is (1) Copyright 1999-2007 Massachusetts Institute of Technology, (2) Copyright 2000-2007 Riverbed Technology, Inc., (3) Copyright 2001-2007 International Computer Science Institute, and (4) Copyright 2004-2007 Regents of the University of California; OpenSSL is (1) Copyright 1998-2005 The OpenSSL Project and (2) Copyright 1995-1998 Eric Young (eay@cryptsoft.com); Netdisco is (1) Copyright 2003, 2004 Max Baker and (2) Copyright 2002, 2003 The Regents of The University of California; SNMP::Info is (1) Copyright 2003-2008 Max Baker and (2) Copyright 2002, 2003 The Regents of The University of California; mm is (1) Copyright 1999-2006 Ralf S. Engelschall and (2) Copyright 1999-2006 The OSSP Project; ares is Copyright 1998 Massachusetts Institute of Technology; libpq++ is (1) Copyright 1996-2004 The PostgreSQL Global Development Group, and (2) Copyright 1994 the Regents of the University of California; Yahoo is Copyright 2006 Yahoo! Inc.; pd4ml is Copyright 2004-2008 zefer.org; Rapid7 is Copyright 2001-2008 Rapid7 LLC; CmdTool2 is Copyright 2008 Intel Corporation; QLogic is Copyright 2003-2006 QLogic Corporation; Tarari is Copyright 2008 LSI Corporation; Crypt_CHAP is Copyright 2002-2003, Michael Bretterklieber; Auth_SASL is Copyright 2002-2003 Richard Heyes; Net_SMTP is Copyright 1997-2003 The PHP Group; XML_RPC is (1) Copyright 1999-2001 Edd Dumbill, (2) Copyright 2001-2006 The PHP Group; Crypt_HMAC is Copyright 1997-2005 The PHP Group; Net_Socket is Copyright 1997-2003 The PHP Group; PEAR::Mail is Copyright 1997-2003 The PHP Group; libradius is Copyright 1998 Juniper Networks. This software is based in part on the work of the Independent JPEG Group the work of the FreeType team. This documentation is furnished "AS IS" and is subject to change without notice and should not be construed as a commitment by Riverbed Technology. This documentation may not be copied, modified or distributed without the express authorization of Riverbed Technology and may be used only in connection with Riverbed products and services. Use, duplication, reproduction, release, modification, disclosure or transfer of this documentation is restricted in accordance with the Federal Acquisition Regulations as applied to civilian agencies and the Defense Federal Acquisition Regulation Supplement as applied to military agencies. This documentation qualifies as "commercial computer software documentation" and any use by the government shall be governed solely by these terms. All other use is prohibited. Riverbed Technology assumes no responsibility or liability for any errors or inaccuracies that may appear in this documentation. Individual license agreements can be viewed at the following location: https://<appliance_name>/license.php This manual is for informational purposes only. Addresses shown in screen captures were generated by simulation software and are for illustrative purposes only. They are not intended to represent any real traffic or any registered IP or MAC addresses. Riverbed Technology 680 Folsom Street San Francisco, CA 94107 Phone: 415.247.8800 Fax: 415.247.8801 Web: http://www.riverbed.com Part Number 712-00116-11

Contents Chapter 1 - Introduction...1 Additional Resources...1 Safety Guidelines...2 Contacting Riverbed...2 Chapter 2 - Installing the Standard NetProfiler...3 Overview...3 Inventory and inspection...4 Preparations for installation...4 Mounting location...4 Data sources...5 Cable connections...5 Access to the network...5 Configuration information...6 Licensing strategy...8 Downloading and adding license keys...8 Automatically adding license keys...9 Manually adding license keys...9 Mounting and powering...9 Safety information...9 Rack mounting the chassis...9 Cabling to the network...10 Configuring the Standard NetProfiler...10 License activation...11 Generating the license keys...12 Manually adding the license keys...12 Additional configuration...13 Installation verification...14 Hardware specifications...15 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide iii

Contents Rack space...15 Power...15 Cooling...15 Console port pin-out...16 Chapter 3 - Installing the Enterprise NetProfiler...17 Overview...17 Inventory and inspection...18 Preparations for installation...18 Mounting location...18 Data sources...19 Cable connections...19 Access to the network...20 Configuration information...21 Licensing strategy...22 Downloading and adding license keys...22 Automatically adding license keys...23 Manually adding license keys...23 Mounting and powering...23 Safety information...23 Rack mounting the chassis...24 Cabling to the network...24 Configuring the Enterprise NetProfiler...25 License activation...25 Generating the license keys...26 Manually adding the license keys...27 Additional configuration...27 Installation verification...28 Hardware specifications...29 Rack space...29 Power...30 Cooling...30 Console port pin-out...30 Chapter 4 - Installing the NetExpress...31 Overview...31 Inventory and inspection...32 Preparations for installation...32 Mounting location...32 Data sources...33 Cable connections...33 Access to the network...34 Configuration information...35 iv SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Contents Licensing strategy...37 Downloading and adding license keys...37 Automatically adding license keys...38 Manually adding license keys...38 Mounting and powering...38 Safety information...38 Rack mounting the chassis...38 Cabling to the network...39 Configuring the NetExpress...39 License activation...40 Generating the license keys...41 Manually adding the license keys...41 Additional configuration...42 Configuring the Aux interface...42 Specifying static routes...42 Specifying ports on which the NetExpress is to receive flow data...42 Specifying traffic profile periods...43 Installation verification...43 Hardware specifications...44 Rack space...44 Power...45 Cooling...45 Console port pin-out...45 Chapter 5 - Installing the Flow Gateway...47 Overview...47 Inventory and inspection...48 Preparations for installation...48 Mounting location...48 Data sources...49 Cable connections...49 Access to the network...50 Configuration information...50 Licensing strategy...52 Downloading and adding license keys...52 Automatically adding license keys...53 Manually adding license keys...53 Mounting and powering...54 Safety information...54 Rack mounting the chassis...54 Cabling to the network...54 Configuring the Flow Gateway...55 License activation...56 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide v

Contents Generating the license keys...56 Manually adding the license keys...57 Additional configuration...58 Configuring the Aux interface...58 Specifying static routes...58 Specifying ports on which the Flow Gateway is to receive flow data...58 Specifying destinations for traffic information...59 Specifying forwarding destinations for flow data received by the Flow Gateway...60 Installation verification...61 Hardware specifications...61 Rack space...61 Power...62 Cooling...62 Console port pin-out...62 vi SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

CHAPTER 1 Introduction This guide describes installing the Riverbed SteelCentral NetProfiler, NetExpress and Flow Gateway appliances. Installation instructions for the virtual editions of these products are in separate installation guides. Installation includes mounting and cabling the product, connecting it to your network, activating the licenses, and verifying that the appliance is receiving and processing traffic data. When these tasks are completed, the SteelCentral appliance is ready to configure operationally. Operational configuration is described in the online help system of each product. The instructions in this guide refer to the rack mounting guide that is shipped in hard copy with the appliance. Refer to the rack mounting guide as necessary for mounting the rails and chassis in racks. This guide includes: Chapter 2, Installing the Standard NetProfiler Chapter 3, Installing the Enterprise NetProfiler Chapter 4, Installing the NetExpress Chapter 5, Installing the Flow Gateway Additional Resources The primary source of product information is the online help system. Additional information is available from the Riverbed Support site at https://support.riverbed.com. This includes: Release Notes - posted in the software section of the page for your product. Users Guides - posted in the documentation section of the page for your product. Tech Notes - posted in the documentation section of the page for your product where applicable. Knowledge Base - a database of known issues and how-to documents. You can browse titles or search for key words and strings. Choose Search the Knowledge Base from the Knowledge Base menu. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 1

Introduction Safety Guidelines Safety Guidelines Follow the safety precautions outlined in the Safety and Compliance Guide when installing and setting up your equipment. Important: Failure to follow these safety guidelines can result in injury or damage to the equipment. Mishandling of the equipment voids all warranties. Please read and follow safety guidelines and installation instructions carefully. Many countries require the safety information to be presented in their national languages. If this requirement applies to your country, consult the Safety and Compliance Guide. Before you install, operate, or service the Riverbed product, you must be familiar with the safety information. Refer to the Safety and Compliance Guide if you do not clearly understand the safety information provided in this guide. Contacting Riverbed Options for contacting Riverbed include: Internet - Find out about Riverbed products at http://www.riverbed.com. Support - If you have problems installing, using, or replacing Riverbed products, contact Riverbed Technical Support or your channel partner who provides support. To contact Riverbed Technical Support, please open a trouble ticket at https://support.riverbed.com or call 1-888-RVBD-TAC (1-888-782-3822) in the United States and Canada or +1 415 247 7381 outside the United States. Professional Services - Riverbed has a staff of engineers who can help you with installation, provisioning, network redesign, project management, custom designs, consolidation project design, and custom-coded solutions. To contact Riverbed Professional Services, go to http://www.riverbed.com or email proserve@riverbed.com. Documentation - Riverbed continually strives to improve the quality and usability of its documentation. We appreciate any suggestions you may have about our online documentation or printed materials. Send documentation comments to techpubs@riverbed.com. 2 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

CHAPTER 2 Installing the Standard NetProfiler Overview If you are familiar with installing SteelCentral products and your network environment has the necessary ports open between SteelCentral products, then mount the appliance in the rack and skip to Licensing strategy on page 8. If you are unfamiliar with installing SteelCentral products, then start here. The installation process involves the following steps: 1. Unpack, inspect and inventory the shipment. See Inventory and inspection on page 4. 2. Ensure that the mounting location and network environment will accommodate the appliance. See Preparations for installation on page 4. 3. Collect the configuration information you will need. See Configuration information on page 6. 4. Determine how the licenses are to be activated. See Licensing strategy on page 8 5. Mount the appliance in the rack and connect rack power. See Mounting and powering on page 9. 6. Connect the cables to the console port and the primary network port. See Cabling to the network on page 10. 7. Run the setup wizard on the console port to make the appliance reachable on the network. See Configuring the Standard NetProfiler on page 10. 8. Ensure that the licenses for the appliance are activated. See License activation on page 11 9. Perform additional configuration, as necessary. See Additional configuration on page 13. 10. Verify that the appliance has been successfully installed. See Installation verification on page 14. Refer to the Hardware specifications on page 15 for dimensions, weight and power requirements. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 3

Installing the Standard NetProfiler Inventory and inspection Inventory and inspection 1. Check the shipping documentation to ensure that all cartons have arrived. 2. If you have not already done so, visually inspect each carton for indications of damage. 3. If any cartons are damaged or missing, contact Riverbed Support before continuing. Phone United States and Canada: 1 888 782 3822 Phone outside U.S. and Canada: +1 415 247 7381 Email: support@riverbed.com Web: https://support.riverbed.com 4. Unpack the contents of the shipping cartons and inventory the contents against the shipping documentation. 5. If any components of the order are damaged or missing, contact Riverbed Support. Preparations for installation Before installing the chassis, ensure that the following considerations have been addressed: Mounting location Data sources Cable connections Access to the network Mounting location The Standard NetProfiler appliance requires a 2U rack space in a 4-post, 19-inch rack or cabinet. It should be mounted in a rack that is appropriately sized for the chassis using the rails provided. Additional rails can be purchased from Riverbed using part number RMK-CAP-001. The rack should be properly secured to a level solid surface to prevent tipping or excess shock while the unit is operating. (Operating shock limits are half sine, 2 g peak, 11 msec.) Appliances should never be installed in an unsecured location such as on a table or shelf. They should never be stacked on top of one another. Manufacturing data for the units indicates that premature disk drive failure can result from vibration transmitted between units that are in direct contact with one another. The appliances should be installed so that the ventilation openings on the front and rear of the units are not blocked and so air flows from the front to the rear of the unit to facilitate proper cooling. Each fan within the appliance is capable of supporting multiple speeds. If the internal ambient temperature of the appliance exceeds the value programmed into the thermal sensor data record (SDR), the BMC firmware increases the speed for all the fans within fan module. Improper cooling can result in the appliance overheating, which could cause premature failure of sensitive components, such as the CPUs. In addition, overheating can result in the fans running at a higher speed for extended periods, which increases the amount of vibration in the appliance. Excess vibration can result in premature disk drive failure. 4 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Preparations for installation Installing the Standard NetProfiler Refer to Hardware specifications on page 15 to ensure that the mounting location accommodates the dimensions, weight, power and cooling requirements of the appliance. Data sources The NetProfiler obtains traffic information from Cascade Sensor and SteelCentral Flow Gateway, NetShark, and AppResponse appliances. The NetProfiler must be receiving traffic information from at least one source in order for you to verify successful installation and configuration. There are two approaches to setting up data sources: Set up the available data sources and point them to the IP address of the NetProfiler before you install it. Install the NetProfiler up to the point of verification, then go install or configure the data sources, and then return to the SteelCentral product to complete the installation verification. It is preferable to configure all the data sources that are available at the time you install the SteelCentral product. However, product operation can be confirmed with just one data source. Cable connections Power The SteelCentral product has two power supplies. Plug these into two different circuits, if they are available. Console port The initial setup of the SteelCentral product is performed using a console port. Ensure that you have a terminal server or a system running a terminal emulation program such as HyperTerminal or Tera Term Pro. Connect this to the SteelCentral product console port using a null modem cable with a 9-pin D-subminiature connector. Any standard serial device connection will work. Primary port The NetProfiler is equipped with a 100/1000baseTX primary management port that must connect to a hub or switch on the management network. The primary port is set by default for auto-negotiation. Ensure that: A straight-through cable to a hub or switch port on the management network is available at the rack location. The management network switch port is set to establish a connection at 100 or 1000 Mb/s and full duplex. A terminal device (laptop, KVM, etc.) is available on the management network for logging in to the NetProfiler user interface. Access to the network The NetProfiler uses the management network to communicate with other SteelCentral products and to access network services. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 5

