Proxy Administration Guide

6.6.x

i
Advanced Secure Gateway 6.6.x Proxy Administration Guide

Contact Information
Americas:
Blue Coat Systems Inc.
384 Santa Trinita Avenue
Sunnyvale, CA 94085

Rest of the World:

Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland

http://www.bluecoat.com/contact/customer-support

http://www.bluecoat.com
For concerns or feedback about the documentation:
[email protected]

ii
© 2016 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW,
INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER,
PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, SEE EVERYTHING. KNOW
EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other
Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other
countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue
Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties
are the property of their respective owners. This document is for informational purposes only.

BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS
DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS
DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS,
AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY
WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY
TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT,
RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Americas: Rest of the World:

Blue Coat Systems, Inc. Blue Coat Systems International SARL
384 Santa Trinita Avenue 3a Route des Arsenaux
Sunnyvale, CA 94085 1700 Fribourg, Switzerland

Document Revision: Advanced Secure Gateway Proxy 6.6.x—09/2016

iii
Advanced Secure Gateway 6.6.x Proxy Administration Guide

iv
Contents

Chapter 1: Introduction
Document Conventions ................................................................................................................... 22
Notes and Warnings......................................................................................................................... 23
About Procedures ............................................................................................................................. 24

Chapter 2: Accessing the Appliance

Accessing the Advanced Secure Gateway Appliance Using the Management Console ....... 26
Ways to Access the Management Console ............................................................................. 26
About the Management Console Banner................................................................................ 35
Viewing the Benefits of Deploying the Advanced Secure Gateway Appliance ............... 35
Logging Out of the Management Console ............................................................................. 40
Accessing the Advanced Secure Gateway Using the CLI .......................................................... 41
Configuring the Advanced Secure Gateway Appliance Name ................................................. 44
Changing the Login Parameters ..................................................................................................... 45
Changing the Administrator Account Credentials ............................................................... 45
Changing the Advanced Secure Gateway Realm Name...................................................... 46
Changing the Advanced Secure Gateway Timeout.............................................................. 47
Viewing the Appliance Serial Number ......................................................................................... 48
Configuring the System Time ......................................................................................................... 49
Synchronizing to the Network Time Protocol.............................................................................. 52

Chapter 3: Licensing
License Types.............................................................................................................................. 57
Licensing Terms ......................................................................................................................... 57
License Expiration...................................................................................................................... 58
Locating the System Serial Number ........................................................................................ 59
MACH5 or Secure Web Gateway Obtaining a BlueTouch Online Account .................... 59
Registering and Licensing Blue Coat Appliance and Software........................................... 60
Installing a License on a Registered System........................................................................... 60
Manually Installing the License ............................................................................................... 61
Enabling Automatic License Updates ........................................................................................... 64
Viewing the Current License Status............................................................................................... 65

Chapter 4: Controlling Access to the Advanced Secure Gateway

Moderate Security: Restricting Management Console Access Through the Console Access
Control List (ACL) .................................................................................................................... 72

1
 Chapter 5: Backing Up the Configuration
Archiving Quick Reference Table .................................................................................................. 81
Creating a Transferable Archive..................................................................................................... 91
Creating and Uploading an Archive to a Remote Server ......................................................... 101

Chapter 6: Explicit and Transparent Proxy

Manually Configure Client Browsers for Explicit Proxy ................................................... 112
Creating an Explicit Proxy Server with PAC Files .............................................................. 112

Chapter 7: Managing Proxy Services

Changing the State of a Service (Bypass/Intercept) .................................................................. 130
Proxy Service Global Options ....................................................................................................... 141
Adding Static Bypass Entries ........................................................................................................ 149
Restricted Intercept Topics............................................................................................................ 154

Chapter 8: Intercepting and Optimizing HTTP Traffic

About HTTP Compression ..................................................................................................... 170
Understand Compression Behavior ...................................................................................... 171
Compression Exceptions......................................................................................................... 172
Configuring Compression ...................................................................................................... 172
Notes .......................................................................................................................................... 175
About the HTTP Object Caching Policy Global Defaults ......................................................... 176
Setting the HTTP Default Object Caching Policy....................................................................... 180
Configuring the HTTP Proxy Profile ........................................................................................... 189
Prerequisite for Using CachePulse ........................................................................................ 191
Enabling CachePulse...................................................................................................................... 192
Downloading the CachePulse Database ............................................................................... 192
Allocating Bandwidth to Refresh Objects in Cache................................................................... 195
Viewing the Number of HTTP/HTTPS/FTP Objects Served.................................................. 214
Viewing the Number of HTTP/HTTPS/FTP Bytes Served ..................................................... 215
Viewing Active Client Connections............................................................................................. 216
Viewing HTTP/HTTPS/FTP Client and Server Compression Gain Statistics .................... 217
Viewing HTTP/FTP Client Compressed Gain Statistics ................................................... 217
Viewing HTTP/FTP Server Compressed Gain Statistics................................................... 218
Deployment Scenarios............................................................................................................. 221
How the Advanced Secure Gateway Appliance Handles an Upgrade Request................... 223
Feature Limitations......................................................................................................................... 225

Chapter 9: Managing the SSL Proxy

IPv6 Support ............................................................................................................................. 228
Working with SSL Traffic........................................................................................................ 229
Configuring the SSL Proxy in Explicit Proxy Mode .................................................................. 233

2
 Specifying an Issuer Keyring and CCL Lists for SSL Interception ................................... 234
Using Client Consent Certificates.......................................................................................... 234
Downloading an Issuer Certificate ........................................................................................ 235
Warn Users When Accessing Websites with Untrusted Certificates ...................................... 238
Presenting Untrusted Certificates to a Browser .................................................................. 238
Set the Behavior when Encountering Untrusted Certificates ............................................ 238
Viewing SSL History Statistics...................................................................................................... 245
Unintercepted SSL Data .......................................................................................................... 245
Unintercepted SSL Clients ...................................................................................................... 246
Unintercepted SSL Bytes ......................................................................................................... 246
Configuring STunnel...................................................................................................................... 248
Viewing STunnel Results............................................................................................................... 250
Application Mix........................................................................................................................ 252
Viewing Session Statistics ....................................................................................................... 252
Viewing Protocol Details ........................................................................................................ 253
Access Logging......................................................................................................................... 253
Viewing Encrypted Tap Results ............................................................................................ 256
Working with the SafeNet Java HSM .......................................................................................... 257
Before You Begin ...................................................................................................................... 257
Add an HSM ............................................................................................................................. 258
Add an HSM Keyring.............................................................................................................. 258
Add an HSM Keygroup .......................................................................................................... 259
Write HSM Policy ........................................................................................................................... 260

Chapter 10: Managing the WebEx Proxy

IPv6 Support ............................................................................................................................. 269
About Controlling the WebEx Application and File Sharing .................................................. 270
Enable HTTP Handoff.................................................................................................................... 271
Control Access to a WebEx Site with Policy ............................................................................... 272
Control File Uploads with Policy ................................................................................................. 274
Control Desktop Sharing with Policy .......................................................................................... 277
WebEx Proxy Access Logging ...................................................................................................... 281
Review WebEx Proxy Sessions ..................................................................................................... 283

Chapter 11: Managing the File Transport Protocol (FTP) Proxy

Configuring the Advanced Secure Gateway Appliance for Native FTP Proxy .................... 290
Modifying the FTP Proxy Service .......................................................................................... 290
Configuring the FTP Proxy..................................................................................................... 291
Configuring FTP Clients for Explicit Proxy ......................................................................... 292

3
 Chapter 12: Managing the Domain Name Service (DNS) Proxy

Chapter 13: Managing a SOCKS Proxy

IPv6 Support ............................................................................................................................. 299
Configuring the SOCKS Proxy ..................................................................................................... 301
Viewing SOCKS History Statistics ............................................................................................... 303
Viewing SOCKS Clients .......................................................................................................... 303
Viewing SOCKS Connections ................................................................................................ 303
Viewing SOCKS Client and Server Compression Gain Statistics .................................... 304

Chapter 14: Managing Shell Proxies

Configuring the Telnet Shell Proxy Service Options................................................................. 310
Viewing Shell History Statistics.................................................................................................... 312

Chapter 15: Configuring and Managing an HTTPS Reverse Proxy

About Mutual SSL Authentication ........................................................................................ 319

Chapter 16: Using the Advanced Secure Gateway Appliance in an IPv6 Environment
Using the Advanced Secure Gateway Appliance in an ISATAP Network............................ 327
IPv6 Support on the Advanced Secure Gateway....................................................................... 330
Configuring an ADN for an IPv6 Environment......................................................................... 340
Optimizing ISATAP Traffic........................................................................................................... 341
Configuring IPv6 Global Settings................................................................................................. 342

Chapter 17: Geolocation

Prerequisite for Using Geolocation .............................................................................................. 346
Overview: Setting up, Using, and Removing Geolocation....................................................... 347
Enabling Geolocation ..................................................................................................................... 348
DNS Lookup.................................................................................................................................... 349
Downloading the Geolocation Database..................................................................................... 351
Identifying a Country by IP Address .......................................................................................... 352
Writing Geolocation Policy ........................................................................................................... 353
Client Geolocation (Reverse Proxy)....................................................................................... 353
Geolocation (Forward Proxy)................................................................................................. 353
Troubleshooting Geolocation........................................................................................................ 354
Access Log Errors ........................................................................................................................... 355
Removing Client Geolocation Settings ........................................................................................ 356

Chapter 18: Filtering Web Content

About Application Filtering ................................................................................................... 359
Web Content Filtering Process Flow ..................................................................................... 360
About Blue Coat WebFilter and the WebPulse Service ............................................................ 361
About Dynamic Categorization ............................................................................................. 362

4
 Considerations Before Configuring WebPulse Services..................................................... 367
Enabling a Content Filter Provider .............................................................................................. 373
Specifying a Blue Coat Data Source ...................................................................................... 374
Downloading the Content Filter Database ................................................................................. 375
About Database Updates ........................................................................................................ 375
Downloading a Content Filter Database .............................................................................. 376
Viewing the Status of a Database Download....................................................................... 377
Expiry Date for the Database.................................................................................................. 378
Viewing the Available Categories or Testing the Category for a URL ............................ 378
Testing the Application and Operation for a URL.............................................................. 378
Disabling Dynamic Categorization ....................................................................................... 380
Specifying a Custom Time Period to Update Blue Coat WebFilter.................................. 381
Configuring Dynamic Categorization Requests for HTTP/HTTPS (CLI only).............. 385
Verify Subscribed Bundles...................................................................................................... 387
Configure Intelligence Services.............................................................................................. 387
Download a New Version of the Database .......................................................................... 388
Monitor Content Filter Health Status.................................................................................... 388
Troubleshoot Health Monitoring Errors............................................................................... 389
Enable Application Classification.......................................................................................... 391
Review Applications and Operations ................................................................................... 392
Download a New Version of the Application Classification Database ........................... 394
Review Application Attributes .............................................................................................. 394
Monitor Application Classification and Application Attributes Health Status.............. 398
Local Database Matching Example ....................................................................................... 400
Selecting and Downloading the Local Database........................................................................ 402
Setting the YouTube Server Key ............................................................................................ 406
Distinguishing Blue Coat Categories for YouTube in the Access Log ............................. 406
Scenario: Limit a User’s Daily Access to YouTube Videos ................................................ 407
Scenario: Limit a User’s Weekly Data Usage ....................................................................... 408
View Quota Statistics............................................................................................................... 408
Reset Usage Quotas ................................................................................................................. 409
Policy Examples Using the Application Control Objects................................................... 423

Chapter 19: Web Application Protection

Enabling Application Protection .................................................................................................. 436
Testing the Application Protections............................................................................................. 437
Verifying the Database Download............................................................................................... 437

Chapter 20: Analyzing the Threat Risk of a URL

How the Threat Risk Service Works with WebPulse.......................................................... 439
Threat Risk Levels Descriptions............................................................................................. 439

5
 Configure Threat Risk Levels ....................................................................................................... 441
Requirements for Using Threat Risk Levels......................................................................... 441
Enable Threat Risk Levels....................................................................................................... 442
Write Threat Risk Policy ......................................................................................................... 443
Use Threat Risk Features ............................................................................................................... 446
Look up Threat Risks for a Web Page ................................................................................... 446
Download a New Version of the Database .......................................................................... 446
Monitor Threat Risk Statistics ................................................................................................ 447
Monitor Threat Risk Health Status ........................................................................................ 448
Troubleshoot Threat Risk Levels ........................................................................................... 449

Chapter 21: Configuring Threat Protection

Blue Coat WebPulse................................................................................................................. 454
Adding an External ICAP Service for Content Scanning ......................................................... 456

Chapter 22: Malicious Content Scanning Services

Creating an ICAP Service .............................................................................................................. 481
Managing ICAP Health Checks ............................................................................................. 485
Monitoring ICAP Health Metrics .......................................................................................... 487
Configuring ICAP Feedback ......................................................................................................... 489
Customizing ICAP Patience Text ................................................................................................. 491
HTTP Patience Text ................................................................................................................. 491
FTP Patience Text ..................................................................................................................... 493
Using Secure ICAP ......................................................................................................................... 496
Using a Crossover Cable................................................................................................................ 498
Configuring ICAP Using a Crossover Cable........................................................................ 498
Using a Private Network ............................................................................................................... 499
Introduction to Content Analysis Request Monitoring ............................................................ 502
Using ICAP Headers in Policy...................................................................................................... 521

Chapter 23: Configuring Service Groups

Creating a Service Group .............................................................................................................. 531

Chapter 24: Managing Streaming Media

Limitation .................................................................................................................................. 539
About Microsoft Smooth Streaming...................................................................................... 539
About Adobe HDS ................................................................................................................... 539
About Apple HLS..................................................................................................................... 540
About Windows Media ........................................................................................................... 540
About Processing Streaming Media Content ............................................................................. 544
Limiting Bandwidth................................................................................................................. 546
About Streaming Media Authentication..................................................................................... 554

6
 Apple HLS Authentication ..................................................................................................... 556
Configuring the HTTP Streaming Proxy..................................................................................... 558
Configuring the Windows Media, Real Media, and QuickTime Proxies............................... 562
Limiting Bandwidth ....................................................................................................................... 565
"Viewing Streaming History Statistics" on page 571Configuring Bandwidth
Limitation—Fast Start (WM)............................................................................................ 565
Limiting Bandwidth for Smooth Streaming......................................................................... 566
Configuring the Multicast Network ............................................................................................ 567
Legacy Streaming Log Format ............................................................................................... 568
Reporter Streaming Log Format ............................................................................................ 569
Viewing Streaming History Statistics .......................................................................................... 571
Viewing Current and Total Streaming Data Statistics........................................................ 571
Configuring the Flash Streaming Proxy...................................................................................... 595
Configuring Client Browsers for Explicit Proxy.................................................................. 595
Intercepting the RTMP Service (Transparent Deployment) .............................................. 596
Intercepting the Explicit HTTP Service (Explicit Deployment) ........................................ 596
When VOD Content Gets Cached ......................................................................................... 599
Proxy Chaining......................................................................................................................... 599
CDN Interoperability Support ............................................................................................... 600

Chapter 25: Bandwidth Management

Configuring Bandwidth Allocation ............................................................................................. 613
Bandwidth Management Statistics............................................................................................... 615
Current Class Statistics............................................................................................................ 615
Total Class Statistics................................................................................................................. 615
Using Policy to Manage Bandwidth ............................................................................................ 617

Chapter 26: Configuring Access Logging

Configuring a Log for Uploading ................................................................................................ 631
Viewing Access-Log Statistics ...................................................................................................... 634
Viewing the Access Log Tail .................................................................................................. 634
Viewing the Log File Size........................................................................................................ 635
Viewing Access Logging Status ............................................................................................. 636

Chapter 27: Configuring the Access Log Upload Client

Importing an External Certificate................................................................................................. 641
Deleting an External Certificate ............................................................................................. 642
Creating an External Certificate List ..................................................................................... 642
Digitally Signing Access Logs....................................................................................................... 643
Introduction to Digitally Signing Access Logs .................................................................... 643
Configuring the Upload Client to Digitally Sign Access Logs .......................................... 643

7
 Chapter 28: Creating and Editing an Access Log Facility
Creating a Log Facility ................................................................................................................... 654
Editing an Existing Log Facility.................................................................................................... 656
Associating a Log Facility with a Protocol.................................................................................. 658
Configuring Global Settings.......................................................................................................... 660

Chapter 29: Creating Custom Access Log Formats

Creating a Custom or ELFF Log Format ..................................................................................... 667
Creating Custom Log Formats Based on Reserved Log Formats ..................................... 668

Chapter 30: Access Log Formats

Action Field Values ........................................................................................................................ 676

Chapter 31: Statistics

Viewing the Traffic Mix Report .................................................................................................... 734
Viewing Bandwidth Details for Proxies or Services ........................................................... 735
Viewing Traffic Distribution .................................................................................................. 737
Viewing Per-Proxy or Per-Service Statistics......................................................................... 738
About Bypassed Bytes ............................................................................................................. 738
About the Default Service Statistics ...................................................................................... 739
Viewing NetFlow Statistics ........................................................................................................... 740
Viewing Traffic History ................................................................................................................. 741
Supported Proxies and Services ................................................................................................... 743
Viewing the Application Mix Report........................................................................................... 745
Viewing Bandwidth Details for Web Applications............................................................. 746
Viewing the Application History Report .................................................................................... 749
Viewing System Statistics .............................................................................................................. 751
Resources Statistics .................................................................................................................. 751
Contents Statistics .................................................................................................................... 754
Event Logging Statistics .......................................................................................................... 757
Failover Statistics...................................................................................................................... 758
Active Sessions—Viewing Per-Connection Statistics................................................................ 759
Example Scenarios Using Active Sessions for Troubleshooting ....................................... 759
Analyzing Proxied Sessions.................................................................................................... 760
Analyzing Bypassed Connections Statistics......................................................................... 772
Viewing Errored Sessions and Connections ........................................................................ 774

Chapter 32: WCCP Configuration

Configuring WCCP on the Advanced Secure Gateway Appliance ........................................ 787
Creating the WCCP Configuration on the Advanced Secure Gateway Appliance ....... 787
Modifying the WCCP Configuration .................................................................................... 792
Disabling WCCP ...................................................................................................................... 793

8
 Viewing WCCP Statistics and Service Group Status................................................................. 794

Chapter 33: TCP/IP Configuration

PMTU Discovery............................................................................................................................. 800

Chapter 34: Routing on the Advanced Secure Gateway Appliance

Distributing Traffic Through Multiple Default Gateways ....................................................... 807
Advanced Secure Gateway Appliance Specifics ................................................................. 807
Switching to a Secondary Default Gateway......................................................................... 807
Routing in Transparent Deployments ......................................................................................... 810
Outbound Routing................................................................................................................... 810
Inbound Routing ...................................................................................................................... 810
About Trust Destination MAC............................................................................................... 810
About Static Routes.................................................................................................................. 811
Routing Domains ..................................................................................................................... 813
Using Return-to-Sender (RTS)................................................................................................ 813

Chapter 35: Configuring Failover

Configuring Failover Groups........................................................................................................ 821
Viewing Failover Statistics ............................................................................................................ 823

Chapter 36: Configuring DNS

Adding DNS Servers to the Primary or Alternate Group ........................................................ 829
Resolving Hostnames Using Name Imputing Suffixes............................................................. 833
Adding and Editing DNS Name Imputing Suffixes ........................................................... 833
Changing the Order of DNS Name Imputing Suffixes ...................................................... 834

Chapter 37: Virtual IP Addresses

Creating a VIP ................................................................................................................................. 836
Deleting a VIP ................................................................................................................................. 837

Chapter 38: Configuring Private Networks

Configuring Private Subnets......................................................................................................... 841
Configuring Private Domains....................................................................................................... 842

Chapter 39: Managing Routing Information Protocols (RIP)

Installing RIP Configuration Files................................................................................................ 845

Chapter 40: SOCKS Gateway Configuration

Adding a SOCKS Gateway............................................................................................................ 855
Creating SOCKS Gateway Groups............................................................................................... 857
Configuring Global SOCKS Defaults........................................................................................... 860
Configuring the SOCKS Gateway Default Sequence ................................................................ 862
Creating a SOCKS Gateway Installable List ............................................................................... 869

9
 Chapter 41: TCP Connection Forwarding
Configuring TCP Connection Forwarding ................................................................................. 876
Copying Peers to Another Advanced Secure Gateway in the Cluster............................. 877
Removing a Peer....................................................................................................................... 877

Chapter 42: Configuring the Upstream Network Environment

Creating Forwarding Hosts and Groups .................................................................................... 890
Creating Forwarding Hosts .................................................................................................... 890
Creating Forwarding Groups ................................................................................................. 892
Configuring Global Forwarding Defaults................................................................................... 895
Configuring the Forwarding Default Sequence ......................................................................... 897
Creating a Forwarding Installable List........................................................................................ 906

Chapter 43: Using Policy to Manage Forwarding

Chapter 44: About Security

Controlling User Access with Identity-based Access Controls ............................................... 916

Chapter 45: Controlling Access to the Internet and Intranet

Viewing Logged-In Users.............................................................................................................. 919
About Authentication Modes ....................................................................................................... 927
Setting the Default Authenticate Mode Property................................................................ 929
About Origin-Style Redirection ............................................................................................. 929
Selecting an Appropriate Surrogate Credential .................................................................. 930
Configuring Transparent Proxy Authentication ................................................................. 930
Manually Entering Top-Level Domains (TLDs).................................................................. 930
Permitting Users to Log in with Authentication or Authorization Failures ................... 931
Using Guest Authentication ................................................................................................... 932
Using Default Groups.............................................................................................................. 934

Chapter 46: Local Realm Authentication and Authorization

Creating a Local Realm .................................................................................................................. 954
Changing Local Realm Properties................................................................................................ 955

Chapter 47: CA eTrust SiteMinder Authentication

Creating a SiteMinder Realm ....................................................................................................... 971
Configuring SiteMinder Agents............................................................................................. 971
Configuring SiteMinder Servers................................................................................................... 973
Defining SiteMinder Server General Properties ........................................................................ 975
Configuring Authorization Settings for SiteMinder ........................................................... 976
Configuring General Settings for SiteMinder ...................................................................... 978

10
Chapter 48: Certificate Realm Authentication
Configuring Certificate Realms .................................................................................................... 985
Creating a Certificate Realm................................................................................................... 985
Configuring Certificate Realm Properties ............................................................................ 985
Defining General Certificate Realm Properties ................................................................... 988
Specifying an Authorization Realm............................................................................................. 990

Chapter 49: Oracle COREid Authentication

Creating a COREid Realm............................................................................................................. 999
Configuring Agents for COREid Authentication .................................................................... 1000
Configuring the COREid Access Server.................................................................................... 1002
Configuring the General COREid Settings ............................................................................... 1004

Chapter 50: SAML Authentication

About SAML.................................................................................................................................. 1008
Federation and Metadata ...................................................................................................... 1008
Assertions ................................................................................................................................ 1008
Profiles and Bindings............................................................................................................. 1009
Requirements for SAML Authentication .................................................................................. 1010
Checklist: Preparing the IDP ................................................................................................ 1010
An Overview of the Authentication Process ............................................................................ 1011
Set up SAML Authentication ...................................................................................................... 1013
Export the IDP Metadata File...................................................................................................... 1014
Prepare the Appliance.................................................................................................................. 1016
Configure the CCL ................................................................................................................. 1016
Create an HTTPS Reverse Proxy Service............................................................................ 1016
Configure SAML Attributes ................................................................................................. 1017
Configure General Settings for SAML ................................................................................ 1018
Create the SAML Realm .............................................................................................................. 1020
Configure SAML Authorization................................................................................................. 1022
Policy Conditions ................................................................................................................... 1022
Configure the IDP......................................................................................................................... 1024
Configure AD FS .................................................................................................................... 1024
Configure SiteMinder ............................................................................................................ 1027
Configure Oracle .................................................................................................................... 1030
Configure Shibboleth............................................................................................................. 1034
Prevent Dropped Connections When Policy is Set to Deny................................................... 1036
Backing Up Configuration: Considerations for SAML ........................................................... 1037
Save Keyrings Before Backing up the Configuration ....................................................... 1037
Import Saved Keyrings After Restoring the Configuration............................................. 1037
Re-Import the Appliance Certificate to the Trust List (AD FS) ....................................... 1037

11
 Chapter 51: Integrating the Appliance with Your Windows Domain
Integrate the Advanced Secure Gateway Appliance into the Windows Domain............... 1040
Join the Advanced Secure Gateway Appliance to the Windows Domain..................... 1041
Edit a Windows Domain....................................................................................................... 1042
Configure SNMP Traps for the Windows Domain ................................................................. 1044

Chapter 52: Integrating Advanced Secure Gateway Authentication with Active Directory Using IWA
About IWA Challenge Protocols.......................................................................................... 1046
About IWA Failover .............................................................................................................. 1046
Preparing for a Kerberos Deployment ...................................................................................... 1048
Enabling Kerberos in an IWA Direct Deployment............................................................ 1048
Enabling Kerberos in a BCAAA Deployment.................................................................... 1049
Configuring IWA on the Advanced Secure Gateway Appliance.......................................... 1050
Creating an IWA Realm ........................................................................................................ 1050
Configuring IWA Servers ..................................................................................................... 1052
Defining IWA Realm General Properties ........................................................................... 1057
Creating the IWA Authentication and Authorization Policies.............................................. 1059
Creating an IWA Authentication Policy ............................................................................. 1060
Creating a Guest Authentication Policy ............................................................................. 1062
Creating an IWA Authorization Policy .............................................................................. 1063
Configuring Client Systems for Single Sign-On....................................................................... 1065
Configure Internet Explorer for Single Sign-On................................................................ 1065
Configure Firefox for Single Sign-On.................................................................................. 1066
Using IWA Direct in an Explicit Kerberos Load Balancing/Failover Scenario................... 1066

Chapter 53: Kerberos Constrained Delegation

Chapter 54: LDAP Realm Authentication and Authorization

Creating an LDAP Realm on the Advanced Secure Gateway Appliance ............................ 1078
About LDAP Realms ............................................................................................................. 1079
Creating an LDAP Realm...................................................................................................... 1079
Configuring LDAP Properties on the Advanced Secure Gateway Appliance .................... 1080
Configuring LDAP Servers................................................................................................... 1080
Defining LDAP Base Distinguished Names....................................................................... 1082
Defining LDAP Search & Group Properties ...................................................................... 1084
Customizing LDAP Objectclass Attribute Values ............................................................ 1088
Defining LDAP General Realm Properties......................................................................... 1089

Chapter 55: Novell Single Sign-on Authentication and Authorization

Creating a Novell SSO Realm .................................................................................................... 1100
Novell SSO Agents ....................................................................................................................... 1101
Adding LDAP Servers to Search and Monitor for Novell SSO ............................................. 1103

12
 Querying the LDAP Novell SSO Search Realm ....................................................................... 1105
Configuring Authorization ......................................................................................................... 1106
Defining Novell SSO Realm General Properties...................................................................... 1107

Chapter 56: Policy Substitution Realm

Creating a Policy Substitution Realm ........................................................................................ 1115
Configuring User Information.................................................................................................... 1116
Creating a List of Users to Ignore............................................................................................... 1118
Configuring Authorization ......................................................................................................... 1119
Defining Policy Substitution Realm General Properties......................................................... 1120
Creating the Policy Substitution Policy..................................................................................... 1123

Chapter 57: RADIUS Realm Authentication and Authorization

Creating a RADIUS Realm .......................................................................................................... 1127
Defining RADIUS Realm Properties.......................................................................................... 1128
Defining RADIUS Realm General Properties........................................................................... 1130

Chapter 58: Configuring the Advanced Secure Gateway as a Session Monitor

Chapter 59: Sequence Realm Authentication

Creating a Sequence Realm ......................................................................................................... 1147
Adding Realms to a Sequence Realm ........................................................................................ 1148
Defining Sequence Realm General Properties ......................................................................... 1150

Chapter 60: Managing X.509 Certificates

Certificate Chains ................................................................................................................... 1155
Creating a Keyring ....................................................................................................................... 1163
Deleting an Existing Keyring and Certificate .................................................................... 1166
Providing Client Certificates in Policy ...................................................................................... 1167
Add Certificates to the Advanced Secure Gateway Appliance ............................................. 1168
Create a Keydata File............................................................................................................. 1168
Import Certificates onto the Advanced Secure Gateway Appliance.............................. 1169
Group Related Client Keyrings into a Keylist .......................................................................... 1171
Specify the Client Certificates to be Used in Policy................................................................. 1173
Specify the Client Certificates to be Used in Policy in the VPM ..................................... 1173
Specify the Client Certificates to be Used in Policy in CPL ............................................. 1174
Managing SSL Certificates .......................................................................................................... 1179
Creating Self-Signed SSL Certificates.................................................................................. 1179
Importing a Server Certificate .............................................................................................. 1180
Using Certificate Revocation Lists ............................................................................................ 1182
Managing CA Certificate Lists.................................................................................................... 1191
Creating a CA Certificate List: ............................................................................................. 1191
Updating a CA Certificate List............................................................................................. 1193

13
 Configuring Download of CCL Updates from Blue Coat................................................ 1193
Managing Cached Intermediate Certificates ............................................................................ 1196
Turn off Intermediate Certificate Caching ......................................................................... 1196
View Cached Intermediate Certificates .............................................................................. 1196
Clear Cached Intermediate Certificates .............................................................................. 1198
Creating and Configuring an OCSP Responder ...................................................................... 1204

Chapter 61: Managing SSL Traffic

Editing an SSL Client ................................................................................................................... 1215
Associating a Keyring, Protocol, and CCL with the SSL Client ...................................... 1215
Changing the Cipher Suite of the SSL Client ..................................................................... 1216

Chapter 62: Windows Single Sign-on Authentication

Creating a Windows SSO Realm ............................................................................................... 1227
Configuring Windows SSO Agents ........................................................................................... 1228
Configuring Windows SSO Authorization............................................................................... 1230
Defining Windows SSO Realm General Properties................................................................. 1232

Chapter 63: Using XML Realms

Creating an XML Realm .............................................................................................................. 1239
Configuring XML Servers ........................................................................................................... 1240
Configuring XML Options .......................................................................................................... 1242
Configuring XML Realm Authorization ................................................................................... 1243
Configuring XML General Realm Properties ........................................................................... 1245

Chapter 64: Forms-Based Authentication and Validation

Creating and Editing a Form ...................................................................................................... 1255
Setting Storage Options ............................................................................................................... 1256
About CAPTCHA Validation ..................................................................................................... 1260
Before Implementing CAPTCHA Validation .................................................................... 1260
Configure CAPTCHA Validation .............................................................................................. 1260
Special Considerations .......................................................................................................... 1262
Sample CAPTCHA Validation Form .................................................................................. 1263

