Reduce the Active Mobile Clients in a LAN

    The number of active mobile clients is controlled by the license of the Steelhead Mobile Controller. However, by the design of the Steelhead Mobile Controller, clients still occupy concurrent sessions and acceleration capacity while they are in the internal network. I don't know the purpose of this design, but it definitely wastes the resources of a Steelhead Mobile Controller, because acceleration is not necessary in a LAN.

    Fortunately, the Mobile Client software provides a firewall-like ability based on the embedded acceleration policy, and we can use it to control the communication between a mobile client and the Steelhead Mobile Controller. Mobile clients communicate with a Controller via TCP port 7870, and this is the key point I use to control that communication.

    The topology below is a regular design for a Steelhead Mobile Controller. Mobile clients create VPN tunnels to the data center and accelerate traffic. Most remote-access VPN devices issue a range of IP addresses to the clients dialing in; that range is controllable and is usually part of the local network. In this case, I assume the range is 192.168.10.0/25 and only clients whose IP addresses belong to this range are allowed to communicate with the Mobile Controller (which also means that local clients can't communicate with the Controller).

[Figure: regular mobile topology]

      In order to achieve this goal, I create two acceleration policies to control communication between the clients and the Controller and put them in front of the three default acceleration policies.

1. Pass Through Policy: This policy passes the mobile clients' (192.168.10.0/25) TCP sessions with destination port 7870 through to the Mobile Controller. It should be the first policy.

[Figure: pass-through policy]

2. Deny Policy: This policy denies the local clients' (192.168.10.128/25) TCP sessions to the Mobile Controller. It should be the second policy. Note that this rule matches only the source range 192.168.10.128/25; a client on any other internal subnet is not caught by it and falls through to the default policies, so widen the source range (or add a deny entry per internal subnet) if the LAN is larger than that.

[Figure: deny policy]

As a result, only mobile clients can connect to the Steelhead Mobile Controller.

[Figure: connection result]
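To make the ordering and the coverage of the two entries visible, here is an added Python illustration. It is not Riverbed's code: the rule format, the Controller address 10.1.1.10 and a single catch-all entry standing in for the three default policies are assumptions made for this example. Only TCP port 7870, the VPN pool 192.168.10.0/25 and the local range 192.168.10.128/25 come from the post. The list is evaluated top-down and the first match wins, and a second helper reports which internal subnets the deny entry does not cover at all.

```python
"""First-match evaluation of an ordered acceleration policy list.

Added illustration only; this is not Riverbed's code and the rule
format is an assumption for the example.  Facts taken from the post:
clients reach the Controller on TCP 7870, the VPN pool is
192.168.10.0/25 and the local clients are 192.168.10.128/25.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

CONTROLLER_PORT = 7870          # from the post
CONTROLLER_IP = "10.1.1.10"     # assumed address of the Mobile Controller


@dataclass(frozen=True)
class Rule:
    """One policy entry.  A field left as None matches anything."""
    name: str
    action: str                   # "pass", "deny" or "accelerate"
    src: Optional[str] = None     # source CIDR
    dst: Optional[str] = None     # destination CIDR
    dport: Optional[int] = None   # destination TCP port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        if self.src and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and dport != self.dport:
            return False
        return True


# The two policies from the post, placed ahead of the defaults.  The single
# catch-all "accelerate" entry stands in for the three default policies,
# whose exact contents the post does not list (assumption).
POLICIES: List[Rule] = [
    Rule("Pass Through Policy", "pass", src="192.168.10.0/25",
         dst=f"{CONTROLLER_IP}/32", dport=CONTROLLER_PORT),
    Rule("Deny Policy", "deny", src="192.168.10.128/25",
         dst=f"{CONTROLLER_IP}/32", dport=CONTROLLER_PORT),
    Rule("default", "accelerate"),
]


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule name) of the first entry that matches: an ordered
    policy list is walked top-down and evaluation stops at the first hit."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action, rule.name
    raise LookupError("no rule matched; add a catch-all default")


def unguarded_subnets(rules: List[Rule], subnets: List[str]) -> List[str]:
    """Internal subnets whose hosts reach the Controller on TCP 7870 through
    neither the pass nor the deny entry, i.e. that still fall through to the
    defaults.  Use it to check the deny entry against the real LAN layout."""
    controller = ipaddress.ip_address(CONTROLLER_IP)
    leaks = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr)
        covered = any(
            r.action in ("pass", "deny")
            and r.src is not None
            and r.dport == CONTROLLER_PORT
            and (r.dst is None or controller in ipaddress.ip_network(r.dst))
            and net.subnet_of(ipaddress.ip_network(r.src))
            for r in rules
        )
        if not covered:
            leaks.append(cidr)
    return leaks


if __name__ == "__main__":
    # Constructed sample connections: a VPN client, a local client, and a
    # client on a second internal subnet the post's deny entry does not name.
    for src in ("192.168.10.5", "192.168.10.200", "192.168.20.7"):
        print(src, "->", evaluate(POLICIES, src, CONTROLLER_IP, CONTROLLER_PORT))
    print("uncovered:", unguarded_subnets(POLICIES, ["192.168.10.128/25", "192.168.20.0/24"]))
```

The third sample connection is the caveat in code form: a host on 192.168.20.0/24 is matched by neither entry and ends up at the default policies, so it still registers with the Controller.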

This is just a temporary solution to reduce the number of active mobile clients, and it may have disadvantages in particular remote-access VPN designs. Riverbed should release a feature to control clients' connections when they are in a local network.