Installing the Standard NetProfiler Configuration information Communication between SteelCentral products If you lock down your network on a port-by-port basis, ensure that the following ports are open between SteelCentral products: TCP/22 (ssh) This is needed for the NetProfiler to transfer upgrade packages to other SteelCentral products that are connected to it. TCP/443 (https) Secure web-based management interfaces. TCP/8443 Exchange of encryption certificates between SteelCentral products. TCP/41017 Encrypted communication between NetProfiler, Flow Gateway, NetShark, and AppResponse appliances. UDP/123 (ntp) Synchronization of time between a Flow Gateway and NetProfiler. Access to and from network access services TCP/22 (ssh) This is needed for secure shell access to software components and for the appliance to obtain information from servers via scripts. UDP/161 (snmp) The NetProfiler uses SNMP to obtain interface information from switches. Also, management systems use this port to read the SteelCentral product MIB. TCP/443 (https) Secure web-based management interfaces. TCP/5432 (odbc) If you will be allowing other applications to access the NetProfiler internal database via ODBC, then you must allow traffic on this port. 42999 If you will be using the NetProfiler user identification feature with a Microsoft Active Directory domain controller, then you must allow traffic on port 42999. Vulnerability scanner ports If you will be using the NetProfiler vulnerability scan feature, then you must allow traffic on the port that the SteelCentral product is to use for accessing the vulnerability scanner server. Obtain vulnerability scanner server addresses and port numbers from the administrator of those systems. The default ports are as follows: Nessus: 1241 ncircle: 443 Rapid7: 3780 Qualys: Requires external https access to qualysapi.qualys.com (Note: This is separate from qualysguard.qualys.com.) Foundstone: 3800 Configuration information When you configure the NetProfiler, you will be asked to provide configuration information. Information that is required to complete the installation is listed in the table that follows with an asterisk (*). Items not marked with an asterisk are optional during installation and can be specified afterwards on the NetProfiler Configuration > General Settings page if necessary. 6 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Configuration information Installing the Standard NetProfiler It may be useful to write the configuration values in the blank column of the checklist below so that you can refer to them during the configuration step or afterward. NetProfiler host name:* NetProfiler IP address:* Netmask:* Default gateway:* DNS name resolution for hosts (enable or disable): Primary DNS server IP address: Secondary DNS server IP address: DNS search domain: Primary port settings: (10/100/1000 Mb/s, half- or full-duplex, or auto-negotiate) Switch port settings: The settings of the switch port or hub that the NetProfiler primary port connects to. (Auto-negotiate is recommended.) NTP server IP addresses:* Applies only if NetProfiler is being synchronized to an external NTP server. Enter one or more addresses as a commaseparated list. Time Zone: Flow encryption certificate (default or new certificate): For faster installation, use the default encryption certificate shipped with the NetProfiler and then generate a new certificate later. SNMP information: NetProfiler is set by default to use SNMP Version 1 and to allow MIB browsing. If you are configuring SNMP at this time, obtain the necessary V1 or V3 information. Outgoing mail server name, port number, and From address. Applies only if you will be specifying a server that NetProfiler is to use for sending reports or alert notifications. Inside addresses: IP addresses or address ranges of hosts that the NetProfiler is to track individually. The default values are 10/8,172.16/ 12,192.168/16 Security Profile settings:* You can use either three traffic collection profiles (weekdays, weeknights, and weekends) or four (weekdays, weeknights, Saturdays, and Sundays). After installation, you can define others. You can also specify the times when weekdays begin and end (default times are 9:00 am to 5:00 pm). Password to use for your initial NetProfiler login:* The default password admin. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 7

Installing the Standard NetProfiler Licensing strategy New password to enter when prompted to change the initial NetProfiler password:* Applies only to systems not previously configured. Service Management Leave this set to ByLocation unless you are required to choose another group type for service locations. Licensing strategy Capacity and feature licenses must be activated on the Riverbed licensing web site. SteelCentral products that have been configured and have access to Internet automatically download the license keys that have been assigned to their serial numbers on the licensing web site. If the appliance does not have Internet access, then you must add its license keys manually. The licensing web site provides the flexibility to assign different feature and capacity licenses to different appliances. You can ship appliances to remote locations without concern for which appliance is to have which license. When you have the serial numbers and know where the appliances are deployed in the network, you can make the license assignments on the Riverbed licensing web site. When all the appliances are to be licensed for the same features and capacities, the licensing web site handles this automatically. The appliances can automatically download their licenses without your needing to visit the licensing web site. Downloading and adding license keys If the NetProfiler is configured and has Internet connectivity, it can download its license keys automatically. Otherwise, someone must email the keys from the Riverbed licensing web site and then copy them from the email, or copy them directly from the Riverbed licensing web site, and someone must add them to the NetProfiler manually. Determine which strategy you are using. Will you activate the licenses on the Riverbed licensing web site yourself? Or will someone else do that? If the NetProfiler you are installing does not have Internet access, how will you ensure that it gets its assigned license keys? Will you email them to yourself from the Riverbed licensing site? Will you copy them from the Riverbed licensing site? Or will someone else provide the license keys for you to add to the NetProfiler manually? Typically, the installer: 1. Mounts, cables and configures this appliance and the other SteelCentral products that were ordered with it. 2. Records the product serial number from the chassis of each appliance. 3. Sends the serial number for each appliance, along with the appliance location on the network, to the network manager. Then the network manager: 1. Logs in to the Riverbed licensing web site. 2. Enters the product serial number of the first SteelCentral product to gain access to the licensing page. The Riverbed licensing page lists the licenses for the appliance. 8 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Mounting and powering Installing the Standard NetProfiler 3. For each serial number, activate the licenses that apply to that serial number. Using the Riverbed licensing web site is described after the configuration step. See License activation on page 11. After the licenses have been activated on the Riverbed licensing web site, the license keys can be added to the NetProfiler either automatically or manually. Automatically adding license keys SteelCentral products that have access to Internet automatically download the license keys that have been assigned to their serial numbers on the licensing web site. If the appliance has been configured to be accessible on the network and if it has access to the Internet, then it automatically downloads its license keys when you click Configure Now on the initial Setup page. If you select the Enable automatic license download from Riverbed option on the Configuration > Licenses page, the appliance checks for any additional licenses once per day. Manually adding license keys If the NetProfiler does not have access to the Internet, then it is necessary to add the license keys manually. This involves copying and pasting the keys into the NetProfiler licensing page. You can have the license keys emailed to yourself from the licensing web site and copy them from the email, or you can copy them directly from the web site. Alternatively, the person who generates the keys on the web site can provide them to you. Once you have the keys, you paste them into the Configuration > Licenses page. Mounting and powering Safety information Follow the safety precautions outlined in the Riverbed Safety and Compliance Guide when installing and setting up your system. The guide contains the safety information in multiple languages. Before you install, operate, or service your system, you must be familiar with the safety information. Note: Failure to follow these safety guidelines can result in injury or damage to the equipment. Mishandling of the equipment voids all warranties. Please read and follow the safety guidelines and installation instructions carefully. CAUTION: Slide/rail mounted equipment is not to be used as a shelf or a work space. Rack mounting the chassis 1. Locate the rails in the shipping carton. 2. Locate the Rack Installation Guide in the documentation kit. 3. Mount the rails in the rack and install the chassis on the rails, as described in the instructions. CAUTION: Observe the safety cautions in the mounting instructions. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 9

Installing the Standard NetProfiler Cabling to the network 4. Connect the power cable to the chassis and to rack power. The system starts up automatically when power is connected. However, you can use the power button to power off the system if necessary. Cabling to the network 1. Connect a system running a terminal emulation program such as HyperTerminal or Tera Term Pro to the 9-pin D- subminiature Console port connector of the NetProfiler. 2. Connect the cable from the management network to the Primary connector on the NetProfiler. Primary Port Connector Console Port Connector Configuring the Standard NetProfiler 1. On the system connected to the Console port connector, set the terminal emulator for 9600 Baud, 8 data bits, 1 stop bit, no parity bit, and no flow control. 2. Use your terminal emulator to log in through the console port. The default login credentials are: User name: admin Password: admin 3. When the configuration wizard starts, enter the required information at the prompts. MGMT IP ADDRESS MGMT SUBNET MASK MGMT GATEWAY IP ADDRESS Finish Setup and Reboot? (yes/no): 4. When the wizard completes and exits, the system reboots. Wait until the system finishes rebooting before continuing with the next step. 5. On the management network, point your web browser to the IP address you specified in the configuration wizard using the console port. 10 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

License activation Installing the Standard NetProfiler https://<netprofiler_ip_address> 6. Log in to the NetProfiler user interface. The default credentials are: User name: admin Password: admin The first time you log in to the NetProfiler user interface, it displays the Setup page. 7. On the Setup page, ensure that all the required fields (marked with an asterisk) are filled in. 8. At the bottom of the Setup page, click Configure Now. When you click Configure Now, the NetProfiler automatically fetches the license keys that are assigned to it on the Riverbed licensing web site, if the NetProfiler has Internet access. If the NetProfiler does not have access to the Internet, it is necessary to activate the license manually. License activation If the licenses have been activated on the Riverbed licensing web site and the NetProfiler has downloaded its licensing keys, skip to the next step: Additional configuration on page 13. To confirm that the NetProfiler has downloaded its license keys from the Riverbed licensing web site, 1. Log in to the NetProfiler using the admin account user name and the password that you specified in the preceding step. 2. Navigate to the Configuration > Licenses page. If the License Key column lists an MSPEC license key, then NetProfiler has downloaded its licenses from the licensing web site and you can proceed with installation verification. If no MSPEC license key is listed, then NetProfiler has not downloaded its license keys. 3. Click Fetch Updates Now. If the NetProfiler has Internet access and the licenses have been activated on the Riverbed licensing web site, then the license keys will be listed within a few minutes. If the NetProfiler does not have Internet access, or if its licenses have not been activated on the Riverbed licensing site, then it will not be able to fetch its license keys. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 11