Chapter 65: Authentication and Authorization Errors

Chapter 66: Configuring Adapters and Virtual LANs

Changing the Default Adapter and Interface Settings ............................................................ 1294
About Multiple IP Addresses............................................................................................... 1294
Configuring a Network Adapter ......................................................................................... 1294
Improve Resiliency or Create a Bigger Pipe with an Aggregate Interface .................... 1300
Viewing Interface Statistics ......................................................................................................... 1305

14
Chapter 67: Software and Hardware Bridges
Configuring a Software Bridge ................................................................................................... 1312

Chapter 68: Configuring Management Services

Creating a Management Service................................................................................................. 1325
Creating a Notice and Consent Banner for the Management Console .......................... 1329
Managing the SSH Console......................................................................................................... 1330
Managing the SSH Host Key Pairs ...................................................................................... 1330
Creating a Notice and Consent Banner for SSH ................................................................ 1331
Managing SSH Client Keys................................................................................................... 1332
Managing the Telnet Console ..................................................................................................... 1334

Chapter 69: Preventing Denial of Service Attacks

Creating the CPL........................................................................................................................... 1344

Chapter 70: Authenticating an Advanced Secure Gateway Appliance

Obtaining a Advanced Secure Gateway Appliance Certificate ............................................. 1351
Automatically Obtaining an Appliance Certificate........................................................... 1351
Manually Obtaining an Appliance Certificate................................................................... 1351
Creating an SSL Device Profile for Device Authentication .................................................... 1356

Chapter 71: Monitoring the Advanced Secure Gateway Appliance

System Configuration Summary ................................................................................................ 1361
Viewing System Environment Sensors...................................................................................... 1362
Viewing Disk Status and Taking Disks Offline........................................................................ 1364
Viewing SSL Accelerator Card Information ............................................................................. 1365
Selecting Which Events to Log ................................................................................................... 1367
Setting Event Log Size.................................................................................................................. 1368
Enabling Event Notification........................................................................................................ 1369
Syslog Event Monitoring....................................................................................................... 1370
Securely Retrieving Event Logs from the Appliance........................................................ 1372
Viewing Event Log Configuration and Content ...................................................................... 1375
Configuring SNMP Communities.............................................................................................. 1383
Configuring SNMP for SNMPv1 and SNMPv2c ..................................................................... 1385
Adding Community Strings for SNMPv1 and SNMPv2c................................................ 1385
Configuring SNMP Traps for SNMPv1 and SNMPv2c.................................................... 1386
Configuring SNMP for SNMPv3................................................................................................ 1389
About Passphrases and Localized Keys ............................................................................. 1389
Configuring SNMP Users for SNMPv3 .............................................................................. 1389
Configuring SNMP Traps and Informs for SNMPv3 ....................................................... 1391
About the Health Monitoring Metric Types ............................................................................. 1397
Thresholds and Notifications for General Metrics............................................................ 1398

15
 Thresholds and Notifications for Licensing Metrics......................................................... 1399
Notifications for Status Metrics............................................................................................ 1401
Thresholds and Notifications for Subscription Metrics.................................................... 1403
Quick Reference: Default Threshold Values and States ................................................... 1404
Changing Threshold and Notification Settings ................................................................. 1406
Viewing Health Monitoring Statistics................................................................................. 1408

Chapter 72: Verifying the Health of Services Configured on the Advanced Secure Gateway
Background DNS Resolution ...................................................................................................... 1414
Health Check Tests ....................................................................................................................... 1417
Changing Health Check Default Settings ................................................................................. 1425
Configuring Health Check Notifications .................................................................................. 1429
About Health Check Statistics .................................................................................................... 1453

Chapter 73: Maintaining the Advanced Secure Gateway Appliance

Performing Maintenance Tasks .................................................................................................. 1458
Managing Advanced Secure Gateway Appliance Systems.................................................... 1463
Setting the Default Boot System........................................................................................... 1463
Locking and Unlocking Advanced Secure Gateway Appliance Systems ..................... 1464
Replacing a Advanced Secure Gateway Appliance System ............................................ 1464
Deleting a Advanced Secure Gateway Appliance System............................................... 1464

Chapter 74: Diagnostics

Diagnostic Reporting (Service Information)............................................................................. 1469
Sending Service Information Automatically...................................................................... 1469
Managing the Bandwidth for Service Information ........................................................... 1470
Configure Service Information Settings.............................................................................. 1470
Creating and Editing Snapshot Jobs.................................................................................... 1473
Packet Capturing (PCAP—the Job Utility) ............................................................................... 1476
PCAP File Size ........................................................................................................................ 1476
PCAP File Name Format....................................................................................................... 1477
Common PCAP Filter Expressions...................................................................................... 1477
Configuring Packet Capturing ............................................................................................. 1478
Core Image Restart Options ........................................................................................................ 1484
Diagnostics: Blue Coat Customer Experience Program and Monitoring............................. 1485

Chapter 75: XML Protocol

16
Chapter 1: Introduction

This audience for this document is network administrators who are responsible
for managing Blue Coat® Advanced Secure Gateway® appliances. This
document provides reference information and procedures to configure
Advanced Secure Gateway.
The information in this document supersedes information in the appliance’s
Management Console online help.

Supporting Documentation
Supporting documentation for Advanced Secure Gatewayis available on
BlueTouch Online (BTO):
https://bto.bluecoat.com/documentation/All-Documents/

Note: Release Notes are available on BTO on the Downloads page. Log in to BTO
with your username and password to access the release image and release
notes.

❐ Blue Coat Advanced Secure Gateway Content Analysis Webguide

21
Advanced Secure Gateway Administration Guide

Section 1 Document Conventions

The following table lists the typographical and Command Line Interface (CLI)
syntax conventions used in this manual.

Table 1–1 Document Conventions

Conventions Definition

Italics The first use of a new or Blue Coat-proprietary term.

Courier font Screen output. For example, command line text, file names,
and Blue Coat Content Policy Language (CPL).
Courier Italics A command line variable that is to be substituted with a
literal name or value pertaining to the appropriate facet of
your network system.
Courier Boldface A Blue Coat literal to be entered as shown.
Arial Boldface Screen elements in the Management Console.
{ } One of the parameters enclosed within the braces must be
supplied
[ ] An optional parameter or parameters.
| Either the parameter before or after the pipe character can or
must be selected, but not both.

22
Section 2 Notes and Warnings
The following is provided for your information and to caution you against actions
that can result in data loss or personal injury:

Note: Supplemental information that requires extra attention.

Important: Critical information that is not related to equipment damage or

personal injury (for example, data loss).

WARNING! Used only to inform you of danger of personal injury or physical

damage to equipment. An example is a warning against electrostatic discharge
(ESD) when installing equipment.

23
Advanced Secure Gateway Administration Guide

Section 3 About Procedures

Many of the procedures in this guide begin:
❐ Select Configuration > TabName, if you are working in the Management Console,
or
❐ From the (config) prompt, if you are working in the command line interface (CLI).

Blue Coat assumes that you are logged into the first page of the Management
Console or entered into configuration mode in the CLI.
In most cases, procedures in this guide tell you how to perform a task in the
Management Console, even if there is a CLI equivalent.

24
Chapter 2: Accessing the Appliance

This section provides procedures for accessing the Advanced Secure Gateway
so that you can perform administrative tasks using the Management Console
and/or the command-line interface. It assumes that you have performed the
first-time setup using the Serial Console or the front panel and that you have
minimally specified an IP address, IP subnet mask, IP gateway, and DNS
server, and that you have tested the appliance and know that it is up and
running on the network. If you have not yet done this, refer to the hardware
guides for your appliance model.
This section includes the following topics:
❐ "Accessing the Advanced Secure Gateway Appliance Using the
Management Console" on page 26
❐ "Accessing the Advanced Secure Gateway Using the CLI" on page 41
❐ "Configuring Basic Settings" on page 43

25
Advanced Secure Gateway Administration Guide

Section 1 Accessing the Advanced Secure Gateway Appliance Using the

Management Console
The Management Console is a graphical web interface that allows you to manage,
configure, monitor, and upgrade the appliance from any location. To determine
the browser and Java requirements for the Management Console, refer to the
Advanced Secure Gateway Release Notes.
Figure 2–1 ProxySG appliance Management Console

Note: When you access the Management Console home page, if you see a host
mismatch or an invalid certificate message, you must recreate the security
certificate used by the HTTPS-Console. For information on changing the security
certificate, see "Managing the HTTPS Console (Secure Console)" on page 1326.

Ways to Access the Management Console

The methods available to you for accessing the Management Console depend on
what you want to achieve—for example, you might want to manage multiple
Management Console instances—and environmental factors specific to your
deployment. See Table 2–1 for details.

Note: To determine if you have a minimum supported Java version installed,

refer to Knowledge Base article 000031300:
http://bluecoat.force.com/knowledgebase/articles/Solution/000031300

26
Table 2–1 Ways to Access the Management Console

Use Case(s) Environmental Requirements How to access the

Management Console

You want to run the Your deployment must have all of the See "Load the
Management Console following: Management Console
directly in a browser. • Any Advanced Secure Gateway version. Directly in a Browser" on
• A browser with NPAPI support. page 27.
• Browsers enabled with the minimum
supported version of Java to run the
Management Console.

You require an alternative Your deployment must have workstations with See "Run the
to running the the minimum supported version of Java to run Management Console
Management Console the Management Console (browsers need not using Java Web Start" on
directly in a browser be Java-enabled), and at least one of the page 28.
because: following:
• You know that the • Advanced Secure Gateway 6.6.5.x and
browser does not later and a browser without NPAPI
support NPAPI. support.
• Your browser is not • Any Advanced Secure Gateway version
configured to run and any browser version, provided you can
Java or JavaScript. access the Internet or can host the Launcher
applet internally.

You want to launch Your deployment has all of the following: See "Launch Multiple
multiple appliances. • Any browser version. Management Consoles"
• Workstations with the minimum supported on page 30.
version of Java to run Java Web Start;
browsers need not be Java-enabled.
• Access to the Internet.

Load the Management Console Directly in a Browser

Loading the Management Console in a browser is the legacy way to access the
management interface of an appliance. Accessing any Advanced Secure Gateway
version through a browser that supports NPAPI loads the legacy Management
Console directly in the browser by default.

Note: (Version 6.6.5.x and later) If the browser does not load the content
immediately, you can use Java Web Start instead (as described in "Run the
Management Console using Java Web Start" on page 28). A “Click here if your
browser does not support embedded applets” link appears at the bottom of the
Management Console; if you click the link, you are prompted to open or save a
Java Network Launch Protocol (JNLP) file. Otherwise, refresh the browser or wait
for the console to load the legacy Management Console.

27
Advanced Secure Gateway Administration Guide

Load the Management Console in a browser:

1. In the browser’s address bar, enter https://appliance_IP_address:port
The default management port is 8082.
For example, if the IP address configured during initial configuration is
192.168.0.6, type https://192.168.0.6:8082 in the address bar.

2. Enter the user name and password that you created during initial
configuration. Upon successful login, the browser displays the Proxy tab of
the Advanced Secure Gateway Management Console.

Note: The event log records all successful and failed login attempts.

Run the Management Console using Java Web Start

Using Java Web Start simulates the experience of running the Management
Console in a browser. In Advanced Secure Gateway 6.6.5.x and later, if you access
the Management Console using a browser that does not support NPAPI, the
browser presents a message including a link for you to download a JNLP file.
Alternatively—provided you can access the Internet—you can download the
JNLP file from BlueTouch Online (BTO).

Run the Management Console using Java Web Start:

1. (Optional; applicable if you can connect to the Internet) Download the JNLP
file from BTO, and then proceed to step 5.

28
2. In the browser’s address bar, enter https://appliance_IP_address:port
The default management port is 8082.
For example, if the IP address configured during initial configuration is
192.168.0.6, type https://192.168.0.6:8082 in the address bar.
The browser prompts you to enter your user name and password.

3. Enter the user name and password that you created during initial
configuration.
The browser displays a message stating that NPAPI is not supported.

4. In the message, click the link to download the JNLP file (mc.jnlp).
Alternatively, in the Management Console footer, click the “Click here if your
browser does not support embedded applets” link to download the file.
If you have already downloaded the JNLP file, you can run it instead of
downloading a copy; go to step 5.
Save the file to a convenient location on disk. To avoid downloading copies of
the JNLP file, note the location for future use.

29
Advanced Secure Gateway Administration Guide

5. Open the JNLP file. When prompted, enter your user name and password
again.

Upon successful login, the applet loads the Management Console.

Note: The event log records all successful and failed login attempts.

Launch Multiple Management Consoles

The Management Console Launcher allows you to manage and launch multiple
Management Console instances from a single interface.

Note: If none of the appliances in your deployment run version 6.6.5.x or later,
you must have access to the internet to download the launcher.JNLP file from
BTO.

Launch multiple Management Consoles:

1. If you have already downloaded the JNLP file, you can run it instead of
downloading a copy; go to step 4.
2. Perform the appropriate step for your deployment:
• If none of the appliances in your deployment run version 6.6.5.x or later,
use a workstation with access to the internet. Then, go to Blue Coat
Knowledge Base article 000032374 to download the JNLP file:
https://bluecoat.secure.force.com/knowledgebase/articles/Solution/
000032374
• Designate an appliance running Advanced Secure Gateway 6.6.5.x or later
as the one you will use to launch multiple consoles.
Log in to this appliance using steps 2 and 3 in "Run the Management
Console using Java Web Start" on page 28. When you are logged in, the
browser displays the Management Console banner. In the banner, click the
Launcher link.

3. Download the JNLP file (loader.jnlp) to a convenient location on disk. To

avoid downloading copies of the JNLP file, note the location for future use.

30
4. Run the JNLP file. The Management Console Launcher opens.
Figure 2–2 Management Console Launcher - Main dialog

5. Select an appliance in the list and click Launch.

When prompted, enter your console user name and password. After a few
moments, Java Web Start launches the Management Console.
To manage the list of appliances, see "Use the Management Console Launcher" on
page 31.

Use the Management Console Launcher

Use the Management Console Launcher to manage multiple Management
Console instances from a single interface. On the main Launcher dialog, click the
Manage Devices link to display the Device Connection Manager dialog. See
Figure 2–3.
Figure 2–3 Management Console Launcher - Device Connection Manager dialog

31
Advanced Secure Gateway Administration Guide

Manage multiple instances through the Management Console Launcher:

1. Perform the following tasks as required:
• Add or remove appliance using Launcher - See "Add or Remove a Device"
on page 32.
• Change an appliance’s network properties or description - See "Modify a
Device’s Properties" on page 33.
• Back up or restore the list of managed appliances - See "Import or Export a
List of Devices" on page 33.
• Change the order in which the appliances appear in the list - See "Re-order
the List of Devices" on page 34.
2. Launch a Management Console. On the main Launcher dialog, select the
instance and click Launch.

Add or Remove a Device

Use Launcher to add or remove appliances for convenient management of
multiple appliances across your organization.

Add or remove a device:

1. On the Launcher dialog, click the Manage Devices link. The dialog displays a
“Device Connection Manager” list. See Figure 2–3.
2. To add an appliance, specify the device properties:

Note: If you ran Launcher using the Launcher link in the Management
Console banner, the IP address and port fields are pre-populated with the
appliance’s console IP address and port.

a. Select the protocol (HTTP or HTTPS) and type the IP address in the
field.
b. In the Port field, type the port number of the appliance’s Management
Console.
c. (Recommended) In the Description field, enter a description for the
appliance to help identify it.
d. Click Add as New. The appliance you added appears in the list of
devices.
e. (Recommended) Test connectivity to the appliance you added. Select
the appliance in the list and click Test.
If the test is successful, a green checkmark appears beside the Test button.
If the test is unsuccessful, a red “X” appears beside the Test button. Check
the settings you entered and modify them if needed (see "Modify a
Device’s Properties" on page 33). Then, test the connection again.

32
3. To remove an appliance, select it in the list and click Delete. The appliance is
deleted from the list.
4. Click Done. Return to Launcher. The dialog displays the updated list of devices.

Note: You can also add appliances from the main Launcher dialog. The steps are
similar to the ones outlined previously.

Modify a Device’s Properties

If a managed appliance has changed network settings or other details, update its
details in the Launcher.

Modify a device’s properties:

1. On the Launcher dialog, click the Manage Devices link. The dialog displays a
“Device Connection Manager” list. See Figure 2–3 on page 31.
2. Select a device.
3. Change or edit the protocol, IP address, port, or description as needed.
4. Click Update.
5. (If applicable) Modify other devices as needed.
6. Click Done. Return to Launcher. The dialog displays the list of devices.

Import or Export a List of Devices

The import/export function in the Launcher allows you to:
❐ Create a list of devices in comma-separated values (CSV) format outside of
Launcher, and then import it through the Launcher.
❐ Back up (export) the list of managed appliances.
❐ Restore (import) a list of appliances.

Note: Deleting installed applications and applets in the Java Control Panel
removes the list of appliances from Launcher; thus, to prevent inadvertent
deletion, export the list periodically or when you make significant changes to
it.

Prepare a list of devices for import:

1. Create/modify a CSV file. Enter one device per row with the following
properties:
• First cell: Type “TRUE” for HTTPS and “FALSE” for HTTP (not including
the quotation marks).
• Second cell: Enter the device IP address.
• Third cell: Enter the port number for the device’s HTTP/S console.

33
Advanced Secure Gateway Administration Guide

• Fourth cell: Enter a description for the device.

2. Save the file to a convenient location on disk. Note the location for when you
are ready to import the file.

Import/export devices:
1. On the Launcher dialog, click the Manage Devices link. The dialog displays a
“Device Connection Manager” list.
2. To import a list of devices:
a. Click the Import link at the top right of the dialog. See Figure 2–3 on
page 31.
b. In the dialog that opens, browse to the location of the CSV file to
import and select the file.
c. Specify what to do if devices already exist in the Launcher list:
• - This is selected by default. If devices exist in
Merge with current list
Launcher already, they are combined with the list of devices you
import.
• Replace the current list - If devices exist in Launcher already, the list of
devices you import replaces the existing list.
d. Click Done. Return to Launcher. The list of devices is imported.
3. To export the list of devices:
a. Click the Export link at the top right of the dialog. See Figure 2–3 on
page 31.
b. In the dialog that opens, browse to the location where you want to
save the CSV file. Enter a name for the file and save it.
4. Click Done. Return to Launcher. The list of devices is exported.

Re-order the List of Devices

You can change the order of devices of the list to make it easier to manage. For
example, if you are managing a large list of devices, you might want to move the
ones you monitor more frequently to the top of the list.

Change the order of the devices on the list:

1. On the Launcher dialog, click the Manage Devices link. The dialog displays a
“Device Connection Manager” list. See Figure 2–3 on page 31.
2. Select a device and use the arrows to move it up or down in the list.
3. (If applicable) Move other devices as needed.
4. Click Done. Return to Launcher. The dialog displays the list of devices.

34
About the Management Console Banner
After you log in to the Advanced Secure Gateway appliance, the Management
Console displays a banner at the top of the page.

This guide covers the functions of the Advanced Secure Gateway Proxy tab.
The Proxy Management Console banner provides the following information:
❐ Appliance identification— the appliance name, hardware serial number, and
the software version.
❐ Appliance health status— Visible when the Proxy tab is selected. The health
state is represented by a text box and a color that corresponds to the health of
the system (OK-green, Warning- yellow or Critical -red). The system health
changes when one or more of the health metrics reaches a specified threshold
or returns to normal. The health state indicator is polled and updated every 10
seconds on the Advanced Secure Gateway.
To obtain more information about the health state, click the Health: status link
— OK, Warning, Critical. The Statistics > Health page displays; it lists the
current condition of the system’s health monitoring metrics. See "Verifying the
Health of Services Configured on the Advanced Secure Gateway" on page
1411 for more information about the health monitoring metrics.
❐ License status and version— Your Advanced Secure Gateway license includes
all the component licenses for the Proxy and Content Analysis features that
you have purchased. To view a list of the license components and their
expiration date, go to the Maintenance > Licensing > View tab.
❐ Blue Coat product documentation and customer support links. You must have
a Blue Touch Online account to access documentation and to request support.
To log out of the Management Console, click the Log Out link.
❐ Proxy and Content Analysis tabs. Advanced Secure Gateway appliances
include both a module and a Content Analysis module. Use the tabs to switch
from one to the next. For information on configuring ICAP services to use the
internal Content Anlaysis service, see Chapter 22: "Malicious Content
Scanning Services" or the help icon (?) in the Content Anlaysis module.

Viewing the Benefits of Deploying the Advanced Secure Gateway

Appliance
In addition to the Overview tab, which focuses on threat activities of the
Advanced Secure Gateway appliance as a whole, the Statistics > Summary page
displays the role of the Advanced Secure Gateway appliance in boosting the

35
Advanced Secure Gateway Administration Guide

performance of traffic within your network using its optimization, policy control,
and caching techniques. The Summary page visually demonstrates the overall
performance and efficiency of your network.
If you have just completed initial setup and have not configured the Advanced
Secure Gateway to intercept any traffic, the Summary page will not display much
information. For example, you cannot view bandwidth efficiency for traffic being
intercepted by the Advanced Secure Gateway.

Note: To view performance statistics, retrieve your license and create/enable

services on the Advanced Secure Gateway. For information on enabling
services, see Chapter 7: "Managing Proxy Services" on page 121. For licensing
details, see Chapter 3: "Licensing" on page 57.

When the Advanced Secure Gateway appliance is deployed and configured to

meet your business needs, the Summary page monitors and reports information on
your network traffic and applications. The on-screen information is automatically
refreshed every 60 seconds.

Viewing Efficiency and Performance Metrics

The Statistics > Summary > Efficiency tab displays the bandwidth gain achieved
within your network in the Savings panel, and the performance of each interface
in the Interface Utilization panel on the Advanced Secure Gateway. These metrics
represent the last hour of traffic, and are updated every 60 seconds.
The Savings panel displays the top 5 services that are intercepted by the
Advanced Secure Gateway, in your network. For detailed information on each
service, click the service and view the details in the Statistics > Traffic History page.

❐ Service: A service represents the type of traffic that is being intercepted; the top
5 services are ranked in descending order of bytes saved.
❐ Bytes Saved Last Hour:Bytes saved display bandwidth savings in the last 60
minutes. It represents data that did not traverse the WAN because of object
and byte caching, protocol optimization, and compression. It is calculated as:
Client Bytes - Server Bytes,
where Client Bytes is the data rate calculated to and from the client on the
client-side connection, and Server Bytes is the data rate calculated to and
from the server on the server-side connection.

36
❐ Percent Savings: A percentage value of bytes saved, calculated as:
{(Client Bytes - Server Bytes)/ Client Bytes} * 100

In the Savings panel shown above, the Percent Savings for FTP is 50% and
bandwidth savings is 2x, which is calculated as Client Bytes/Server Bytes.

Note: The graph in the percent savings column represents savings over the
last hour, while the label reflects the percent savings in the last minute. For
more information on bandwidth savings, click on any row and navigate to the
Statistics > Traffic History page. By default, the traffic history page displays
bandwidth usage and bandwidth gain statistics for the corresponding service
over the last hour.

The Interface Utilization panel displays statistics on interface use, reveals network
performance issues, if any, and helps determine the need to expand your network.

❐ Interface:
The interfaces are labeled with an adapter number followed by an
interface number. For example, on 2-port bridge cards, the interface number is
0 for WAN and 1 for LAN connections; 4-port bridge cards have 0 and 2 for
WAN and 1 and 3 for LAN.
❐ Link state:
Indicates whether the interface is in use and functioning. It also
displays the duplex settings and includes the following information:
• Up or Down: Up indicates that the link is enabled and can receive and
transmit traffic. Down indicates that the link is disabled and cannot pass
traffic.
• Auto or Manual: Indicates whether the link is auto-negotiated or manually
set
• 10Mbps, 100 Mbps or 1Gbps: Displays the capacity of the link.
• FDX or HDX: Indicates whether the interface uses full duplex or half duplex
connection, respectively. In some cases, if a duplex mismatch occurs when
the interface is auto-negotiated and the connection is set to half-duplex,
the display icon changes to a yellow warning triangle. If you view a
duplex mismatch, you can adjust the interface settings in the Configuration
> Network > Adapters tab.

37
Advanced Secure Gateway Administration Guide

❐ Transmit Rate and Receive Rate: Displays number of bits processed per second,
on each interface.
The graphs in the transmit rate and receive rate columns represent interface
activity over the last hour, while the value in the label represents interface
activity over the last minute.
❐ Errors: Displays the number of transmission errors, if any, in the last hour.
Interfaces with input or output errors are displayed in red.
For more information on an interface, click on any row; the Statistics > Network >
Interface History page displays.

Monitoring System Resources and Connectivity Metrics

The Statistics > Summary > Device tab displays a snapshot of the key system
resources, identification specifics, and the status of external devices that are
connected to the Advanced Secure Gateway appliance.
The identification panel provides information on the name of the Advanced
Secure Gateway, IP address, hardware serial number, software version and the
build (release) ID. You can copy and paste the information on this panel, into an
email for example, when communicating with Blue Coat Support.

This information is also displayed on the Management Console banner and under
Configuration > General > Identification. To assign a name to your Advanced Secure
Gateway, see "Configuring the Advanced Secure Gateway Appliance Name" on
page 44.

38
The Statistics area displays the current percentages of CPU usage and memory
utilization, and the number of concurrent users. Concurrent users represents the
number of unique IP addresses that are being intercepted by the Advanced Secure
Gateway. For more information on these key resources, click the link; the
corresponding panel under Statistics > System > Resources displays.
❐ The Statistics panel also displays whether the Advanced Secure Gateway is
enabled to act as Client Manager for ProxyClient and Unified Agent users.
The status information displayed for the remote clients include the following
options:

Feature Status Description

ProxyClient and Client Manager This Advanced Secure Gateway serves as a
Unified Agent Enabled; <number> Client Manager. Also displayed is the
Active Clients number of active clients that are connected
to this Client Manager.

Disabled This Advanced Secure Gateway is not

configured as a Client Manager.

The Connectivity area displays the status of external devices and services that the
Advanced Secure Gateway appliance relies on, for effective performance. The
status indicates whether the appliance is able to communicate with the external
devices and services that are configured on it.

The external devices or services, that can be configured on the Advanced Secure
Gateway, include:
❐ WCCP capable routers/switches
❐ External ICAP devices (such as Blue Coat ProxyAV or Content Analysis
appliances)
❐ DNS Servers
❐ Authentication realms
Only those external devices or services that are configured on the Advanced
Secure Gateway are displayed on this panel. If, for example, ICAP is not yet
enabled on the Advanced Secure Gateway, ICAP is not listed in the connectivity
panel.
The connectivity status for these external devices is represented with an icon —
Ok, Warning, or Critical. The icon and the text portray the most severe health
status, after considering all the health checks configured, for the device or service.

39
Advanced Secure Gateway Administration Guide

With the exception of WCCP, click on any row to view the health status details in
the Statistics > Health Checks tab. The Statistics > Health Checks tab provides
information on the general health of the Content Analysis services configured on
the Advanced Secure Gateway, allows you to perform routine maintenance tasks
and to diagnose potential problems. For more information on health checks, see
"Verifying the Health of Services Configured on the Advanced Secure Gateway"
on page 1411.
To view details on the status of WCCP capable devices in your network, click on
the WCCP service row, the Statistics> Network > WCCP tab displays. The Statistics >
Network > WCCP tab provides information on the configured service groups and
their operational status. For more information on how to configure WCCP on the
Advanced Secure Gateway, see Chapter 33: "WCCP Configuration" on page 813.
For more detailed information about WCCP, refer to the WCCP Reference Guide.

Logging Out of the Management Console

To exit the current session, click the Log out link on the Management Console
banner.
You may be logged out of the Advanced Secure Gateway automatically when a
session timeout occurs. This security feature logs the user out when the
Management Console is not actively being used. For more information, see
"Changing the Advanced Secure Gateway Timeout" on page 47.
Thirty seconds before the session times out, the console displays a warning
dialog. Click the Keep Working button or the X in the upper-right corner of the
dialog box to keep the session alive.

If you do not respond within the 30-second period, you are logged out and lose all
unsaved changes. To log in again, click the You need to log in again to use the console
hyperlink in the browser (legacy Management Console only). To log out
completely, close the browser window.

40
Section 2 Accessing the Advanced Secure Gateway Using the CLI
You can connect to the Advanced Secure Gateway command-line interface via
Secure Shell (SSH) using the IP address, username, password that you defined
during initial configuration. The SSH management console service is configured
and enabled to use SSHv2 and a default SSH host key by default. If you wish to
access the CLI, you can use SSHv2 to connect to the Advanced Secure Gateway.
An SSH host key for SSHv2 and an SSH management service are configured by
default. If you want to use SSHv1 or Telnet without additional configuration.

Note: You can also access the CLI using Telnet or SSH v1. However, these
management services are not configured by default. For instructions on
configuring management services, see Chapter 68: "Configuring
Management Services" on page 1323.

To log in to the CLI, you must have:

❐ the account name that has been established on the Advanced Secure Gateway
❐ the IP address of the Advanced Secure Gateway
❐ the port number (22 is the default port number)
Advanced Secure Gateway supports different levels of command security:
❐ Standard, or unprivileged, mode is read-only. You can see but not change
system settings and configurations. This is the level you enter when you first
access the CLI.
❐ Enabled, or privileged, mode is read-write. You can make immediate but not
permanent changes to the Advanced Secure Gateway, such as restarting or
shutting down the system. This is the level you enter when you first access the
Management Console.
❐ Configuration mode allows you to make permanent changes to the Advanced
Secure Gateway configuration. To access Configuration mode, you must be in
Enabled mode.
When you log in to the Management Console using your username and
password, you are directly in configuration mode.
However, if you use the CLI, you must enter each level separately:
Username: admin
Password:
> enable
Enable Password:
# configure terminal
Enter configuration commands, one per line. End with CTRL-Z.
#(config)
For detailed information about the CLI and the CLI commands, refer to the
Command Line Interface Reference.

41
Advanced Secure Gateway Administration Guide

Note: Most tasks can be performed in both the Management Console and the
CLI. This guide covers procedures for the Management Console; refer to the
Command Line Interface Reference for related CLI tasks. Tasks that are available only
in the Management Console or only in the CLI are noted as such.

42
Section A: Configuring Basic Settings
This sections describes how to configure basic settings, such as the Advanced
Secure Gatewayappliance name, time settings, and login parameters. It includes
the following topics:
❐ "How Do I...?" on page 43
❐ "Configuring the Advanced Secure Gateway Appliance Name" on page 44
❐ "Changing the Login Parameters" on page 45
❐ "Viewing the Appliance Serial Number" on page 48
❐ "Configuring the System Time" on page 49
❐ "Synchronizing to the Network Time Protocol" on page 52

How Do I...?
To navigate this section, identify the task to perform and click the link:

How do I...? See...

