SteelCentral™ Flow Gateway Software

Installation Guide for Azure

Version 10.24

January 2023
© 2023 Riverbed Technology, Inc. All rights reserved.

Riverbed®, SteelConnect™, SteelCentral™, SteelHead™, and SteelFusion™ are all trademarks or registered trademarks of
Riverbed Technology, Inc. (Riverbed) in the United States and other countries. Riverbed and any Riverbed product or service
name or logo used herein are trademarks of Riverbed. All other trademarks used herein belong to their respective owners. The
trademarks and logos displayed herein cannot be used without the prior written consent of Riverbed or their respective
owners.

This document is furnished "AS IS" and is subject to change without notice and should not be construed as a commitment by
Riverbed. Riverbed does not provide any warranties for any information contained herein and specifically disclaims any liability
for damages, including without limitation direct, indirect, consequential, and special damages in connection with this
document. This document may not be copied, modified or distributed without the express authorization of Riverbed and may
be used only in connection with Riverbed products and services. Use, duplication, reproduction, release, modification,
disclosure or transfer of this document is restricted in accordance with the Federal Acquisition Regulations as applied to civilian
agencies and the Defense Federal Acquisition Regulation Supplement as applied to military agencies. This document qualifies
as "commercial computer software documentation” and any use by the government shall be governed solely by these terms.
All other use is prohibited. Riverbed assumes no responsibility or liability for any errors or inaccuracies that may appear herein.

Individual license agreements can be viewed at the following location: https://<appliance_name>/license.php

This manual is for informational purposes only. Addresses shown in screen captures were generated by simulation software
and are for illustrative purposes only. They are not intended to represent any real traffic or any registered IP or MAC addresses.

Riverbed Technology
680 Folsom Street
San Francisco, CA 94107 Part Number
www.riverbed.com 712-00133-19
1 - Introduction .......................................................................................................................................................4
Additional Resources ..................................................................................................................................... 5
Contacting Riverbed ...................................................................................................................................... 5

2 - Preparing for installation .................................................................................................................................6

Required Hardware and Software............................................................................................................... 7
Data sources.................................................................................................................................................... 7
Network access .............................................................................................................................................. 7
Configuration information ...........................................................................................................................8

3 - Deploying Flow Gateway Cloud on an Azure virtual machine............................................................... 11

4 - Configuring Flow Gateway ........................................................................................................................... 15

5 - Licensing Flow Gateway ................................................................................................................................ 18

Obtain license keys from the licensing portal........................................................................................ 19
Enter license keys ......................................................................................................................................... 19

6 - Configuring Cloud Flow Data Sources ....................................................................................................... 21

SteelCentral Agent ....................................................................................................................................... 21
Amazon Web Services VPC network........................................................................................................ 21

SteelCentral™ Flow Gateway Software Installation Guide for Azure | 3

 1
Introduction

This document describes the deployment and configuration of SteelCentral™ Flow Gateway Virtual
Edition as a cloud-based virtual appliance in Microsoft Azure.

The installation process includes:

• “Preparing for installation” on page 6

• “Deploying Flow Gateway Cloud on an Azure virtual machine” on page 11
• “Configuring Flow Gateway” on page 15
• “Licensing Flow Gateway” on page 18
• “Configuring Cloud Flow Data Sources” on page 21
When the installation tasks are completed, the Flow Gateway is ready to configure operationally.
Operational configuration is described in the online help system.

SteelCentral™ Flow Gateway Software Installation Guide for Azure | 4

 Introduction

Additional Resources
The primary source of product information is the online help system. Additional information is available
from the Riverbed Support site at https://support.riverbed.com. This includes:

• Release Notes - posted on the Software page for your product. Choose your product from the
Software menu.
• Users Guides - posted on the Documentation page for your product. Choose your product from
the Documentation menu.
• Tech Notes - linked to from the Documentation page for your product. Choose your product from
the Documentation menu.
• Knowledge Base - a database of known issues and how-to documents. You can browse titles or
search for key words and strings. Choose “Search the Knowledge Base” from the Knowledge Base
menu.