Installing the Standard NetProfiler License activation If you have been given the license keys, enter them manually as described below. If you are responsible for generating the license keys, 1. Go to the Riverbed licensing web site and generate the keys. (See Generating the license keys, next.) 2. Copy the license keys or else email them to a machine that has access to the NetProfiler. 3. Manually add the license keys to the NetProfiler Configuration > Licenses page. Generating the license keys To generate a license key on the Riverbed licensing site: 1. Ensure that you have product serial number for each appliance. This is located on the rear of the chassis. The number identified as SN is the product serial number. 2. Point your browser to the Riverbed licensing portal: https://licensing.riverbed.com 3. Enter the product serial number. This displays a table listing the serial numbers of all the SteelCentral products purchased on the same purchase order as the appliance whose serial numbers you entered. 4. If you purchased only one appliance, then the licenses you purchased are already assigned to that appliance. If you purchased more than one appliance, use the drop-down list boxes in the Software column for each serial number to assign the correct licenses to each appliance. Select or multi-select the licenses you want to activate for each appliance. 5. Follow the instructions of the licensing wizard to continue the process and generate the license keys. 6. If the NetProfiler has Internet access, it automatically downloads the licenses that have been assigned to its serial number. If the NetProfiler does not have access to Internet and cannot fetch license keys from the Riverbed licensing site, then it is necessary to enter the license keys manually on the NetProfiler Configuration > Licenses page. To get the keys for entering manually, continue with the next step on the licensing web site. 7. Either choose the option to email the license keys to yourself, or else copy the activated license keys from the table. 8. Place the keys in a file that is accessible to the machine you are using for configuring the NetProfiler. Manually adding the license keys 1. On the NetProfiler, navigate to the Configuration > Licenses page and click Add License(s). 12 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Additional configuration Installing the Standard NetProfiler 2. Paste or type the license keys into the Licenses page. When entering more than one license key, use a commaseparated list. 3. Confirm that the licenses are listed on the Configuration > Licenses page and that the status of each is green. When the license keys have been added, the NetProfiler is fully functional and ready for additional configuration or for installation verification. Additional configuration Additional configuration tasks, such as specifying configurations that are not available on the Setup page, can be performed by logging in to the NetProfiler after the licenses have been activated. For example, you may want to set up security profile periods as early as possible. The initial Setup page offers the choice of collecting separate traffic profiles for: Weekdays, weeknights, and weekends, or Weekdays, weekends, Saturdays, and Sundays. If you want to add more profiles or use a different profile scheme, 1. Log in to the NetProfiler. 2. Go to the Behavior Analysis > Policies page Security tab and click Security Profiles. This opens the Security Profiles page. 3. Click Reconfigure Weekly Scheme to open the profile scheme composer. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 13

Installing the Standard NetProfiler Installation verification 4. Specify the days and times of the traffic collection profiles you want to use. When you specify a new security profile scheme, NetProfiler discards any current baseline information and begins collecting new data. For descriptions of making other configuration changes, refer to the NetProfiler on line help system. Installation verification Installation verification requires the NetProfiler to be receiving traffic data from at least one source. To determine if the NetProfiler is receiving data, log in and navigate to the System > Devices/Interfaces page. Check the status of the Cascade Sensor, Flow Gateway, ans NetShark appliances or other data source devices on the Devices tab. When a data source comes on line, the NetProfiler begins collecting data. If no data sources are listed on the System > Devices/Interfaces page Devices tab, then NetProfiler installation and configuration cannot be verified. Set up at least one data source device (preferably all data source devices) and then perform the installation verification as follows. 1. Go to the Dashboard page and verify that the graphs display data. 2. Go to the System > Information page and assure that all status indications are displaying OK. 3. Go to the System > Devices/Interfaces page and assure that each data source that is expected to be available is listed and that no status indicators are red. 4. Go to the Reports > Traffic page. Near the bottom of the Report Criteria section, click Run now. Verify that a traffic report is displayed. (It will take a short time for the report to display.) This completes the installation process. The NetProfiler can now be turned over to those who are responsible for setting up user accounts and operational parameters. Refer to the on line help system for further configuration procedures. 14 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Hardware specifications Installing the Standard NetProfiler Hardware specifications Rack space The NetProfiler requires a 2U rack space and is best mounted in a 4-post, 19-inch rack or cabinet. It can also be mounted in a 2-post, 19-inch rack, but this requires a deep shelf. Product model: CAP-02260 (Regulatory compliance code 2UACA) Dimensions without bezels or mounting flanges: Height: 87.1 mm, 3.4 in. Width 436.1 mm, 17.2 in. Depth: 644.4 mm, 25.4 in. Dimensions with all protrusions: Height: 88.9 mm, 3 1/2 in. Width: 487.4 mm, 19 3/16 in. Depth: 685.8 mm, 27 in. Weight: 27.2 kg, 60 lbs. Power The NetProfiler requires: 100V-127V, 50/60 Hz, 5.5A, or 200V-240V, 50/60 Hz, 2.8A Cooling The NetProfiler requires up to approximately1433 BTU/hour of cooling, depending on the model. Ambient air should be: Operating Air temperature: 10 to 40 C (50 to 95 F) Humidity: 20% to 80% non-condensing Storage Air temperature: 40 to 65 C ( 40 to 149 F) Humidity: 5% to 95% non-condensing The maximum rate of temperature change should not to exceed 10 C per hour. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 15

Installing the Standard NetProfiler Hardware specifications Console port pin-out The console port uses a DB-9 subminiature connector with standard wiring as follows. Pin Function 1 Data Carrier Detect 2 Receive Data 3 Transmit Data 4 Data Terminal Ready 5 Signal Ground 6 Data Set Ready 7 Request to Send 8 Clear to Send 16 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

CHAPTER 3 Installing the Enterprise NetProfiler Overview If you are familiar with installing SteelCentral products and your network environment has the necessary ports open between SteelCentral products, then mount the appliance in the rack and skip to Licensing strategy on page 22. If you are unfamiliar with installing SteelCentral products, then start here. The installation process involves the following steps: 1. Unpack, inspect and inventory the shipment. See Inventory and inspection on page 18. 2. Ensure that the mounting location and network environment will accommodate the appliance. See Preparations for installation on page 18. 3. Collect the configuration information you will need. See Configuration information on page 21. 4. Determine how the licenses are to be activated. See Licensing strategy on page 22 5. Mount the modules (each chassis is a module) in the rack and connect rack power. See Mounting and powering on page 23. 6. Connect the cables to the console port and the primary network port of each module. See Cabling to the network on page 24. 7. With all modules powered on for at least two minutes, run the setup wizard on the console port of each module to make it reachable on the network. The modules must be set up in the following order: Database module User Interface module Analysis module Expansion modules and Dispatcher module (if present) See Configuring the Enterprise NetProfiler on page 25. 8. Ensure that the licenses for the appliance are activated. See License activation on page 25 9. Perform additional configuration, as necessary. See Additional configuration on page 27. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 17

Installing the Enterprise NetProfiler Inventory and inspection 10. Verify that the appliance has been successfully installed. See Installation verification on page 28. Refer to the Hardware specifications on page 29 for dimensions, weight and power requirements. Inventory and inspection 1. Check the shipping documentation to ensure that all cartons have arrived. 2. If you have not already done so, visually inspect each carton for indications of damage. 3. If any cartons are damaged or missing, contact Riverbed Support before continuing. Phone United States and Canada: 1 888 782 3822 Phone outside U.S. and Canada: +1 415 247 7381 Email: support@riverbed.com Web: https://support.riverbed.com 4. Unpack the contents of the shipping cartons and inventory the contents against the shipping documentation. 5. If any components of the order are damaged or missing, contact Riverbed Support. Preparations for installation Before installing the chassis, ensure that the following considerations have been addressed: Mounting location Data sources Cable connections Access to the network Mounting location Enterprise NetProfiler appliance modules require 1U and 2U rack spaces in a 4-post, 19-inch rack or cabinet. The User Interface (UI) module, Database (DB) module and Dispatcher (DP) module each require one rack unit (1U). The Analysis and Expansion modules each require two rack units (2U). They should be mounted in a rack that is appropriately sized for the chassis using the rails provided. Additional rails can be purchased from Riverbed using part number RMK-CAP-001. The rack should be properly secured to a level solid surface to prevent tipping or excess shock while the unit is operating. (Operating shock limits are half sine, 2 g peak, 11 msec.) Appliances should never be installed in an unsecured location such as on a table or shelf. They should never be stacked on top of one another. Manufacturing data for the units indicates that premature disk drive failure can result from vibration transmitted between units that are in direct contact with one another. The appliances should be installed so that the ventilation openings on the front and rear of the units are not blocked and so air flows from the front to the rear of the unit to facilitate proper cooling. 18 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Preparations for installation Installing the Enterprise NetProfiler Each fan within the appliance is capable of supporting multiple speeds. If the internal ambient temperature of the appliance exceeds the value programmed into the thermal sensor data record (SDR), the BMC firmware increases the speed for all the fans within fan module. Improper cooling can result in the appliance overheating, which could cause premature failure of sensitive components, such as the CPUs. In addition, overheating can result in the fans running at a higher speed for extended periods, which increases the amount of vibration in the appliance. Excess vibration can result in premature disk drive failure. Refer to Hardware specifications on page 29 to ensure that the mounting location accommodates the dimensions, weight, power and cooling requirements of the appliance. Data sources The NetProfiler obtains traffic information from Riverbed Sensor, Flow Gateway, NetShark or AppResponse appliances. The NetProfiler must be receiving traffic information from at least one source in order for you to verify successful installation and configuration. There are two approaches to setting up data sources: Set up the available data sources and point them to the IP address of the NetProfiler Analysis Module before you install the Enterprise NetProfiler. Install the NetProfiler up to the point of verification, then go install or configure the data sources, and then return to the SteelCentral product to complete the installation verification. It is preferable to configure all the data sources that are available at the time you install the SteelCentral product. However, product operation can be confirmed with just one data source. Cable connections Power Each Enterprise NetProfiler module has two power supplies. Plug these into two different circuits, if they are available. Console port The initial setup of each module (chassis) is performed using a console port. Ensure that you have a terminal server or a system running a terminal emulation program such as HyperTerminal or Tera Term Pro. Connect this to the console port of each module using a null modem cable with a 9-pin D-subminiature connector. A cable with a USB connector on the other end is shipped with each module. You can use these with a laptop computer if you are not connecting the console port to a cable in the rack. Any standard serial device connection will work. Primary ports Modules in the Enterprise NetProfiler communicate with one another by means of a customer-supplied switch. Each module is equipped with a 100/1000baseTX primary management port that must connect to a hub or switch on the management network. The primary port is set by default for auto-negotiation. Ensure that: The management network has a switch port for each Enterprise NetProfiler module. Straight-through cables are available at the rack locations for connecting the NetProfiler modules to the switch. (One cable per chassis.) The management network switch port is set to establish a connection at 1000 Mb/s and full duplex. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 19

Installing the Enterprise NetProfiler Preparations for installation A terminal device (laptop, KVM, etc.) is available on the management network for logging in to the NetProfiler user interface. Access to the network The Enterprise NetProfiler uses the management network: For communication between its modules. To access network services. To provide access to its user interface. Communication between SteelCentral products If you lock down your network on a port-by-port basis, ensure that the following ports are open between SteelCentral products: TCP/22 (ssh) This is needed for the NetProfiler to transfer upgrade packages to other SteelCentral devices that are connected to it. TCP/8080 Packet Analyzer communicates with the web interface of the NetShark over this port. TCP/8443 Exchange of encryption certificates between SteelCentral products. TCP/41017 Encrypted communication between NetProfiler and Flow Gateway, NetShark and AppResponse appliances. UDP/123 (ntp) Synchronization of time between a Flow Gateway and NetProfiler. Access to and from network access services TCP/22 (ssh) This is needed for secure shell access to SteelCentral software components and for the appliance to obtain information from servers via scripts. UDP/161 (snmp) The NetProfiler uses SNMP to obtain interface information from switches. Also, management systems use this port to read the SteelCentral product MIB. TCP/443 (https) Secure web-based management interfaces. TCP/5432 (odbc) If you will be allowing other applications to access the NetProfiler internal database via ODBC, then you must allow traffic on this port. 42999 If you will be using the NetProfiler user identification feature with a Microsoft Active Directory domain controller, then you must allow traffic on port 42999. Vulnerability scanner ports If you will be using the NetProfiler vulnerability scan feature, then you must allow traffic on the port that the SteelCentral product is to use for accessing the vulnerability scanner server. Obtain vulnerability scanner server addresses and port numbers from the administrator of those systems. The default ports are as follows: Nessus: 1241 ncircle: 443 Rapid7: 3780 Qualys: Requires external https access to qualysapi.qualys.com (Note: This is separate from qualysguard.qualys.com.) Foundstone: 3800 20 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Configuration information Installing the Enterprise NetProfiler Configuration information When you configure the NetProfiler, you will be asked to provide configuration information. Information that is required to complete the installation is listed in the table that follows with an asterisk (*). Items not marked with an asterisk are optional during installation and can be specified afterwards on the NetProfiler Configuration > General Settings page if necessary. It may be useful to write the configuration values in the blank column of the checklist below so that you can refer to them during the configuration step or afterward. NetProfiler host name:* NetProfiler IP address:* Netmask:* Default gateway:* DNS name resolution for hosts (enable or disable): Primary DNS server IP address: Secondary DNS server IP address: DNS search domain: NTP server IP addresses:* Applies only if NetProfiler is being synchronized to an external NTP server. Enter one or more addresses as a commaseparated list. Time Zone: Flow encryption certificate (default or new certificate): For faster installation, use the default encryption certificate shipped with the NetProfiler and then generate a new certificate later. NetProfiler UI Module IP address: * This setting was previously called the Management address. NetProfiler DB Module IP address: * (The Database module.) NetProfiler AN Module IP address:* (The first Analysis module.) NetProfiler EX Module IP address (if present):* (The first Expansion module.) SNMP information: NetProfiler is set by default to use SNMP Version 1 and to allow MIB browsing. If you are configuring SNMP at this time, obtain the necessary V1 or V3 information. Outgoing mail server name, port number, and From address. Applies only if you will be specifying a server that NetProfiler is to use for sending reports or alert notifications. Inside addresses: IP addresses or address ranges of hosts that the NetProfiler is to track individually. The default values are 10/8,172.16/ 12,192.168/16 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 21