Assign a name to identify the Advanced "Configuring the Advanced Secure

Secure Gateway? Gateway Appliance Name" on page 44

Change the logon parameters? "Changing the Login Parameters" on page

45

Locate the Appliance Serial Number? "Viewing the Appliance Serial Number" on
page 48

Configure the local time on the "Configuring the System Time" on page 49
Advanced Secure Gateway?

Synchronize the Advanced Secure "Synchronizing to the Network Time

Gateway to use the Network Time Protocol" on page 52
Protocol (NTP)?

Change the log-in username and "Changing the Administrator Account

password? Credentials" on page 45

Configure a console realm name to "Changing the Advanced Secure Gateway

identify the Advanced Secure Gateway Realm Name" on page 46
that I am accessing (before I log in to the
Management Console)?

Configure the time for console log out on "Changing the Advanced Secure Gateway
the Advanced Secure Gateway? Timeout" on page 47

43
Advanced Secure Gateway Administration Guide

Section 3 Configuring the Advanced Secure Gateway Appliance Name

You can assign any name to a Advanced Secure Gateway. A descriptive name
helps identify the system.

To set the Advanced Secure Gateway name:

1. Select Configuration > General > Identification.
2. In the Appliance name field, enter a unique name for the appliance.
3. Click Apply.

44
Section 4 Changing the Login Parameters
You can change the console username and password, the console realm name
which displays when you log in to the appliance, and the auto-logout time. The
default value is 900 seconds.
The Management Console requires a valid administrator username and password
to have full read-write access; you do not need to enter a privileged-mode
password as you do when using the CLI. A privileged-mode password, however,
must already be set.

Note: To prevent unauthorized access to the Advanced Secure Gateway, only

give the console username and password to those who administer the system.

Changing the Administrator Account Credentials

During the initial configuration of your Advanced Secure Gateway appliance, a
console administrator username and password was created. This is a special
account that can always be used to administer the appliance from either the web-
based Management Console or the Command Line Interface. You can change the
username and the password of this administrator account.

Note: Changing the console account’s username or password causes the

Management Console to refresh, requiring you to log in again using the new
credentials. Each parameter must be changed and individually refreshed. You
cannot change both parameters at the same time.

To change the username:

1. Select Configuration > Authentication > Console Access > Console Account.

2. Edit the username of the administrator that is authorized to view and revise
console properties. Only one console account exists on the Advanced Secure
Gateway. If you change the console account username, that username
overwrites the existing console account username. The console account
username can be changed to anything that is not null and contains no more
than 64 characters.

45
Advanced Secure Gateway Administration Guide

3. Click Apply. After clicking Apply, an Unable to Update configuration error is

displayed. This is expected: although the username change was successfully
applied, the configuration could not be fetched from the Advanced Secure
Gateway appliance because the old username was offered in the fetch request.
4. Refresh the screen. You are challenged for the new username.

To change the password:

The console password and privileged-mode password were defined during initial
configuration of the system. The console password can be changed at any time.
The privileged-mode, or enabled-mode, password can only be changed through
the CLI or the serial console.
1. Select Configuration > Authentication > Console Access > Console Account.
2. Click Change Password.
3. Enter and re-enter the console password that is used to view and edit
configuration information. The password must be from 1 to 64 characters
long. As you enter the new password, it is obscured with asterisks. Click OK.

Note: This does not change the enabled-mode password. You can only
change the enabled-mode password through the CLI.

4. Refresh the screen, which forces the SGOS software to re-evaluate current
settings. When challenged, enter the new password.
5. (Optional) Restrict access by creating an access control list or by creating a
policy file containing <Admin> layer rules. For more information, see
"Limiting Access to the Advanced Secure Gateway" on page 67.

Changing the Advanced Secure Gateway Realm Name

When you have multiple Advanced Secure Gateway appliances in your network,
you can configure a console realm name to identify the appliance that you are
accessing.
When you log in to the Management Console, using a browser, the browser’s
pop-up dialog displays. This dialog identifies the Advanced Secure Gateway that
is requesting the username and password.
If configured, the realm name displays on the pop-up dialog. The default realm
name is usually the IP address of the Advanced Secure Gateway. You can,
however, change the display string to reflect your description of the Advanced
Secure Gateway.

To change the realm name:

1. Select Configuration > Authentication > Console Access > Console Account.
2. Enter a new realm name in Console realm name.
3. Click Apply.
The next time you log in to the Management Console, the new realm name
displays on the browser’s pop-up dialog.

46
 Realm Name

Changing the Advanced Secure Gateway Timeout

The timeout is the length of time a Web or CLI session persists before you are
logged out. The default timeout for these options is as follows:
❐ Enforce Web auto-logout—15 minutes
❐ Enforce CLI auto-logout—5 minutes

To change the timeout:

1. Select Configuration > Authentication > Console Access > Console Account.
2. Configure the timeout by doing one of the following:
• Set values for the Web or CLI auto-logout. Acceptable values are between
1 and 1440 minutes.

• Deselect the auto-timeout to disable it.

3. Click Apply.

47
Advanced Secure Gateway Administration Guide

Section 1 Viewing the Appliance Serial Number

The Advanced Secure Gateway serial number assists Blue Coat Systems
Customer Support when analyzing configuration information, including
heartbeat reports. The appliance serial number is visible on the Management
Console banner.

48
Section 2 Configuring the System Time
To manage objects, the Advanced Secure Gateway must know the current
Coordinated Universal Time (UTC), which is the international time standard and
is based on a 24-hour clock. The Advanced Secure Gateway accesses the Network
Time Protocol (NTP) servers to obtain accurate UTC time and synchronizes its
time clock.
By default, the Advanced Secure Gateway connects to an NTP server in the order
they are listed on the NTP tab and acquires the UTC time. You can view UTC time
under UTC in the Configuration > General > Clock > Clock tab. If the appliance cannot
access any of the listed NTP servers, you must manually set the UTC time.
You can, however, also record time stamps in local time. To record time stamps in
local time, you must set the local time based on your time zone. The Advanced
Secure Gateway appliance ships with a limited list of time zones. If a specific time
zone is missing from the included list, you can update the list at your discretion.
The list can be updated by downloading the full time zone database from http://
download.bluecoat.com/release/timezones.tar. Also, the time zone database
might need to be updated if the Daylight Savings rules change in your area.

49
Advanced Secure Gateway Administration Guide

To set local time:

1. Select Configuration > General > Clock > Clock.

2. Click Set Time zone. The Time Zone Selection dialog displays.

3. Select the time zone that represents your local time. After you select the local
time zone, event logs record the local time instead of GMT. To add additional
time zones to the list, update the appliance's time zone database, as described
in the following procedure.
4. Click OK to close the dialog.
5. Click Apply.

50
To update the database:
1. Select Configuration > General > Clock > Clock.
2. Enter the URL from which the database will be downloaded or click Set to
default.

3. Click Install.

To acquire the UTC:

1. Ensure that Enable NTP is selected.
2. Click Acquire UTC Time.

51
Advanced Secure Gateway Administration Guide

Section 3 Synchronizing to the Network Time Protocol

The Network Time Protocol (NTP) is used to synchronize the time of a computer
client or server to another server or reference time source, such as a radio or
satellite receiver or modem. There are more than 230 primary time servers,
synchronized by radio, satellite and modem.
The Advanced Secure Gateway ships with a list of NTP servers available on the
Internet, and attempts to connect to them in the order they appear in the NTP
server list on the NTP tab. You can add others, delete NTP servers, and reorder the
NTP server list to give a specific NTP server priority over others.
The Advanced Secure Gateway appliance uses NTP and the Coordinated
Universal Time (UTC) to keep the system time accurate.
You can add and reorder the list of NTP servers the appliance uses for acquiring
the time. (The reorder feature is not available through the CLI.)

52
To add an NTP server:
1. Select Configuration > General > Clock > NTP.

2. Click New. The Add List Item dialog displays.

3. Choose one of the following:
• Domain name: Enter a domain name of an NTP server that resolves to an
IPv4 or IPv6 address.
• IP address: Enter an IPv4 or IPv6 address of an NTP server.
4. Click OK to close the dialog.
5. Click Apply.

To change the access order:

NTP servers are accessed in the order displayed. You can organize the list of
servers so the preferred server appears at the top of the list. This feature is not
available through the CLI.
1. Select Configuration > General > Clock > NTP.
2. Select an NTP server to promote or demote.
3. Click Promote entry or Demote entry as appropriate.
4. Click Apply.

Depending on your ProxySG appliance configuration, you must open certain

ports and protocols on your firewalls for the appliance to function as intended, or
to allow connectivity to various components and data centers. The following
tables present basic configurations, and some commonly used options.

Basic Ports
This table presents the non-configurable ports which must be available.

53
Advanced Secure Gateway Administration Guide

Port Protocol Direction Description

123 UDP Out NTP*
53 TCP/UDP Out DNS
443 TCP Out Heartbeats, Service information uploading, Licensing
check
444 TCP Out Appliance certificate update
* NTP may be disabled; in that case, the port is not required.

Management and Administration Ports

This table presents ports required for management and administrative functions,
when the listed features are enabled.

Port Protocol Direction Description

22 TCP Out Director registration
514 UDP Out Syslog
161 UDP In SNMP
162 UDP Out SNMP traps
25 TCP Out SMTP for email alerts
8082 TCP Out HTTPS Java Management Console
8081 TCP Out HTTP Console

Networking Ports
This table presents ports required for networking, when the listed features are
enabled.

Port Protocol Direction Description

520 UDP In/Out Routing Information Protocols (RIP)
2048 UDP Out WCCP

IWA Direct Ports

This table presents ports required for IWA Direct authentication realms.

Port Protocol Direction Description

88 TCP/UDP Out Kerberos, used in IWA Direct authentication realms
445 TCP Out SMB, used in IWA Direct authentication realms
389 TCP Out LDAP, used in IWA Direct authentication realms

Application Data Network (ADN) and Proxy Client Ports

54
 This table presents ports required for ADNs and Proxy Client, when the listed
features are enabled.

Port Protocol Direction Description

3030 TCP In/Out Connection Forwarding
3034 TCP In/Out ADN Management
3035 TCP In/Out ADN Data Tunnel
3036 TCP In/Out ADN Management (Secure)
3037 TCP In/Out ADN Data Tunnel (Secure)

8084 TCP In Proxy Client

Other Ports
This table presents other ports which are required when the indicated
feature is in use.

Port Protocol Direction Description

16101 TCP Out IWA-BCAAA authentication
1812 TCP Out Radius authentication
8443 TCP In/Out SafeNet Java HSM

55
Advanced Secure Gateway Administration Guide

56
Chapter 3: Licensing

This section describes Advanced Secure Gateway licensing behavior and

includes the following topics:
❐ "About Licensing" on page 57"Registering and Licensing the Appliance" on
page 59
❐ "Enabling Automatic License Updates" on page 64
❐ "Viewing the Current License Status" on page 65

About Licensing
Each Advanced Secure Gateway requires a license to function. The license is
associated with an individual Advanced Secure Gateway serial number and
determines what software features are available and the number of concurrent
users that are supported.
When you configure a new Advanced Secure Gateway appliance, a license
must be installed before it can intercept and process user traffic.
The following sections describe the licensing options:
❐ "License Expiration" on page 58
❐ "License Types" on page 57
❐ "License Expiration" on page 58

License Types
The following license types are available:
❐ Permanent—A license for hardware platforms that permanently unlocks
the software features you have purchased. When a permanent license is
installed, any user limits imposed by that license are enforced, even if the
trial period is still valid.
❐ Subscription-based—A license that is valid for a set period of time. After
you have installed the license, the Advanced Secure Gateway appliance
will have full functionality, and you will have access to software upgrades
and product support for the subscription period.

Licensing Terms
Advanced Secure Gateway Appliances
Within sixty (60) days of the date from which the user powers up the Advanced
Secure Gateway (“Activation Period”), the Administrator must complete the
Advanced Secure Gateway licensing requirements as instructed by the
Advanced Secure Gateway appliance to continue to use all of the features. Prior

57
Advanced Secure Gateway Administration Guide

to the expiration of the Activation Period, the Advanced Secure Gateway software
will deliver notices to install the license each time the Administrator logs in to
manage the product. Failure to install the license prior to the expiration of the
Activation Period may result in some Advanced Secure Gateway features
becoming inoperable until the Administrator has completed licensing.

ProxyClient/Unified Agent
The Administrator may install ProxyClient or Unified Agent only on the number
of personal computers licensed to them. Each personal computer shall count as
one “user” or “seat.” The ProxyClient or Unified Agent software may only be
used with Blue Coat Advanced Secure Gateway appliances. The Administrator
shall require each user of the Blue Coat ProxyClient software to agree to a license
agreement that is at least as protective of Blue Coat and the Blue Coat ProxyClient
or Unified Agent software as the Blue Coat EULA.

License Expiration
When the base license expires, the appliance stops processing requests and a
license expiration notification message is logged in the Event Log (see "Viewing
Event Log Configuration and Content" on page 1375 for details on how to view
the event log).
In addition, for services set to Intercept:
❐ In a transparent deployment, Advanced Secure Gateway if the default policy
is set to Allow, the appliance acts as if all services are set to Bypass, passing
traffic through without examining it. If default policy is set to Deny, traffic to
these services is denied with an exception. For details, see "Exceptions Due to
Base License Expiration" .
❐ In an explicit deployment, regardless of the default policy setting, traffic to
these services is denied with an exception. For details, see "Exceptions Due to
Base License Expiration" .

Exceptions Due to Base License Expiration

In some cases, the following exceptions occur when the base license expires:
❐ HTTP (Web browsers)—An HTML page is displayed stating the license has
expired.
❐ SSL—An exception page appears when an HTTPS connection is attempted,
but only if the appliance is deployed explicitly or in the case of transparent
proxy deployments, SSL interception is configured.
❐ FTP clients—If the FTP client supports it, a message is displayed stating the
license has expired.
❐ Streaming media clients—If the Windows Media Player, RealPlayer, or
QuickTime player version supports it, a message is displayed stating the
license has expired.
❐ Unified Agent/ProxyClient—After the license has expired, remote clients
cannot connect to the Internet.

58
 ❐ You can still perform configuration tasks through the CLI, SSH console, serial
console, or Telnet connection. Although a component is disabled, feature
configurations are not altered. Also, policy restrictions remain independent of
component availability.
Content Analysis—When the subscription licenses expire for your Antivirus, File
Reputation (Whitelisting), or Sandboxing services, files are not scanned with
those options. If policy is configured to ICAP scan all content, users may receive
exception messages relating to ICAP processing.

Registering and Licensing the Appliance

Before you can register and license your appliance, you must have the following:
❐ The serial number of your appliance. See "Locating the System Serial
Number" on page 59.
❐ A BlueTouch Online account. See "MACH5 or Secure Web Gateway Obtaining
a BlueTouch Online Account" on page 59.
You can then register the appliance and install the license key. The following
sections describe the available options for completing the licensing process:
❐ If you have not manually registered the appliance, you can automatically
register the appliance and install the software license in one step. See
"Registering and Licensing Blue Coat Appliance and Software" on page 60.
❐ If you have a new appliance that previously has been registered, the license is
already associated with the appliance. In this case you just need to retrieve the
license. See "Installing a License on a Registered System" on page 60.
❐ If you have older hardware that previously has been registered or if the
Advanced Secure Gateway does not have Internet access, you must install the
license manually. See "Manually Installing the License" on page 61.
❐ After the initial license installation, you might decide to use another feature
that requires a license. The license must be updated to support the new
feature.

Locating the System Serial Number

Each Advanced Secure Gateway serial number is the appliance identifier used to
assign a license key file. The Advanced Secure Gateway contains an EEPROM
with the serial number encoded. The appliance recognizes the serial number upon
system boot-up. The appliance serial number is located in the information bar at
the top of the Management Console.

MACH5 or Secure Web Gateway Obtaining a BlueTouch Online Account

Before you can register your Advanced Secure Gateway and retrieve the license
key, you must have a Blue Coat BlueTouch Online user account.
If you do not have a BlueTouch Online account or have forgotten your account
information, perform the following procedure.

59
Advanced Secure Gateway Administration Guide

To obtain a BlueTouch Online account:

1. Select the Maintenance > Licensing > Install tab.
2. In the License Administration field, click Register/Manage. The License
Configuration and Management System Web page displays.
3. Perform one of the following:
• To obtain a new account, click the link for Need a BlueTouch Online User ID.
Under Login Assistance (BlueTouch Online), click Request Login User ID/Password.
Fill out the Web form; BlueTouch Online information will be sent to you.
• To obtain your current information for an existing account, click the Forgot
your password link.

Registering and Licensing Blue Coat Appliance and Software

If you have not manually registered the appliance, you can automatically register
the appliance and install the software license in one step as described in the
following procedure.

To register the appliance and software:

1. In a browser, go to the following URL to launch the Management Console:
2. https://appliance_IP_Address:8082 Enter the access credentials specified
during initial setup.
3. In the Proxy tab, select Maintenance > Licensing > Install.
4. Click Register/Manage. A browser window with the Blue Coat License
Configuration and Management System page opens.

5. Enter your Blue Touch Online (BTO) credentials and click Login. If you do not
have a Blue Touch Online account, or you do not remember your credentials,
click the Forgot your password? link on this page.
6. Enter the serial number and hardware appliance model for your appliance
into the available fields and click Register New Appliance.

Installing a License on a Registered System

If the Advanced Secure Gateway is a new system and the appliance has been
registered, retrieve the associated license by completing this procedure.

To retrieve the software license:

1. In the Proxy module, Select the Maintenance > Licensing > Install tab.
2. Click Retrieve. The appliance serial number is used to facilitate the request. No
credentials are required.
3. A dialog reports a successful license download.
4. Restart the appliance.
This will validate the Advanced Secure Gateway license, and allow you to
proceed to the next step.

60
 • In the Management Console, select Proxy > Maintenance > Tasks.
• Click Hardware and Software.
• Click Restart now.
5. When the appliance completes the restart, browse to the Content Analysis tab in
the Management Console.
6. Enable File inspection subscriptions:
• Browse to Content Analysis > System > Licensing.
• Select each available subscription element and click Save Changes.

Manually Installing the License

Perform manual license installation if:
❐ The Advanced Secure Gateway serial number is not associated with a
software license (you have registered the hardware separately)
❐ The Advanced Secure Gateway appliance is unable to access the licensing
portal.
Beyond the initial setup, you must ensure that your Advanced Secure
Gateway appliance has access to the licensing server, as the Content Analysis
subscription services constantly validate the licenses you’ve purchased.

Note: Locate the email from Blue Coat that contains the activation code(s) for
your software. You require these activation codes, as well as your appliance serial
number, to complete the licensing process on the Blue Coat Licensing Portal.

Manually retrieve and install the license:

1. In the Management Console, select Maintenance > Licensing > Install.
2. Click Register/Manage. The licensing portal opens in a browser window and
prompts you for your BlueTouch Online login information.
3. Enter your login credentials and click Login. The Licensing Portal prompts you
to enter your activation code.
4. Enter the activation code and follow the prompts to complete the process.
When prompted to accept the license agreement, read and accept the terms.
The software license is now associated with the appliance.
5. (If necessary) Repeat the previous steps for your other activation codes.

61
Advanced Secure Gateway Administration Guide

Download and manually install the license:

Tip: Follow these steps if the appliance does not have access to the Internet. In the
activation email, click the link to the Licensing Portal. The browser opens the
portal on the main page.
1. Select > License Download. The portal prompts you for your appliance serial
number.

62
2. Follow the prompts to enter your serial number and download the license file.

3. Save the license file to a location that your appliance can access.
4. In the Management Console, select Maintenance > Licensing > Install, and then
select the appropriate option from the License Key Manual Installation drop-down
list:

Note: A message is written to the event log when you install a license through
the Advanced Secure Gateway.

• Remote URL—Choose this option if the file resides on a Web server;

then click Continue. The console displays the Install License Key dialog.
Enter the URL path and click Install. When installation is complete,
click OK.
• Local File—Choose this option if the file resides in a local directory;
then click Continue. The Open window displays.
Navigate to the license file and click Open. When installation is
complete, click OK.
The license is now installed. All Proxy features that you subscribed to are fully
operational. See the Content Analysis tab to ensure that you have activated
the available subscription licenses.

63
Advanced Secure Gateway Administration Guide

Section 1 Enabling Automatic License Updates

The license automatic update feature allows the Advanced Secure Gateway to
contact the Blue Coat licensing Web page 31 days before the license is to expire. If
a new license has been purchased and authorized, the license is automatically
downloaded. If a new license is not available on the Web site, the Advanced
Secure Gateway continues to contact the Web site daily for a new license until the
current license expires. Outside the above license expiration window, the
Advanced Secure Gateway performs this connection once every 30 days to check
for new license authorizations. This feature is enabled by default.

To configure the license auto-update:

1. Select the Maintenance > Licensing > Install tab.
2. Select Use Auto-Update.
3. Select Apply.
4. Click Update License Key.

64
Section 2 Viewing the Current License Status
You can view the license status in the Management Console in the following
ways:
❐ Select Statistics > Configuration > Maintenance. The license status displays as a link
in the upper right hand-corner. Hovering over the license link displays
information, such as the expiration date of the trial period. Click the link to
switch to the View license tab.
❐ Select Maintenance > Licensing > View. The tab displays the license components
with expiration dates.
❐ Select Maintenance > Health Monitoring. The tab displays thresholds for license
expiration dates.

Current high-
level license
data

License
components

For more
details, select a
component and
click.

Each licensable component is listed, along with its validity and its expiration
date.
• To view the most current information, click Refresh Data.
• Highlight a license component and click View Details. A dialog displays
more detailed information about that component.

See Also
❐ "About Licensing" on page 57
❐ "Locating the System Serial Number" on page 59
❐ "MACH5 or Secure Web Gateway Obtaining a BlueTouch Online Account" on
page 59
❐ "Registering and Licensing Blue Coat Appliance and Software" on page 60

65
Advanced Secure Gateway Administration Guide

66
Chapter 4: Controlling Access to the Advanced Secure
Gateway

This section describes how to control user access to the Advanced Secure
Gateway. It includes the following topics:
❐ "Limiting Access to the Advanced Secure Gateway" on page 67
❐ "About Password Security" on page 68
❐ "Limiting User Access to the Advanced Secure Gateway—Overview" on
page 69
❐ "Moderate Security: Restricting Management Console Access Through the
Console Access Control List (ACL)" on page 72
❐ "Maximum Security: Administrative Authentication and Authorization
Policy" on page 73

Limiting Access to the Advanced Secure Gateway

You can limit access to the Advanced Secure Gateway by:
❐ Restricting physical access to the system and by requiring a PIN to access
the front panel.
❐ Restricting the IP addresses that are permitted to connect to the Advanced
Secure Gateway CLI.
❐ Requiring a password to secure the Setup Console.
These safeguards are in addition to the restrictions placed on the console
account (a console account user password) and the Enable password.
By using every possible method (physically limiting access, limiting
workstation IP addresses, and using passwords), the Advanced Secure
Gateway is very secure.
This section discusses:
❐ "Limiting Workstation Access" on page 67
❐ "Securing the Serial Port" on page 68

Limiting Workstation Access

During initial configuration, you have the option of preventing workstations
with unauthorized IP addresses from accessing the Advanced Secure Gateway
for administrative purposes. This covers all access methods - Telnet, SNMP,
HTTP, HTTPS and SSH. If this option is not enabled, all workstations are
allowed to access the Advanced Secure Gateway administration points. You
can also add allowed workstations later to the access control list (ACL). (For

67
Advanced Secure Gateway Administration Guide

more information on limiting workstation access, see "Moderate Security:

Restricting Management Console Access Through the Console Access Control
List (ACL)" on page 72.)

Securing the Serial Port

If you choose to secure the serial port, you must provide a Setup Console
password that is required to access the Setup Console in the future.
Once the secure serial port is enabled:
❐ The Setup Console password is required to access the Setup Console.
❐ An authentication challenge (username and password) is issued to access the
CLI through the serial port.
To recover from a lost Setup Console password, you can:
❐ Use the Front Panel display to either disable the secure serial port or enter a
new Setup Console password.
❐ Use the CLI restore-defaults factory-defaults command to delete all
system settings. For information on using the restore-defaults factory-
defaults command, see "Factory-Defaults" on page 1461.

❐ Use the reset button (if the appliance has a reset button) to delete all system
settings. Otherwise, reset the to its factory settings by holding down the left
arrow key on the front-panel for 5 seconds. The appliance will be reinitialized.
To reconfigure the appliance or secure the serial port, refer to the hardware guides
for your appliance.

About Password Security

In the Advanced Secure Gateway, the console administrator password, the Setup
Console password, and Enable (privileged-mode) password are hashed and
stored. It is not possible to reverse the hash to recover the plain text passwords.
In addition, the show config and show security CLI commands display these
passwords in their hashed form. The length of the hashed password depends on
the hash algorithm used so it is not a fixed length.
Passwords that the Advanced Secure Gateway uses to authenticate itself to
outside services are encrypted using triple-DES on the appliance, and using RSA
public key encryption for output with the show config CLI command. You can use
a third-party encryption application to create encrypted passwords and copy
them into the Advanced Secure Gateway using an encrypted-password command
(which is available in several modes and described in those modes). If you use a
third-party encryption application, verify it supports RSA encryption, OAEP
padding, and Base64 encoded with no new lines.
These passwords, set up during configuration of the external service, include:
❐ Access log FTP client passwords (primary, alternate)—For configuration
information, see "Editing the FTP client" on page 648.
❐ Archive configuration FTP password—For configuration information, see
Chapter 5: "Backing Up the Configuration" on page 77.

68
 ❐ RADIUS primary and alternate secret—For configuration information, see
Chapter 57: "RADIUS Realm Authentication and Authorization" on page
1125.
❐ LDAP search password—For configuration information, see "Defining LDAP
Search & Group Properties" on page 1084.
❐ Content filter download passwords—For configuration information, see
"Downloading the Content Filter Database" on page 375.

Limiting User Access to the Advanced Secure Gateway—Overview

When deciding how to give other users read-only or read-write access to the
Advanced Secure Gateway, sharing the basic console account settings is only one
option. The following summarizes all available options:

Note: If Telnet Console access is configured, Telnet can be used to manage the
Advanced Secure Gateway with behavior similar to SSH with password
authentication.
SSL configuration is not allowed through Telnet, but is permissible through SSH.
Behavior in the following sections that applies to SSH with password
authentication also applies to Telnet. Use of Telnet is not recommended because it
is not a secure protocol.

❐ Console account—minimum security

The console account username and password are evaluated when the
Advanced Secure Gateway is accessed from the Management Console
through a browser and from the CLI through SSH with password
authentication. The Enable (privileged-mode) password is evaluated when
the console account is used through SSH with password authentication and
when the CLI is accessed through the serial console and through SSH with
RSA authentication. The simplest way to give access to others is sharing this
basic console account information, but it is the least secure and is not
recommended.
To give read-only access to the CLI, do not give out the Enable (privileged-
mode) password.
❐ Console access control list—moderate security
Using the access control list (ACL) allows you to further restrict use of the
console account and SSH with RSA authentication to workstations identified
by their IP address and subnet mask. When the ACL is enforced, the console
account can only be used by workstations defined in the console ACL. Also,
SSH with RSA authentication connections are only valid from workstations
specified in the console ACL (provided it is enabled).
After setting the console account username, password, and Enable
(privileged-mode) password, use the CLI or the Management Console to
create a console ACL. See "Moderate Security: Restricting Management
Console Access Through the Console Access Control List (ACL)" on page 72.

69
Advanced Secure Gateway Administration Guide

❐ Per-user RSA public key authentication—moderate security

Each administrator’s public keys are stored on the appliance. When
connecting through SSH, the administrator logs in with no password
exchange. Authentication occurs by verifying knowledge of the
corresponding private key. This is secure because the passwords never go
over the network.
This is a less flexible option than CPL because you cannot control level of
access with policy, but it is a better choice than sharing the console credentials.
❐ Blue Coat Content Policy Language (CPL)—maximum security
CPL allows you to control administrative access to the Advanced Secure
Gateway through policy. If the credentials supplied are not the console
account username and password, policy is evaluated when the Advanced
Secure Gateway is accessed through SSH with password authentication or the
Management Console. Policy is never evaluated on direct serial console
connections or SSH connections using RSA authentication.
• Using the CLI or the Management Console GUI, create an authentication
realm to be used for authorizing administrative access. For administrative
access, the realm must support BASIC credentials—for example, LDAP,
RADIUS, Local, or IWA with BASIC credentials enabled.
• Using the Visual Policy Manager, or by adding CPL rules to the Local or
Central policy file, specify policy rules that: (1) require administrators to
log in using credentials from the previously-created administrative realm,
and (2) specify the conditions under which administrators are either
denied all access, given read-only access, or given read-write access.
Authorization can be based on IP address, group membership, time of
day, and many other conditions. For more information, refer to the Visual
Policy Manager Reference.
• To prevent anyone from using the console credentials to manage the
Advanced Secure Gateway, set the console ACL to deny all access (unless
you plan to use SSH with RSA authentication). For more information, see
"Moderate Security: Restricting Management Console Access Through the
Console Access Control List (ACL)" on page 72. You can also restrict access
to a single IP address that can be used as the emergency recovery
workstation.
The following chart details the various ways administrators can access the
Advanced Secure Gateway console and the authentication and authorization
methods that apply to each.

Table 4–1 Advanced Secure Gateway Console Access Methods/Available Security Measures

Security Measures Available Serial SSH with SSH with RSA Management
Console Password Authentication Console
Authentication

Username and password X X

evaluated (console-level
credentials)

70
Table 4–1 Advanced Secure Gateway Console Access Methods/Available Security Measures (Continued)

Console Access List evaluated X X X (if console

(if console credentials are
credentials are offered)
offered)

CPL <Admin> Layer evaluated X (see Note 1 X (see Note 2

below) below)

Enable password required to X X X

enter privileged mode (see Note
2 below)

CLI line-vty timeout X X X

command applies.

Management Console Login/ X

Logout

Notes
❐ When using SSH (with a password) and credentials other than the console
account, the enable password is actually the same as the login password. The
privileged mode password set during configuration is used only in the serial
console, SSH with RSA authentication, or when logging in with the console
account.
❐ In this case, user credentials are evaluated against the policy before executing
each CLI command. If you log in using the console account, user credentials
are not evaluated against the policy.

71
Advanced Secure Gateway Administration Guide

Section 1 Moderate Security: Restricting Management Console Access

Through the Console Access Control List (ACL)
The Advanced Secure Gateway allows you to limit access to the Management
Console and CLI through the console ACL. An ACL, once set up, is enforced only
when console credentials are used to access either the CLI or the Management
Console, or when an SSH with RSA authentication connection is attempted. The
following procedure specifies an ACL that lists the IP addresses permitted access.