Contacting Riverbed
Options for contacting Riverbed include:

• Internet - Find out about Riverbed products at https://www.riverbed.com.

• Support - If you have problems installing, using, or replacing Riverbed products, contact Riverbed
Technical Support or your channel partner who provides support. To contact Riverbed Technical
Support, please open a trouble ticket at https://support.riverbed.com or call 1-888-RVBD-TAC (1-
888-782-3822) in the United States and Canada or +1 415 247 7381 outside the United States.
• Professional Services - Riverbed has a staff of engineers who can help you with installation,
provisioning, network redesign, project management, custom designs, consolidation project
design, and custom-coded solutions. To contact Riverbed Professional Services, go to http://
www.riverbed.com/services/index.html or email [email protected].
• Documentation - Riverbed continually strives to improve the quality and usability of its
documentation. We appreciate any suggestions you may have about our online documentation or
printed materials. Send documentation comments to [email protected].

SteelCentral™ Flow Gateway Software Installation Guide for Azure | 5

 2
Preparing for installation

When you purchase the Flow Gateway, you receive an email with a license activation token. Verify that
you have this token before you deploy the product.

You must also verify that the required hardware and software are available, and that network ports are
open to allow the Flow Gateway to receive information from other SteelCentral products and to access
required network services.

This section contains the following topics:

• “Required Hardware and Software” on page 7

• “Data sources” on page 7
• “Network access” on page 7
• “Configuration information” on page 8

SteelCentral™ Flow Gateway Software Installation Guide for Azure | 6

 Preparing for installation

Required Hardware and Software

The recommended minimum hardware requirements are listed in the SteelCentral Product Family
Specifications.

Data sources
Flow Gateway receives traffic information from NetFlow, IPFIX, sFlow. NetShark, and AppResponse 11,
or compatible Packeteer FDR sources. It also receives SteelFlow Net information from SteelHead
(formerly called CascadeFlow). This includes application identification, QoS configuration and flow data.
SteelFlow Net is a standards-compliant variant of NetFlow v9 that uses a custom Riverbed template to
send standard NetFlow data as well as more specialized metrics.

For Flow Gateway to receive flow data from NetFlow-enabled devices, enable the SNMP ifIndex
persistence feature of the NetFlow source to ensure consistency of interface reporting.

Additionally, Riverbed SteelCentral Agent and Amazon Web Services Virtual Private Cloud networks can
be configured to send cloud flow data to Flow Gateway.

There are two approaches to setting up data sources:

• Set up the available data sources and point them to the IP address of the Flow Gateway before you
install it.
• Install the Flow Gateway up to the point of verification, then go install or configure the data sources,
and then return to the Flow Gateway to complete the installation verification.
It is preferable to configure all the data sources that are available at the time you install the Flow
Gateway. However, Flow Gateway operation can be confirmed with just one data source.

Network access
The Flow Gateway uses the management network to communicate with other SteelCentral products
and to access network services. Some basic requirements are listed in the sections that follow, for
detailed information on which ports and protocols must be open, refer to the SteelCentral Network
Performance Management Deployment Guide.

Network ports for communication between SteelCentral products

Verify that the following ports are open to enable communication between SteelCentral products:

• TCP/22 – (ssh) Required to receive upgrade packages from a NetProfiler.

• TCP/41017 – Required to encrypt communication between the Flow Gateway and NetProfiler,
NetShark and AppResponse 11.
• UDP/123 – (ntp) Required to synchronize the time between the Flow Gateway and NTP Server.

Access to and from network access services

Verify that the following ports are open to enable access to and from the network:

• TCP/22 – (ssh) Required to enable shell access to product software components.

SteelCentral™ Flow Gateway Software Installation Guide for Azure | 7

 Preparing for installation

• TCP/443 – (https) Required to secure web-based management interface.

Configuration information
When you configure the Flow Gateway, you will be prompted to provide configuration information. The
available configuration settings are listed in the table below.