Installing the Enterprise NetProfiler Licensing strategy Security Profile settings:* You can use either three traffic collection profiles (weekdays, weeknights, and weekends) or four (weekdays, weeknights, Saturdays, and Sundays). After installation, you can define others. You can also specify the times when weekdays begin and end (default times are 9:00 am to 5:00 pm). Password to use for your initial NetProfiler login:* The default password admin. New password to enter when prompted to change the initial NetProfiler password:* Applies only to systems not previously configured. Service Management Leave this set to ByLocation unless you are required to choose another group type for service locations. Licensing strategy Capacity and feature licenses must be activated on the Riverbed licensing web site. SteelCentral products that have been configured and have access to Internet automatically download the license keys that have been assigned to their serial numbers on the licensing web site. If the appliance does not have Internet access, then you must add its license keys manually. The licensing web site provides the flexibility to assign different feature and capacity licenses to different appliances. You can ship appliances to remote locations without concern for which appliance is to have which license. When you have the serial numbers and know where the appliances are deployed in the network, you can make the license assignments on the Riverbed licensing web site. When all the appliances are to be licensed for the same features and capacities, the licensing web site handles this automatically. The appliances can automatically download their licenses without your needing to visit the licensing web site. Downloading and adding license keys If the NetProfiler is configured and has Internet connectivity, it can download its license keys automatically. Otherwise, someone must email the keys from the Riverbed licensing web site and then copy them from the email, or copy them directly from the Riverbed licensing web site, and someone must add them to the NetProfiler manually. Determine which strategy you are using. Will you activate the licenses on the Riverbed licensing web site yourself? Or will someone else do that? If the NetProfiler you are installing does not have Internet access, how will you ensure that it gets its assigned license keys? Will you email them to yourself from the Riverbed licensing site? Will you copy them from the Riverbed licensing site? Or will someone else provide the license keys for you to add to the NetProfiler manually? Typically, the installer: 1. Mounts, cables and configures this appliance and the other SteelCentral products that were ordered with it. 2. Records the product serial number from the chassis of each appliance. The number identified as SN is the product serial number. 22 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Mounting and powering Installing the Enterprise NetProfiler 3. Sends the serial number for each appliance, along with the appliance location on the network, to the network manager. Then the network manager: 1. Logs in to the Riverbed licensing web site. 2. Enters the product serial number of the first SteelCentral product to gain access to the licensing page. The Riverbed licensing page lists the serial numbers of all SteelCentral products that were included in the same purchase order. 3. For each serial number, activate the licenses that apply to that serial number. Using the Riverbed licensing web site is described after the configuration step. See License activation on page 25. After the licenses have been activated on the Riverbed licensing web site, the license keys can be added to the NetProfiler either automatically or manually. Automatically adding license keys SteelCentral products that have access to Internet automatically download the license keys that have been assigned to their serial numbers on the licensing web site. If the appliance has been configured to be accessible on the network and if it has access to the Internet, then it automatically downloads its license keys when you click Configure Now on the initial Setup page. If you select the Enable automatic license download from Riverbed option on the Configuration > Licenses page, the appliance checks for any additional licenses once per day. Manually adding license keys If the NetProfiler does not have access to the Internet, then it is necessary to add the license keys manually. This involves copying and pasting the keys into the NetProfiler licensing page. You can have the license keys emailed to yourself from the licensing web site and copy them from the email, or you can copy them directly from the web site. Alternatively, the person who generates the keys on the web site can provide them to you. Once you have the keys, you paste them into the Configuration > Licenses page. Mounting and powering Safety information Follow the safety precautions outlined in the Riverbed Safety and Compliance Guide when installing and setting up your system. The guide contains the safety information in multiple languages. Before you install, operate, or service your system, you must be familiar with the safety information. Note: Failure to follow these safety guidelines can result in injury or damage to the equipment. Mishandling of the equipment voids all warranties. Please read and follow the safety guidelines and installation instructions carefully. CAUTION: Slide/rail mounted equipment is not to be used as a shelf or a work space. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 23

Installing the Enterprise NetProfiler Cabling to the network Rack mounting the chassis For each module of the Enterprise NetProfiler: 1. Locate the rails in the shipping carton. 2. Locate the Rack Installation Guide in the documentation kit. 3. Mount the rails in the rack and install the chassis on the rails, as described in the instructions. CAUTION: Observe the safety cautions in the mounting instructions. 4. Connect the power cable to the chassis and to rack power. The system starts up automatically when power is connected. However, you can use the power button to power off the system if necessary. Cabling to the network 1. Connect a system running a terminal emulation program such as HyperTerminal or Tera Term Pro to the 9-pin D- subminiature Console port connector of the NetProfiler DB module. 2. Connect the cable from the management network to the Primary connector on the NetProfiler. Each module of the Enterprise NetProfiler is assigned its network address using its console port. If there are to be permanent connections to the console ports, make those connections now. If you will temporarily connect to each console port in succession, begin with the DB module. The UI module must be set up next, the AN module after that, and any EX or DP modules last. 24 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Configuring the Enterprise NetProfiler Installing the Enterprise NetProfiler Configuring the Enterprise NetProfiler 1. On the system connected to the Console port connector of the DB module, set the terminal emulator for 9600 Baud, 8 data bits, 1 stop bit, no parity bit, and no flow control. 2. Use your terminal emulator to log in through the console port. The default login credentials are: User name: admin Password: admin 3. When the configuration wizard starts, enter the required information at the prompts. 4. When the wizard completes and exits, the system reboots. Wait until the system finishes rebooting before continuing with the next step. 5. Perform Steps 2 through 4 with the UI module and then with the AN module. If your Enterprise NetProfiler has additional modules (Expansion modules and a Dispatcher module), assign the network addresses to those modules after completing Steps 2 through 4 on the DB, UI and AN modules. 6. On the management network, point your web browser to the IP address of the UI module, which you specified in the configuration wizard using the console port. https://<netprofiler_ip_address> 7. Log in to the NetProfiler user interface. The default credentials are: User name: admin Password: admin The first time you log in to the NetProfiler user interface, it displays the Setup page. 8. On the Setup page, ensure that all the required fields (marked with an asterisk) are filled in. 9. At the bottom of the Setup page, click Configure Now. When you click Configure Now, the NetProfiler automatically fetches the license keys that are assigned to it on the Riverbed licensing web site, if the NetProfiler has Internet access. If the NetProfiler does not have access to the Internet, it is necessary to activate the license manually. License activation If the licenses have been activated on the Riverbed licensing web site and the NetProfiler has downloaded its licensing keys, skip to the next step: Additional configuration on page 27. To confirm that the NetProfiler has downloaded its license keys from the Riverbed licensing web site, 1. Log in to the NetProfiler using the admin account user name and the password that you specified in the preceding step. 2. Navigate to the Configuration > Licenses page. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 25

Installing the Enterprise NetProfiler License activation If the License Key column lists an MSPEC license key, then NetProfiler has downloaded its licenses from the licensing web site and you can proceed with installation verification. If no MSPEC license key is listed, then NetProfiler has not downloaded its license keys. 3. Click Fetch Updates Now. If the NetProfiler has Internet access and the licenses have been activated on the Riverbed licensing web site, then the license keys will be listed within a few minutes. If the NetProfiler does not have Internet access, or if its licenses have not been activated on the Riverbed licensing site, then it will not be able to fetch its license keys. If you have been given the license keys, enter them manually as described below. If you are responsible for generating the license keys, 1. Go to the Riverbed licensing web site and generate the keys. (See Generating the license keys, next.) 2. Copy the license keys or else email them to a machine that has access to the NetProfiler. 3. Manually add the license keys to the NetProfiler Configuration > Licenses page. Generating the license keys To generate a license key on the Riverbed licensing site: 1. Ensure that you have product serial number for each appliance. This is located on the rear of the chassis. The number identified as SN is the product serial number. 2. Point your browser to the Riverbed licensing portal: https://licensing.riverbed.com 26 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Additional configuration Installing the Enterprise NetProfiler 3. Enter the product serial number. This displays a table listing the serial numbers of all the SteelCentral products purchased on the same purchase order as the appliance whose serial numbers you entered. 4. Use the drop-down list boxes in the Software column for each serial number to assign the correct licenses to each appliance. Select or multi-select the licenses you want to activate for each Enterprise NetProfiler module or other SteelCentral product. 5. Follow the instructions of the licensing wizard to continue the process and generate the license keys. 6. If the NetProfiler has Internet access, it automatically downloads the licenses that have been assigned to its serial number. If the NetProfiler does not have access to Internet and cannot fetch license keys from the Riverbed licensing site, then it is necessary to enter the license keys manually on the NetProfiler Configuration > Licenses page. To get the keys for entering manually, continue with the next step on the licensing web site. 7. Either choose the option to email the license keys to yourself, or else copy the keys from the Activated License Key column of the table. 8. Place the keys in a file that is accessible to the machine you are using for configuring the NetProfiler. Manually adding the license keys 1. On the NetProfiler, navigate to the Configuration > Licenses page and click Add License(s). 2. Paste or type the license keys into the Licenses page. When entering more than one license key, use a commaseparated list. 3. Confirm that the licenses are listed on the Configuration > Licenses page and that the status of each is green. When the license keys have been added, the NetProfiler is fully functional and ready for additional configuration or for installation verification. Additional configuration Additional configuration tasks, such as specifying configurations that are not available on the Setup page, can be performed by logging in to the NetProfiler after the licenses have been activated. For example, you may want to set up security profile periods as early as possible. The initial Setup page offers the choice of collecting separate traffic profiles for: Weekdays, weeknights, and weekends, or Weekdays, weekends, Saturdays, and Sundays. If you want to add more profiles or use a different profile scheme, 1. Log in to the NetProfiler. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 27

Installing the Enterprise NetProfiler Installation verification 2. Go to the Behavior Analysis > Policies page Security tab and click Security Profiles. This opens the Security Profiles page. 3. Click Reconfigure Weekly Scheme to open the profile scheme composer. 4. Specify the days and times of the traffic collection profiles you want to use. When you specify a new security profile scheme, NetProfiler discards any current baseline information and begins collecting new data. For descriptions of making other configuration changes, refer to the NetProfiler on line help system. Installation verification Installation verification requires the NetProfiler to be receiving traffic data from at least one source. To determine if the NetProfiler is receiving data, log in and navigate to the System > Devices/Interfaces page. Check the status of the Cascade Sensor, Flow Gateway and NetShark appliances or other data source devices on the Devices tab. When a data source comes on line, the NetProfiler begins collecting data. If no data sources are listed on the System > Devices/Interfaces page Devices tab, then NetProfiler installation and configuration cannot be verified. Set up at least one data source device (preferably all data source devices) and then perform the installation verification as follows. 1. Go to the Dashboard page and verify that the graphs display data. 2. Go to the System > Information page and assure that all status indications are displaying OK. 3. Go to the System > Devices/Interfaces page and assure that each data source that is expected to be available is listed and that no status indicators are red. 4. Go to the Reports > Traffic page. Near the bottom of the Report Criteria section, click Run now. Verify that a traffic report is displayed. (It will take a short time for the report to display.) This completes the installation process. The NetProfiler can now be turned over to those who are responsible for setting up user accounts and operational parameters. Refer to the on line help system for further configuration procedures. 28 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Hardware specifications Installing the Enterprise NetProfiler Hardware specifications Rack space The User Interface (UI) module, Database (DB) module and Dispatcher (DP) module each require one rack unit (1U). The Analysis (AN) and Expansion (EX) modules each require two rack units (2U). 1U Chassis (Regulatory compliance code 1UACA) Product models: CAP-04260-UI User Interface module CAP-04260-DB Database module CAP-04260-DP Dispatcher module Dimensions without bezels or mounting flanges: Height: 43.4 mm, 1.7 in. Width 436.1 mm, 17.2 in. Depth: 644.4 mm, 25.4 in. Dimensions with all protrusions: Height: 44.5 mm, 1 3/4 in. Width: 479.4 mm, 18 7/8 in. Depth: 685.8 mm, 27 in. Weight: 16.3 kg, 36 lbs. 2U Chassis (Regulatory compliance code 2UACA) Product models: CAP-04260-AN Analysis module CAP-04260-EX Expansion module Dimensions without bezels or mounting flanges: Height: 87.1 mm, 3.4 in. Width 436.1 mm, 17.2 in. Depth: 644.4 mm, 25.4 in. Dimensions with all protrusions: Height: 88.9 mm, 3 1/2 in. Width: 487.4 mm, 19 3/16 in. Depth: 685.8 mm, 27 in. Weight: 27.2 kg, 60 lbs. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 29