To create an ACL:
1. Select Configuration > Authentication > Console Access > Console Access.

2b

2a

2. (Optional) Add a new address to the ACL:

a. Click New. The Add List Item dialog displays.
b. In the IP/Subnet fields, enter a static IP address. In the Mask fields, enter
the subnet mask. To restrict access to an individual workstation, enter
255.255.255.255.

c. Click OK to add the workstation to the ACL and return to the Console
Access tab.

3. Repeat step 2 to add other IP addresses.

4. To impose the ACL defined in the list box, select Enforce ACL for built-in
administration. To allow access to the CLI or Management Console using
console account credentials from any workstation, clear the option. The ACL
is ignored.

Important: Before you enforce the ACL, verify the IP address for the
workstation you are using is included in the list. If you forget, or you find
that you mis-typed the IP address, you must correct the problem using the
serial console.

72
 5. Click Apply.

Maximum Security: Administrative Authentication and Authorization Policy

The Advanced Secure Gateway permits you to define a rule-based administrative
access policy. This policy is enforced when accessing:
❐ the Management Console through HTTP or HTTPS
❐ the CLI through SSH when using password authentication
❐ the CLI through telnet
❐ the CLI through the serial port if the secure serial port is enabled
These policy rules can be specified either by using the VPM or by editing the
Local policy file. Using policy rules, you can deny access, allow access without
providing credentials, or require administrators to identify themselves by
entering a username and password. If access is allowed, you can specify whether
read-only or read-write access is given. You can make this policy contingent on IP
address, time of day, group membership (if credentials were required), and many
other conditions.
Serial-console access is not controlled by policy rules. For maximum security to
the serial console, physical access must be limited.
SSH with RSA authentication also is not controlled by policy rules. You can
configure several settings that control access: the enable password, the console
ACL, and per-user keys configured through the Configuration > Services > SSH > SSH
Client page. (If you use the CLI, SSH commands are under Configuration> Services >
SSH-Console.)

Defining Administrator Authentication and Authorization Policies

Administrative authentication uses policy, (either Visual Policy or CPL in the local
policy file) to authenticate administrative users to the appliance. This is done with
two layers in policy: one to define the realm that is used to authenticate users
(Admin Authentication layer) and the other to define security rights for authenticated
users or groups (Admin Access layer).

Note: If you choose a realm that relies on an external server and that server is
unavailable, the appliance will not be able to authenticate against that realm.

For best security, the following authentication realms are recommended by Blue
Coat for administrative authentication to the appliance.
❐ IWA-BCAAA (with TLS -- not SSL) with basic credentials
❐ Local
❐ .509 certificate based (including certificate realms; refer to the Common Access
Card Solutions Guide for information)
❐ LDAP with TLS (not SSL)
❐ IWA-Direct with basic credentials

73
Advanced Secure Gateway Administration Guide

❐ RADIUS
The following realms can be configured for administrative authentication, but
pass administrative credentials in clear text. These realms should not be used for
administrative authentication:
❐ Windows SSO
❐ Novell SSO
❐ IWA-BCAAA without SSL or TLS
❐ LDAP without SSL or TLS

The following realms do not support administrative authentication:

❐ IWA-BCAAA/IWA-Direct realms that do not accept basic credentials
❐ SiteMinder
❐ COREid
❐ SAML (Policy Substitution)
❐ XML

Note: Other authentication realms can be used, but will result in administrative
credentials being sent in clear text.

Configure Administrative Authentication with a Local Realm

The process to provide read-only access for administrators includes the following
steps:
❐ Create a local authentication realm.
❐ Create a list that includes usernames and passwords for members whom you
wish to provide read-only access in the Management Console.
❐ Connect the list to the local realm.
❐ Create policy to enforce read-only access to members included in the list.
Use the steps below to complete the tasks detailed above.
1. Create a local realm:
a. Select the Configuration > Authentication > Local > Local Realms tab.
b. Click New to add a new realm. In this example the realm is named
MC_Access.

2. Using the Command Line Interface (CLI), create a list of users who need read-
only access. The list must include a username and password for each user.
a. Enter configuration mode in the CLI; this example creates a list called
Read_Access.
#(config)security local-user-list create Read_Access

74
 b. Edit the list to add user(s) and to create usernames and passwords.
This example adds a user named Bob Kent.
#(config)security local-user-list edit Read_Access
#(config)user create Bob_Kent
#(config)user edit Bob_Kent
#(config)password 12345

3. Connect the user list (created in Step 2) to the local realm (created in Step 1).
a. In the Configuration > Authentication > Local > Local Main tab, select
MC_Access from the Realm name drop-down menu.

b. Select Read_Access from the Local user list drop-down menu.

4. Use the for creating policy to enforce read-only access to the users in your list:
a. Launch the VPM.
b. Create an Admin Authentication Layer (or add a new rule in an existing
layer). This layer determines the authentication realm that will be used
to authenticate users who access the Management Console of the
Advanced Secure Gateway.

c. In the Action column, right click and select Set. In the Set Action dialog
that displays, click New and select Authenticate. The Add Authentication
Object displays.

75
Advanced Secure Gateway Administration Guide

d. In the Add Authenticate Object dialog that displays, select the local realm
you created in Step 1.
e. Create an Admin Access Layer.
f. In the Source column, right click and select Set. In the Set Source Object
dialog that displays, click New and select User. The Add User Object
dialog displays.

g. Enter the name of the user for whom you want to provide read-only
access.
h. Click OK in both dialogs.

i. In the Action column, right click and select Allow Read-only Access.
5. Click Install Policy.
The user can now log in the Management Console as a user with read-only
access. Repeat step 4 and use Allow Read/Write access to define user access
with read/write privileges

76
Chapter 5: Backing Up the Configuration

This chapter describes how to back up your configuration and save it on a

remote system so that you can restore it in the unlikely event of system failure
or replacement. Advanced Secure Gateway appliance configuration backups are
called archives.

Important: You should archive the system configuration before performing

any software or hardware upgrade or downgrade.

System archives can be used to

❐ Restore the appliance to its previous state in case of error.
❐ Restore the appliance to its previous state because you are performing
maintenance that requires a complete restoration of the system
configuration. For example, upgrading all the disk drives in a system.
❐ Save the system configuration so that it can be restored on a replacement
appliance. This type of configuration archive is called a transferable archive.
❐ Propagate configuration settings to newly-manufactured Advanced Secure
Gateway appliances. This process is called configuration sharing.

Topics in this Chapter

The following topics are covered in this chapter:
❐ Section A: "About Configuration Archives" on page 78
❐ Section B: "Archiving Quick Reference" on page 80
❐ Section C: "Creating and Saving a Standard Configuration Archive" on page
84
❐ Section D: "Creating and Saving a Secure (Signed) Archive" on page 86
❐ Section E: "Preparing Archives for Restoration on New Devices" on page 89
❐ Section F: "Uploading Archives to a Remote Server" on page 100
❐ Section G: "Restoring a Configuration Archive" on page 105
❐ Section H: "Sharing Configurations" on page 107
❐ Section I: "Troubleshooting" on page 109

77
Advanced Secure Gateway Administration Guide

Section A: About Configuration Archives

This section describes the archive types and explains archive security and
portability.
This section includes the following topics:
❐ "About the Archive Types and Saved Information" on page 78
❐ "About Archive Security" on page 78
❐ "About Archive Portability" on page 79
❐ "What is not Saved" on page 79

About the Archive Types and Saved Information

Three different archive types are available. All archive types include Content
Analysis configuration details, which are represented by a hashed string. Each
archive type contains a different set of configuration data:
❐ Configuration - post setup: This archive contains the configuration on the current
system—minus any configurations created through the setup console, such as
the IP address. It also includes the installable lists but does not include SSL
private key data. Use this archive type to share an appliance’s configuration
with another. See "Sharing Configurations" on page 107 for more information.
❐ Configuration - brief:
This archive contains the configuration on the current
system and includes the setup console configuration data, but does not
include the installable lists or SSL private key and static route information.

Note: An installable list is a list of configuration parameters that can be

created through a text editor or through the CLI inline commands and
downloaded to the Advanced Secure Gateway appliance from an HTTP server
or locally from your PC.

❐ Configuration - expanded:This is the most complete archive of the system

configuration, but it contains system-specific settings that might not be
appropriate if pushed to a new system. It also does not include SSL private
key data. If you are trying to create the most comprehensive archive, Blue
Coat recommends that you use the configuration-expanded archive.
Options in the Management Console enable you to create standard, secure, and
transferable versions of the three archive types.

About Archive Security

The Advanced Secure Gateway appliance provides two methods for creating
archives, signed and unsigned. A signed archive is one that is cryptographically
signed with a key known only to the signing entity—the digital signature
guarantees the integrity of the content and the identity of the originating device.

78
 To create signed archives, your appliance must have an SSL certificate guaranteed
by a CA. You can then use a trusted CA Certificate List (CCL) to verify the
authenticity of the archive.
Use signed archives only when security is high priority. Otherwise, use unsigned
archives. For information about creating secure archives, see "Creating and Saving
a Secure (Signed) Archive" on page 86.

About Archive Portability

To retain the option to transfer the configuration from the source appliance to
another appliance, the configuration cannot be restored unless you save the SSL
keyrings, and the configuration-passwords-key in particular.
The configuration-passwords-key keyring must be saved. This keyring is used to
encrypt and decrypt the passwords (login, enable, FTP, etc.) and the passwords
cannot be restored without it. This is because the purpose of public/private key
authentication is to disallow decryption by a device other than the device with the
private key. To restore any encrypted data from an archive, you must have the
corresponding SSL keyring.
See "Creating a Transferable Archive" on page 91 for more information about
creating transferable archives.

What is not Saved

Archiving saves the Advanced Secure Gateway appliance configuration only.
Archives do not save the following:
❐ Cache objects
❐ Access logs
❐ Event logs
❐ License data (you might need to reapply the licenses)
❐ Software image versions
❐ SSL key data
❐ Content-filtering databases
❐ Exception pages

79
Advanced Secure Gateway Administration Guide

Section B: Archiving Quick Reference

This section provides a table of quick reference tasks and describes the high-level
archive creation and restoration tasks.
This section includes the following topics:
❐ "Archiving Quick Reference Table" on page 81
❐ "Overview of Archive Creation and Restoration" on page 82

80
Section 1 Archiving Quick Reference Table
The following table lists common archive management tasks and where to get
more information.

Table 5–1 Archiving Task Table

If You Want to... Go To...

Understand the archive and restoration "Overview of Archive Creation and

process Restoration" on page 82

Find out what is not archived "What is not Saved" on page 79

Learn about the archive types "About the Archive Types and Saved
Information" on page 78

Learn about secure archives "About Archive Security" on page 78

Learn about transferable archives "About Archive Portability" on page 79

A transferable archive is a configuration
archive that can be imported to a new
device.

Create a standard archive "Creating and Saving a Standard

Configuration Archive" on page 84

Create a secure archive "Creating and Saving a Secure (Signed)

Archive" on page 86

Create a transferable archive "Creating a Transferable Archive" on

page 91

Upload an archive to a remote server "Uploading Archives to a Remote

Server" on page 100

Schedule archive creation You cannot schedule archive creation

from the Advanced Secure Gateway
appliance. To schedule archive creation,
use Blue Coat Management Center 1.5.x
or later. Refer to the documentation on
BTO.

Understand file name identifiers "Adding Identifier Information to

Archive Filenames" on page 103

Restore an archive "To install the archived configuration:"

on page 105

Share Configurations "Sharing Configurations" on page 107

Troubleshoot archive configuration "Troubleshooting" on page 109

81
Advanced Secure Gateway Administration Guide

Overview of Archive Creation and Restoration

The following list describes all of the possible steps required to create and restore
an unsigned, signed, or transferable configuration archive. You do not have to
perform all of these steps to complete a standard, unsigned archive. Non-
standard archiving steps are indicated by the word “Optional.”
1. Optional (for transferable archives only)—Record the configuration-
passwords-key data on the source Advanced Secure Gateway appliance, as
described in "Option 1: Recording SSL Keyring and Key Pair Information" on
page 91. If you need to restore the archive onto a different appliance, you must
have this data.
Do not lose the password used to encrypt the private key. If you do, you will
not be able to recover your private keys.
2. Optional (for transferable archives only)—Record any other SSL keyring data
you want to save.
3. Determine the type of archive to create—secure or standard. See "About
Archive Security" on page 78.
If you are creating an standard archive, go to Step 5. Otherwise, go to Step 4.
4. Optional (for secure archives only)—Verify that the source Advanced Secure
Gateway appliance has an appliance certificate, as described in "Using the
Appliance Certificate to Sign the Archive" on page 86. If it does not have an
appliance certificate:
a. Create a keyring on the appliance.
A keyring contains a public/private key pair. It can also contain a
certificate signing request or a signed certificate.
b. Create a Certificate Signing Request (CSR) and send it to a Certificate
Signing Authority (CA).
c. Have the CA sign the CSR.
To get more information about appliance certificates, see "Managing X.509
Certificates" on page 1153.
5. Archive the configuration:
• Standard, unsigned archive—"Creating and Saving a Standard
Configuration Archive" on page 84.
• Secure archive—"Creating and Saving a Secure (Signed) Archive" on page
86
• Transferable archive—"Creating a Transferable Archive" on page 91.
6. Store the archive in a secure location.
7. If you are restoring the archive to another device, import the configuration-
passwords-key onto the target device, as described in "Restoring an Archived
Key Ring and Certificate" on page 98.

82
8. Restore the archive, as described in "Restoring a Configuration Archive" on
page 105.
Figure 5–1 on page 83 describes the archive creation process.

Figure 5–1 Flow Chart of Archive Creation Process

83
Advanced Secure Gateway Administration Guide

Section C: Creating and Saving a Standard Configuration Archive

Use the Management Console to create a standard archive of the system
configuration. This is the simplest method of archive creation. This type of archive
cannot be transferred to another appliance unless you save the SSL keyrings as
described in Section E: "Preparing Archives for Restoration on New Devices" on
page 89.

To create a standard configuration archive:

1. Access the Proxy tab of the Management Console of the Advanced Secure
Gateway appliance you want to back up:
https://Appliance_IP:8082

2. Select Configuration > General > Archive. The Archive Configuration tab displays.

3b

3a

3. Select a configuration type:

a. In the View Current Configuration section, select Configuration - expanded
from the View File drop-down list.
b. View the configuration you selected by clicking View.
A browser window opens and displays the configuration.

Note: You can also view the file by selecting Text Editor in the Install
Configuration panel and clicking Install.

4. Save the configuration.

You can save the file two ways:
• Use the browser Save As function to save the configuration as a text file on
your local system. This is advised if you want to re-use the file.
• Copy the contents of the configuration. (You will paste the file into the
Text Editor on the newly-manufactured system.)

To restore a standard archive:

1. Select Configuration > General > Archive.
2. Select Local File and click Install.

84
3. Browse to the location of the archive and click Open. The configuration is
installed, and the results screen displays.

85
Advanced Secure Gateway Administration Guide

Section D: Creating and Saving a Secure (Signed) Archive

This section describes how to use the Management Console to save a secure
(signed) archive of the system configuration. A signed archive is an archive
signed with a digital signature that can only be read by the device that created it,
thus guaranteeing the integrity and authenticity of the archive. To create signed
archives, your appliance must have an SSL certificate guaranteed by a CA.
Signed archives have a .bcsc extension and contain the following files:
❐ show configuration output
❐ PKCS#7 detached signature
This section includes the following topics:
❐ "Using the Appliance Certificate to Sign the Archive" on page 86
❐ "Creating Signed Configuration Archives" on page 87
❐ "Modifying Signed Archives" on page 88

Before Reading Further

If you are not familiar with SSL authentication, read the following before
proceeding:
❐ "About Archive Security" on page 78
❐ The device authentication information in "Authenticating an Advanced
Secure Gateway Appliance" on page 1347.
❐ The X.509, CCL, and SSL information in "Managing X.509 Certificates" on
page 1153.

Using the Appliance Certificate to Sign the Archive

If your appliance has a built-in appliance certificate, you can use it, and the
corresponding appliance-ccl CCL, to sign the archive.

To determine if your device has an appliance certificate:

1. Use an SSH client to establish a CLI session with the Advanced Secure Gateway
appliance.
2. Enter enable mode:
# enable

3. Enter the following command:

# show ssl certificate appliance-key

The appliance certificate displays if the appliance has one. Otherwise, the
following error is displayed:
Certificate "appliance-key" not found

4. If the appliance does not have an appliance certificate, create one as follows:

86
 a. Create a keyring on the appliance.
A keyring contains a public/private key pair. It can also contain a
certificate signing request or a signed certificate.
b. Create a Certificate Signing Request (CSR) and send it to a Certificate
Signing Authority (CA).
c. Have the CA sign the CSR (this process results in a digital certificate).
d. Import the keyring and certificate as described in "Restoring an
Archived Key Ring and Certificate" on page 98.
For more information about appliance certificates, see "Managing X.509
Certificates" on page 1153.

Creating Signed Configuration Archives

This section describes how to save a signed configuration archive to the computer
you are using to access the Management Console.

To create and save a signed configuration archive to your computer:

1. Access the Management Console of the Advanced Secure Gateway appliance

you want to back up:
https://Appliance_IP:8082

2. Select the Configuration > General > Archive > Archive Storage tab.

3. From the Sign archives with keyring drop-down list, select a signing keyring to
use or accept the default (appliance-key).
4. Click Apply.

Note: If you do not click Apply, a pop-up displays when you click Save that
indicates that all unsaved changes will be saved before storing the archive
configuration. The unsaved changes are the Sign archives with keyring option
changes you made in Step 3.

5. From the Save archive drop-down list, select the archive type (Blue Coat
recommends Configuration - expanded).
6. Click Save.

87
Advanced Secure Gateway Administration Guide

A new browser window displays, prompting you to open or save the

configuration to the local disk of the device you are using to access the
Advanced Secure Gateway appliance.

To restore a signed archive:

1. Connect to the appliance Management Console of the target appliance, that is
the Advanced Secure Gateway appliance that you are installing the
configuration onto.
https://Appliance_IP:8082

2. Go to the Management Console Home page and view the Software version:
information to verify that the appliance is running the same software version
that was used to create the archive. For example:
Software version: SGOS 6.6.2.2

You can also verify the version from the appliance CLI:
# enable
# show version

3. Select Configuration > General > Archive.

4. In the Install Configuration panel, check the setting of the Enforce installation of
signed archives option. If this option is selected, only signed archives can be
restored.
5. Select a CCL to use to verify the archive from the Verify signed archive with CCL
drop-down list. If you used the appliance-key keyring, select appliance-ccl.
6. Select Local File and click Install.

Modifying Signed Archives

If you modify a signed archive, you must subsequently restore it as an unsigned
archive.
If you created a signed archive and want to verify its authenticity before
modifying it, use OpenSSL or another tool to verify the signature before making
modifications. (The use of OpenSSL is beyond the scope of this document.)
Because a signed archive contains the output of the show configuration
command, you can extract the show configuration command output, modify it as
required, and treat the archive as unsigned thereafter.

88
Section E: Preparing Archives for Restoration on New Devices
While a configuration archive will back up the appliance configuration, that
configuration cannot be transferred to another device unless you save the SSL
keyrings on the appliance—especially the configuration-passwords-key keyring.
The process of creating the archive and saving the associated SSL keyrings is
called creating a transferable archive.

Note: You must also save the SSL keyrings if you plan to restore an encrypted
archive after a reinitialization. When you reinitialize the appliance, new keys get
created, and you will therefore not be able to restore the configuration unless you
first restore the configuration-passwords-key.

This section includes the following topics:

❐ "About the configuration-passwords-key" on page 89
❐ "Creating a Transferable Archive" on page 91
❐ "Option 1: Recording SSL Keyring and Key Pair Information" on page 91
❐ "Option 2: Changing Encrypted Passwords to Clear Text" on page 97
❐ "Restoring an Archived Key Ring and Certificate" on page 98

About the configuration-passwords-key

The configuration-passwords-key is an SSL keyring. SSL is a method of securing
communication between devices. SSL uses a public key to encrypt data and
private key to decrypt data. These keys (stored in “keyrings”) are unique to the
device. This ensures that date encrypted with a device’s public key can only be
decrypted by the corresponding private key.
On Advanced Secure Gateway appliances, the configuration-passwords-key SSL
keyring is used to encrypt and decrypt the following passwords on the appliance:
❐ Administrator console passwords (not needed for shared configurations)
❐ Privileged-mode (enable) passwords (not needed for shared configurations)
❐ The front-panel PIN (recommended for limiting physical access to the system)
❐ Failover group secret
❐ Access log FTP client passwords (primary, alternate)
❐ Archive configuration FTP password
❐ RADIUS primary and alternate secret
❐ LDAP search password
❐ SNMP read, write, and trap community strings
❐ RADIUS and TACACS+ secrets for splash pages
Because every appliance has a different configuration-passwords-key, you will
receive a decryption error if you try to restore an archive to another device.

89
Advanced Secure Gateway Administration Guide

To ensure that the archive can be transferred to another appliance, you must do
one of the following:
❐ Restore the original configuration-passwords-key keyring
While it is possible to reset each of the passwords using the Management
Console, it is easier to save the original keyring so that you can import it to the
new appliance (before restoring the configuration). Restoring the keyring
allows all previously configured passwords to remain valid after archive
restoration.
❐ Change the encrypted passwords to clear text so that they can be regenerated.

Note: To save an SSL keyring, you must be able to view it. If the key is marked
no-show, you cannot save it.

90
Section 1 Creating a Transferable Archive
This section describes the steps required to create a transferable archive.

To create a transferable archive:

1. Record the configuration-passwords-key data on the source Advanced Secure
Gateway appliance, as described in "Option 1: Recording SSL Keyring and Key
Pair Information" on page 91. If you need to restore the archive onto a
different appliance, you must have this data.
Do not lose the password used to encrypt the private key. If you do, you will
not be able to recover your private keys.
2. Record any other SSL keyring data you want to save.
3. Store the keyring data and archive in a secure location.
4. Create the archive as described in "Creating and Saving a Standard
Configuration Archive" on page 84.

To restore a transferable archive:

1. Connect to the appliance Management Console of the target appliance, that is
the Advanced Secure Gateway appliance that you are installing the
configuration onto.
https://Appliance_IP:8082

2. Go to the Management Console Home page and view the Software version:
information to verify that the appliance is running the same software version
that was used to create the archive. For example:
Software version: SGOS 5.3.0.2 Proxy Edition

You can also verify the version from the appliance CLI:
# enable
# show version

3. Restore the configuration-passwords-key data and any other SSL key data.
Import the configuration-passwords-key keyring as described in "Restoring
an Archived Key Ring and Certificate" on page 98.
4. Select Configuration > General > Archive.
5. Select Local File and click Install.
6. Browse to the location of the archive and click Open. The configuration is
installed, and the results screen displays.

Option 1: Recording SSL Keyring and Key Pair Information

For security reasons, Blue Coat recommends that you do not change encrypted
passwords to clear text. Instead, preserve the configuration-passwords-key
keyring on the source device (the appliance that you created the archive from)
and import that keyring to the target device before you restore the archive.

91
Advanced Secure Gateway Administration Guide

You can also use the following procedure to save any other keyrings required to
reload SSL-related configuration that references those keyrings.

To record the configuration-passwords-key keyring on the source appliance:

1. Copy the following template to a text file and use it to record the certificate
information so that you can import and restore it later. This template allows
you to import a certificate chain containing multiple certificates, from the CLI.
Alternatively, you can simply copy the SSL data into a blank text file.

Note: The following example is shown in smaller text to preserve the

structure of the commands.

!
ssl ; switches from config mode to config ssl
!
inline keyring show configuration-passwords-key "end-inline"
!
end-inline
inline keyring show default "end-inline"
!
end-inline
!
inline certificate default "end-inline"
!
end-inline
!
! repeat this process for each keyring. Be sure to import the private
key first, then the keyrings certificate
!
exit ; returns to config mode
!

Do not specify your passwords; the system will prompt you for them when
you restore the keys. You can modify the template to include other keyrings
and certificates.
2. From the CLI, access the config prompt (using the serial console or SSH):
# config terminal

3. Enter the following commands:

#(config) ssl
#(config ssl) view keyring

A listing of existing keyrings (and certificates) is displayed.

For example (your keyrings might be different):
#(config ssl) view keyring

92
 Keyring ID: appliance-key
Private key showability: no-show
Signing request: present
Certificate: absent

Keyring ID: configuration-passwords-key

Private key showability: show
Signing request: absent
Certificate: absent

Keyring ID: default

Private key showability: show
Signing request: absent
Certificate: present
Certificate issuer: Blue Coat SG200 Series
Certificate valid from: Dec 04 20:11:04 2007 GMT
Certificate valid to: Dec 03 20:11:04 2009 GMT
Certificate thumbprint:
9D:B2:36:E5:3D:B7:88:21:CB:0A:08:39:2C:A1:4B:CB

Keyring ID: passive-attack-protection-only-key

Private key showability: show
Signing request: absent
Certificate: present
Certificate issuer: Blue Coat SG200 Series
Certificate valid from: Dec 04 20:11:07 2007 GMT
Certificate valid to: Dec 03 20:11:07 2009 GMT
Certificate thumbprint:
0B:AD:07:A7:CF:D9:58:03:89:5B:67:35:43:B9:F2:C9

4. Enter the following command:

#(config ssl) view keypair des3 configuration-passwords-key

Note: The aes128 and aes256 encryption options are also supported.

5. When prompted, enter an encryption key password:

Encryption key: *****
Confirm encryption key: *****

This password is used to encrypt the private-key before displaying it. After
confirming the password, the Advanced Secure Gateway appliance displays the
encrypted private-key associated with that keyring.

Important: Do not lose the password used to encrypt the private key. If you
do, you will not be able to recover your private keys.

For example:
#(config ssl)view keypair des3 configuration-passwords-key
Encryption password: *****
Confirm encryption password: *****

93
Advanced Secure Gateway Administration Guide

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,D542F10E3FFF899F

aFqxQNOD+321IXdQjCGmT+adeQqMiQDAyCOvWd+aJ+OmDjITpd7bwijcxWA89RB8
y65NSia0UmTClY9MM4j6T/fXhBspEu7Wyc/nM+005pJldxTmZgPig6TiIiOlXtMI
ymCLolxjAr+vFSx7ji6jUT13JxZHfksNd9DS06DHLr6hJNERDi9dGog561zlwBo8
zvs0x4PqB+mq05qewmReMs9tnuLkGgBXguH+2Nw9hI0WKEa9KPFWrznD/+zEZbEo
nM+VOwn3nWuqcfRLFoSUP2QBZ581pU3XAUydabBn0uBOMR4a3C+F/W/v0p71jJ9o
JL6Ao/S46A4UgPkuswGMYXo1kG3K2J/Ev4nMBua6HSZgM87DxvMSiCZ1XxlKlBqv
F9P+l1o3mdR3g2LzK1DLTvlcA9pEPbW65gmnpGj/WLqhEyNPm+DkplxMtMESxNqM
4attb8fXAEcRI+1iUWpjxnycqlm+dcFqq6/bLixYSQ4HGXFLx5qTot+FtIvB5h3g
KwQusgaLVTiesn9K7BQK4wjXJKlDclIrog+ET1fkxtj2oA5/7HN10Ar0ogBxsZLj
0LS5fwVfHNkuyNLUXZSAiLLoIqFIvtRiRfiWe3e/eJvazIaErEk40NvIaaXP1j9p
ENzK2dw9WS7xtcU5kAcdoiX1lFONauKDVUkHwhvqz3KnMt1p81fkdUpiD1xaVfMg
s2FApgjAsYciEJxDUfPLzYV1vpOpx6DW3t0D0AlEKkPVNmd9RzlnXjk2CPTdPErC
pKN+EIKs2kqpRE6hHu37zzN06ipPNu2cCSHI/ozc0X4=
-----END RSA PRIVATE KEY-----

6. Copy the configuration-passwords-key and paste it into the template (copied

in step 1) beneath the line inline keyring show configuration-passwords-key
"end-inline".

7. If a certificate is associated with a keyring, enter the following command:

#(config ssl) view certificate keyring-name

For example:
#(config ssl)view certificate appliance-key
-----BEGIN CERTIFICATE-----
MIICUzCCAbygAwIBAgIEFm6QWzANBgkqhkiG9w0BAQUFADBuMQswCQYDVQQGDAIg
IDETMBEGA1UECAwKU29tZS1TdGF0ZTEfMB0GA1UECgwWQmx1ZSBDb2F0IFNHMjAw
IFNlcmllczETMBEGA1UECwwKNDYwNTA2MDAwMTEUMBIGA1UEAwwLMTAuOS41OS4y
MTAwHhcNMDcxMjA0MjAxMTA3WhcNMDkxMjAzMjAxMTA3WjBuMQswCQYDVQQGDAIg
IDETMBEGA1UECAwKU29tZS1TdGF0ZTEfMB0GA1UECgwWQmx1ZSBDb2F0IFNHMjAw
IFNlcmllczETMBEGA1UECwwKNDYwNTA2MDAwMTEUMBIGA1UEAwwLMTAuOS41OS4y
MTAwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ/F/Sn3CzYvbFPWDD03g9Y/
O3jwCrcXLU8cki6SZUVl9blgZBTgBY3KyDl2baqZNl2QGwkspEtDI45G3/K2GRIF
REs3mKGxY7fbwgRpoL+nRT8w9qWHO393pGrlJKFldXbYOzn3p31EXUuGRfXkIqeA
919uvOD5gOX0BEzrvDRnAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEASgIR9r2MuRBc
ltHq/Lb5rIXn13wFZENd/viO54YOiW1ZixlpCBbDIkef3DdJZLxVy3x7Gbw32OfE
3a7kfIMvVKWmNO+syAn4B2yasy0nxbSyOciJq1C42yPJ+Bj1MuYDmgIvMP6ne5UA
gYYhe/koamOZNcIuaXrAS2v2tYevrBc=
-----END CERTIFICATE-----

8. Copy the certificate and paste it into the template (copied in step 1) beneath
the inline certificate cert_name "end-inline" line).

94
9. Optional—For each named keyring that you want to restore, repeat steps 4
to 8.

Note: The appliance-key keyring's private key is not viewable, and cannot be
transferred to another Advanced Secure Gateway appliance. The default and
passive-attack-protection-only-key keys typically do not need to be
restored either.

10. Save the template with the configuration-passwords-key and other SSL key
data on a secure server.
11. Save the password information (that you used to encrypt the keys) in a secure
place, for example, a restricted access cabinet or safe.
After saving this data, create a configuration archive as described in "Creating a
Transferable Archive" on page 91. When you are ready to restore the archive, you
must first restore the SSL data on the target appliance as described in "Restoring
an Archived Key Ring and Certificate" on page 98.