It may be useful to write the configuration values in the blank column of the checklist below so that you
can refer to them during the configuration step or afterward.

DNS name resolution for hosts (enable or disable):

Primary DNS server IP address:

Secondary DNS server IP address:

Primary port settings:

(10/100/1000 Mb/s, half- or full-duplex, or auto-
negotiate)

Switch port settings:

The settings of the switch port or hub that the Flow
Gateway primary port connects to. (Auto-negotiate is
recommended.)

Aux interface IP address

Aux interface netmask

Aux interface switch port settings

Time Zone:

Flow encryption certificate (default or new certificate):

For faster installation, use the default encryption
certificate shipped with the Flow Gateway and then
generate a new certificate later.

Data Sources - Use sFlow

Specify the port number on which the Flow Gateway
will receive the data. Applies only if the Flow Gateway
is receiving sFlow data (versions 2, 4 or 5). Do not send
more than one type of flow data to the same port.

Data Sources - Use Packeteer

Specify the port number on which the Flow Gateway
will receive the data. Applies only if the Flow Gateway
is receiving Packeteer Flow Detail Records (versions 1
or 2). Do not send more than one type of flow data to
the same port.

Data Sources - Use Netflow

Specify the port number on which the Flow Gateway
will receive the data. Applies only if the Flow Gateway
is receiving NetFlow data (versions 1, 5, 7 or 9), IPFIX,
CascadeFlow, or cFlow data. Do not send more than
one type of flow data to the same port.

SteelCentral™ Flow Gateway Software Installation Guide for Azure | 8

 Preparing for installation

SNMP information:
The Flow Gateway is set by default to use SNMP
Version 1 and to allow MIB browsing. If you are
configuring SNMP at this time, obtain the necessary V1
or V3 information.

First NetProfiler data input address. NetProfiler IP Address:

The address of the NetProfiler to which the Flow
Gateway will send traffic data. This is the IP address of
the management interface (Primary port) of an Flow sources:
NetExpress or Standard NetProfiler or the address of
the first Dispatcher Module of an Enterprise
NetProfiler.
If data sent to this NetProfiler is limited to data
received from certain flow sources only, specify those
sources.

Second NetProfiler data input address. NetProfiler IP Address:

If the Flow Gateway will be sending traffic data to
more than one NetProfiler, this is the IP address of the
second NetProfiler. It is the management interface Flow sources:
(Primary port) of an NetExpress or Standard NetProfiler
or the address of the Dispatcher Module of an
Enterprise NetProfiler.
If flow forwarding to this NetProfiler is limited to data
received from certain flow sources only, specify those
sources

Data Forward - Destination 1 IP address:

IP address and port number of the first destination to
Port:
which the Flow Gateway is to forward flow data, the
type of data (e.g., NetFlow) to be forwarded, and Type:
whether or not the source address of the forwarded Source:
packets should be overwritten with the source address
from which they were received. Overwrite source address? Yes/No:

If flow forwarding to this destination is limited to data

received from certain flow sources only, specify those
sources.

Data Forward - Destination 2 IP address:

IP address and port number of the second destination
Port:
to which the Flow Gateway is to forward flow data, the
type of data (e.g., NetFlow) to be forwarded, and Type:
whether or not the source address of the forwarded Source:
packets should be overwritten with the source address
from which they were received. Overwrite source address? Yes/No:

If flow forwarding to this destination is limited to data

received from certain flow sources only, specify those
sources.

SteelCentral™ Flow Gateway Software Installation Guide for Azure | 9

 Preparing for installation

Password to use for your initial Gateway login:*

The default password is admin.

New password to enter when prompted to change the

initial Flow Gateway password:*
Applies only to systems not previously configured.

SteelCentral™ Flow Gateway Software Installation Guide for Azure | 10

 3
Deploying Flow Gateway Cloud on an
Azure virtual machine
This section explains how to deploy the Flow Gateway in the Microsoft Azure cloud environment.
Note: Only instance types from the ESv3 and Dsv3 families are supported.