Installing the Enterprise NetProfiler Hardware specifications Power The User Interface (UI) module, Database (DB) module and Dispatcher (DP) module each require: 100V-127V, 50/60 Hz, 4.1A, or 200V-240V, 50/60 Hz, 2.1A The Analysis (AN) module and Expansion (EX) module each require: 100V-127V, 50/60 Hz, 5.5A, or 200V-240V, 50/60 Hz, 2.8A Cooling The User Interface (UI) module, Database (DB) module and Dispatcher (DP) module each require approximately819 Btu/hr of cooling. The Analysis (AN) module and Expansion (EX) module each require approximately1433 Btu/hr of cooling. Ambient air should be: Operating Air temperature: 10 to 40 C (50 to 95 F) Humidity: 20% to 80% non-condensing Storage Air temperature: 40 to 65 C ( 40 to 149 F) Humidity: 5% to 95% non-condensing Console port pin-out The console port uses a DB-9 subminiature connector with standard wiring as follows. Pin Function 1 Data Carrier Detect 2 Receive Data 3 Transmit Data 4 Data Terminal Ready 5 Signal Ground 6 Data Set Ready 7 Request to Send 8 Clear to Send 30 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

CHAPTER 4 Installing the NetExpress Overview If you are familiar with installing SteelCentral products and your network environment has the necessary ports open between SteelCentral products, then mount the appliance in the rack and skip to Licensing strategy on page 37. If you are unfamiliar with installing SteelCentral products, then start here. The installation process involves the following steps: 1. Unpack, inspect and inventory the shipment. See Inventory and inspection on page 32. 2. Ensure that the mounting location and network environment will accommodate the appliance. See Preparations for installation on page 32. 3. Collect the configuration information you will need. See Configuration information on page 35. 4. Determine how the licenses are to be activated. See Licensing strategy on page 37 5. Mount the appliance in the rack and connect rack power. See Mounting and powering on page 38. 6. Connect the cables to the console port and the primary network port. See Cabling to the network on page 39. 7. Run the setup wizard on the console port to make the appliance reachable on the network. See Configuring the NetExpress on page 39. 8. Ensure that the licenses for the appliance are activated. See License activation on page 40 9. Perform additional configuration, as necessary. See Additional configuration on page 42. 10. Verify that the appliance has been successfully installed. See Installation verification on page 43. Refer to the Hardware specifications on page 44 for dimensions, weight and power requirements. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 31

Installing the NetExpress Inventory and inspection Inventory and inspection 1. Check the shipping documentation to ensure that all cartons have arrived. 2. If you have not already done so, visually inspect each carton for indications of damage. 3. If any cartons are damaged or missing, contact Riverbed Support before continuing. Phone United States and Canada: 1 888 782 3822 Phone outside U.S. and Canada: +1 415 247 7381 Email: support@riverbed.com Web: https://support.riverbed.com 4. Unpack the contents of the shipping cartons and inventory the contents against the shipping documentation. 5. If any components of the order are damaged or missing, contact Riverbed Support. Preparations for installation Before installing the chassis, ensure that the following considerations have been addressed: Mounting location Data sources Cable connections Access to the network Mounting location The NetExpress appliance requires a 1U rack space in a 4-post, 19-inch rack or cabinet. It should be mounted in a rack that is appropriately sized for the chassis using the rails provided. Additional rails can be purchased from Riverbed using part number RMK-CAP-001. The rack should be properly secured to a level solid surface to prevent tipping or excess shock while the unit is operating. (Operating shock limits are half sine, 2 g peak, 11 msec.) Appliances should never be installed in an unsecured location such as on a table or shelf. They should never be stacked on top of one another. Manufacturing data for the units indicates that premature disk drive failure can result from vibration transmitted between units that are in direct contact with one another. The appliances should be installed so that the ventilation openings on the front and rear of the units are not blocked and so air flows from the front to the rear of the unit to facilitate proper cooling. Each fan within the appliance is capable of supporting multiple speeds. If the internal ambient temperature of the appliance exceeds the value programmed into the thermal sensor data record (SDR), the BMC firmware increases the speed for all the fans within fan module. Improper cooling can result in the appliance overheating, which could cause premature failure of sensitive components, such as the CPUs. In addition, overheating can result in the fans running at a higher speed for extended periods, which increases the amount of vibration in the appliance. Excess vibration can result in premature disk drive failure. 32 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Preparations for installation Installing the NetExpress Refer to Hardware specifications on page 44 to ensure that the mounting location accommodates the dimensions, weight, power and cooling requirements of the appliance. Data sources The NetExpress obtains traffic information from taps or mirror ports on the monitored network. It can also obtain flow data from NetFlow, IPFIX, Packeteer FDR or sflow sources, or by CascadeFlow from a CascadeFlow compatible SteelHead. Additionally, it can obtain traffic information from Riverbed Sensor, Flow Gateway, NetShark or AppResponse appliances. If the NetExpress is to receive flow data from NetFlow-enabled devices, enable the SNMP ifindex persistence feature of the NetFlow source to ensure consistency of interface reporting. There are two approaches to setting up data sources: Set up the available data sources and point them to the IP address of the NetExpress before you install it. Install the NetExpress up to the point of verification, then go install or configure the data sources, and then return to the SteelCentral product to complete the installation verification. It is preferable to configure all the data sources that are available at the time you install the SteelCentral product. However, product operation can be confirmed with just one data source. Cable connections Power The SteelCentral product has two power supplies. Plug these into two different circuits, if they are available. Console port The initial setup of the SteelCentral product is performed using a console port. Ensure that you have a terminal server or a system running a terminal emulation program such as HyperTerminal or Tera Term Pro. Connect this to the SteelCentral product console port using a null modem cable with a 9-pin D-subminiature connector. Any standard serial device connection will work. Primary port The NetExpress is equipped with a 100/1000baseTX primary management port that must connect to a hub or switch on the management network. The primary port is set by default for auto-negotiation. Ensure that: A straight-through cable to a hub or switch port on the management network is available at the rack location. The management network switch port is set to establish a connection at 100 or 1000 Mb/s and full duplex. A terminal device (laptop, KVM, etc.) is available on the management network for logging in to the NetExpress user interface. Auxiliary Port Optionally, the Aux port can be configured. This is useful if you what to keep network data and network control traffic on separate networks. Ensure that: A straight-through cable to a hub or switch port on the network is available at the rack location. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 33

Installing the NetExpress Preparations for installation The network switch port is set to establish a connection at 100 or 1000 Mb/s and full duplex. Traffic monitoring ports All NetExpress appliances have four electrical ports with 10/100/1000baseTX (RJ45) connectors. These connect via straight-through cables to taps or mirror ports on the monitored network. Some models also have two 10 Gb/s optical ports that support both LR and SR SFP modules with LC connectors. These connect via single mode (LR) or multimode (SR) optical fiber cables to taps or mirror ports on the monitored network. Ensure that the necessary taps or mirror ports are set up and that the correct electrical or optical cables are available in the rack where the NetExpress is to be installed. Access to the network The NetExpress uses the management network to communicate with other SteelCentral products and to access network services. Communication between SteelCentral products If you lock down your network on a port-by-port basis, ensure that the following ports are open between SteelCentral products: TCP/22 (ssh) This is needed for the NetExpress to transfer upgrade packages to other SteelCentral devices that are connected to it. TCP/8080 Packet Analyzer communicates with the web interface of the NetShark over this port. TCP/8443 Exchange of encryption certificates between SteelCentral products. TCP/41017 Encrypted communication between NetExpress and Flow Gateway, NetShark, and AppResponse appliances. UDP/123 (ntp) Synchronization of time between a Flow Gateway and NetExpress. Access to and from network access services TCP/22 (ssh) This is needed for secure shell access to SteelCentral software components and for the appliance to obtain information from servers via scripts. UDP/161 (snmp) The NetExpress uses SNMP to obtain interface information from switches. Also, management systems use this port to read the SteelCentral product MIB. TCP/443 (https) Secure web-based management interfaces. TCP/5432 (odbc) If you will be allowing other applications to access the NetExpress internal database via ODBC, then you must allow traffic on this port. 42999 If you will be using the NetExpress user identification feature with a Microsoft Active Directory domain controller, then you must allow traffic on port 42999. Vulnerability scanner ports If you will be using the NetExpress vulnerability scan feature, then you must allow traffic on the port that the SteelCentral product is to use for accessing the vulnerability scanner server. Obtain vulnerability scanner server addresses and port numbers from the administrator of those systems. The default ports are as follows: Nessus: 1241 ncircle: 443 34 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Configuration information Installing the NetExpress Rapid7: 3780 Qualys: Requires external https access to qualysapi.qualys.com (Note: This is separate from qualysguard.qualys.com.) Foundstone: 3800 Configuration information When you configure the NetExpress, you will be asked to provide configuration information. Information that is required to complete the installation is listed in the table that follows with an asterisk (*). Items not marked with an asterisk are optional during installation and can be specified afterwards on the NetExpress Configuration > General Settings page if necessary. It may be useful to write the configuration values in the blank column of the checklist below so that you can refer to them during the configuration step or afterward. NetExpress host name:* NetExpress IP address:* Netmask:* Default gateway:* DNS name resolution for hosts (enable or disable): Primary DNS server IP address: Secondary DNS server IP address: DNS search domain: Primary port settings: (10/100/1000 Mb/s, half- or full-duplex, or auto-negotiate) Switch port settings: The settings of the switch port or hub that the NetExpress primary port connects to. (Auto-negotiate is recommended.) Aux interface IP address Aux interface netmask Aux interface switch port settings Monitored network port settings - mon0_0 10/100/1000 Mb/s, half- or full-duplex, or auto-negotiate Monitored network port settings - mon0_1 10/100/1000 Mb/s, half- or full-duplex, or auto-negotiate Monitored network port settings - mon0_2 10/100/1000 Mb/s, half- or full-duplex, or auto-negotiate Monitored network port settings - mon0_3 10/100/1000 Mb/s, half- or full-duplex, or auto-negotiate Packet Deduplication Enable packet deduplication if your network configuration might cause the SteelCentral product to see duplicated packets. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 35