Example: Completed SSL Data Template

The following example shows how the template might look after completing the
procedure in "To record the configuration-passwords-key keyring on the source
appliance:" on page 92.
The template allows you to import a certificate chain containing multiple
certificates, from the CLI. When you restore the data to the appliance, you will be
prompted for the encryption password that you used to encrypt the keys.

Note: The commands in the following example are bounded by the document
text area and wrap to the next line. They are not shown here as they would
appear in the CLI. See Step 1 in "Option 1: Recording SSL Keyring and Key Pair
Information" on page 91 to view an example of how the commands should
appear.

!
ssl ; switches from config mode to config ssl
!
inline keyring show configuration-passwords-key "end-inline"
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2F6148C8A9902D7F

1lJjGKxpkcWBXj424FhyQJPKRdgHUIxl2C6HKigth6hUgPqsSJj958FbzEx6ntsB
lI+jXj34Ni6U94/9ugYGEqWLCqed77M1/WA4s6U5TCI9fScVuGaoZ0EVhx48lI3N
LGQplOJXmr0L5vNj/e1/LSeCOHg+7ASyY/PaFr9Dk8nRqAhoWMM/PQE1kvAxuXzE
8hccfZaa1lH1MiPWfNzxf1RXIEzA2NcUirDHO63/XU3eOCis8hXZvwfuC+DWw0Am
tGVpxhZVN2KnfzSvaBAVYMh/lGsxdEJjjdNhzSu3uRVmSiz1tPyAbz5tEG4Gzbae
sJY/Fs8Tdmn+zRPE5nYQ/0twRGWXzwXOeW+khafNE3iQ1u6jxbST6fCVn2bxw+q/

95
Advanced Secure Gateway Administration Guide

bB/dEFUMxreYjAO8/Tu86R9ypa3a+uzrXULixg1LnBcnoSvOU+co5HA6JuRohc5v
86ZPklQ9V4xvApY/+3Q+2mF9skJPsOV01ItYWtrylg9Puw17TE56+k0EAOwU6FWd
dTpGJRguh7lFVmlQl2187NEoyHquttlIHxRPEKRvNxgCzQI3GEOfmD9wcbyxd1nT
X11U2YgwwwH0gzJHBQPIfPhE9wJTedm1dhW268kPFonc1UY3dZTq0tiOLwtDfsyx
ForzG9JHhPmlUgLtujsiG5Cg8S183GSyJFqZs8VKxTyby7xa/rMkjtr/lpS++8Tz
GZ4PimFJM0bgcMsZq6DkOs5MmLSRCIlgd3clPSHjcfp+H4Vu0OPIPL98YYPvcV9h
0Io/zDb7MPjIT5gYPku86f7/INIimnVj2R0a0iPYlbKX7ggZEfWDPw==
-----END RSA PRIVATE KEY-----
end-inline
!
inline keyring show default "end-inline"
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2F6148C8A99AAAA

2lJjGKxpkcWBXj424FhyQJPKRdgHUIxl2C6HKigth6hUgPqsSJj958FbzEx6ntsC
lI+jXj34Ni6U94/9ugYGEqWLCqed77M1/WA4s6U5TCI9fScVuGaoZ0EVhx48lI3G
LGQplOJXmr0L5vNj/e1/LSeCOHg+7ASyY/PaFr9Dk8nRqAhoWMM/PQE1kvAxuXzW
8hccfZaa1lH1MiPWfNzxf1RXIEzA2NcUirDHO63/XU3eOCis8hXZvwfuC+DWw0Am
tGVpxhZVN2KnfzSvaBAVYMh/lGsxdEJjjdNhzSu3uRVmSiz1tPyAbz5tEG4Gzbae
sJY/Fs8Tdmn+zRPE5nYQ/0twRGWXzwXOeW+khafNE3iQ1u6jxbST6fCVn2bxw+q/
bB/dEFUMxreYjAO8/Tu86R9ypa3a+uzrXULixg1LnBcnoSvOU+co5HA6JuRohc5v
86ZPklQ9V4xvApY/+3Q+2mF9skJPsOV01ItYWtrylg9Puw17TE56+k0EAOwU6FWd
dTpGJRguh7lFVmlQl2187NEoyHquttlIHxRPEKRvNxgCzQI3GEOfmD9wcbyxd1nT
X11U2YgwwwH0gzJHBQPIfPhE9wJTedm1dhW268kPFonc1UY3dZTq0tiOLwtDfsyx
ForzG9JHhPmlUgLtujsiG5Cg8S183GSyJFqZs8VKxTyby7xa/rMkjtr/lpS++8Tz
GZ4PimFJM0bgcMsZq6DkOs5MmLSRCIlgd3clPSHjcfp+H4Vu0OPIPL98YYPvcV9h
0Io/zDb7MPjIT5gYPku86f7/INIimnVj2R0a0iPYlbKX7ggZEfWDPw==
-----END RSA PRIVATE KEY-----
end-inline
!
inline certificate default "end-inline"
-----BEGIN CERTIFICATE-----
MIICUzCCAbygAwIBAgIEFjnHtzANBgkqhkiG9w0BAQQFADBuMQswCQYDVQQGDAJB
VTETMBEGA1UECAwKU29tZS1TdGF0ZTEfMB0GA1UECgwWQmx1ZSBDb2F0IFNHMjAw
IFNlcmllczETMBEGA1UECwwKMjEwNzA2MzI1ODEUMBIGA1UEAwwLMTAuOS41OS4x
NTwwHhcNMDcxMDI1MTkxNzExWhcNMTcxMDI1MTkxNzExWjBuMQswCQYDVQQGDAJB
VTETMBEGA1UECAwKU29tZS1TdGF0ZTEfMB0GA1UECgwWQmx1ZSBDb2F0IFNHMjAw
IFNlcmllczETMBEGA1UEdwwKMjEwNzA2MzI1ODEUMBIGA1UEAwwLMTAuOS41OS4x
NTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANF9BL25FOJuBIFVyvjo3ygu
ExUM0GMjF1q2TRrSi55Ftt5d/KNbxzhhz3i/DLxlwh0IFWsjv9+bKphrY8H0Ik9N
Q81ru5HlXDvUJ2AW6J82CewtQt/I74xHkBvFJa/leN3uZ+D+fiZTXO15m9+NmZMb
zzGGbCWJRzuqp9z1DVNbqgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAwMUYIa1KFfI0
J+lS/oZ+9g9IVih+AEtk5nVVLoDASXuIaYPG5Zxo5ddW6wT5qvny5muPs1B7ugYA
wEP3Eli+mwF49Lv4NSJFEkBuF7Sgll/R2Qj36Yjpdkxu6TPX1BKmnEcpoX9Q1Xbp

96
 XerHBHpMPwzHdjl4ELqSgxFy9aei7y8=
-----END CERTIFICATE-----
end-inline
!
! repeat this process for each keyring. Be sure to import the private
key first, then the keyrings certificate
!
exit ; returns to config mode
!

Option 2: Changing Encrypted Passwords to Clear Text

Important: Blue Coat strongly recommends recording your SSL keyring and
key pair data because changing encrypted passwords to clear text is highly
insecure. Use the following procedure at your own risk.

You can edit the configuration to change encrypted passwords to clear text if you
choose to keep the existing configuration-passwords-key keyring intact on the
new appliance. You do not need to change hashed passwords to clear text—when
you restore the archive, new hashed-passwords are automatically generated using
the target Advanced Secure Gateway appliance’s configuration-passwords-key
keyring.

Important: This procedure is not valid for signed archives. Signing guarantees
that the archive has not been modified.

To change encrypted passwords to clear text:

Manually search for every instance of encrypted-password, remove the
encrypted- prefix, and change the encrypted password to clear text. For example:
security encrypted-password "$1$rWzR$BT5c6F/RHLPK7uU9Lx27J."
In the previous example, if the actual password is bluecoat, then you must edit
the entry as follows:
security password "bluecoat"

Note: Hashed passwords do not have to be changed to clear text. When you
restore the archive, they are restored as specified on the source device. The
difference between hashing and encryption is that encryption enables
information to be decrypted and read, while hashing is a mathematical
function used to verify the validity of data. For example, a system might not
need to know a user’s password to verify that password. The system can run a
hash function on the password and confirm that the mathematical result
matches that specified for the user.

97
Advanced Secure Gateway Administration Guide

Restoring an Archived Key Ring and Certificate

Use the following procedure to import key pair and certificate data (saved in
"Option 1: Recording SSL Keyring and Key Pair Information" on page 91) onto the
system you are restoring the archive to.

Note: You can also import a certificate chain containing multiple certificates.
Use the inline certificate command to import multiple certificates through
the CLI. See "Example: Completed SSL Data Template" on page 95 for more
information.

If you are importing a keyring and one or more certificates onto a Advanced Secure
Gateway appliance, first import the keyring, followed by its related certificate. The
certificate contains the public key from the keyring, and the keyring and
certificate are related.

Importing the configuration-passwords-keyring:

1. Retrieve your saved configuration-passwords-key data.
2. Select Configuration > SSL > Keyrings > SSL Keyrings.
3. Examine the existing keyrings. If a configuration-passwords-key keyring
already exists, select the keyring and click Delete and Apply.
4. Click Create. The Create Keyring dialog displays.

5a

5b
5c

5d

5e

5. Configure the keyring options:

a. In the Keyring Name field, enter configuration-passwords-key.
b. Select Show keypair.

c. Select Import Existing Private Key.

d. Paste the configuration-passwords-key data into the Private Key text
field.

98
 e. Select Private Key Password and enter the configuration-passwords-key
password into the field. This is the password you saved when you
archived the keyring.
6. Click OK.
7. Click Apply.
The configuration-passwords-key does not have a certificate. However, if one or
more keyrings has a certificate, you must import it and associate it with a keyring.

To import a certificate and associate it with a keyring:

1. Copy the certificate onto the clipboard.
2. Select Configuration > SSL > Keyrings and click Edit/View.
3. From the drop-down list, select the keyring that you just imported.
4. Click Import in the Certificate field.
5. Paste the certificate into the Import Certificate dialog that appears. Be sure to
include the ----BEGIN CERTIFICATE---- and -----END CERTIFICATE----
statements.
6. Click OK.

99
Advanced Secure Gateway Administration Guide

Section F: Uploading Archives to a Remote Server

This section describes how to create an archive and upload it to a remote server.
Archives can be uploaded using HTTPS, HTTP, FTP, or TFTP. If you are concerned
about security, use HTTPS.
This section includes the following topics:
❐ "Creating and Uploading an Archive to a Remote Server" on page 101
❐ "Adding Identifier Information to Archive Filenames" on page 103

100
Section 2 Creating and Uploading an Archive to a Remote Server
Use the following procedure to create a signed or unsigned archive and upload it
to a secure, remote host.

To create and upload an archive to a remote server:

Note: This procedure creates only Configuration - expanded archives. You

cannot choose another type.

1. If you use HTTPS, you must specify an SSL device profile to use for the SSL
connection.
An SSL device profile, which can be edited, contains the information required
for device authentication, including the name of the keyring with the private
key and certificate this device uses to authenticate itself. The default keyring is
appliance-key. (For information on private keys, public keys, and SSL device
profiles, see "Managing X.509 Certificates" on page 1153.)
2. Obtain write permission to a directory on a secure, remote host. This is where
the archive will be stored.
3. Access the Management Console of the Advanced Secure Gateway appliance
you want to back up:
https://Appliance_IP:8082

4. Select Configuration > General > Archive.

5. Select the Archive Storage tab.

7a
7b
7c
7d
7e

6. For signed archives, ensure that a keyring has been selected in the Sign archive
with keyring option.

7. In the Remote Upload section, configure the upload settings:

101
Advanced Secure Gateway Administration Guide

a. From the Protocol drop-down list, select an upload protocol.

Note: For maximum security, Blue Coat recommends using HTTPS.

b. Optional: Add filename prefixes to identify the archive.

The prefixes add unique, time-based variables to the filename. For
example:
%H%A

In the preceding example, the %H%A prefix adds the hour (in 24-hour
format) and the full weekday name. Various combinations can be used.
See "Adding Identifier Information to Archive Filenames" on page 103 for
a list of allowed substitution values.
c. Optional, for HTTPS—Select an SSL device profile to use for the SSL
connection.
See "Uploading Archives to a Remote Server" on page 100 for more
information about device profiles.
d. Enter the remote server host name or IP address and port number. The
remote server can have an IPv4 or IPv6 address, or be a domain name
that resolves to an IPv4 or IPv6 address.
e. Enter the remote server upload path (not required for TFTP).

102
 f. Enter the user name associated with the remote host (not required for
TFTP).
g. Optional—Change the HTTP, HTTPS, or FTP password.
8. Click Upload.

Adding Identifier Information to Archive Filenames

Use the following prefix substitutions to add unique ID information to archive
filenames. Specify these prefixes when using the Remote Upload option.

Table 5–2 Filename Specifiers

Specifier Description
%% Percent sign.
%a Abbreviated weekday name.
%A Full weekday name.
%b Abbreviated month name.
%B Full month name.
%C The Advanced Secure Gateway appliance name.
%d Day of month as decimal number (01 – 31).
%H Hour in 24-hour format (00 – 23).
%i First IP address of the Advanced Secure Gateway appliance, displayed in
x_x_x_x format, with leading zeros removed.

%I Hour in 12-hour format (01 – 12).

%j Day of year as decimal number (001 – 366).
%l The fourth (last) octet in the Advanced Secure Gateway appliance IP
address (For example, for the IP address 10.11.12.13, %l would be 13)
%m Month as decimal number (01 – 12).
%M Minute as decimal number (00 – 59).
%p Current locale’s A.M./P.M. indicator for 12-hour clock.
%S Second as decimal number (00 – 59).
%U Week of year as decimal number, with Sunday as first day of week (00 –
53).

%w Weekday as decimal number (0 – 6; Sunday is 0).

%W Week of year as decimal number, with Monday as first day of week (00 –
53).

%y Year without century, as decimal number (00 – 99).

103
Advanced Secure Gateway Administration Guide

Table 5–2 Filename Specifiers (Continued)

%Y Year with century, as decimal number.

%Z Time-zone name or abbreviation; no characters if time zone is unknown.

104
Section G: Restoring a Configuration Archive
To restore a configuration archive, you must:
❐ Perform pre-restoration tasks, for example, restoring the SSL configuration.
❐ For signed archives—Select a CCL to use to verify the archive.
❐ Restore the archive.

To install the archived configuration:

1. Download a content filter database, if you previously had one and it was lost.
If you restore the archive and it includes content filtering policy, the database
must exist so that categories referenced within policy can be matched with the
currently installed database.
2. Connect to the appliance Management Console of the target appliance, that is
the Advanced Secure Gateway appliance that you are installing the
configuration onto.
https://Appliance_IP:8082

3. In the Management Console, click the Home link and look for the software
version in the banner to verify that the appliance is running the same software
version that was used to create the archive. The banner displays a version
such as:
SGOS 6.6.2.1 Proxy Edition

You can also verify the version from the appliance CLI:
# enable
# show version

4. Restore the configuration-passwords-key data and any other SSL key data.
Import the configuration-passwords-key keyring as described in "Restoring
an Archived Key Ring and Certificate" on page 98.
5. Select Configuration > General > Archive.

105
Advanced Secure Gateway Administration Guide

6. Optional, for signed archives—Select a CCL to use to verify the archive from
the Verify signed archive with CCL drop-down list. If you used the appliance-key
keyring, select appliance-ccl.
7. Optional, for signed archives—In the Install Configuration panel, check the
setting of the Enforce installation of signed archives option. If this option is
selected, only signed archives can be restored.

Note: Depending on the CA that was used to sign the certificate used for the
archive signature, you might have to import a CA certificate and create an
appropriate CCL. For details, see Chapter 60: "Managing X.509 Certificates"
on page 1153.

8. Install the configuration using one of the following methods:

• Local File: If you saved the file to your system, select Local File and click
Install. Browse to the location of the archive and click Open. The
configuration is installed, and the results screen displays.
• Text File: If you copied the contents of the file, select Text Editor and click
Install. Copy the contents of the text file into the Edit and Install the
Configuration dialog and click Install. The configuration is installed, and
the results screen displays.
• Remote Download: If you uploaded the archive to a remote URL, select
Remote URL and click Install. Enter the full path to the archive into the
Install Configuration dialog and click Install. The configuration is installed,
and the results screen displays.
The username and password used to connect to the server can be
embedded into the URL. For FTP, the format of the URL is:
ftp://username:password@ftp-server

where ftp-server is either the IP address or the DNS-resolvable hostname

of the FTP server.
If you do not specify a username and password, the Advanced Secure
Gateway appliance assumes that an anonymous FTP is desired and thus
sends the following as the credentials to connect to the FTP server:
username: anonymous
password: proxy@

Note: A message is written to the event log when you install a

configuration on the Advanced Secure Gateway appliance.

106
Section H: Sharing Configurations
To ease initial configuration, you can take a configuration from a running
appliance and use it to configure another appliance. This process is called
configuration sharing. You can take a post-setup configuration file (one that does not
include those configuration elements that are established in the setup console)
from an already-configured Advanced Secure Gateway appliance and push it to a
newly-manufactured or restored system that is to have the same or similar
configuration.

If you push a configuration archive to an appliance that is already configured, the

archive is applied to the existing configuration, changing any existing values. This
means, for instance, that if the new configuration creates a realm called RealmA
and the existing configuration has a realm called RealmB, the combined
configuration includes two realms, RealmA and RealmB.

Configuration Sharing Requirements

To share configurations, you must download a content filter database, if the
configuration includes content filtering.
You can use either the Management Console or the CLI to create a post-setup
configuration file on one Advanced Secure Gateway appliance and push it to
another.

Note: You cannot push configuration settings to a newly-manufactured

system until you have completed initial setup of the system.

To create a configuration archive of the source device’s settings using the CLI:
1. Use an SSH client to establish a CLI session with the already configured
Advanced Secure Gateway appliance.
2. From the enable prompt (#), enter the following command:
show configuration post-setup

This displays the configuration on the current system, minus any

configurations created through the setup console, such as the hostname and IP
address. It also includes the installable lists.
3. Save the configuration. You can save the file two ways:
• Copy the contents of the configuration to the clipboard.
• Save it as a text file on an FTP server accessible to the Advanced Secure
Gateway appliance. This is advised if you want to re-use the file.

107
Advanced Secure Gateway Administration Guide

4. On the newly-manufactured Advanced Secure Gateway appliance, retrieve the

configuration file by doing one of the following:
• If you saved the configuration to the clipboard, go to the (config) prompt
and paste the configuration into the terminal.
• If you saved the configuration on a remote server:
At the enable command prompt, enter the following command:
# configure network “url”

See "Uploading Archives to a Remote Server" on page 100 for more

information about formatting the URL for FTP.

108
Section I: Troubleshooting
When pushing a shared configuration or restoring an archived configuration,
keep in mind the following issues:
❐ If the content-filtering database has not yet been downloaded, any policy that
references categories is not recognized.
❐ Unless you restore the SSL configuration-passwords-key keyring from the
source device, archives can only be restored onto the same device that was the
source of the archive. This is because the encrypted passwords in the
configuration (login, enable, FTP, etc.) cannot be decrypted by a device other
than that on which it was encrypted.
❐ Do not take an expanded archive from an operational Advanced Secure
Gateway appliance and install it onto another Advanced Secure Gateway
appliance. Expanded archives contain system-specific settings (for example,
hostnames, IP addresses, and connection forwarding settings) that will cause
conflicts.
❐ To use signed archives, your appliance must have an SSL certificate
guaranteed by a CA. If your appliance has a built-in appliance certificate, you
can use it and the corresponding appliance-ccl CCL to sign the archive.
Devices manufactured before July 2006 do not support appliance certificates.
If your appliance does not have a built-in appliance certificate, you must do
the following:
• Create a keyring on the appliance.
A keyring contains a public/private key pair. It can also contain a
certificate signing request or a signed certificate.
• Create a Certificate Signing Request (CSR) and send it to a Certificate
Signing Authority (CA).
• Have the CA sign the CSR.
To determine if your appliance has a built-in certificate, see "Using the
Appliance Certificate to Sign the Archive" on page 86.

See Also
For more information about appliance certificates, see Chapter 60:
"Managing X.509 Certificates" on page 1153.

109
Advanced Secure Gateway Administration Guide

110
Chapter 6: Explicit and Transparent Proxy

Whether you select explicit or transparent proxy deployment is determined by

factors such as network configuration, number of desktops, desired user
experience, and desired authentication approach.

Note: While you must configure proxying to do authentication, verify the

proxy is configured correctly and is functioning before adding authentication to
the mix. Many network or other configuration problems can appear similar to
authentication errors.

Topics in this Section

❐ "About the Explicit Proxy" on page 111
❐ "About the Transparent Proxy" on page 117
❐ "Transparent Proxies" on page 118
❐ "Configuring IP Forwarding" on page 119

About the Explicit Proxy

In an explicit proxy configuration, every client system (user agent or browser)
must be explicitly configured to use a proxy server. You can either manually
configure each client with the IP address and port number of the proxy service
(the Advanced Secure Gateway) or you can configure the client to download the
proxy settings from a Web server. The proxy settings are contained in a file
called a Proxy Auto-Configuration (PAC) file.
After the client is configured for explicit proxy, all user requests are sent to the
Advanced Secure Gateway rather than to the OCS. The Advanced Secure Gateway
appliance will then determine whether to allow or deny the request based on
proxy service and policy configuration settings. For allowed transactions, the
appliance will either service the request locally (for example, by returning
cached objects) or, if necessary, it will send a request to the OCS on behalf of the
client.

Note: Explicit proxy allows a redundant configuration using IP address

failover among a cluster of machines. For information on creating a redundant
configuration for failover, see Chapter 35: "Configuring Failover" on page 819.

To configure browsers for explicit proxy, see:

❐ "Manually Configure Client Browsers for Explicit Proxy" on page 112
❐ "Creating an Explicit Proxy Server with PAC Files" on page 112

111
Advanced Secure Gateway Administration Guide

Manually Configure Client Browsers for Explicit Proxy

If you are using an explicit proxy deployment, you must set up each client Web
browser to use the Advanced Secure Gateway as its proxy server. Typically, the
browser proxy configuration requires the IP address or hostname of the
Advanced Secure Gateway appliance and the port on which the Advanced Secure
Gateway will listen for traffic. The default port is 8080. The required hostname
format (that is, whether you must provide a fully qualified DNS hostname or a
short hostname) depends on the DNS configuration on your client systems.
Use the following table to help you locate the browser proxy settings:
Browser Proxy Configuration Settings

Internet Explorer Tools > Internet Options > Connections > LAN
Settings

Firefox Tools > Options > Advanced > Network > Settings >
Manual Proxy Configuration

Chrome Settings > Show advanced settings> Change proxy

settings > LAN settings

Safari (Macintosh) Apple menu > System Preferences >Internet &

Wireless > Network > Advanced > Proxies

Safari (Windows) Settings menu > Preferences > Advanced >

Proxies > Change Settings > LAN settings

Creating an Explicit Proxy Server with PAC Files

If your network does not use transparent proxy, clients on the network must
configure their browsers to use either an explicit proxy server or a Proxy Auto-
Configuration (PAC) file.
Two PAC files ship with the Advanced Secure Gateway:
❐ default PAC file
❐ accelerated PAC file
They can be accessed using HTTP, port 80 or 8080. For example:
❐ http://Appliance_IP_Address:8080/proxy_pac_file for the default PAC file
❐ http://Appliance_IP_Address:8080/accelerated_pac_base.pac for the
accelerated PAC file.
As an alternative to port 8080, you can specify the port that is being
intercepted for the explicit HTTP proxy service. For example, if port 80 is
being intercepted and has the explicit attribute enabled, you can specify:
http://

Note: NEVER use the Advanced Secure Gateway management port (8081/8082)
to host the PAC file.

112
 For additional information about PAC files, see the following:
http://www.proxypacfiles.com/proxypac/
Note: Only the accelerated_pac_base.pac file can be edited. Any text editor can
be used to edit and customize the accelerated PAC file to meet your needs. After
editing the file, you can load a PAC file only through the CLI:
#(config)inline accelerated-pac 123
-paste PAC file here-
123
Then set the browser to use the following URL as the automatic configuration
script: http://Appliance_IP_Address:8080/accelerated_pac_base.pac

Example of an Accelerated PAC File

function FindProxyForURL(url, host)
{
if (shExpMatch(url, "*\.company\.com\.cn*") ||
(host == "ftp.company.com") ||
(host == "images.company.com") ||
(host == "graphics.company.com"))
{
return "PROXY www.xxx.yyy.zzz:8080; DIRECT";
}
else if (url.substring(0, 4) == "mms:")
{
return "PROXY www.xxx.yyy.zzz:1755; DIRECT";
}
else if (url.substring(0, 5) == "rtsp:")
{
return "PROXY www.xxx.yyy.zzz:554; DIRECT";
}
else if (shExpMatch(url, "*streaming\.company\.com*"))
{
return "PROXY www.xxx.yyy.zzz:8080; DIRECT";
}
else if (isPlainHostName(host) ||
shExpMatch(host, "*\.company\.com") ||
dnsDomainIs(host, ".trouble-site.com"))
{
return "DIRECT";
}
else
{
return "PROXY www.xxx.yyy.zzz:8080; DIRECT";
}
}
Explanation for this PAC file (above). This PAC file tells the browser to:

113
Advanced Secure Gateway Administration Guide

❐ Use the proxy over port 8080 for URLs containing:

• .company.com.cn anywhere within the URL
• ftp.company.com as the host
• images.company.com as the host
• graphics.company.com as the host
❐ Use the proxy over port 1755 for any URL using the scheme mms://
(Windows Media).
❐ Use the proxy over port 554 for any URL using the scheme rtsp:// (Windows
Media).
❐ Use the proxy over port 8080 for any URL containing
“streaming.company.com” anywhere within the URL.
❐ Go DIRECT (that is, not use a proxy) for any URL that:
• is a simple, one name host name (in other words, not fully qualified)
• is any internal, fully qualified host (for example, host.company.com)
• is any host in the trouble-site.com domain
❐ Otherwise, attempt to use the proxy on port 8080 (the default rule).
The “; DIRECT” after the proxy’s information means that any time the browser
cannot reach the Advanced Secure Gateway, the browser is allowed to fall-back
and “go direct.” This is helpful for laptop/mobile users who will not have to
adjust their browser connection settings manually, since (typically) they can not
reach their company Advanced Secure Gateway from a remote location (and
therefore need their browser to “go direct”).

Methods to Load or Install a PAC File on an Advanced Secure

Gateway
You can either input the content of the PAC file directly on your appliance or you
can put the PAC file on an internal web server and reference the PAC file name on
your Advanced Secure Gateway.

To install the PAC file directly on the appliance:

1. Go to the Advanced Secure Gateway CLI.
2. From enable mode, enter:
inline accelerated-pac EOF
<enter your pac file contents here>
EOF

To reference a PAC file on an internal web server:

1. Ensure the read permissions are set on the web server so the Advanced Secure
Gateway can read the text PAC file.
2. From the Advanced Secure Gatewayz command line, enter:
config t
#(config)accelerated-pac <path to the PAC file including file name>

114
 #load accelerated-pac

To configure the browser to use the PAC script:

It’s common for modern browsers to have a field where the PAC URL can be
entered. Some browsers (Internet Explorer is one example) have an additional
option to retrieve a PAC URL via DHCP option 252 (which may need to be added
to some DHCP servers). Internet Explorer calls this “Automatically detect
settings."
A PAC URL is typically in the form:
http://mycompany.com/accelerated_pac_base.pac
For this to work, your Advanced Secure Gateway’s TCP port 80 must be configured
to accept explicit connections. Internet Explorer can retrieve this URL via DHCP
option 252 if your DHCP server is configured to send option 252, and the host is
using DHCP (as opposed to a host configured with a static IP address.)
The default name of the accelerated PAC file (as served by the Advanced Secure
Gateway) is accelerated_pac_base.pac.
If you prefer, you can use policy to have the Advanced Secure Gateway return the
PAC file if an alternate name is requested. For example, suppose you configure
your browsers with the PAC file name http://proxy.company.com/mypacfile. You
will need to add policy to your Advanced Secure Gateway to redirect this request to
the name accelerated_pac_base.pac, as follows:
<Proxy>
url.path.exact="/pacfile" action.redirect_pac(yes)
define action redirect_pac
request_redirect(307,".*","http://<proxysIP>/
accelerated_pac_base.pac")
end
You also need to have the HTTP port 80 defined as “explicit” on your Advanced
Secure Gateway. You can avoid this policy, and avoid the need for the browser to
make two requests for the PAC file, by naming the file accelerated_pac_base.pac.

To configure PAC files to be sent when using the "WPAD" method:

Another approach is to add the hostname “wpad” to your internal DNS. When
browsers open and attempt to “detect proxy settings,” they issue an HTTP GET
request to the host named wpad.yourcompanydomain.com. In DNS, if you point
wpad.company.com to the IP address of your Advanced Secure Gateway, and add
local policy, the browser will successfully install the PAC file.
1. Your DNS deployment: Add a DNS record to resolve the WPAD hostname
with the local domain to the Advanced Secure Gateway IP address. For example,
if the local domain is example.com, add a record resolving wpad.example.com to
the Advanced Secure Gateway IP address.
2. To receive the wpad.example.com requests, enable an explicit HTTP proxy
service for port 80 on the Advanced Secure Gateway (Configuration > Services >
Proxy Services).

115
Advanced Secure Gateway Administration Guide

Note: You can also use port 8080, but port 80 is preferred because it doesn’t
require that you specify a port for the PAC-URL in the users’ browsers.

3. Configure a redirect policy to convert the client’s http://wpad.example.com/

wpad.dat request into a request for http://Proxy_IP_Address_or_hostname/
accelerated_pac_base.pac to the proxy.
Example policy:
<Proxy>
ALLOW url.path.exact=/wpad.dat action.ReturnRedirect1(yes)

define action ReturnRedirect1

request_redirect( 302, ".*", "http://wpad.example.com/
accelerated_pac_base.pac" )
end

Additional PAC File Tips and Information

❐ Not all applications know how to parse PAC files correctly. Internet Explorer,
Firefox, Chrome, and most other browsers can use PAC files, but other
applications don’t always know what to do.
❐ Using TCPView.exe from http://www.sysinternals.com will show you where
the browser is connecting. For example, you may expect the PAC file to tell the
browser to connect via the Advanced Secure Gateway, but TCPView shows that
the browser is connecting “direct.” This utility can help you troubleshoot your
PAC file.
❐ Typically, if there's a problem with the PAC script syntax, a typo, or if the PAC
script cannot be found, browsers will just go “direct.” This is where TCPView
can come in handy as well.
❐ Browsers cache the PAC file. Making any changes to the PAC file won’t be
reflected in the browser unless you clear the browsers cache and close all open
browser windows. The only time the browser can be convinced to re-read the
PAC file is if it’s:
a. opening a new browser session, and
b. it’s not already cached
❐ PAC file syntax is Javascript. You will need to use Shell expressions instead of
Regular expressions for text comparisons. Internet Explorer allows you to use
the alert(); Javascript function to pop-up an alert. This can be handy when
troubleshooting PAC-file logic.
❐ Although it is perfectly valid to use the hostname of the proxy server within
the PAC file’s PROXY directive, using an IP address will minimize the need
for the browser to do a DNS lookup. Those clients with a small DNS cache or
low timeout value, may see a performance boost if only the Proxy’s IP address
were used within the PAC file’s PROXY string.
❐ A browser must parse the PAC file’s Javascript for EVERY URL the browser
finds within the HTML page you have browsed.