To install using the Microsoft Azure portal

1. Log in to the Microsoft Azure portal and navigate to your dashboard.

2. Click Create a resource.

The New page appears. On this page you can find Marketplace items by search, type, or popularity.

3. Search for keywords: SteelCentral Flow Gateway.

4. Select an image from the available options. Click Create.

The Create virtual machine wizard displays.

5. In the Basics section of the wizard, enter this information:

Project Details
– Select a subscription model.
– Select a resource group, or click Create new if you want to place the virtual appliance you are
creating into a new resource group.
Instance Details
– Enter a display name for the virtual appliance.
– Select the region where you want to deploy the virtual appliance. Note that the supported
instance types are not available in US DoD Central, US DoD East,​and US Gov Iowa.
– Specify Availability options.
– Select the image you want to install on the virtual machine. The default is the item you selected
in Step 4.
– Select a size for the virtual machine. The size determines the maximum amount of compute
resources (CPU, RAM memory) available to the virtual machine—ESv3-series and Dsv3-series
instance types are supported.
Administrator Account
Note: Do not configure the instance to use SSH public key—Specifying SSH keys on instance deployment is not
supported and will make it impossible to use the device.

SteelCentral™ Flow Gateway Software Installation Guide for Azure | 11

 Deploying Flow Gateway Cloud on an Azure virtual machine

– Specify a username and password—Specify ‘mazu’ as the username and provide a password for
the account.

6. Click Next : Disks > to advance to the wizard’s Disks tab.

7. Under Disk Options, select a disk type for Flow Gateway appliance’s operating system—Premium SSD
compatibility is recommended, but not required.

8. Under Data Disks, create and attach a disk or (attach an existing disk) for buffered flow data.
The Flow Gateway software is preconfigured to use the main volume where the Flow Gateway is
installed.

Important: Do not modify the preconfigured operating system disk during this process.

We recommend that you add an additional virtual hard disk to store buffered flow data. If you do
not already have a storage disk, select Create and Attach a new disk.
– In the Create a new disk page, specify these settings: disk type, display name, size in
gigabytes(GB), source type.
The second drive, for buffered flow data, should be between 500GB and 2TB in size.
– Click OK. The virtual disk(s) with your settings is allocated. The Create a new disk page closes
and you are returned to the wizard’s Disk tab. The newly allocated disk is listed under Data Disks.
– Select Read/Write from the Host Caching drop-down menu corresponding to the newly
allocated disk.
If you already have a data store disk, select Attach an existing disk.
– A row is added to the Data Disks table.
– Select a disk from the Name drop-down menu.
– Select Read/Write from the Host Caching drop-down menu corresponding to the newly added
disk.

9. Under the Advanced section, accept the default values.

10. Click Next : Networking > to advance to the wizard’s Networking tab.

11. Select the network and subnet where you want to deploy the Flow Gateway from the Virtual network
and Subnet drop-down menus. You should configure settings according to your infrastructure setup.
For example, the subnet that you assign should be one from which the Flow Gateway will be able to
communicate with the NetProfiler and any appliances from which it receives flow data.
If you have not already configured a virtual network and a subnet, click Create new to display the
Create new network page. Enter an address space for the new virtual network, create subnets, and
then click OK. See the Microsoft Azure help for assistance.

12. Optionally select a public IP address from the Public IP drop-down menu. A public IP enables you to
communicate with the virtual appliance from outside the virtual network.

SteelCentral™ Flow Gateway Software Installation Guide for Azure | 12

 Deploying Flow Gateway Cloud on an Azure virtual machine

If you want to use a public IP but none exist, click Create new to display the Create public IP address
page. Enter a display name for the new IP address, specify SKU and assignment, and then click OK.
See the Microsoft Azure help for assistance.

13. NIC network security group is Advanced. NIC network security group settings are preconfigured.

14. Select a network security group from the Configure network security group drop-down menu.
If no security groups exist, click Create new to display the Create network security group page,
specify Inbound rules and Outbound rules, and then click OK. See the Microsoft Azure help for
assistance.