Installing the NetExpress Configuration information NTP server IP addresses:* Applies only if NetExpress is being synchronized to an external NTP server. Enter one or more addresses as a commaseparated list. Time Zone: Flow encryption certificate (default or new certificate): For faster installation, use the default encryption certificate shipped with the NetExpress and then generate a new certificate later. NetFlow port: Applies only if NetExpress is receiving NetFlow data (versions 1, 5, 7 or 9), IPFIX data, or CascadeFlow data. Do not send more than one type of flow data to the same port. sflow port: Applies only if NetExpress is receiving sflow data (versions 2, 4 or 5). Do not send more than one type of flow data to the same port. Packeteer port: Applies only if NetExpress is receiving Packeteer Flow Detail Records (versions 1 or 2). Do not send more than one type of flow data to the same port. SNMP information: NetExpress is set by default to use SNMP Version 1 and to allow MIB browsing. If you are configuring SNMP at this time, obtain the necessary V1 or V3 information. Outgoing mail server name, port number, and From address. Applies only if you will be specifying a server that NetExpress is to use for sending reports or alert notifications. Inside addresses: IP addresses or address ranges of hosts that the NetExpress is to track individually. The default values are 10/8,172.16/ 12,192.168/16 Security Profile settings:* You can use either three traffic collection profiles (weekdays, weeknights, and weekends) or four (weekdays, weeknights, Saturdays, and Sundays). After installation, you can define others. You can also specify the times when weekdays begin and end (default times are 9:00 am to 5:00 pm). Password to use for your initial NetExpress login:* The default password admin. New password to enter when prompted to change the initial NetExpress password:* Applies only to systems not previously configured. Service Management Leave this set to ByLocation unless you are required to choose another group type for service locations. 36 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Licensing strategy Installing the NetExpress Licensing strategy Capacity and feature licenses must be activated on the Riverbed licensing web site. SteelCentral products that have been configured and have access to Internet automatically download the license keys that have been assigned to their serial numbers on the licensing web site. If the appliance does not have Internet access, then you must add its license keys manually. The licensing web site provides the flexibility to assign different feature and capacity licenses to different appliances. You can ship appliances to remote locations without concern for which appliance is to have which license. When you have the serial numbers and know where the appliances are deployed in the network, you can make the license assignments on the Riverbed licensing web site. When all the appliances are to be licensed for the same features and capacities, the licensing web site handles this automatically. The appliances can automatically download their licenses without your needing to visit the licensing web site. Downloading and adding license keys If the NetExpress is configured and has Internet connectivity, it can download its license keys automatically. Otherwise, someone must email the keys from the Riverbed licensing web site and then copy them from the email, or copy them directly from the Riverbed licensing web site, and someone must add them to the NetExpress manually. Determine which strategy you are using. Will you activate the licenses on the Riverbed licensing web site yourself? Or will someone else do that? If the NetExpress you are installing does not have Internet access, how will you ensure that it gets its assigned license keys? Will you email them to yourself from the Riverbed licensing site? Will you copy them from the Riverbed licensing site? Or will someone else provide the license keys for you to add to the NetExpress manually? Typically, the installer: 1. Mounts, cables and configures this appliance and the other SteelCentral products that were ordered with it. 2. Records the product serial number from the chassis of each appliance. The number identified as SN is the product serial number. 3. Sends the serial number for each appliance, along with the appliance location on the network, to the network manager. Then the network manager: 1. Logs in to the Riverbed licensing web site. 2. Enters the product serial number of the first SteelCentral product to gain access to the licensing page. The Riverbed licensing page lists the serial numbers of all SteelCentral products that were included in the same purchase order. 3. For each serial number, activate the licenses that apply to that serial number. Using the Riverbed licensing web site is described after the configuration step. See License activation on page 40. After the licenses have been activated on the Riverbed licensing web site, the license keys can be added to the NetExpress either automatically or manually. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 37

Installing the NetExpress Mounting and powering Automatically adding license keys SteelCentral products that have access to Internet automatically download the license keys that have been assigned to their serial numbers on the licensing web site. If the appliance has been configured to be accessible on the network and if it has access to the Internet, then it automatically downloads its license keys when you click Configure Now on the initial Setup page. If you select the Enable automatic license download from Riverbed option on the Configuration > Licenses page, the appliance checks for any additional licenses once per day. Manually adding license keys If the NetExpress does not have access to the Internet, then it is necessary to add the license keys manually. This involves copying and pasting the keys into the NetExpress licensing page. You can have the license keys emailed to yourself from the licensing web site and copy them from the email, or you can copy them directly from the web site. Alternatively, the person who generates the keys on the web site can provide them to you. Once you have the keys, you paste them into the Configuration > Licenses page. Mounting and powering Safety information Follow the safety precautions outlined in the Riverbed Safety and Compliance Guide when installing and setting up your system. The guide contains the safety information in multiple languages. Before you install, operate, or service your system, you must be familiar with the safety information. Note: Failure to follow these safety guidelines can result in injury or damage to the equipment. Mishandling of the equipment voids all warranties. Please read and follow the safety guidelines and installation instructions carefully. CAUTION: Slide/rail mounted equipment is not to be used as a shelf or a work space. Rack mounting the chassis 1. Locate the rails in the shipping carton. 2. Locate the Rack Installation Guide in the documentation kit. 3. Mount the rails in the rack and install the chassis on the rails, as described in the instructions. CAUTION: Observe the safety cautions in the mounting instructions. 4. Connect the power cable to the chassis and to rack power. The system starts up automatically when power is connected. However, you can use the power button to power off the system if necessary. 38 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Cabling to the network Installing the NetExpress Cabling to the network 1. Connect a system running a terminal emulation program such as HyperTerminal or Tera Term Pro to the 9-pin D- subminiature Console port connector of the NetExpress. 2. Connect the cable from the management network to the Primary connector on the NetExpress. 3. Connect the electrical Ethernet cables from the taps or mirror ports to the monitoring port connectors mon0_0 through mon0_3. 4. If the NetExpress has 10 Gbs fiber ports, connect the optical cables from the taps or mirror ports to the monitoring port connectors mon1_0 and mon1_2. 5. If your appliance has additional monitoring ports, refer to the sticker on the top cover of the chassis for the connector positions. Make additional cable connections as necessary. Configuring the NetExpress 1. On the system connected to the Console port connector, set the terminal emulator for 9600 Baud, 8 data bits, 1 stop bit, no parity bit, and no flow control. 2. Use your terminal emulator to log in through the console port. The default login credentials are: User name: admin Password: admin 3. When the configuration wizard starts, enter the required information at the prompts. MGMT IP ADDRESS MGMT SUBNET MASK MGMT GATEWAY IP ADDRESS Finish Setup and Reboot? (yes/no): 4. When the wizard completes and exits, the system reboots. Wait until the system finishes rebooting before continuing with the next step. 5. On the management network, point your web browser to the IP address you specified in the configuration wizard using the console port. https://<netexpress_ip_address> SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 39

Installing the NetExpress License activation 6. Log in to the NetExpress user interface. The default credentials are: User name: admin Password: admin The first time you log in to the NetExpress user interface, it displays the Setup page.on the Setup page, ensure that all the required fields (marked with an asterisk) are filled in. 7. At the bottom of the Setup page, click Configure Now. When you click Configure Now, the NetExpress automatically fetches the license keys that are assigned to it on the Riverbed licensing web site, if the NetExpress has Internet access. If the NetExpress does not have access to the Internet, it is necessary to activate the license manually. License activation If the licenses have been activated on the Riverbed licensing web site and the NetExpress has downloaded its licensing keys, skip to the next step: Additional configuration on page 42. To confirm that the NetExpress has downloaded its license keys from the Riverbed licensing web site, 1. Log in to the NetExpress using the admin account user name and the password that you specified in the preceding step. 2. Navigate to the Configuration > Licenses page. If the License Key column lists an MSPEC license key, then NetExpress has downloaded its licenses from the licensing web site and you can proceed with installation verification. If no MSPEC license key is listed, then NetExpress has not downloaded its license keys. 3. Click Fetch Updates Now. If the NetExpress has Internet access and the licenses have been activated on the Riverbed licensing web site, then the license keys will be listed within a few minutes. If the NetExpress does not have Internet access, or if its licenses have not been activated on the Riverbed licensing site, then it will not be able to fetch its license keys. If you have been given the license keys, enter them manually as described below. If you are responsible for generating the license keys, 40 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

License activation Installing the NetExpress 1. Go to the Riverbed licensing web site and generate the keys. (See Generating the license keys, next.) 2. Copy the license keys or else email them to a machine that has access to the NetExpress. 3. Manually add the license keys to the NetExpress Configuration > Licenses page. Generating the license keys To generate a license key on the Riverbed licensing site: 1. Ensure that you have product serial number for each appliance. This is located on the rear of the chassis. The number identified as SN is the product serial number. 2. Point your browser to the Riverbed licensing portal: https://licensing.riverbed.com 3. Enter the product serial number. This displays a table listing the serial numbers of all the SteelCentral products purchased on the same purchase order as the appliance whose serial numbers you entered. 4. If you purchased only one appliance, then the licenses you purchased are already assigned to that appliance. If you purchased more than one appliance, use the drop-down list boxes in the Software column for each serial number to assign the correct licenses to each appliance. Select or multi-select the licenses you want to activate for each appliance. 5. Follow the instructions of the licensing wizard to continue the process and generate the license keys. 6. If the NetExpress has Internet access, it automatically downloads the licenses that have been assigned to its serial number. If the NetExpress does not have access to Internet and cannot fetch license keys from the Riverbed licensing site, then it is necessary to enter the license keys manually on the NetExpress Configuration > Licenses page. To get the keys for entering manually, continue with the next step on the licensing web site. 7. Either choose the option to email the license keys to yourself, or else copy the activated license keys from the table. 8. Place the keys in a file that is accessible to the machine you are using for configuring the NetExpress. Manually adding the license keys 1. On the NetExpress, navigate to the Configuration > Licenses page and click Add License(s). 2. Paste or type the license keys into the Licenses page. When entering more than one license key, use a commaseparated list. 3. Confirm that the licenses are listed on the Configuration > Licenses page and that the status of each is green. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 41

Installing the NetExpress Additional configuration When the license keys have been added, the NetExpress is fully functional and ready for additional configuration or for installation verification. Additional configuration The NetExpress appliance can be configured to receive flow data from flow data collectors. It can be configured to receive flow data on the Management interface, the Aux interface, or both. If necessary, you can specify static routes. Additionally, it can use data profile periods other than the default settings on the initial Setup page. Configuring the Aux interface To enable the Aux interface, 1. Go to the Configuration > General Settings page and scroll to the Aux Interface Configuration section. 2. Enter the IP address, netmask and connection settings for the Aux interface. 3. Select the Configure AUX Interface option. Specifying static routes If there are multiple subnets on the Aux interface network, or if you need to use a gateway router other than the default gateway, it may be necessary to define static routes. Use the Static Routes section of the Configuration > General Settings page to specify static routes as necessary. Specifying ports on which the NetExpress is to receive flow data In addition to monitoring traffic on taps and mirror ports, the NetExpress appliance can also receive flow data from flow data collectors. For it to do this, you must specify the types of flow data and the ports on which they are to be received. 42 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Installation verification Installing the NetExpress 1. Go to the Configuration > General Settings page and scroll to the Data Sources section. 2. Select the data type and enter the port number or numbers on which the NetExpress is to receive it. The NetExpress does not require flow data to use particular ports. However, you must identify the port that the sending device is configured to send to. Each port can receive only one type of flow data. 3. If you are using the Aux interface, select which interface(s) are to receive flow data. 4. Click Configure Now at the bottom of the page to apply the settings. The number of sources that you can configure to send flow data to the NetExpress depends on the amount of data each is sending. The total from all sources combined must not exceed the capacity of the NetExpress. Refer to your license agreement for the flow capacity of your NetExpress appliance. Specifying traffic profile periods The initial Setup page offers the choice of collecting separate traffic profiles for: Weekdays, weeknights, and weekends, or Weekdays, weekends, Saturdays, and Sundays. If you want to add more profiles or use a different profile scheme, 1. Log in to the NetExpress. 2. Go to the Behavior Analysis > Policies page Security tab and click Security Profiles. This opens the Security Profiles page. 3. Click Reconfigure Weekly Scheme to open the profile scheme composer. 4. Specify the days and times of the traffic collection profiles you want to use. When you specify a new security profile scheme, NetExpress discards any current baseline information and begins collecting new data. For descriptions of making other configuration changes, refer to the NetExpress on line help system. Installation verification Installation verification requires the NetExpress to be receiving traffic data from at least one source. To determine if the NetExpress is receiving data, log in and navigate to the System > Devices/Interfaces page. Check the status of the Cascade Sensor, Flow Gateway, or NetShark appliances or other data source devices on the Devices tab. When a data source comes on line, the NetExpress begins collecting data. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 43