116
 ❐ For a web page that contains a large number of URLs, a poorly written PAC
file may cause browser performance problems.
❐ It’s best to write your PAC files as small and efficiently as possible. Fast and
efficient Javascript will perform better within the browser, especially on
“busy” web pages.

Serving Multiple PAC files

For steps to configure your Advanced Secure Gateway to serve multiple PAC files,
refer to Blue Coat Knowledge Base Articles 000010223 and 000010223.

About the Transparent Proxy

When transparent proxy is enabled, the client (browser) does not know the traffic
is being processed by a machine other than the OCS. The browser believes it is
talking to the OCS, so the request is formatted for the OCS and the proxy
determines for itself the destination server based on information in the request,
such as the destination IP address in the packet, or the Host: header in the
request.
To enable the Advanced Secure Gateway to intercept traffic sent to it, you must
create a service and define it as transparent. The service is configured to intercept
traffic for a specified port, or for all IP addresses on that port. A transparent HTTP
proxy, for example, typically intercepts all traffic on port 80 (all IP addresses).
To ensure that the appropriate traffic is directed to the Advanced Secure Gateway,
deploy hardware (such as a Layer-4 switch or a WCCP router) or a Advanced
Secure Gateway software bridge that redirects selected traffic to the appliance.
Traffic redirection is managed through polices you create on the redirection
device.
For detailed information on explicit proxies, continue with the next section; for
detailed information on transparent proxies, continue with "Transparent Proxies"
on page 118.

117
Advanced Secure Gateway Administration Guide

Transparent Proxies
Configure transparent proxy in the following ways:
❐ Through hardware: See "Configuring Transparent Proxy Hardware" on page
118.
❐ Through bridging: "Bridging" on page 118.
❐ Through using the Advanced Secure Gateway as a gateway: See "Configuring
IP Forwarding" on page 119.
In addition to the transparent proxy configuration, you must create a proxy
service for the transparent proxy and enable the service. At this time, you can also
set other attributes for the service, including the destination IP address and port
range. For information on creating or editing a proxy service for transparent
configuration, see Chapter 7: "Managing Proxy Services" on page 121.

Configuring Transparent Proxy Hardware

For transparent proxy to work, you must use one of the following:
❐ A bridge, either hardware or software
❐ Layer-4 switch
❐ WCCP

Bridging
Network bridging through the Advanced Secure Gateway provides transparent
proxy pass-through and failover support. This functionality allows Advanced
Secure Gateways to be deployed in environments where L4 switches and WCCP-
capable routers are not feasible options.
The Advanced Secure Gateway provides bridging functionality by two methods:
❐ Software—A software, or dynamic, bridge is constructed using a set of
installed interfaces. Within each logical bridge, interfaces can be assigned or
removed. Note that the adapters must of the same type. Although the
software does not restrict you from configuring bridges with adapters of
different types (10/100 or GIGE), the resultant behavior is unpredictable.
For instructions on setting up a software bridge, see "Configuring a Software
Bridge" on page 1312.
❐ Hardware—The Blue Coat Pass-Through card is a 10/100 dual interface
Ethernet device that enables a bridge, using its two adapters, so that packets
can be forwarded across it. However, if the system crashes, the Pass-Through
card becomes a network: the two Ethernet cables are connected so that traffic
can continue to pass through without restriction.
When the Pass-Through card is installed on the Advanced Secure Gateway, a
bridge is automatically created and traffic going through the bridge is
intercepted according to the proxy-service setting. Note that:
• Forwarding traffic behavior: By default, the bridge forwards packets that
are not to be intercepted.

118
 • Proxy request behavior: Requests are proxied on either adapter, so if you
connect one side of the bridge to your Internet connection, there might be
a number of issues.

Configuring a Layer-4 Switch

In transparent proxy acceleration, as traffic is sent to the origin content server, any
traffic sent on port 80 is redirected to the Advanced Secure Gateway by the Layer 4
switch. The benefits to using a Layer 4 switch include:
❐ Built-in failover protection. In a multi-Advanced Secure Gateway setup, if one
fails, the Layer 4 switch can route to the next Advanced Secure Gateway.
❐ Request partitioning based on IP address instead of on HTTP transparent
proxying. (This feature is not available on all Layer 4 switches.)
❐ Advanced Secure Gateway bypass prevention. You can configure a Layer 4
device to always go through the Advanced Secure Gateway even for requests to
a specific IP address.
❐ Advanced Secure Gateway bypass enabling. You can configure a Layer 4 device
to never go through the Advanced Secure Gateway.
For information on configuring a layer-4 switch, refer to the manufacturer’s
documentation.

Configuring a WCCP-Capable Router

WCCP is a Cisco®-developed protocol that allows you to establish redirection of
the traffic that flows through routers.
The main benefits of using WCCP are:
❐ Scalability—With no reconfiguration overhead, redirected traffic can be
automatically distributed to up to 32 Advanced Secure Gateways.
❐ Redirection safeguards—If no Advanced Secure Gateways are available,
redirection stops and the router forwards traffic to the original destination
address.
For information on using WCCP with a Advanced Secure Gateway, see "WCCP
Configuration" on page 781.

Configuring IP Forwarding
IP Forwarding is a special type of transparent proxy. The Advanced Secure Gateway
is configured to act as a gateway and is configured so that if a packet is addressed
to the Advanced Secure Gateway adapter, but not its IP address, the packet is
forwarded toward the final destination. If IP forwarding is disabled, the packet is
rejected as being mis-addressed.
By default, IP forwarding is disabled to maintain a secure network.

119
Advanced Secure Gateway Administration Guide

Important: When IP forwarding is enabled, be aware that all Advanced Secure

Gateway ports are open and all the traffic coming through them is not subjected to
policy, with the exception of the ports that have explicitly defined through the
Configuration > Services > Proxy Services tab.

To enable IP forwarding:
1. Select the Configuration > Network > Routing > Gateways tab.
2. Select the Enable IP forwarding option at the bottom of the pane.
3. Click OK; click Apply.

120
Chapter 7: Managing Proxy Services

This chapter discusses proxy services and service groups and their roles in
intercepting traffic.

Topics in this Chapter

This chapter includes information about the following topics:
❐ Section A: "Proxy Services Concepts" on page 122
❐ Section B: "Configuring a Service to Intercept Traffic" on page 129
❐ Section C: "Creating Custom Proxy Services" on page 132
❐ Section D: "Proxy Service Maintenance Tasks" on page 136
❐ Section E: "Global Options for Proxy Services" on page 140
❐ Section F: "Exempting Requests From Specific Clients" on page 148
❐ Section G: "Trial or Troubleshooting: Restricting Interception From Clients
or To Servers" on page 153
❐ Section H: "Reference: Proxy Services, Proxy Configurations, and Policy" on
page 156

121
Advanced Secure Gateway Administration Guide

Section A: Proxy Services Concepts

This section describes the purposes of Blue Coat Advanced Secure Gateway proxy
services.
❐ "About Proxy Services"
❐ "About Proxy Service Groups" on page 123
❐ "About the Default Listener" on page 124
❐ "About Multiple Listeners" on page 124
❐ "About Proxy Attributes in the Services" on page 126

About Proxy Services

In Blue Coat terminology, proxy service defines:
❐ The combinations of IP addresses and ports that the proxy matches against.
❐ Whether to intercept or bypass matched traffic; if intercepted, which proxy to
use to process the traffic.
• When a service is set to Intercept, the Advanced Secure Gateway appliance
listens on the port for traffic and upon detection, terminates the
connection, performs an action (such as a policy check), and initiates a
new connection to the traffic destination.
• When a service is set to Bypass, the traffic pass through the Advanced
Secure Gateway appliance. Proxy Edition: By default, services are set to
Bypass.

A collection of attributes that control what type of processing the Advanced Secure
Gateway appliance performs on the intercepted traffic. A proxy service listener
specifies where a Advanced Secure Gateway service listens for traffic. Four
attributes comprise the listener:
❐ Source address—Most of the time, this attribute is set to all source addresses,
which means any IPv4 or IPv6 address that originates the request. You can
also specify specific IP addresses and subnets. For example, you want to
exclude a network segment, so you specify a subnet and set to Bypass.
❐ Destination address—

• All addresses, which means any IPv4 or IPv6 destination.

• Transparent—Acts on connections without awareness from the client or
server. Only connections to IPv4 or IPv6 destination addresses that do not
belong to the Advanced Secure Gateway appliance are intercepted. This
setting requires a bridge, such as that available in the Advanced Secure
Gateway appliance; a Layer-4 switch, or a WCCP-compliant router. You
can also transparently redirect requests through a Advanced Secure Gateway
appliance by setting the workstation’s gateway to the appliance IP
address.

122
 • Explicit—Requires Web browser and service configuration. It sends
requests explicitly to a proxy instead of to the origin content servers. Only
destination addresses that match one of the IPv4 or IPv6 addresses on the
Advanced Secure Gateway appliance are intercepted.
• Destination IP address or subnet/prefix length—This listener type ensures
that only destination addresses matching the IPv4/IPv6 address or
subnet/prefix length are intercepted.
❐ Port—A specific port or port range. All default Advanced Secure Gateway
services are configured to their industry-standard ports. For example, the
explicit HTTP service is configured to listen on ports 80 and 8080.
❐ Action—The aforementioned action to take on traffic detected by this service:
Intercept or Bypass.

Note: For a complete list of supported proxy services and listeners, see
"Reference: Proxy Services, Proxy Configurations, and Policy" on page 156.

About Proxy Service Groups

The Advanced Secure Gateway appliance groups services into predefined service
groups based on the type of traffic that service carries. Service groups enable you
to:
❐ Quickly locate a specific service and view its attributes.
❐ Create a custom service group and add custom services or existing services to
that group.

Predefined Service Groups and Services

Table 7–1, "Service Groups and Services" lists all service groups and their
associated services.

Note: This list applies to new installations or the result of restoring the appliance
to factory defaults after the ab upgraded from a lower version. Upon upgrading
to the current version, the Services tab retains existing services, service group
names, and policies.

123
Advanced Secure Gateway Administration Guide

Table 7–1 Service Groups and Services

Services Group Services Group Description Predefined Service Types

Name (or Examples)
Standard The most commonly intercepted • HTTP/HTTPS—external
services. (transparent and explicit)
and internal
• Endpoint Mapper (for
MAPI protocol—Microsoft
Exchange)
• CIFS (file sharing)
• Streaming (MMS, RTSP)
• Instant Messaging (AOL,
MSN, Yahoo)
• FTP
• DNS
• SOCKS
Bypass Services that contain encrypted • Cisco VPN
Recommended data and therefore recommended • Blue Coat ADN/WanOp
to not be ADN-optimized; also
• Blue Coat management
includes other interactive services.
• Oracle over SSL
• Other encrypted services
Tunnel Services that employ the TCP • Citrix, IMAP, LDAP, Lotus
Recommended Tunnel proxy to provide basic Notes, and various other
application-independent common business
acceleration. applications
Default See "About the Default Listener".

Note: The HTTPS Reverse Proxy service is also available but not created by
default. For information about configuring the HTTPS Reverse Proxy, see
Chapter 15: "Configuring and Managing an HTTPS Reverse Proxy" on page 313.

About the Default Listener

The Default listener detects any traffic that does not match any other listeners on
any of the services.

About Multiple Listeners

A listener identifies network traffic based on a source IP address or range,
destination IP address or range, or both. Multiple listeners can be defined for a
proxy service or console service. Each service has a set of default actions to apply
to the traffic identified by the listeners it owns.

124
 The destination IP address of a connection can match multiple proxy service
listeners. Multiple matches are resolved using the most-specific match algorithm
used by routing devices. A listener is more specific if it has a larger Destination IP
subnet prefix. For example, the subnet 10.0.0.0/24 is more specific than
10.0.0.0/16, which is more specific than 10.0.0.0/8.
When a new connection is established, the Advanced Secure Gateway appliance
first finds the most specific listener destination IP. If a match is found, and the
destination port also matches, the connection is then handled by that listener. If
the destination port of the listener with the most specific destination IP does not
match, the next most-specific destination IP is found; this process continues until
either a complete match is found or no more matching addresses are found. If a
destination IP address is not specified, the closest matching explicit proxy service
listener has priority over a subnet match. In that instance, the explicit proxy
service listener handles the connection instead of the subnet listener. Explicit port
80 listeners with a destination host IP identical to the Advanced Secure Gateway
appliance have priority over other explicit listeners.
For example, assume the following services were defined as given in the
following table.

Table 7–2 Example Configuration for Most Specific Match Algorithm

Proxy Service Listener

Service Name Proxy Source IP Address Destination IP Address Port Range

New York Data Center HTTP 192.168.20.22 10.167.10.0/24 80

New York CRM HTTP 10.167.10.2 80

HTTP Service HTTP <Transparent> 80

An HTTP connection initiated to server 10.167.10.2 could match any of the three
listeners in the above table. The most specific match algorithm finds that a listener
in the New York CRM service is the most specific and since the destination port of
the connection and the listener match, the connection is handled by this service.
The advantage of the most specific match algorithm becomes evident when at
some later point another server is added in the New York Data Center subnet. If
that server needs to be handled by a different service than the New York Data
Center service, a new service with a listener specific to the new server would be
added. The administrator does not need to be concerned about rule order in order
to intercept traffic to this particular server using the new, most specific service
listener.
As another example, assume the following service and listeners were defined:
Table 7–3 Second Example Configuration for Most Specific Match Algorithm

Listener Name Proxy Destination IP Address Port Range

L1 HTTP Explicit 80

L2 HTTP 10.0.0.0/8 80

125
Advanced Secure Gateway Administration Guide

Consider the following scenario: an HTTP connection to an Advanced Secure

Gateway appliance matches to all listeners in the above table. L2 is a subnet match
with the Advanced Secure Gateway appliance, however, the destination IP address
is not specified within the listener configuration. When there is only a subnet and
explicit proxy service listener match, the explicit listener (L2) is the better match.
Among explicit listener matches, a port 80 IP address listener has priority. Only
listeners with a specific destination IP address are considered a better match to
explicit listeners.

About Proxy Attributes in the Services

In addition to the listener information, each service contains one or more settings
that affect how the Advanced Secure Gateway appliance proxies the traffic. The
following sections provide an overview of those settings. The proxy configuration
topics provide more information about these attributes.

About Authenticate-401
Available on the Explicit HTTP and External HTTP services.
When this option is selected, all transparent and explicit requests received on the
port always use transparent authentication (cookie or IP, depending on the policy
configuration).
If you have deployed Authentication in the way recommended by Blue Coat—
where only the Advanced Secure Gateway appliance nearest the user performs the
authentication tasks—configuring Authenticate-401 is not necessary. However,
multiple, explicitly-configured Advanced Secure Gateway appliances in a proxy
chain are all attempting to perform authentication tasks can cause issues with
browsers. By forcing one of the proxies (recommended: the one furthest away
from the client) to use 401-style authentication instead of the standard proxy 407-
style authentication, the browser can better handle the multiple authentication
challenges.

About Protocol Detection

Applies to the HTTP, HTTPS, SOCKS, and TCP Tunnel services.
Protocol detection identifies HTTP, SOCKS CONNECT requests, and TCP
tunnels. You can enable protocol detection on the aforementioned services or
implement it using policy. Policy can further be used to negate protocol detection
for SSL requests. Defining a policy for protocol detection enhances granularity by
matching on a richer set of conditions rather than the specific service; policy
always overrides manual settings.
If protocol detection is enabled, the appliance inspects the first bytes sent from
the client and determines if a corresponding application proxy is available to
hand off the connection. For example, an HTTP request identified on a TCP
tunnel has full HTTP policy applied to it, rather than just simple TCP tunnel
policy. In particular, this means that:
❐ The request arrives as a client protocol HTTP rather than a TCP Tunnel.

126
 ❐ The URL used while evaluating policy is an http:// URL of the tunneled
HTTP request, not a tcp:// URL to which the tunnel was connecting.
❐ Forwarding policy is applied based on the new HTTP request; therefore, the
selected forwarding host selected support HTTP. A forwarding host of type
TCP cannot handle the request, which forces the request to be blocked.
Enabling protocol detection helps accelerate the flow of traffic. However, the TCP
session must be fully established with the client before either the application
proxy or the TCP tunnel proxy contacts the origin server. In some cases, like in the
active-mode FTP data connections, enabling protocol detection might cause a
delay in setting up the connection.
To avoid this connection delay, either use a protocol specific proxy, such as the
FTP proxy, or disable protocol detection.
If protocol detection is disabled, traffic flows over a TCP tunnel without
acceleration provided by a protocol-specific proxy.

Note: Protocol detection is disabled by default.

About Early Intercept

Opening a TCP connection involves a three-way handshake involving packets: the
client contacts the server, the server acknowledges the client, and the client
acknowledges the server.
❐ With early intercept, the Advanced Secure Gateway appliance returns a server
acknowledgement back to the client and waits for the client
acknowledgement, which completes the TCP 3-way handshake, before the
appliance connects upstream to the server. Furthermore, proxies that support
object caching (such as HTTP), the Advanced Secure Gateway appliance serves
from the cache—a server connection is not necessary.
❐ With delayed intercept, the Advanced Secure Gateway appliance attempts to
connect upstream immediately after receiving the client's initial connection
request, but waits to return the server acknowledgement until determining
whether or not the upstream connection succeeds. This provides greater
transparency, as the client receives either an RST or no response, which
mirrors what is sent from a server when connections fail.
For every proxy listener except CIFS and TCP Tunnel services, early intercept is
hard-coded to enabled.
❐ For CIFS, the listener is hard-coded as delayed intercept because of a specific
issue with the way clients attempt to connect to ports 139 and 445
simultaneously. Without a full transparency in our response to the TCP three-
way handshakes, client connections might break.

127
Advanced Secure Gateway Administration Guide

❐ For TCP Tunnel, you have the option to select either (disabled by default). For
the TCP Tunnel service, the Early Intercept option is selectable and disabled by
default. When this option is disabled, the proxy delays responding to the
client until after it has attempted to contact the server. For maximum
transparency, disable this option. If reduced latency is more important, enable
it.

128
Section B: Configuring a Service to Intercept Traffic
This section describes:
❐ "Changing the State of a Service (Bypass/Intercept)" on page 130
❐ "Moving a Service" on page 136
❐ "Deleting a Service or Service Group" on page 137
❐ "Bypassing All Proxy Services (Troubleshooting)" on page 137
❐ "Importing a Service from the Service Library" on page 138
To learn more details about Blue Coat services, see "Proxy Services Concepts" on
page 122.

129
Advanced Secure Gateway Administration Guide

Section 1 Changing the State of a Service (Bypass/Intercept)

There are two service states:
❐ Bypass—Traffic for this service passes through the Advanced Secure Gateway
appliance without receiving an optimization or policy checking (as
applicable).
❐ Intercept—The Advanced Secure Gateway appliance intercepts traffic for this
service and applies optimization or policy checks (as applicable).
Depending on the type of installation performed on the Advanced Secure Gateway
appliance, the state of existing services varies.
❐ New installation or you invoke a re-initialization—All services are set to
Bypass unless during a new installation process, the person performing the
installation might have set some services, such as External HTTP, to Intercept
You cannot change the state of entire predefined group; you must set each service
required for your deployment to Intercept.
Changing the state of a service to Intercept is only the first step in configuring a
protocol proxy. To achieve your corporate deployment goals, you must also
configure the proxy settings and define policy, both of which determine how the
Advanced Secure Gateway appliance processes the intercepted traffic. These aspects
are discussed in each proxy section later in this guide.
For more conceptual information about services, see "About Proxy Services" on
page 122.

To change the state of a service:

1. In the Management Console, select the Configuration > Services > Proxy Services >
Proxy Services tab.

2: Click to
expand a group

3 (optional)

2. Click the group name to expand the group. For example, you want to
intercept the CIFS services.
3. Optional: Select the Default Action for traffic that does not match any current
service.

130
 Source IP->Destination IP/Port Select action

4. From the drop-down for the service or an individual service port, select to
Bypass or Intercept.

5. Repeat for other services, as required.

6. Click Apply.

Next Tasks
As previously mentioned, setting a service to Intercept is one step in controlling
specific traffic types. There are other options for the services themselves, plus
proxy configurations and policy definitions. You can also create custom services
and service groups.

Proxy Configuration/Policy Definitions

"Reference: Service/Proxy Matrices" on page 158

Other Service Options

❐ "Moving a Service" on page 136
❐ "Deleting a Service or Service Group" on page 137
❐ "Bypassing All Proxy Services (Troubleshooting)" on page 137
❐ Section C: "Creating Custom Proxy Services" on page 132
❐ Section E: "Global Options for Proxy Services" on page 140

131
Advanced Secure Gateway Administration Guide

Section C: Creating Custom Proxy Services

This section describes how to create a new proxy service. Follow this procedure if
you need to create a proxy service for a custom application.
You can also create custom proxy service groups and populate them with custom
services or move default services to them. For example, this Advanced Secure
Gateway appliance serves a specific purpose and you want a custom group that
contains only those services. This procedure discusses creating a service group,
creating a new service, and placing that service in the custom group.

Note: If you only need to change the state of the proxy service (Bypass/Intercept),
you can do so from the main Proxy Services tab. You do not need to enter New/
Edit mode to change this setting.

Before you begin, you must understand the goal of your deployment, how the
application proxy operates, and the IP addresses (source and/or destination) and
ports to intercept. Some proxy services, such as DNS, are simple—comprised only
of IP addresses and ports. Others, such as HTTP, have more attributes to consider.
For a high-level description of these options, see "About Proxy Attributes in the
Services" on page 126.
For specific proxy descriptions, see

To create a new proxy service:

1. From the Management Console, select the Configuration > Services > Proxy
Services tab.

2
3

2. At the bottom of the tab, click New Service Group. The New Service Group dialog
displays.
3. In the Service Group field, name the custom service group.

132
4. Click OK. The new service group displays under Custom Service Groups.

5. Click New Service. The New Service dialog displays.

6a

6b

6c

6d

6. Configure service attributes, including applicable proxy settings:

a. In the Name field, enter a name that describes the service.
b. From the Service Group drop-down list, select which group displays the
service on the main page. You can add the service to a default group or
any already-created custom group.
c. Proxy settings—From the Proxy drop-down list, select the supported
proxy that is compatible with the application protocol.
The Proxy settings sub-options are dynamic (including TCP/IP Settings),
based on the selected proxy. See "About Proxy Attributes in the Services"
on page 126 for overviews of these options; for more detailed information,
see the chapter that explains each proxy in more detail.

133
Advanced Secure Gateway Administration Guide

Note: The Detect Protocol setting is disabled by default. You must select
this check box for filtering to be recognized.

7. Create a listener, or the IP address(es) and ports that this application protocol
uses. In the Listeners area, click New. The New Listener dialog displays.

8a

8b

8c

8d

8. Configure the new listener attributes:

a. In the Source address area, the most common selection is All, which
means the service applies to requests from any client (IPv4 and IPv6).
You can also restrict this listener to a specific IP address (IPv4 or IPv6)
or user subnet (for IPv4) or prefix length (for IPv6).
b. Select a Destination address from the options. The correct selection
might depend on network configuration. For overviews of the options,
see "About Proxy Services" on page 122.

134
 c. In the Port Range field, enter a single port number or a port range on
which this application protocol broadcasts. For a port ranges, enter a
dash between the start and end ports. For example: 8080-8085
d. In the Action area, select the default action for the service: Bypass
configures the service to ignore any traffic matching this listener.
Intercept configures the service to intercept and proxy the associated
traffic.
e. Click OK to close the dialog. The new listener displays in the Listeners
area.
9. Click Ok add the new service to the selected service group.
10. Click Apply.

See Also
❐ "Moving a Service"
❐ "Importing a Service from the Service Library"

135
Advanced Secure Gateway Administration Guide

Section D: Proxy Service Maintenance Tasks

This section provides various tasks for managing existing services.
❐ "Moving a Service"
❐ "Deleting a Service or Service Group" on page 137
❐ "Bypassing All Proxy Services (Troubleshooting)" on page 137
❐ "Importing a Service from the Service Library" on page 138

Moving a Service
The predefined services are not anchored to their default groups. You can move a
service to any other predefined or custom group.

Note: You must move the entire service; that is, you cannot move individual
service listeners.

To move a service to another service group:

1. From the Management Console, select the Configuration > Services > Proxy
Services tab.

2a

2b

2c

2. Move the service:

a. Select a service.
b. Click Move Service. The Move Service dialog displays.
c. From the drop-down list, select an existing service group (custom or
pre-defined).
d. Click OK.

136
 3. Click Apply.

Deleting a Service or Service Group

You can delete a service within a predefined service group but you cannot delete
an empty predefined service group itself. However, you can delete a custom
service group if it is empty.
You can add back a default service you deleted from the service library by using
the Import Service feature. See "Importing a Service from the Service Library" on
page 138.

To delete a service:
1. From the Management Console, select the Configuration > Services > Proxy
Services tab.

2. Select the service or custom service group to delete.

3. Click Delete. A confirmation prompt displays.
4. Click Yes. The selected service or custom service group is deleted.
5. Click Apply.

Bypassing All Proxy Services (Troubleshooting)

The Bypass All Proxies feature is intended as an interim solution while
application-breaking problems are repaired. When Force Bypass is invoked,
transparent proxy connections are bypassed and explicit proxy connections are
rejected.

Note: Downgrading to a version that does not support force bypass while
running in bypass mode will result in restoration of proxy services.

To bypass all proxy services:

1. From the Management Console, select the Configuration > Services > Proxy
Services tab.

2. In the Force Bypass area, select the Temporarily bypass all proxy services option.
The bypass statement to red.
3. Click Apply.

137
Advanced Secure Gateway Administration Guide

Importing a Service from the Service Library

Importing a service procedure is required if you delete a default service and want
to re-add it. If you import an existing service, you are prompted to confirm the
replacement of a service. Existing service settings are overwritten with the default
settings.
In addition, after upgrading the software, any new services added to the service
library must be imported if you want to use them.

To import a service from the service library:

1. From the Management Console, select the Configuration > Services > Proxy
Services > Proxy Services tab.

2. Click Import Service. The Import Service dialog displays.

3a

3b

3c

3. Configure the import service options:

a. From the Name drop-down list, select the service to import.
b. All other settings adjust automatically to the service’s default values.
Perform changes if required.
c. Click New to configure a new listener or Edit to modify existing listener
settings.

138
 d. Click OK.
4. Click Apply.

139
Advanced Secure Gateway Administration Guide

Section E: Global Options for Proxy Services

This section describes features that apply to all proxies and services. See "Proxy
Service Global Options" for details.

140
Section 2 Proxy Service Global Options
Blue Coat provides optional settings that apply to all proxy services when
configured:
❐ "Ensuring Application Availability (Tunnel on Protocol Error)"
❐ "Using the Client IP Address for Server Connections" on page 143
❐ "Improving Performance by Not Performing a DNS Lookup" on page 144
❐ "Exempting Requests From Specific Clients" on page 148

Note: You can subscribe to the CachePulse service to optimize HTTP traffic. For
information, see "Enabling CachePulse" on page 192.

Ensuring Application Availability (Tunnel on Protocol Error)

HTTP Proxy
In many networks, business-critical applications send traffic over port 80—the
default HTTP port—because it is used as a generic route through the firewall.
However, the Advanced Secure Gateway HTTP proxy encounters problems when
it receives non-HTTP requests from clients or browsers. The client receives an
exception page and the connection closes. The following deployment operations
create this situation:
❐ The client request from an application or browser is not HTTP.
❐ The request is HTTP but also contains components that are not HTTP.
❐ The request contains an unexpected formatting error in a line or header.
The Advanced Secure Gateway appliance provides an option that enables the
HTTP proxy to tunnel the connection when it receives non-HTTP traffic or broken
HTTP request. This allows application traffic to continue and employee
production to continue. The transactions remain labeled as HTTP; therefore, the
access logs and the Traffic Mix and Active Sessions statistics display TCP_TUNNELED
to indicate when a connection passed through the HTTP proxy. The HTTP proxy
cannot apply security policies; however, benefits provided by ADN
configurations might occur.
The TCP Tunnel on Error option is viable with the following deployments:
❐ Applies only to HTTP traffic; HTTPS is not supported in either forward or
reverse proxy modes.
❐ Applies only to errors in requests from the client browser or application to the
appliance. Any issues that arise from server responses are not accommodated
by this feature.

141
Advanced Secure Gateway Administration Guide

SSL Proxy
For the SSL proxy, the Tunnel on Protocol Error option applies when non-SSL
traffic arrives at the SSL port (443 by default). A common scenario that causes this
is having peer-to-peer applications (viz, Skype, BitTorrent, Gnutella, older AOL-
IM and eMule) configured to enable port 443 for peer-to-peer traffic without SSL
set as the transport protocol. A Advanced Secure Gateway appliance
transparently intercepting all 443 traffic cannot process these connections,
rendering the application unusable.
With an explicit proxy deployment, SSL errors during the initial handshake
causes the same issue. The following example illustrates this:
❐ The Advanced Secure Gateway appliance is configured to have an explicit
HTTP service on port 8080.
❐ The HTTP service is configured with detect protocol enabled, which hands off
SSL traffic to the SSL proxy from an HTTP CONNECT request. Detect Protocol is
set to OFF by default.

Note: The same applies to an explicit SOCKS proxy deployment with protocol
detection enabled or an explicit TCP listener.

Forwarding Note
Enabling the TCP Tunnel on Error option might cause issues if the Advanced
Secure Gateway appliance has forwarding rules that direct traffic to upstream
proxies or other devices:
❐ Forwarding hosts are not viewed as HTTP proxies (even if they are). The
initial Advanced Secure Gateway HTTP proxy connects with a TCP tunnel to
the forwarding host. If the appliance has a policy to forward and tunnels on
error, the forwarding rule might not match if the forwarding rule has a
condition based on information that is not present—any HTTP conditions,
such as:
• Request method
• Request URL
• Request headers
❐ In the case of tunnel on error with explicit proxy, HTTP must match a
forwarding host for the connection of a successful TCP tunnel to occur. If no
forwarding host matches, HTTP will not tunnel on error.