15. Accelerated networking is Off. Accelerated networking is not supported.

16. Under Load Balancing, select No.

17. Click Next : Management > to advance to the wizard's Management tab.

18. Optionally configure the settings under Monitoring, Identity, and Auto-Shutdown to your liking.

19. Click Next : Advanced > to advance to the wizard's Advanced tab.

20. Click Next : Tags > to advance to the wizard's Tags tab.

21. Optionally add tags.

22. Click Next : Review + create > to advance to the wizard's Review + create tab.

23. Review your selections and then click Create.

When you see the message, “Your deployment is complete”, click Go to resource to display the
VM’s overview page, which includes the Public IP Address and Private IP Address.
In a browser, navigate to the IP using HTTPS. The default credentials are username “admin”, password
“admin”. You will see the Setup page of the Flow Gateway appliance.

SteelCentral™ Flow Gateway Software Installation Guide for Azure | 13

 Deploying Flow Gateway Cloud on an Azure virtual machine

SteelCentral™ Flow Gateway Software Installation Guide for Azure | 14

 4
Configuring Flow Gateway

After you deploy the Flow Gateway Virtual Edition on your VM, you can configure the Flow Gateway
environment. This chapter describes how you enable network access to the product and complete
additional configuration before you activate the product licenses.

The appliance configures itself during the firstboot process which can take more than an hour
depending on system size. During this time, basic status messages are provided via the web user
interface and command line interface. Once firstboot completes, the appliance reboots and finishes
configuration so it is ready to use. You will know it is complete when the login screen appears in the web
user interface.

The web user interface will be available for login when the Flow Gateway is ready. The first time you log
in to the Flow Gateway web user interface, the software displays a setup page. Parts of this page are
prepopulated with the IP address, subnet mask, and default gateway. Complete the initial configuration
as described below.

Follow these steps:

1. On the management network, use a web browser to navigate to the IP address of the new VM.
https://<Flow_Gateway_IP_address>

2. Log in to the Flow Gateway web user interface. Use the default user name and password “admin”
The first time you log in to the Flow Gateway user interface, it displays the Setup page.

3. On the Setup page, fill in the additional information, as necessary:

– Name Resolution - specify to use DNS resolution for hosts reported by the Flow Gateway and,
the addresses and search domains for the DNS servers.

SteelCentral™ Flow Gateway Software Installation Guide for Azure | 15

Configuring Flow Gateway

– AUX Interface - If you intend to use the AUX interface, enter the IP address, netmask and
connection settings.

– Static Routes - If there are multiple subnets on the Aux interface network, or if you need to use a
gateway router other than the default gateway, you can define static routes.
– Time Configuration - Specify the time zone.
– Data Sources - You can configure the Flow Gateway to receive traffic flow information from
devices using NetFlow (versions 1, 5, 7 and 9), SteelFlow Net, CascadeFlow, IPFIX, sFlow
(versions 2, 4 and 5), and Packeteer (versions 1 and 2). You can specify one or more ports in a
comma-separated list for each type of flow data, up to a combined total of 50 ports.
You can also exclude data sources. Flow Gateway ignores data sent to it from addresses listed in
the Excluded Sources box. For example, it drops NetFlow data sent to it from a router whose
address is listed in the Excluded Sources box.
When you configure Flow Gateway to use the Aux and Management interfaces on separate
networks, select the Allow on interface option to control which interface is to receive traffic
flow data.

– SNMP MIB Configuration - Flow Gateway is set by default to use SNMP Version 1 and to allow MIB
browsing. If you are configuring SNMP at this time, obtain the necessary V1, V2C, or V3 information.

16 | SteelCentral™ Flow Gateway Software Installation Guide for Azure

 Configuring Flow Gateway

4. Click Configure Now.

5. In the Change password page, change the password for the admin user.
This process updates the password used for the “admin” user in the WebUI, as well as the mazu/
root/admin/dhcp system user accounts. The system account passwords can each be changed later
using the Administration > Appliance Security > Security Compliance page.
This step also disables shell access to the device. You can enable shell access by selecting the Login
enabled checkbox on the Administration > Appliance Security > Security Compliance page.
Your browser session closes while the configuration changes are made. You can then log back in to
activate your licenses.