Installing the NetExpress Hardware specifications If no data sources are listed on the System > Devices/Interfaces page Devices tab, then NetExpress installation and configuration cannot be verified. Set up at least one data source device (preferably all data source devices) and then perform the installation verification as follows. 1. Go to the Dashboard page and verify that the graphs display data. 2. Go to the System > Information page and assure that all status indications are displaying OK. 3. Go to the System > Devices/Interfaces page and assure that each data source that is expected to be available is listed and that no status indicators are red. 4. Go to the Reports > Traffic page. Near the bottom of the Report Criteria section, click Run now. Verify that a traffic report is displayed. (It will take a short time for the report to display.) This completes the installation process. The NetExpress can now be turned over to those who are responsible for setting up user accounts and operational parameters. Refer to the on line help system for further configuration procedures. Hardware specifications Rack space The NetExpress requires a 1U rack space and is best mounted in a 4-post, 19-inch rack or cabinet. It can also be mounted in a 2-post, 19-inch rack, but this requires a deep shelf. Regulatory compliance code: 1UACA Dimensions without bezels or mounting flanges: Height: 87.1 mm, 3.4 in. Width 436.1 mm, 17.2 in. Depth: 644.4 mm, 25.4 in. Dimensions with all protrusions: Height: 88.9 mm, 3 1/2 in. Width: 487.4 mm, 19 3/16 in. 44 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Hardware specifications Installing the NetExpress Depth: 685.8 mm, 27 in. Weight: 27.2 kg, 60 lbs. Power The NetExpress requires: 100V-127V, 50/60 Hz, 4.1A, or 200V-240V, 50/60 Hz, 2.1A Cooling The NetExpress requires up to approximately1024 Btu/hour of cooling, depending on the model. Ambient air should be: Operating Air temperature: 10 to 40 C (50 to 95 F) Humidity: 20% to 80% non-condensing Storage Air temperature: 40 to 65 C ( 40 to 149 F) Humidity: 5% to 95% non-condensing Console port pin-out The console port uses a DB-9 subminiature connector with standard wiring as follows. Pin Function 1 Data Carrier Detect 2 Receive Data 3 Transmit Data 4 Data Terminal Ready 5 Signal Ground 6 Data Set Ready 7 Request to Send 8 Clear to Send SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 45

Installing the NetExpress Hardware specifications 46 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

CHAPTER 5 Installing the Flow Gateway Overview If you are familiar with installing SteelCentral products and your network environment has the necessary ports open between SteelCentral products, then mount the appliance in the rack and skip to Licensing strategy on page 52. If you are unfamiliar with installing SteelCentral products, then start here. The installation process involves the following steps: 1. Unpack, inspect and inventory the shipment. See Inventory and inspection on page 48. 2. Ensure that the mounting location and network environment will accommodate the appliance. See Preparations for installation on page 48. 3. Collect the configuration information you will need. See Configuration information on page 50. 4. Determine how the licenses are to be activated. See Licensing strategy on page 52 5. Mount the appliance in the rack and connect rack power. See Mounting and powering on page 54. 6. Connect the cables to the console port and the primary network port. See Cabling to the network on page 54. 7. Run the setup wizard on the console port to make the appliance reachable on the network. See Configuring the Flow Gateway on page 55. 8. Ensure that the licenses for the appliance are activated. See License activation on page 56 9. Perform additional configuration, as necessary. See Additional configuration on page 58. 10. Verify that the appliance has been successfully installed. See Installation verification on page 61. Refer to the Hardware specifications on page 61 for dimensions, weight and power requirements. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 47

Installing the Flow Gateway Inventory and inspection Inventory and inspection 1. Check the shipping documentation to ensure that all cartons have arrived. 2. If you have not already done so, visually inspect each carton for indications of damage. 3. If any cartons are damaged or missing, contact Riverbed Support before continuing. Phone United States and Canada: 1 888 782 3822 Phone outside U.S. and Canada: +1 415 247 7381 Email: support@riverbed.com Web: https://support.riverbed.com 4. Unpack the contents of the shipping cartons and inventory the contents against the shipping documentation. 5. If any components of the order are damaged or missing, contact Riverbed Support. Preparations for installation Before installing the chassis, ensure that the following considerations have been addressed: Mounting location Data sources Cable connections Access to the network Mounting location Flow Gateway appliance requires a 1U rack space in a 4-post, 19-inch rack or cabinet. It should be mounted in a rack that is appropriately sized for the chassis using the rails provided. Additional rails can be purchased from Riverbed using part number RMK-CAP-001. The rack should be properly secured to a level solid surface to prevent tipping or excess shock while the unit is operating. (Operating shock limits are half sine, 2 g peak, 11 ms) Appliances should never be installed in an unsecured location such as on a table or shelf. They should never be stacked on top of one another. Manufacturing data for the units indicates that premature disk drive failure can result from vibration transmitted between units that are in direct contact with one another. The appliances should be installed so that the ventilation openings on the front and rear of the units are not blocked and so air flows from the front to the rear of the unit to facilitate proper cooling. Each fan within the appliance is capable of supporting multiple speeds. If the internal ambient temperature of the appliance exceeds the value programmed into the thermal sensor data record (SDR), the BMC firmware increases the speed for all the fans within fan module. Improper cooling can result in the appliance overheating, which could cause premature failure of sensitive components, such as the CPUs. In addition, overheating can result in the fans running at a higher speed for extended periods, which increases the amount of vibration in the appliance. Excess vibration can result in premature disk drive failure. 48 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Preparations for installation Installing the Flow Gateway Refer to Hardware specifications on page 61 to ensure that the mounting location accommodates the dimensions, weight, power and cooling requirements of the appliance. Data sources The Flow Gateway obtains traffic information from NetFlow, IPFIX, Packeteer FDR or sflow sources, or by CascadeFlow from a CascadeFlow compatible SteelHead. Enable the SNMP ifindex persistence feature of the NetFlow source devices to ensure consistency of interface reporting. There are two approaches to setting up data sources: Set up the available data sources and point them to the IP address of the Flow Gateway before you install it. Install the Flow Gateway up to the point of verification, then go install or configure the data sources, and then return to the SteelCentral product to complete the installation verification. It is preferable to configure all the data sources that are available at the time you install the SteelCentral product. However, product operation can be confirmed with just one data source. Cable connections Power The SteelCentral product has two power supplies. Plug these into two different circuits, if they are available. Console port The initial setup of the SteelCentral product is performed using a console port. Ensure that you have a terminal server or a system running a terminal emulation program such as HyperTerminal or Tera Term Pro. Connect this to the SteelCentral product console port using a null modem cable with a 9-pin D-subminiature connector. Any standard serial device connection will work. Primary port The Flow Gateway is equipped with a 100/1000baseTX primary management port that must connect to a hub or switch on the management network. The primary port is set by default for auto-negotiation. Ensure that: A straight-through cable to a hub or switch port on the management network is available at the rack location. The management network switch port is set to establish a connection at 100 or 1000 Mb/s and full duplex. A terminal device (laptop, KVM, etc.) is available on the management network for logging in to the Flow Gateway user interface. Auxiliary Port Optionally, the Aux port can be configured. This is useful if you what to keep network data and network control traffic on separate networks. Ensure that: A straight-through cable to a hub or switch port on the network is available at the rack location. The network switch port is set to establish a connection at 100 or 1000 Mb/s and full duplex. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 49

Installing the Flow Gateway Configuration information Access to the network The Flow Gateway uses the management network to communicate with other SteelCentral products and to access network services. Communication between SteelCentral products If you lock down your network on a port-by-port basis, ensure that the following ports are open between SteelCentral products: TCP/22 (ssh) This is needed for the Flow Gateway to receive upgrade packages from a NetProfiler. TCP/8443 Exchange of encryption certificates between the Flow Gateway and a NetProfiler. TCP/41017 Encrypted communication between the Flow Gateway and a NetProfiler. UDP/123 (ntp) Synchronization of time between the Flow Gateway and a NetProfiler. Access to and from network access services TCP/22 (ssh) This is needed for secure shell access to SteelCentral software components. TCP/443 (https) Secure web-based management interface. Configuration information When you configure the Flow Gateway, you will be asked to provide configuration information. Information that is required to complete the installation is listed in the table that follows with an asterisk (*). Items not marked with an asterisk are optional during installation and can be specified afterwards on the Flow Gateway Configuration > General Settings page if necessary. It may be useful to write the configuration values in the blank column of the checklist below so that you can refer to them during the configuration step or afterward. Flow Gateway host name:* Flow Gateway IP address:* Netmask:* Default gateway:* DNS name resolution for hosts (enable or disable): Primary DNS server IP address: Secondary DNS server IP address: DNS search domain: Primary port settings: (10/100/1000 Mb/s, half- or full-duplex, or auto-negotiate) Switch port settings: The settings of the switch port or hub that the Flow Gateway primary port connects to. (Auto-negotiate is recommended.) Aux interface IP address Aux interface netmask 50 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Configuration information Installing the Flow Gateway Aux interface switch port settings Time Zone: Flow encryption certificate (default or new certificate): For faster installation, use the default encryption certificate shipped with the Flow Gateway and then generate a new certificate later. SNMP information: Flow Gateway is set by default to use SNMP Version 1 and to allow MIB browsing. If you are configuring SNMP at this time, obtain the necessary V1 or V3 information. Data Sources - Use NetFlow Specify the port number on which the Flow Gateway will receive the data. Applies only if the Flow Gateway is receiving NetFlow data (versions 1, 5, 7 or 9), IPFIX, CascadeFlow, or cflow data. Do not send more than one type of flow data to the same port. Data Sources - Use sflow Specify the port number on which the Flow Gateway will receive the data. Applies only if the Flow Gateway is receiving sflow data (versions 2, 4 or 5). Do not send more than one type of flow data to the same port. Data Sources - Use Packeteer Specify the port number on which the Flow Gateway will receive the data. Applies only if the Flow Gateway is receiving Packeteer Flow Detail Records (versions 1 or 2). Do not send more than one type of flow data to the same port. SNMP information: NetProfiler is set by default to use SNMP Version 1 and to allow MIB browsing. If you are configuring SNMP at this time, obtain the necessary V1 or V3 information. First NetProfiler data input address. The address of the NetProfiler to which the Flow Gateway will send traffic data. This is the IP address of the management interface (Primary port) of an NetExpress or Standard NetProfiler or the address of the first Analysis Module of an Enterprise NetProfiler. If data sent to this NetProfiler is to be limited to only data received from certain flow sources, then specify those sources. Second NetProfiler data input address. If the Flow Gateway will be sending traffic data to more than one NetProfiler, this is the IP address of the second NetProfiler. It is the management interface (Primary port) of an NetExpress or Standard NetProfiler or the address of the Analysis Module of an Enterprise NetProfiler. If flow forwarding to this NetProfiler is to be limited to only data received from certain flow sources, then specify those sources NetProfiler IP Address: Flow sources: NetProfiler IP Address: Flow sources: SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 51

Installing the Flow Gateway Licensing strategy Data Forward - Destination 1 IP address and port number of the first destination to which the Flow Gateway is to forward flow data, the type of data (e.g., NetFlow) to be forwarded, and whether or not the source address of the forwarded packets should be overwritten with the source address from which they were received. If flow forwarding to this destination is to be limited to data received from only certain flow sources, then specify those sources. Data Forward - Destination 2 IP address and port number of the second destination to which the Flow Gateway is to forward flow data, the type of data (e.g., NetFlow) to be forwarded, and whether or not the source address of the forwarded packets should be overwritten with the source address from which they were received. If flow forwarding to this destination is to be limited to data received from only certain flow sources, then specify those sources. IP address: Port: Type: Source: Overwrite source address? Yes/No: IP address: Port: Type: Source: Overwrite source address? Yes/No: Password to use for your initial Flow Gateway login:* The default password admin. New password to enter when prompted to change the initial Flow Gateway password:* Applies only to systems not previously configured. Licensing strategy Capacity and feature licenses must be activated on the Riverbed licensing web site. SteelCentral products that have been configured and have access to Internet automatically download the license keys that have been assigned to their serial numbers on the licensing web site. If the appliance does not have Internet access, then you must add its license keys manually. The licensing web site provides the flexibility to assign different feature and capacity licenses to different appliances. You can ship appliances to remote locations without concern for which appliance is to have which license. When you have the serial numbers and know where the appliances are deployed in the network, you can make the license assignments on the Riverbed licensing web site. When all the appliances are to be licensed for the same features and capacities, the licensing web site handles this automatically. The appliances can automatically download their licenses without your needing to visit the licensing web site. Downloading and adding license keys If the Flow Gateway is configured and has Internet connectivity, it can download its license keys automatically. Otherwise, someone must email the keys from the Riverbed licensing web site and then copy them from the email, or copy them directly from the Riverbed licensing web site, and someone must add them to the Flow Gateway manually. Determine which strategy you are using. Will you activate the licenses on the Riverbed licensing web site yourself? Or will someone else do that? 52 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Licensing strategy Installing the Flow Gateway If the Flow Gateway you are installing does not have Internet access, how will you ensure that it gets its assigned license keys? Will you email them to yourself from the Riverbed licensing site? Will you copy them from the Riverbed licensing site? Or will someone else provide the license keys for you to add to the Flow Gateway manually? Typically, the installer: 1. Mounts, cables and configures this appliance and the other SteelCentral products that were ordered with it. 2. Records the product serial number from the chassis of each appliance. The number identified as SN is the product serial number. 3. Sends the serial number for each appliance, along with the appliance location on the network, to the network manager. Then the network manager: 1. Logs in to the Riverbed licensing web site. 2. Enters the product serial number of the first SteelCentral product to gain access to the licensing page. The Riverbed licensing page lists the serial numbers of all SteelCentral products that were included in the same purchase order. 3. For each serial number, activate the licenses that apply to that serial number. Using the Riverbed licensing web site is described after the configuration step. See License activation on page 56. After the licenses have been activated on the Riverbed licensing web site, the license keys can be added to the Flow Gateway either automatically or manually. Automatically adding license keys SteelCentral products that have access to Internet automatically download the license keys that have been assigned to their serial numbers on the licensing web site. If the appliance has been configured to be accessible on the network and if it has access to the Internet, then it automatically downloads its license keys when you click Configure Now on the initial Setup page. If you select the Enable automatic license download from Riverbed option on the Configuration > Licenses page, the appliance checks for any additional licenses once per day. Manually adding license keys If the Flow Gateway does not have access to the Internet, then it is necessary to add the license keys manually. This involves copying and pasting the keys into the Flow Gateway licensing page. You can have the license keys emailed to yourself from the licensing web site and copy them from the email, or you can copy them directly from the web site. Alternatively, the person who generates the keys on the web site can provide them to you. Once you have the keys, you paste them into the Configuration > Licenses page. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 53