To enable TCP tunnel on HTTP protocol errors:

1. Select the Configuration > Proxy Settings > General > General tab.

142
 2. In the Tunnel on Protocol Error area, select TCP tunnel requests when a protocol error
is detected.

3. Click Apply.

Related Policy
The Visual Policy Manager (VPM) provides the Client Certificate Requested object in
the SSL Intercept Layer > Service column (the equivalent CPL is
client.certificate.requested={yes|no}).Use this policy in conjunction with an
SSL.Intercept(no) action, or a Do Not Intercept SSL action in the VPM, to minimize
traffic disruption when the SSL proxy intercepts secure traffic where the OCS
requests a client certificate.
When Tunnel on Error is enabled, the first detection of a client certificate request
from an OCS causes the connection to fail. The appliance adds the details for that
exchange to an internal list of connections for which SSL interception should be
negated. Subsequent requests function as expected.

Using the Client IP Address for Server Connections

This section discusses configuring the Advanced Secure Gateway appliance to use
the IP address of the client to connect to destination servers rather than use the
Advanced Secure Gateway address.

About Reflecting the Client Source IP when Connecting to Servers

By default, the Advanced Secure Gateway appliance uses its own IP address as
the source IP address for requests (when connecting to servers). If Reflect Client
IP is enabled, the Advanced Secure Gateway appliance uses the client IP address
for all requests. Enabling this option is not an arbitrary decision; it depends on the
deployment and role of the Advanced Secure Gateway appliance.

Note: The Reflect Client IP option is only supported in transparent Advanced

Secure Gateway deployments.

You can globally enable the Reflect Client IP option for all services that will be
intercepted. To apply Reflect Client IP option to only a few services, first enable
this option globally and then create policy to disable the Reflect Client IP option
for the exceptions. Or, disable the option globally and create policy to enable it.

143
Advanced Secure Gateway Administration Guide

Enabling Reflect Client Source IP

To configure the Advanced Secure Gateway appliance to connect to servers using
client source IP addresses:
1. Select the Configuration > Proxy Settings > General > General tab.

2. In the Reflect Client IP area, select Reflect client’s source IP when connecting to
servers.

3. Click Apply.

Important:If you enable Reflect Client IP and want the Advanced Secure
Gateway appliance to preserve persistent client connections, you must also add
policy.
VPM object: Web Access Layer > Action > Support Persistent Client Requests (static)
CPL:
<proxy>
http.client.persistence(preserve)

Improving Performance by Not Performing a DNS Lookup

This section describes how to improve performance by configuring the Advanced
Secure Gateway appliance to trust the destination IP address provided by the
client.

About Trusting the Destination IP Address Provided by the Client

If, in your environment, a client sometimes provides a destination IP address that
the Advanced Secure Gateway appliance cannot identify, you have the option to
configure the appliance to not perform a DNS lookup and allow that IP address.
This can improve performance, but potentially presents a security issue.
You can configure the Advanced Secure Gateway appliance to trust a client-
provided destination IP address in transparent proxy deployments where:
❐ DNS configuration on the client is correct, but is not correct on the appliance.
❐ The client obtains the destination IP address using Windows Internet Name
Service (WINS) for NetBIOS name resolution.

144
❐ DNS imputing on the Advanced Secure Gateway appliance is not configured
correctly. On the Advanced Secure Gateway appliance, you can configure a
list of suffixes to help with DNS resolution. In the event that the host name is
not found, these suffixes are appended to the host name provided by the
client. For information on DNS imputing, see "Resolving Hostnames Using
Name Imputing Suffixes" on page 833.
In each of the cases above, the Advanced Secure Gateway appliance cannot obtain
the destination IP address to serve client requests. When you enable the
Advanced Secure Gateway appliance to trust a client-provided destination IP
address, the Advanced Secure Gateway appliance uses the IP address provided
by the client and does not perform a DNS lookup.

Figure 7–1 No DNS lookup occurs; the transactions goes straight to the OCS.

Figure 7–2 The Advanced Secure Gateway appliance initiates a DNS lookup and initiates a new
connection to the server.
The Advanced Secure Gateway appliance cannot trust the client-provided
destination IP address in the following situations:
❐ The Advanced Secure Gateway appliance receives the client requests in an
explicit proxy deployment.
❐ The Advanced Secure Gateway appliance has a forwarding rule configured
for the request.
❐ The Advanced Secure Gateway appliance has a SOCKS gateway rule
configured for the request.

145
Advanced Secure Gateway Administration Guide

❐ The Advanced Secure Gateway appliance has policy that rewrites the server
URL.
A transproxy deployment is one where a client is configured to contact a
Advanced Secure Gateway appliance explicitly, and a new Advanced Secure
Gateway appliance is deployed between the client and its explicit proxy. The new
Advanced Secure Gateway appliance, now transparently intercepts the traffic
between the client and its explicit proxy. In a transproxy deployment, the
destination IP address used by the client does not match the host header in the
HTTP request, since the client is configured to use the explicit proxy. The path that
the client request takes in a transproxy deployment depends on whether or not
Trust Destination IP is enabled on the transparently deployed Advanced Secure
Gateway appliance.
❐ When Trust Destination IP is enabled on the transparent Advanced Secure
Gateway appliance, the transparent proxy trusts the destination IP included in
the request and forwards the request to the explicit proxy which is serviced
either from cache or from the Origin Content Server (OCS).
❐ When Trust Destination IP is disabled on the transparent Advanced Secure
Gateway appliance, the transparent proxy performs a DNS resolution on the
host header in the request. The request is then completed based on the
configured policy—forwarding rules, SOCKS gateway policy, and server URL
rewrite policy.

Note: If a client gives the destination address of a blocked site but the host name
of a non-blocked site, with Trust Destination IP enabled, the Advanced Secure
Gateway appliance connects to the destination address. This might allow clients
to bypass the configured security policy for your environment.

146
 About the Default Settings
During the initial configuration tasks, the administrator determined the default
Trust Destination IP setting. In most deployments, the role of the appliance
determines the setting:
❐ Acceleration role: enabled.
❐ Most other proxy deployments: disabled for tighter security.
You can change these defaults through the Management Console, the CLI, or
through policy. If you use policy, however, be aware that it overrides the setting in
the in Management Console.
For information about using the trust_destination_ip(yes|no) CPL property,
refer to the Content Policy Language Guide.

Configuring the Advanced Secure Gateway Appliance to Trust or Not

Trust the Destination IP Address
To change the current trust destination default setting:
1. Select the Configuration > Proxy Settings > General tab.

2. Select or clear the Trust client-provided destination IP when connecting to servers

option.
3. Click Apply.

147
Advanced Secure Gateway Administration Guide

Section F: Exempting Requests From Specific Clients

The bypass list contains IP addresses/subnet masks of client and server
workstations. Used only in a transparent proxy environment, the bypass list
allows the Advanced Secure Gateway appliance to skip processing requests sent
from specific clients to specific servers. The list allows traffic between protocol
incompliant clients and servers to pass through the Advanced Secure Gateway
appliance without a disruption in service.

Note: This prevents the appliance from enforcing any policy on these requests
and disables any caching of the corresponding responses. Because bypass entries
bypass Blue Coat policy, use bypass sparingly and only for specific situations.

This section covers the following topics:

❐ "Adding Static Bypass Entries"
❐ "Using Policy to Configure Dynamic Bypass" on page 149

148
Section 3 Adding Static Bypass Entries
You can add entries to prevent the Advanced Secure Gateway appliance from
intercepting requests from specified systems.

Note: Dynamic bypass cannot be configured through the Management

Console. You must define policy or use the CLI. For more information, see
"Using Policy to Configure Dynamic Bypass" on page 149.

To add static bypass entries:

1. Click the Configuration > Services > Proxy Services > Static Bypass List tab.

2. Click New to create a new list entry (or click Edit to modify a list entry). The
New Bypass List Entry dialog displays.
3. Create a Client Address or Server Address entry. The IP address can be IPv4 or
IPv6. If you enter an IPv4 address, you can specify a subnet mask. For IPv6
addresses, you can specify a prefix length.
4. (Optional) Add a Comment that indicates why you are creating the static
bypass rule for the specific source/destination combination. This is useful if
another administrator needs to tune the settings later.
5. Click OK to close the dialog.
6. Click Apply.

Using Policy to Configure Dynamic Bypass

Dynamic bypass, available through policy, can automatically compile a list of
response URLs that return various types of errors.

149
Advanced Secure Gateway Administration Guide

Note: Because bypass entries bypass Blue Coat policy, the feature should be used
sparingly and only for specific situations.

About Dynamic Bypass

Dynamic bypass keeps its own (dynamic) list of which connections to bypass,
where connections are identified by both source and destination. Dynamic bypass
can be based on any combination of policy triggers. In addition, some global
settings can be used to selectively enable dynamic bypass based on specific HTTP
response codes. After an entry exists in the dynamic bypass table for a specific
source/destination IP pair, all connections from that source IP to that destination
IP are bypassed in the same way as connections that match against the static
bypass list.
For a configured period of time, further requests for the error-causing URLs are
sent immediately to the origin content server (OCS), bypassing the Advanced
Secure Gateway appliance. The amount of time a dynamic bypass entry stays in
the list and the types of errors that cause the Advanced Secure Gateway appliance
to add a site to the list, as well as several other settings, are configurable from the
CLI.
After the dynamic bypass timeout for a client and server IP address entry ends,
the Advanced Secure Gateway appliance removes the entry from the bypass list.
On the next client request for the client and server IP address, the Advanced
Secure Gateway appliance attempts to contact the OCS. If the OCS still returns an
error, the entry is again added to the local bypass list for the configured dynamic
bypass timeout. If the entry does not return an error, entries are again added to
the dynamic list and not the local list.

Notes
❐ Dynamic bypass entries are lost when the Advanced Secure Gateway
appliance is restarted.
❐ No policy enforcement occurs on client requests that match entries in the
dynamic or static bypass list.
❐ If a site that requires forwarding policy to reach its destination is entered into
the bypass list, the site is inaccessible.

Configuring Dynamic Bypass

Dynamic bypass is disabled by default. Enabling and fine-tuning dynamic bypass
is a two-step process:
❐ Set the desired dynamic bypass timeout and threshold parameters.
❐ Use policy (recommended) or the CLI to enable dynamic bypass and set the
types of errors that cause dynamic bypass to add an entry to the bypass list.

150
Adding Dynamic Bypass Parameters to the Local Bypass List
The first step in configuring dynamic bypass is to set the server-threshold,
max-entries, or timeout values in the CLI.

Note: This step is optional because the Advanced Secure Gateway appliance uses
default configurations if you do not specify them. Use the default values unless
you have specific reasons for changing them. Contact Blue Coat Technical
Support for detailed advice on customizing these settings.

❐ The server-threshold value defines the maximum number of client entries

before the Advanced Secure Gateway appliance consolidates client–server
pair entries into a single server entry that then applies to all clients connecting
to that server. The range is 1 to 256. The default is 16. When a consolidation
occurs, the lifetime of the consolidated entry is set to the value of timeout.
❐ The max-entries defines the maximum number of total dynamic bypass
entries. The range is 100 to 50,000. The default value is 10,000. When the
number of entries exceeds the max-entries value, the oldest entry is replaced
by the newest entry.
❐ The timeout value defines the number of minutes a dynamic bypass entry can
remain unreferenced before it is deleted from the bypass list. The range is 1 to
86400. The default value is 60.

Enabling Dynamic Bypass and Specifying Triggers

Enabling dynamic bypass and specifying the types of errors that causes a URL to
be added to the local bypass list are done with the CLI. You cannot use the
Management Console.
Using policy to enable dynamic bypass and specify trigger events is better than
using the CLI, because the CLI has only a limited set of responses. For
information about available CLI triggers, refer to the <Emphasis>Blue Coat
Content Policy Language Guide. For information about using policy to configure
dynamic bypass, refer to the Visual Policy Manager Reference.

Bypassing Connection and Receiving Errors

In addition to setting HTTP code triggers, you can enable connection and receive
errors for dynamic bypass.
If connect-error is enabled, any connection failure to the origin content server
(OCS), including timeouts, inserts the OCS destination IP address into the
dynamic bypass list.
If receive-error is enabled, when the cache does not receive an HTTP response
on a successful TCP connection to the OCS, the OCS destination IP address is
inserted into the dynamic bypass list. Server timeouts can also trigger receive-
error. The default timeout value is 180 seconds, which can be changed.

151
Advanced Secure Gateway Administration Guide

CLI Syntax to Enable Dynamic Bypass and Trigger Events

❐ To enter configuration mode for the service:
#(config) proxy-services
#(config proxy-services) dynamic-bypass

❐ The following subcommands are available:

#(config dynamic-bypass) {enable | disable}
#(config dynamic-bypass) max-entries number
#(config dynamic-bypass) server-threshold number
#(config dynamic-bypass) trigger {all | connect-error | non-http |
receive-error | 400 | 401 | 403 | 405 | 406 | 500 | 502 | 503 | 504}
#(config dynamic-bypass) timeout minutes
#(config dynamic-bypass) no trigger {all | connect-error | non
http | receive-error | 400 | 401 | 403 | 405 | 406 | 500 | 502 | 503 |
504}
#(config dynamic-bypass) clear
#(config dynamic-bypass) view

152
Section G: Trial or Troubleshooting: Restricting Interception From
Clients or To Servers
This section discusses Restricted Intercept topics. See "Restricted Intercept Topics"
for details.

153
Advanced Secure Gateway Administration Guide

Section 4 Restricted Intercept Topics

❐ "About Restricted Intercept Lists"
❐ "Creating a Restricted Intercept List" on page 154

About Restricted Intercept Lists

By default, all clients and servers evaluate the entries in Proxy Services where the
decision is made to intercept or bypass a connection. To restrict or reduce the
clients and servers that can be intercepted by proxy services, create restricted
intercept lists. A restricted intercept list is useful in a rollout, before entering full
production—you only want to intercept a subset of the clients. After the
Advanced Secure Gateway appliance is in full production mode, you can disable
the restricted intercept list.
A restricted intercept list is also useful when troubleshooting an issue because
you can reduce the set of systems that are intercepted.

Notes
❐ Restricted intercepts lists are only applicable to transparent connections.
❐ An entry can exist in both the Static Bypass List and the Restricted Intercept List.
However, the Static Bypass List overrides the entries in the Restricted Intercept
List.

Creating a Restricted Intercept List

To create a Restricted Intercept List:
1. From the Management Console, select the Configuration > Services > Proxy
Services > Restricted Intercept List tab.

154
 2

3a

2. Select Restrict Interception to the servers and clients listed below-- all other
connections are bypassed.

3. Create a new entry:

a. Click New; the New Restricted Intercept Entry dialog displays.
b. Restrict interception from specific clients: In the Client Address area,
select Client host or subnet. Enter an IPv4 or IPv6 address in the IP
Address field and enter the subnet mask (for IPv4 addresses) or prefix
length (IPv6) in the Prefix/Subnet field.
c. Restrict interception to specific servers: In the Server Address area,
select Server host or subnet. Enter an IPv4 or IPv6 address in the IP
Address field and enter the subnet mask (for IPv4 addresses) or prefix
length (IPv6) in the Prefix/Subnet field.
d. Click OK to close the dialog.
4. Click Apply.

155
Advanced Secure Gateway Administration Guide

Section H: Reference: Proxy Services, Proxy Configurations, and

Policy
This section provides reference material.
❐ "Reference: Proxy Types"
❐ "Reference: Service/Proxy Matrices" on page 158
❐ "Reference: Access Log Fields" on page 159

Reference: Proxy Types

This section provides descriptions of the available proxies.

Table 7–4 Proxy Types

Proxy Name Protocol/Description Capabilities and Benefits

AOL-IM AOL Instant • Controls AOL instant messaging actions by allowing or
Messaging denying IM communications and file sharing based on
users (both employee identities and IM handles), groups,
file types and names, and other triggers.
• All IM communications can be logged and archived for
review.
DNS Domain Name Service • Speeds up domain name resolution by looking up domain
names in the Advanced Secure Gateway appliance's
DNS cache. If the name isn't found in the cache, the
appliance forwards the request to the configured DNS
server list.
• Ability to rewrite DNS requests and responses.
Flash Adobe Flash Real • Live streaming—The Advanced Secure Gateway
Time Messaging appliance fetches the live Flash stream once from the OCS
Protocol and serves it to all users behind the appliance.
• Video-on-demand—As Flash clients stream pre-recorded
content from the OCS through the Advanced Secure
Gateway appliance, the content is cached on the
appliance. After content gets cached on the Advanced
Secure Gateway appliance, subsequent requests for the
cached portions are served from the appliance; uncached
portions are fetched from the OCS.
FTP File Transfer Protocol • Controls, secures, and accelerates file transfer requests
• Caches FTP objects.
HTTP Hyper Text Transfer • Controls, secures, and accelerates Web traffic
Protocol • Caches copies of frequently requested web pages and
objects.

156
Table 7–4 Proxy Types (Continued)

Proxy Name Protocol/Description Capabilities and Benefits

HTTPS A proxy positioned in • Accelerates secure web requests, improving the response
Reverse Proxy front of an HTTPS time to clients.
server that answers • Because the Reverse Proxy is processing the requests, it
secure web requests allows the HTTPS server to handle a heavier traffic load.
from clients (using the
Advanced Secure
Gateway appliance's
local cache when
possible)
MMS Microsoft Media • Monitors, controls, limits, or blocks streaming media
Services; streaming traffic that uses Microsoft's proprietary streaming
protocol protocol.
• Reduces stutter and improves the quality of streaming
media.
• Logs streaming connections.
MSN-IM MSN Instant • Controls MSN instant messaging actions by allowing or
Messaging denying IM communications and file sharing based on
users, groups, file types and names, and other triggers.
• Logs all IM communications for review.
RTSP Real Time Streaming • Monitors, controls, limits, or blocks streaming media
Protocol traffic that uses the Internet standard RTSP protocol.
• Reduces stutter and improves the quality of streaming
media.
• Logs streaming connections.
Shell A proxy that allows a • Monitors, controls, limits, or blocks outbound Telnet
client to connect to connections.
other destinations via • Enforces access control to a group of users and
Telnet, after the client destinations via policy.
has created an
• Logs all connections.
authenticated Telnet
connection to the
Advanced Secure
Gateway appliance
SOCKS A proxy that allows a • Monitors, controls, limits, or blocks outbound client
client to connect to connections requested using the SOCKS protocol.
other destination • Through policy, enforces access control to a group of users
servers/ports in a and destinations.
SOCKS tunnel, after
• SOCKS traffic can be passed to other proxies (such as
the client's connection
HTTP or AOL-IM) for acceleration.
to the SOCKS proxy is
authenticated • Logs all connections.

157
Advanced Secure Gateway Administration Guide

Table 7–4 Proxy Types (Continued)

Proxy Name Protocol/Description Capabilities and Benefits

SSL Secure Socket Layer • Allows authentication, virus scanning and URL filtering
of encrypted HTTPS content.
• Accelerates performance of HTTPS content, using HTTP
caching.
• Validates server certificates presented by various secure
websites at the gateway.
TCP-Tunnel A tunnel for any TCP- Compresses and accelerates tunneled traffic.
based protocol for
which a more specific
proxy is not available
Yahoo-IM Yahoo Instant • Controls Yahoo instant messaging actions by allowing or
Messaging denying IM communications and file sharing based on
users, groups, file types and names, and other triggers.
• Logs all unencrypted IM communications for review.

Reference: Service/Proxy Matrices

Expanding on the service port listing at the beginning of this chapter, the table
below provides a list of the pre-defined proxy services and listeners that the Proxy
can accelerate and interpret. Links to the related proxy configuration sections are
included.

Table 7–5 Proxy Name and Listeners (alphabetical order)

Service Proxy Destination Port Range Configuration Discussed

Name IP Address
AOL-IM AOL-IM All 5190

DNS DNS All 53 Chapter 12: "Managing the

Domain Name Service (DNS)
Proxy" on page 295
Explicit HTTP Explicit 8080, 80 Chapter 8: "Intercepting and
HTTP Optimizing HTTP Traffic" on
page 161
External HTTP Transparent 80
HTTP

FTP FTP All 21 Chapter 11: "Managing the File

Transport Protocol (FTP) Proxy"
on page 285
HTTPS SSL All 443 Chapter 9: "Managing the SSL
Proxy" on page 227

158
Table 7–5 Proxy Name and Listeners (alphabetical order) (Continued)

Service Proxy Destination Port Range Configuration Discussed

Name IP Address
Internal TCP-Tunnel 192.168.0.0/16 80 Chapter 8: "Intercepting and
HTTP 10.0.0.0/8 Optimizing HTTP Traffic" on
172.16.0.0/16 page 161
169.254.0.0/16
192.0.2.0/24

MMS MMS All 1755 Chapter 24: "Managing

Streaming Media" on page 535
MSN-IM MSN-IM All 1863, 6891

MS Terminal TCP-Tunnel Transparent 3389 Chapter 24: "Managing

Services Streaming Media" on page 535
SOCKS SOCKS Explicit 1080 Chapter 40: "SOCKS Gateway
Configuration" on page 853
Yahoo-IM Yahoo-IM All 5050, 5101

Reference: Access Log Fields

The access log has two fields: service name and service group name.
❐ Name of the service used to intercept this connection:
• x-service-name (ELFF token) service.name (CPL token)

Note: The x-service-name field replaces the s-sitename field. The s-sitename
field can still be used for backward compatibility with squid log formats, but it
has no CPL equivalent.

❐ Service group name:

• x-service-group (ELFF token) service.group (CPL token)

Note: See Chapter 29: "Creating Custom Access Log Formats" on page 663 and
Chapter 30: "Access Log Formats" on page 671 for detailed information about
creating and editing log formats.

159
Advanced Secure Gateway Administration Guide

160
Chapter 8: Intercepting and Optimizing HTTP Traffic

This chapter describes how to configure the HTTP proxy to manage traffic and
accelerate performance in your environment.

Topics in this Chapter

This chapter includes information about the following topics:
❐ Section A: "About the HTTP Proxy" on page 163
❐ Section B: "Changing the External HTTP (Transparent) Proxy Service to
Intercept All IP Addresses on Port 80" on page 165
❐ Section C: "Managing the HTTP Proxy Performance" on page 166
❐ Section D: "Selecting an HTTP Proxy Acceleration Profile" on page 182
❐ Section E: "Using a Caching Service" on page 191
❐ Section F: "Fine-Tuning Bandwidth Gain" on page 194
❐ Section G: "Caching Authenticated Data (CAD) and Caching Proxy
Authenticated Data (CPAD)" on page 202
❐ Section H: "Viewing HTTP/FTP Statistics" on page 213
❐ Section I: "Supporting IWA Authentication in an Explicit HTTP Proxy" on
page 219
❐ Section J: "Supporting Authentication on an Upstream Explicit Proxy" on
page 221
❐ Section K: "Detect and Handle WebSocket Traffic" on page 222

How Do I...?
To navigate this chapter, identify the task to perform and click the link:

How do I...? See...

Intercept traffic on the HTTP Proxy? "Changing the External HTTP

(Transparent) Proxy Service to Intercept
All IP Addresses on Port 80" on page 165

Create a new HTTP Proxy service? Section C: "Creating Custom Proxy

Services" on page 132

Configure the HTTP Proxy for object "Allocating Bandwidth to Refresh Objects
freshness? in Cache" on page 195
Step 4 in "To set HTTP default object
caching policy:" on page 180

161
Advanced Secure Gateway Administration Guide

How do I...? See...

Bypass the cache or not cache content Refer to:

using policy? Visual Policy Manager Reference
Content Policy Language Guide
Use either the VPM or CPL to create
policy that allows for bypassing the
cache or for prohibiting caching based
on your needs.
Choose a proxy acceleration profile? "Selecting an HTTP Proxy Acceleration
Profile" on page 182

Cache content without having to use "Using a Caching Service" on page 191
policy?

Configure the HTTP proxy to be a:

server accelerator or reverse proxy? "About the Normal Profile" on page 182

forward proxy? "About the Portal Profile" on page 182

server-side bandwidth accelerator? "About the Bandwidth Gain Profile" on

page 183

Fine-tune the HTTP Proxy for "Using a Caching Service" on page 191
bandwidth gain? "Using Byte-Range Support" on page 196

Configure Internet Explorer to "Supporting IWA Authentication in an

explicitly proxy HTTP traffic? Explicit HTTP Proxy" on page 219

Configure the Advanced Secure "Detect and Handle WebSocket Traffic" on

Gateway appliance to detect and page 222
handle WebSocket traffic?

162
Section A: About the HTTP Proxy
Before Reading Further
Before reading this section, Blue Coat recommends that you be familiar with the
concepts in these sections:
❐ "About Proxy Services" on page 122.
The HTTP proxy is designed to manage Web traffic from the Internet, providing:
❐ Security
❐ Authentication
❐ Virus Scanning and Patience Pages
❐ Performance, achieved through Object Caching and Object Pipelining
❐ Transition functionality between IPv4-only and IPv6-only networks
The proxy can serve requests without contacting the Origin Content Server (OCS)
by retrieving content saved from a previous request made by the same client or
another client. This is called caching. The HTTP proxy caches copies of frequently
requested resources on its local hard disk. This significantly reduces upstream
bandwidth usage and cost and significantly increases performance.
Proxy services define the ports and addresses where a Advanced Secure Gateway
listens for incoming requests. The Advanced Secure Gateway has three default
HTTP proxy services: External HTTP, Explicit HTTP, and Internal HTTP. Explicit HTTP and
External HTTP use the HTTP proxy, while Internal HTTP uses TCP tunnel.

❐ The Explicit HTTP proxy service listens on ports 80 and 8080 for explicit
connections.
❐ The Internal HTTP proxy service listens on port 80 and transparently intercepts
HTTP traffic from clients to internal network hosts.
❐ The External HTTP proxy service listens on port 80 for all other transparent
connections to the Advanced Secure Gateway. Typically, these requests are for
access to Internet resources.
Although you can intercept SSL traffic on either port, to enable the Advanced
Secure Gateway to detect the presence of SSL traffic you must enable Detect
Protocol on the explicit HTTP service so that the SSL traffic is handed off to the SSL
Proxy. Default is set to OFF. For more information on SSL proxy functionality, see
Chapter 9: "Managing the SSL Proxy" on page 227.
Furthermore, you can create a bypass list on the Advanced Secure Gateway to
exclude the interception of requests sent from specific clients to specific servers
and disable caching of the corresponding responses. The static bypass list also
turns off all policy control and acceleration for each matching request. For
example, for all clients visiting www.bluecoat.com you might exclude interception
and caching of all requests, the corresponding responses, acceleration and policy
control. To create a static bypass list, used only in a transparent proxy
environment, see "Adding Static Bypass Entries" on page 149.

163
Advanced Secure Gateway Administration Guide

When accessing internal IP addresses, Blue Coat recommends using the TCP
tunnel proxy instead of the HTTP proxy. Some applications deployed within
enterprise networks are not always fully compatible with HTTP specs or are
poorly designed. Use of these applications can cause connection disruptions
when using HTTP proxy. As a result internal sites and servers use the Internal HTTP
service, which employs the TCP tunnel proxy.

Important: The TCP tunnel does not support HTTP proxy service functionality.
That is, only the TCP header of a request, (containing source and destination port
and IP) will be visible to the Advanced Secure Gateway for policy evaluation. To
ensure you get the most from the appliance, you must edit the External
(transparent) HTTP service to use the HTTP proxy instead of the default TCP
tunnel.

IPv6 Support
The HTTP proxy is able to communicate using either IPv4 or IPv6, either
explicitly or transparently.
In addition, for any service that uses the HTTP proxy, you can create listeners that
bypass or intercept connections for IPv6 sources or destinations.

About Web FTP

Web FTP is used when a client uses the HTTP protocol to access an FTP server.
Web FTP allows you to connect to a FTP server with the ftp:// URL. The
Advanced Secure Gateway translates the HTTP request into an FTP request for
the origin content server (OCS), if the content is not already cached. Further, it
translates the FTP response with the file contents into an HTTP response for the
client.
To manage Web FTP connection requests on the Advanced Secure Gateway, the
HTTP service on port 80 (or 8080 in explicit deployments) must be set to
Intercept.
For information on using an FTP client to communicate via the FTP protocol, see
Chapter 11: "Managing the File Transport Protocol (FTP) Proxy" on page 285.

Configuring Internet Explorer for Web FTP with an Explicit HTTP

Proxy
Because a Web FTP client uses HTTP to connect to the Advanced Secure Gateway,
the HTTP proxy manages this Web FTP traffic. For an explicitly configured HTTP
proxy, Internet Explorer version 10.0 users accessing FTP sites over HTTP must
clear the Enable folder view for FTP sites browser setting.

To disable Web FTP in Internet Explorer v10.0:

1. In Internet Explorer, select Tools > Internet Options.
2. Click the Advanced tab.
3. Clear the Enable FTP folder view option and click OK.

164
Section B: Changing the External HTTP (Transparent) Proxy Service
to Intercept All IP Addresses on Port 80
By default, the External HTTP service includes an HTTP proxy service listener
configured on port 80. During the initial Advanced Secure Gateway
configuration, if it hasn’t already been set, you can set External HTTP to Intercept.
The following procedure describes how to set the service to Intercept mode.

To intercept traffic using the External HTTP proxy service:

1. From the Management Console, select Configuration > Services > Proxy Services.

2a

2b

2. Intercept External HTTP traffic:

a. Scroll the list of service groups, click Standard, and select External HTTP.
b. Select Intercept from the drop-down list.
3. Click Apply.
Now that the Advanced Secure Gateway is intercepting HTTP traffic, configure
the HTTP proxy options. The following sections provide detailed information and
procedures:
❐ Section C: "Managing the HTTP Proxy Performance" on page 166
❐ Section D: "Selecting an HTTP Proxy Acceleration Profile" on page 182
❐ Section E: "Using a Caching Service" on page 191
❐ Section G: "Caching Authenticated Data (CAD) and Caching Proxy
Authenticated Data (CPAD)" on page 202

165
Advanced Secure Gateway Administration Guide

Section C: Managing the HTTP Proxy Performance

This section describes the methods you can use to configure the HTTP proxy to
optimize performance in your network.
❐ "HTTP Optimization"
❐ "Customizing the HTTP Object Caching Policy"
❐ "About the HTTP Object Caching Policy Global Defaults" on page 176
❐ "About Clientless Requests Limits" on page 177
❐ "Preventing Exception Pages From Upstream Connection Errors" on page 179
❐ "Setting the HTTP Default Object Caching Policy" on page 180

HTTP Optimization
The HTTP proxy alleviates the latency in data retrieval and optimizes the delivery
of HTTP traffic through object caching and object pipelining. Caching minimizes
the transmission of data over the Internet and over the distributed enterprise,
thereby improving bandwidth use. Pipelining allows the Advanced Secure
Gateway to open several connections to a server, speeding up the delivery of
content into the cache. Pre-fetching is another method the Advanced Secure
Gateway uses to improve the user experience. Content on a requested web page
several levels deep is requested and cached for fast delivery to users.
For objects in cache, an intelligent caching mechanism in the Advanced Secure
Gateway maintains object freshness. This is achieved by periodically refreshing
the contents of the cache, while maintaining the performance within your
network.
The method of storing objects on disk is critical for performance and scalability.
SGOS, the operating system on the Advanced Secure Gateway, uses an object
store system which hashes object lookups based on the entire URL. This hashing
allows access to objects with far fewer lookups, as compared to a directory-based
file system found in traditional operating systems. While other file systems run
poorly when they are full, the Advanced Secure Gateway’s cache system achieves
its highest performance when it is full.