SteelCentral™ Flow Gateway Software Installation Guide for Azure | 17

 5
Licensing Flow Gateway

When you purchase the Flow Gateway, your purchase confirmation email includes a license request
token. You use this token to generate a license request key, that you use to obtain license keys from the
Riverbed licensing portal.

When you enter the license activation code on the Riverbed licensing portal, the portal generates a
license key for each license you have purchased. Copy these keys and enter them on the Flow Gateway
licensing page to activate the licenses features.

This section contains the following topics:

• “Obtain license keys from the licensing portal” on page 19

• “Enter license keys” on page 19

SteelCentral™ Flow Gateway Software Installation Guide for Azure | 18

 Licensing Flow Gateway

Obtain license keys from the licensing portal

You must obtain the license keys from the licensing portal to activate the Flow Gateway licenses.

Follow these steps:

1. Log in to the Flow Gateway web user interface.

2. Navigate to the Administration > Licenses page.

3. Paste or enter your license request token in the License request token field and click Submit.
The Flow Gateway generates a license activation code and displays it in a popup window.

4. Download the licenses from the license server.

Enter license keys

Enter your license keys in the Flow Gateway to activate the licenses you have purchased.

Follow these steps:

1. Log in to the Flow Gateway web user interface.

2. Navigate to the Administration > Licenses page and click Add license(s) in the Licenses section.
The licenses window opens.

3. Enter the license keys as a comma-separated list and click OK.

SteelCentral™ Flow Gateway Software Installation Guide for Azure | 19

Licensing Flow Gateway

The Flow Gateway activates the licenses and displays them in a list. If your web user interface
session is terminated when the new licenses are activated, log back in and navigate to the
Administration > Licenses page.

4. Review the list of licenses if necessary.

After you install the licenses,

• Verify the installation by checking to see if the Flow Gateway is monitoring traffic
• Go to the Administration > NetProfiler Export page and configure the Flow Gateway to send traffic
to the NetProfiler. For details, see the NetProfiler Export topic in the online help.

20 | SteelCentral™ Flow Gateway Software Installation Guide for Azure

 6
Configuring Cloud Flow Data Sources

Flow Gateway can receive flow data from software running in the cloud and send the flow data to
NetProfiler for analysis and reporting. The sources of cloud flow data include:

• SteelCentral AppResponse Cloud

• SteelCentral Agent, which is managed by SteelCentral SaaS.
• Amazon Web Services Virtual Private Cloud (AWS VPC) networks, through the Riverbed plug-in for
the AWS CloudWatch service.
For instructions on configuring AppResponse Cloud to send flow data to Flow Gateway, search for
“Configuring Flow Export” in the SteelCentral AppResponse 11 User’s Guide. You can find the latest
version of the guide on the Documentation tab here:

https://support.riverbed.com/content/support/software/steelcentral-npm/appresponse-ar11.html

SteelCentral Agent
Flow Gateway can receive flow data from SteelCentral Agent to provide visibility into the cloud. This
requires deploying the agent and using the SteelCentral AppInternals product to configure it. Refer to
“Deploying the Agent as an NPM Data Source” in the AppInternals user documentation for instructions
on how to deploy and configure the agent.

https://doc.steelcentral.net/help/wwhelp/wwhimpl/js/html/
wwhelp.htm?context=config_reference&topic=agentnpmdatasource

Amazon Web Services VPC network

To configure an AWS VPC to send flow data to Flow Gateway, you must deploy an AWS Lambda script
that is provided by Riverbed. Refer to the Riverbed AWS Lambda script deployment instructions on the
NetProfiler page of the Riverbed Support site.

SteelCentral™ Flow Gateway Software Installation Guide for Azure | 21