Installing the Flow Gateway Mounting and powering Mounting and powering Safety information Follow the safety precautions outlined in the Riverbed Safety and Compliance Guide when installing and setting up your system. The guide contains the safety information in multiple languages. Before you install, operate, or service your system, you must be familiar with the safety information. Note: Failure to follow these safety guidelines can result in injury or damage to the equipment. Mishandling of the equipment voids all warranties. Please read and follow the safety guidelines and installation instructions carefully. CAUTION: Slide/rail mounted equipment is not to be used as a shelf or a work space. Rack mounting the chassis 1. Locate the rails in the shipping carton. 2. Locate the Rack Installation Guide in the documentation kit. 3. Mount the rails in the rack and install the chassis on the rails, as described in the instructions. CAUTION: Observe the safety cautions in the mounting instructions. 4. Connect the power cable to the chassis and to rack power. The system starts up automatically when power is connected. However, you can use the power button to power off the system if necessary. Cabling to the network 1. Connect a system running a terminal emulation program such as HyperTerminal or Tera Term Pro to the 9-pin D- subminiature Console port connector of the Flow Gateway. 2. Connect the cable from the management network to the Primary connector on the Flow Gateway. 54 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Configuring the Flow Gateway Installing the Flow Gateway Configuring the Flow Gateway 1. On the system connected to the Console port connector, set the terminal emulator for 9600 Baud, 8 data bits, 1 stop bit, no parity bit, and no flow control. 2. Use your terminal emulator to log in through the console port. The default login credentials are: User name: admin Password: admin 3. When the configuration wizard starts, enter the required information at the prompts. MGMT IP ADDRESS MGMT SUBNET MASK MGMT GATEWAY IP ADDRESS NETPROFILER IP ADDRESS Finish Setup and Reboot? (yes/no): 4. When the wizard completes and exits, the system reboots. Wait until the system finishes rebooting before continuing with the next step. 5. On the management network, point your web browser to the IP address you specified in the configuration wizard using the console port. https://<flow_gateway_ip_address> 6. Log in to the Flow Gateway user interface. The default credentials are: User name: admin Password: admin The first time you log in to the Flow Gateway user interface, it displays the Setup page. 7. On the Setup page, ensure that all the required fields (marked with an asterisk) are filled in. 8. At the bottom of the Setup page, click Configure Now. When you click Configure Now, the Flow Gateway automatically fetches the license keys that are assigned to it on the Riverbed licensing web site, if the Flow Gateway has Internet access. If the Flow Gateway does not have access to the Internet, it is necessary to activate the license manually. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 55

Installing the Flow Gateway License activation License activation If the licenses have been activated on the Riverbed licensing web site and the Flow Gateway has downloaded its licensing keys, skip to the next step: Additional configuration on page 58. To confirm that the Flow Gateway has downloaded its license keys from the Riverbed licensing web site, 1. Log in to the Flow Gateway using the admin account user name and the password that you specified in the preceding step. 2. Navigate to the Configuration > Licenses page. If the License Key column lists an MSPEC license key, then Flow Gateway has downloaded its licenses from the licensing web site and you can proceed with installation verification. If no MSPEC license key is listed, then Flow Gateway has not downloaded its license keys. 3. Click Fetch Updates Now. If the Flow Gateway has Internet access and the licenses have been activated on the Riverbed licensing web site, then the license keys will be listed within a few minutes. If the Flow Gateway does not have Internet access, or if its licenses have not been activated on the Riverbed licensing site, then it will not be able to fetch its license keys. If you have been given the license keys, enter them manually as described below. If you are responsible for generating the license keys, 1. Go to the Riverbed licensing web site and generate the keys. (See Generating the license keys, next.) 2. Copy the license keys or else email them to a machine that has access to the Flow Gateway. 3. Manually add the license keys to the Flow Gateway Configuration > Licenses page. Generating the license keys To generate a license key on the Riverbed licensing site: 1. Ensure that you have product serial number for each appliance. This is located on the rear of the chassis. The number identified as SN is the product serial number. 2. Point your browser to the Riverbed licensing portal: https://licensing.riverbed.com 3. Enter the product serial number. This displays a table listing the serial numbers of all the SteelCentral products purchased on the same purchase order as the appliance whose serial numbers you entered. 56 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

License activation Installing the Flow Gateway 4. If you purchased only one appliance, then the licenses you purchased are already assigned to that appliance. If you purchased more than one appliance, use the drop-down list boxes in the Software column for each serial number to assign the correct licenses to each appliance. Select or multi-select the licenses you want to activate for each appliance. 5. Follow the instructions of the licensing wizard to continue the process and generate the license keys. 6. If the Flow Gateway has Internet access, it automatically downloads the licenses that have been assigned to its serial number. If the Flow Gateway does not have access to Internet and cannot fetch license keys from the Riverbed licensing site, then it is necessary to enter the license keys manually on the Flow Gateway Configuration > Licenses page. To get the keys for entering manually, continue with the next step on the licensing web site. 7. Either choose the option to email the license keys to yourself, or else copy the activated license keys from the table. 8. Place the keys in a file that is accessible to the machine you are using for configuring the Flow Gateway. Manually adding the license keys 1. On the Flow Gateway, navigate to the Configuration > Licenses page and click Add License(s). 2. Paste or type the license keys into the Licenses page. When entering more than one license key, use a commaseparated list. 3. Confirm that the licenses are listed on the Configuration > Licenses page and that the status of each is green. When the license keys have been added, the Flow Gateway is fully functional and ready for additional configuration or for installation verification. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 57

Installing the Flow Gateway Additional configuration Additional configuration The Flow Gateway appliance must be configured to receive flow data from flow data collectors and to send its processed traffic information to a NetProfiler or NetExpress appliance. It can be configured to receive flow data on the Management interface, the Aux interface, or both. If necessary, you can specify static routes. The Flow Gateway appliance can also be configured to forward flow data to two other destinations in the format in which it is received. For descriptions of making other configuration changes, refer to the Flow Gateway on line help system. Configuring the Aux interface To enable the Aux interface, 1. Go to the Configuration > General Settings page and scroll to the Aux Interface Configuration section. 2. Enter the IP address, netmask and connection settings for the Aux interface. 3. Select the Configure AUX Interface option. Specifying static routes If there are multiple subnets on the Aux interface network, or if you need to use a gateway router other than the default gateway, it may be necessary to define static routes. Use the Static Routes section of the Configuration > General Settings page to specify static routes as necessary. Specifying ports on which the Flow Gateway is to receive flow data 1. Go to the Configuration > General Settings page and scroll to the Data Sources section. 58 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Additional configuration Installing the Flow Gateway 2. Select the data type and enter the port number or numbers on which the Flow Gateway is to receive it. Flow Gateway does not require flow data to use particular ports. However, you must identify the port that the sending device is configured to send to. Each port can receive only one type of flow data. 3. If you have configured the Aux interface, select which interfaces are to receive flow data. 4. Click Configure Now at the bottom of the page to apply the settings. The number of sources that you can configure to send flow data to the Flow Gateway depends on the amount of data each is sending. The total from all sources combined must not exceed the capacity of the Flow Gateway. Refer to your license agreement for the flow capacity of your Flow Gateway appliance. Specifying destinations for traffic information To specify NetProfiler or NetExpress appliances that are to receive traffic flow data from the Flow Gateway: 1. Go to the Configuration > NetProfiler Export page. 2. Click Add New Entry to open a blank entry for specifying a destination NetProfiler or NetExpress appliance. 3. In the NetProfiler IP Address box, enter the IP address of the management interface for an NetExpress or Standard NetProfiler. For an Enterprise NetProfiler, enter the IP address of the Dispatcher Module, if one is present. If there is no Dispatcher Module, then enter the IP address of the Analysis Module. 4. In the Flow Sources box, either: Leave the box blank to forward all flow data to the specified NetProfiler, or Enter a comma-separated list of the IP addresses of flow source devices whose traffic is to be sent to the NetProfiler. You can enter IP addresses by clicking Browse and searching for the flow source device by name, address, or subnet. To send data to a second NetProfiler, perform Steps 2 through 4 for that NetProfiler. 5. Click Configure Now at the bottom of the page to apply the settings. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 59

Installing the Flow Gateway Additional configuration Specifying forwarding destinations for flow data received by the Flow Gateway The Flow Gateway can forward flow data to two destinations. Flow data is forwarded in the format in which it is received. You can make the forwarded flow data appear to be coming from the Flow Gateway. Use the Overwrite Source option to use the Flow Gateway address as the source address in the forwarded data packets. This may be necessary to prevent packets from appearing to be spoofed. To specify forwarding destinations, 1. Go to the Configuration > Flow Forwarding page. 2. Click Add New Entry to open a blank entry for specifying a destination. 3. Enter the destination IP address, port number, and data type for each destination. (For IPFIX data, select NetFlow.) 4. If you need to have the data identified as coming from the Flow Gateway, select Overwrite Source to use the Flow Gateway address as the source address in the forwarded data packets. 5. In the Flow Sources box, either: Leave the box blank to forward all flow data to the specified device, or Enter a comma-separated list of the IP addresses of flow source devices whose traffic is to be sent to the specified destination device. You can enter IP addresses by clicking Browse and searching for the flow source device by name, address, or subnet. 6. Click Configure Now at the bottom of the page to apply the settings. The Flow Gateway begins forwarding flow data to the destination devices within 5 minutes after you click Configure Now. 60 SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide

Installation verification Installing the Flow Gateway Installation verification Verify that the Flow Gateway has been successfully installed and configured by logging in and checking the Overview page. The Overview page identifies all traffic information sources that are currently sending data to the Flow Gateway. Also, it identifies destinations to which the Flow Gateway forwards traffic information. If flow sources are currently configured to send data to the Flow Gateway, they should be displayed on the Overview page. If NetProfilers are receiving data from the Flow Gateway, they should also be displayed on the Overview page. Hardware specifications Rack space The Flow Gateway requires a 1U rack space and is best mounted in a 4-post, 19-inch rack or cabinet. It can also be mounted in a 2-post, 19-inch rack, but this requires a deep shelf. Product model: CAG-00360 (Regulatory compliance code 1UACA) Dimensions without bezels or mounting flanges: Height: 87.1 mm, 3.4 in. Width 436.1 mm, 17.2 in. Depth: 644.4 mm, 25.4 in. Dimensions with all protrusions: Height: 88.9 mm, 3 1/2 in. SteelCentral NetProfiler, NetExpress and Flow Gateway Appliance Installation Guide 61