Customizing the HTTP Object Caching Policy

Object caching is the saving of an application object locally so that it can be served
for future requests without requiring retrieval from the OCS. Objects can, for
example, be documents, videos, or images on a Web page. When objects are
cached, the only traffic that crosses the WAN are permission checks (when
required) and verification checks that ensure that the copy of the object in cache is
still fresh. By allowing objects to be shared across requests and users, object
caching greatly reduces the bandwidth required to retrieve contents and the
latency associated with user requests.

166
 For more information on how the Advanced Secure Gateway executes permission
checks to ensure authentication over HTTP, see Section G: "Caching
Authenticated Data (CAD) and Caching Proxy Authenticated Data (CPAD)" on
page 202.
In case of a reverse proxy, object caching reduces the load on the OCS and
improves scalability of the OCS.

Figure 8–1 Object Caching on the Advanced

Secure Gateway
Before you begin customizing your HTTP Proxy policy, read the following
concepts:
❐ "About Object Pipelining" on page 167
❐ "About HTTP Object Freshness" on page 168
❐ "About Meta Tags" on page 169
❐ "About Tolerant HTTP Request Parsing" on page 169
❐ "About HTTP Compression" on page 170
❐ "About the HTTP Object Caching Policy Global Defaults" on page 176

About Object Pipelining

A Web page is typically composed of dozens of objects. When a client requests a
Web page, all the objects must be retrieved to display the Web page. This object
retrieval process presents a delay for the end user — for example, serial retrieval
of the content would create a significant time lag.

167
Advanced Secure Gateway Administration Guide

Although current browsers open multiple connections with the OCS to retrieve
objects in parallel, the Advanced Secure Gateway further accelerates the process
with its Object Pipelining algorithm which supports nested pipelines that are up
to three levels deep.
❐ The Object Pipelining algorithm allows the Advanced Secure Gateway to
open as many simultaneous TCP connections as the origin server allows, and
retrieves objects in parallel. The proxy also pre-fetches objects based on
pipelined requests. For example, if a pipelined HTML object has other
embedded objects, the HTTP proxy will pre-fetch those embedded objects
from the Web server without a request from the client. The objects are then
ready to be delivered from the cache straight to the user, as fast as the client
can request them.
While object pipelining enhances the user experience by minimizing latency and
improving response times for first-time Web page requests, it could increase
bandwidth utilization. Therefore by default, to avoid an increase in bandwidth
utilization, object pipelining is disabled for the reverse proxy and bandwidth gain
profiles. It is enabled, by default, only on the forward proxy — Normal profile,
where enhancing the response time for clients is vital.

About HTTP Object Freshness

HTTP proxy categorizes HTTP objects into three types:
❐ Type-T: The OCS specifies explicit expiration time.
❐ Type-M: Expiration time is not specified; however, the last modified time is
specified by the OCS.
❐ Type-N: Neither expiration nor last modified time has been specified.
The Advanced Secure Gateway Asynchronous Adaptive Refresh (AAR)
algorithm was designed to maintain the freshness for all three types of cached
HTTP objects in environments where the Internet was characterized by larger,
static pages and relatively low Internet connection speeds. With AAR enabled, the
Advanced Secure Gateway performs freshness checks with the OCS to expunge old
content from cache and to replace it with updated content. To maximize the
freshness of the next access to objects in the cache, the Advanced Secure Gateway
appliance uses the AAR algorithm to perform asynchronous revalidations on
those objects based on their relative popularity and the amount of time remaining
before their estimated time of expiration.
However, with the advent of Web 2.0, the nature of the Internet has changed. With
the general adoption of Web 2.0, which is characterized by dynamic content with
many small objects coupled with increasing bandwidth to the Internet, the
methods for caching are also evolving. In SGOS 6.2 the object cache model was
changed to support more objects per disk to allow for better support for Web 2.0
content. With the addition of this object model, the value of the original adaptive
refresh model has diminished markedly, and can in many instances actually
increase the latency due to system load.

168
 Therefore, AAR is now disabled by default on systems running SGOS 6.2.6 and
later. However, if you upgrade from a pre-SGOS 6.2.6 release, AAR may still be
enabled. For information on how to configure this feature to best serve your
environment, see "Allocating Bandwidth to Refresh Objects in Cache" on page 195.

About Meta Tags

A meta tag is a hidden tag that placed in the <head> of an HTML document. It
provides descriptions and keywords for search engines and can contain the
attributes — content, http-equiv, and name. Meta tags with an http-equiv
attribute are equivalent to HTTP headers.
The Advanced Secure Gateway does not parse HTTP meta tag headers if:
❐ The meta tag does not appear within the first 256 bytes of the HTTP object
body. To be parsed, relevant HTTP meta tags must appear within the first 256
bytes of the HTTP object body.
❐ The Blue Coat AV that is connected to your Advanced Secure Gateway, adds
or modifies the meta tags in its response to the Advanced Secure Gateway.
The response body modified by the Blue Coat AV is not parsed.

Planning Considerations
You can use CPL properties in the <Cache> layer to control meta tag processing.
The CPL commands can be used in lieu of the check boxes for parsing meta tags
through the Management Console. For details on the meta-tags, see Step 7 in "To
set HTTP default object caching policy:" on page 180.
The following CPL commands are applicable for HTTP proxy, HTTP refresh, and
HTTP pipeline transactions:
http.response.parse_meta_tag.Cache-Control(yes|no)
http.response.parse_meta_tag.Expires(yes|no)
http.response.parse_meta_tag.Pragma.no-cache(yes|no)
VPM support to control the processing of meta tags is not available.

Related CLI Syntax to Parse Meta Tags

#(config) http [no] parse meta-tag cache-control
#(config) http [no] parse meta-tag expires
#(config) http [no] parse meta-tag pragma-no-cache

About Tolerant HTTP Request Parsing

The tolerant HTTP request parsing flag causes certain types of malformed
requests to be processed instead of being rejected.The defaults are:
❐ Proxy Edition: The HTTP tolerant request parsing flag is not set, by default,
The Advanced Secure Gateway blocks malformed HTTP requests, returning a
400 Invalid Request error.
❐ MACH5 Edition: The HTTP tolerant request parsing flag is set by default.
Malformed HTTP requests are not blocked.

169
Advanced Secure Gateway Administration Guide

Implementation of HTTP Tolerant Request Parsing

By default, a header line that does not begin with a <Tab> or space character must
consist of a header name (which contains no <Tab> or space characters), followed
by a colon and an optional value.
When the tolerant HTTP request parsing flag is either not set or is disabled, if the
header name and required details are missing, the Advanced Secure Gateway
blocks malformed HTTP requests and returns a 400 Invalid Request error.
With tolerant request parsing enabled, a request header name is allowed to
contain <Tab> or space characters, and if the request header line does not contain
a colon, then the entire line is taken as the header name.
A header containing only one or more <Tab> or space characters is considered
ambiguous. The Advanced Secure Gateway cannot discern if this is a blank
continuation line or if it is a blank line that signals the end of the header section.
By default, an ambiguous blank line is illegal, and an error is reported. With
tolerant request parsing enabled, an ambiguous blank line is treated as the blank
line that ends the header section.

To enable the HTTP tolerant request parsing flag:

Note: This feature is only available through the CLI.

From the (config) prompt, enter the following command to enable tolerant HTTP
request parsing (the default is disabled):
#(config) http tolerant-request-parsing
To disable HTTP tolerant request parsing:
#(config) http no tolerant-request-parsing

About HTTP Compression

Compression reduces a file size but does not lose any data. Whether you should use
compression depends upon three resources: server-side bandwidth, client-side
bandwidth, and Advanced Secure Gateway CPU. If server-side bandwidth is more
expensive in your environment than CPU, always request compressed content from the
origin content server (OCS). However, if CPU is comparatively expensive, the Advanced
Secure Gateway appliance should instead be configured to ask the OCS for the same
compressions that the client requested and to forward whatever the server returns.
The default configuration assumes that CPU is costlier than bandwidth. If this is not the
case, you can change the Advanced Secure Gateway appliance behavior.

Note: Decompression, content transformation, and recompression increases response

time by a small amount because of the CPU overhead. (The overhead is negligible in most
cases.) RAM usage also increases if compression is enabled.
Compression might also appear to adversely affect bandwidth gain. Because compression
results in a smaller file being served to the client than was retrieved by the Advanced
Secure Gateway appliance from the origin content server, bandwidth gain statistics
reflect such requests/responses as negative bandwidth gain.

170
 Compression is disabled by default. If compression is enabled, the HTTP proxy forwards
the supported compression algorithm (gzip and deflate) from the client’s request
(Accept-Encoding: request header) to the server as is, and attempts to send compressed
content to client whenever possible. This allows the Advanced Secure Gateway
appliance to send the response as is when the server sends compressed data, including
non-cacheable responses. Any unsolicited encoded response is forwarded to the client as
is.

Note: If compression is not enabled, the Advanced Secure Gateway appliance does
not compress the content if the server sends uncompressed content. However, the
appliance continues to uncompress content if necessary to apply transformations.
Any unsolicited encoded response is forwarded to the client as is.

Compression is controlled by policy only.

You can view compression statistics by going to Statistics > Protocol Details > HTTP/FTP
History > Client Comp. Gain and Server Comp. Gain.
For information on these statistics, see "Viewing HTTP/FTP Statistics" on page 213.

Understand Compression Behavior

The Advanced Secure Gateway compression behavior is detailed in the tables below.
Compression increases the overall percentage of cacheable content, increasing the hit rate
in terms of number of objects served from the cache.

Note: A variant is the available form of the object in the cache—compressed or

uncompressed. The Content-Encoding: header Identity refers to the uncompressed form
of the content.

For cache-hit compression behavior, see Table 8-1 below. For cache-miss compression
behavior, see Table 8-2.
.

Table 8-1. Cache-Hit Compression Behavior

Accept-Encoding: Variant Available when Variant Stored as a Content-Encoding: in

in client request the Request Arrived Result of the Request Advanced Secure
Gateway response

Identity Uncompressed object None Identity

Identity No uncompressed object Uncompressed Identity

gzip compressed

gzip, deflate Uncompressed object gzip compressed gzip

gzip, deflate Uncompressed object None gzip

gzip compressed

gzip, deflate Uncompressed object None deflate

deflate compressed

171
Advanced Secure Gateway Administration Guide

Table 8-1. Cache-Hit Compression Behavior (Continued)

Accept-Encoding: Variant Available when Variant Stored as a Content-Encoding: in

in client request the Request Arrived Result of the Request Advanced Secure
Gateway response

deflate No uncompressed object deflate compressed deflate

gzip compressed (This is effectively a cache-
miss. The appliance does
not convert from gzip to
deflate.)

Table 8-2. Cache-Miss Compression Behavior

Accept- Accept- Content-Encoding: Generated Content-

Encoding: in Encoding: in in server response variants Encoding:
client request Advanced Secure in Advanced
Gateway request Secure Gateway
response

Identity Identity Identity uncompressed object Identity

gzip, deflate gzip, deflate Identity uncompressed object gzip

gzip-compressed

gzip, deflate gzip, deflate gzip No uncompressed gzip

object
gzip-compressed

gzip, deflate, gzip, deflate gzip No uncompressed gzip

compress object
gzip-compressed

gzip, deflate gzip, deflate compress (illegal compress compress

response)

Compression Exceptions
❐ The Advanced Secure Gateway appliance issues a transformation_error exception
(HTTP response code 403), when the server sends an unknown encoding and the
appliance is configured to do content transformation.
❐ The Advanced Secure Gateway appliance issues an unsupported_encoding
exception (HTTP response code 415 - Unsupported Media Type) when the appliance
is unable to deliver content due to configured policy.
The messages in the exception pages can be customized. For information on using
exception pages, refer to “Advanced Policy Tasks” in the Visual Policy Manager Reference.

Configuring Compression
Compression behavior can only be configured through policy—VPM or CPL.

Using VPM to Configure Compression Behavior

Three objects can be used to configure compression and compression levels through VPM:

172
 ❐ Client HTTP compression object: Allows you to determine the behavior when the
client wants the content in a different form than is in the cache.
❐ Server HTTP compression object: Allows you to enable or disable compression and to
set options.
❐ HTTP compression level object: Allows you to set a compression level of low,
medium, or high.
Refer to the Visual Policy Manager Reference to configure these HTTP compression
options.

Using Policy to Configure Compression Behavior

Compression and decompression are allowed if compression is enabled. If compression is
not enabled, neither compression nor decompression are allowed.
Policy controls the compression or decompression of content on the Advanced Secure
Gateway appliance. If compression is turned off, uncompressed content is served to the
client if a compressed variant is not available. If decompression is disabled, an
uncompressed version is fetched from the OCS if the variant does not exist and the client
requested uncompressed content.

Note: The Advanced Secure Gateway appliance decompresses the content if

transformation is to be applied, even if the compression is not enabled.

You can use server-side or client-side controls to manage compression through policy, as
described in the following table.

Table 8-3. Compression Properties

Compression Properties Description

http.allow_compression(yes | no) Allow the Advanced Secure Gateway appliance

to compress content on demand if needed.

http.allow_decompression(yes | no) Allow the Advanced Secure Gateway appliance

to decompress content on demand if needed.

http.compression_level(low | medium | Set the compression level to be low (1), medium

high) (6), or high (9). Low is the default.

http.server.accept_encoding(client) Turn on only client encodings

http.server.accept_encoding(identity) Turn off all encodings

http.server.accept_encoding(all) Turn on all supported encodings, including the

client’s encodings.

http.server.accept_encoding(gzip, Send specific encodings (order sensitive)

deflate)

http.server.accept_encoding(gzip, Send specific encodings (order sensitive)

client)

http.server.accept_encoding.gzip(yes | Add/remove an encoding

no)

173
Advanced Secure Gateway Administration Guide

Table 8-3. Compression Properties (Continued)

Compression Properties Description

http.server.accept_encoding[gzip, Add/remove a list of encodings

deflate, identity](yes | no)

http.server.accept_encoding.allow Allow/disallow unknown encodings.

_unknown (yes | no)

http.client.allow_encoding(identity); Allow no encodings (send uncompressed).

http.client.allow_encoding(client); Allow all client encodings. This is the default.

http.client.allow_encoding(gzip, Allow fixed set of encodings.

deflate);

http.client.allow_encoding(gzip, Allow fixed set of encodings.

client);

http.client.allow_encoding.gzip(yes | Add/remove one encoding

no);

http.client.allow_encoding[gzip, Add/remove list of encodings

deflate, identity](yes | no);

Default Behavior
By default, Blue Coat sends the client’s list of the accept encoding algorithms, except for
unknown encodings. If compression is not enabled, the default overrides any configured
CPL policy.
If Accept-Encoding request header modification is used, it is overridden by the
compression related policy settings shown in Table 8-3. The Accept-Encoding header
modification can continue to be used if no compression policies are applied, or if
compression is not enabled. Otherwise, the compression-related policies override any
Accept-Encoding header modification, even if the Accept-Encoding header
modification appears later in the policy file.
Adding encoding settings with client-side controls depend on if the client originally listed
that encoding in its Accept-Encoding header. If so, these encodings are added to the list
of candidates to be delivered to the client. The first cache object with an Accept-Encoding
match to the client-side list is the one that is delivered.

Suggested Settings for Compression

❐ If client-side bandwidth is expensive in your environment, use the following policy:
<proxy>
http.client.allow_encoding(client)
http.allow_compression(yes)
❐ If server-side bandwidth is expensive in your environment, compared to client-side
bandwidth and CPU:
http.server.accept_encoding(all)
http.server.accept_encoding.allow_unknown(no); default
http.allow_compression(yes)
http.allow_decompression(yes)
❐ If CPU is expensive in your environment, compared to server-side and client-side
bandwidth:

174
 http.server.accept_encoding(client);If no content transformation
policy is configured
http.server.accept_encoding(identity);If some content transformation
policy is configured
http.allow_compression(no); default
http.allow_decompression(no); default

Notes
❐ Policy-based content transformations are not stored as variant objects. If content
transformation is configured, it is applied on all cache-hits, and objects might be
compressed all the time at the end of such transformation if they are so configured.
❐ The variant that is available in the cache is served, even if the client requests a
compression choice with a higher qvalue. For example, if a client requests Accept-
encoding: gzip;q=1, deflate;q=0.1, and only a deflate-compressed object is
available in the cache, the deflate compressed object is served.
❐ The HTTP proxy ignores Cache-Control: no-transform directive of the OCS. To
change this, write policy to disallow compression or decompression if Cache-
Control: no-transform response header is present.

❐ The Advanced Secure Gateway appliance treats multiple content encoding (gzip,
deflate or gzip, gzip) as an unknown encoding. (These strings indicate the content has
been compressed twice.)
❐ The gzip and deflate formats are treated as completely separate and are not converted
from one to the other.
❐ Blue Coat recommends using gzip encoding (or allowing both gzip and deflate)
when using the HTTP compression feature.
❐ If the Advanced Secure Gateway appliance receives unknown content encoding and if
content transformation is configured (such as popup blocking), an error results.
❐ If the origin server provides compressed content with a different compression level
then that specified in policy, the content is not re-compressed.
❐ If the Advanced Secure Gateway appliance compressed and cached content at a
different compression level than the level specified in a later transaction, the content is
not re-compressed.
❐ Parsing of container HTML pages occurs on the server side, so pipelining
(prefetching) does not work when the server provides compressed content.
❐ Compressing a zip file breaks some browser versions, and compressing images does
not provide added performance.
❐ All responses from the server can be compressed, but requests to the server, such as
POST requests, cannot.
❐ Only 200 OK responses can be compressed.

175
Advanced Secure Gateway Administration Guide

Section 1 About the HTTP Object Caching Policy Global Defaults

The Advanced Secure Gateway offers multiple configuration options that allow
you to treat cached objects in a way that best suits your business model.
The following table lists the options that you can configure.
Table 8–1 Settings for Configuring the Object Caching Policy

Settings to Configure Notes

Object Caching

Setting the maximum Determines the maximum object size to store in the Advanced Secure
object cache size Gateway. All objects retrieved that are greater than the maximum size are
delivered to the client but are not stored in the Advanced Secure Gateway.
Default: 1024 MB

Setting the TTL for Determines the number of minutes the SGOS stores negative responses
negative responses in for requests that could not be served to the client.
cache The OCS might send a client error code (4xx response) or a server error
code (5xx response) as a response to some requests. If you configure the
Advanced Secure Gateway to cache negative responses for a specified
number of minutes, it returns the negative response in subsequent
requests for the same page or image for the specified length of time. The
Advanced Secure Gateway will not attempt to fetch the request from the
OCS. Therefore, while server-side bandwidth is saved, you could receive
negative responses to requests that might otherwise have been served by
accessing the OCS.
By default, the Advanced Secure Gateway does not cache negative
responses. It always attempts to retrieve the object from the OCS, if it is
not already in cache.
Default: 0 minutes

Forcing freshness Verifies that each object is fresh upon access. Enabling this setting has a
validation before serving significant impact on performance because the HTTP proxy revalidates
an object from cache requested cached objects with the OCS before serving them to the client.
This results in a negative impact on bandwidth gain. Therefore, do not
enable this configuration unless absolutely required.
For enabling, select the Always check with source before serving object
check box.
Default: Disabled

176
 Settings to Configure Notes
Object Caching

Parsing HTTP meta tag Determines how HTTP meta tag headers are parsed in the HTML
headers documents. The meta tags that can be enabled for parsing are:
• Cache-control meta tag
The sub-headers that are parsed when this check box is selected are:
private, no-store, no-cache, max-age, s-maxage, must-re-
validate, proxy-revalidate
• Expires meta tag
This directive parses for the date and time after which the document
should be considered expired.
• Pragma-no-cache meta tag
This directive indicates that cached information should not be used
and instead requests should be forwarded to the OCS.
Default: Disabled

Allocating bandwidth on Allows you to specify a limit to the amount of bandwidth the Advanced
the HTTP proxy for Secure Gateway uses to achieve the desired freshness. For more
maintaining freshness of information see, "Allocating Bandwidth to Refresh Objects in Cache" on
the objects in cache page 195.
Default: Disable refreshing

The above settings serve as defaults on the proxy. If you want a more granular
caching policy, for example— setting the TTL for an object, use Blue Coat Content
Policy Language (CPL). You can also use the VPM or CPL to bypass the cache or
to prohibit caching for a specific domain or server. Refer to the Content Policy
Language Guide for more information.

About Clientless Requests Limits

When certain HTTP proxy configurations are enabled, the Advanced Secure
Gateway employs various server-side connections to the OCS that are essential to
caching and optimizing HTTP traffic. The Advanced Secure Gateway
automatically sends requests, called clientless requests, over these connections.
Performance and poor user experience might occur, however, when an unlimited
number of clientless requests are allowed. As clientless requests increase and
overwhelm the OCS, users might experience slow downloads in their Web
browsers. Furthermore, these excessive requests might trigger the defensive
measures because the corporate firewall determines that the Advanced Secure
Gateway is a security threat.
The following sub-sections describe the HTTP proxy functionality involved.

HTTP Content Pre-population

Configuration: Blue Coat Director distributes content management commands;
Advanced Secure Gateway connects to the OCS.

177
Advanced Secure Gateway Administration Guide

Symptom: The OCS becomes overwhelmed.

Figure 8–2 No Clientless Request Limits and HTTP Content Pre-population

The OCS becomes overwhelmed from content requests and content management
commands. In this deployment, a global limit is not sufficient; a per-server limit is
required.

Caching/Optimization (Pipelining)
Configuration: Blue Coat Advanced Secure Gateway pipelining options enabled
(Configuration > Proxy Settings > HTTP Proxy > Acceleration Profile).
Symptom: The OCS becomes overwhelmed; users report slow access times in
their Web browsers.

Figure 8–3 No Clientless Request Limits and Pipelining Enabled

Responses to clients might contain embedded links that the Advanced Secure
Gateway converts to pipeline requests. As each link request results in a request to
the OCS, performance might be impacted; if the firewall in front of the OCS
determines that the request storm from the Advanced Secure Gateway represents
a threat, requests are not allowed through. In this scenario, a per-page limit
prevents the problem.

Bandwidth Gain
Configuration: Blue Coat Advanced Secure Gateway Enable Bandwidth Gain Mode
option enabled (Configuration > Proxy Settings > HTTP Proxy > Acceleration Profile).
Symptom: The OCS becomes overwhelmed.

Figure 8–4 No Clientless Request Limits and Bandwidth Gain is Enabled

178
 The Advanced Secure Gateway determines that objects in the cache require
refreshing. This operation itself is not costly, but the additional requests to the
OCS adds load to the WAN link. A global and per-server limit prevents the
problem.
For new installations (or following a restoration to factory defaults), clientless
limits are enforced by default; the Advanced Secure Gateway capacity per model
determines the upper default limit.
Continue with "Setting the HTTP Default Object Caching Policy" on page 180.

Preventing Exception Pages From Upstream Connection Errors

The Advanced Secure Gateway provides an option that prevents the Advanced
Secure Gateway from returning TCP error exception pages to clients when
upstream connection errors or connection time outs occur.
These types of connection issues might be common when enterprises employ
custom applications. Though the connections issues are related to the server,
administrators might mistakenly conclude that the Advanced Secure Gateway is
the source of the problem because of the issues exception page from the proxy.
When the option is enabled, the Advanced Secure Gateway essentially closes
connections to clients upon a server connection error or timeout. To the user, the
experience is a lost connection, but not an indication that something between
(such as a proxy) is at fault.
This feature is enabled (send exceptions on error) by default:
❐ After upgrading to SGOS 6.x from previous versions that have an
Acceleration License
❐ On systems that have the acceleration profile selected during initial
configuration (see Section D: "Selecting an HTTP Proxy Acceleration Profile"
on page 182).
This option can only be enabled/disabled through the CLI:
#(config) http exception-on-network-error
#(config) http no exception-on-network-error

179
Advanced Secure Gateway Administration Guide

Section 2 Setting the HTTP Default Object Caching Policy

This section describes how to set the HTTP default object caching policy. For more
information, see "HTTP Optimization" on page 166.

To set HTTP default object caching policy:

1. Verify that the Advanced Secure Gateway is intercepting HTTP traffic
(Configuration > Proxy Services; Standard service group (by default)).
2. From the Management Console, select Configuration > Proxy Settings > HTTP
Proxy > Policies.

3. Configure default proxy policies (HTTP Proxy Policy area; see "About the HTTP
Object Caching Policy Global Defaults" on page 176):
a. In the Do not cache objects larger than field, enter the maximum object
size to cache. The default is 4096 MB for new installations of SGOS.
b. In the Cache negative responses for field, enter the number of minutes
that SGOS stores negative responses. The default is 0.
c. Force freshness validation. To always verify that each object is fresh
upon access, select the Always check with source before serving object
option. Enabling this setting has a significant impact on performance,
do not enable this configuration unless absolutely required.
d. Disable meta-tag parsing. The default is to parse HTTP meta tag
headers in HTML documents if the MIME type of the object is text/
html.
To disable meta-tag parsing, clear the option for:
• Parse cache-control meta tag
The following sub-headers are parsed when this check box is selected:
private, no-store, no-cache, max-age, s-maxage, must-
revalidate, proxy-revalidate.

180
 • Parse expires meta tag
This directive parses for the date and time after which the document
should be considered expired.
• Parse pragma-no-cache meta tag
This directive indicates that cached information should not be used
and instead requests should be forwarded to the OCS.
4. Configure Clientless Request Limits (see "About Clientless Requests Limits" on
page 177):
a. Global Limit—Limits the number of concurrent clientless connections
from the Advanced Secure Gateway to any OCS. Strongly
recommended if Pipeline options or the Enable Bandwidth Gain Mode
option is enabled on the Configuration > Proxy Settings > HTTP Proxy >
Acceleration Profile tab.

b. Per-server Limit—Limits the number of concurrent clientless

connections from the Advanced Secure Gateway to a specific OCS, as
determined by the hostname of the OCS. Strongly recommended if
Pipeline options or the Enable Bandwidth Gain Mode option is enabled on
the Configuration > Proxy Settings > HTTP Proxy > Acceleration Profile tab.
c. Per-page Limit—Limits the number of requests that are created as a
result of embedded objects.
5. Click OK; click Apply.

See Also
❐ "Customizing the HTTP Object Caching Policy" on page 166.
❐ "Clearing the Object Cache" on page 1461
❐ "Selecting an HTTP Proxy Acceleration Profile" on page 182.

181
Advanced Secure Gateway Administration Guide

Section D: Selecting an HTTP Proxy Acceleration Profile

This section discusses caching, pipelining behavior, and bandwidth gain.

Acceleration Profile Tasks

A proxy profile offers a collection of attributes that determine object caching and
object pipelining behavior. The attributes are pre-selected to meet a specific
objective — reduce response time for clients, reduce load on the OCS, reduce
server-side bandwidth usage.
Based on your needs, you can select any of the three profiles offered or you can
create a customized profile by selecting or clearing the options available within a
profile.
The available proxy profile are:
❐ Normal (the default setting) acts as a client accelerator, and is used for
enterprise deployments.
❐ Portal acts as a server accelerator (reverse proxy), and is used for Web hosting.
❐ Bandwidth Gain is used for Internet Service Provider (ISP) deployments.

Topic Links
❐ "About the Normal Profile"
❐ "About the Portal Profile"
❐ "About the Bandwidth Gain Profile" on page 183
❐ "About HTTP Proxy Profile Configuration Components" on page 183

About the Normal Profile

Normal is the default profile and can be used wherever the Advanced Secure
Gateway is used as a normal forward proxy. This profile is typically used in
enterprise environments, where the freshness of objects is more important than
controlling the use of server-side bandwidth. The Normal profile is the profile
that most follows the HTTP standards concerning object revalidation and
staleness. Additionally, pre-fetching (pipelining) of embedded objects and
redirects is enabled, which reduces response time for clients.

About the Portal Profile

When configured as a server accelerator or reverse proxy, the Advanced Secure
Gateway improves object response time to client requests, scalability of the origin
content server (OCS) site, and overall Web performance at the OCS. A server
accelerator services requests meant for an OCS, as if it is the OCS itself.

182
About the Bandwidth Gain Profile
The Bandwidth Gain profile is useful wherever server-side bandwidth is an
important resource. This profile is typically used in Internet Service Provider (ISP)
deployments. In such deployments, minimizing server-side bandwidth is most
important. Therefore, maintaining the freshness of an object in cache is less
important than controlling the use of server-side bandwidth. The Bandwidth-
Gain profile enables various HTTP configurations that can increase page response
times and the likelihood that stale objects are served, but it reduces the amount of
server-side bandwidth required.

About HTTP Proxy Profile Configuration Components

The following table describes each HTTP proxy acceleration profile option
(Management Console and CLI).

Table 8–2 Description of Profile Configuration Components

Management Console CLI (config) Definition

Check box Field Command
Pipeline embedded objects http [no] pipeline This configuration item applies only to HTML
in client request client requests responses. When this setting is enabled, and the
object associated with an embedded object
reference in the HTML is not already cached,
HTTP proxy acquires the object’s content before
the client requests the object. This improves
response time dramatically.
If this setting is disabled, HTTP proxy does not
acquire embedded objects until the client
requests them.
Pipeline redirects for client http [no] pipeline When this setting is enabled, and the response
request client redirects of a client request is one of the redirection
responses (such as 301, 302, or 307 HTTP
response code), then HTTP proxy pipelines the
object specified by the Location header of that
response, provided that the redirection location
is an HTML object. This feature improves
response time for redirected URLs.
If this setting is disabled, HTTP proxy does not
pipeline redirect responses resulting from client
requests.

183
Advanced Secure Gateway Administration Guide

Table 8–2 Description of Profile Configuration Components (Continued)

Management Console CLI (config) Definition

Check box Field Command
Pipeline embedded objects http [no] pipeline This configuration item applies only to HTML
in prefetch request prefetch requests responses resulting from pipelined objects.
When this setting is enabled, and a pipelined
object’s content is also an HTML object, and that
HTML object has embedded objects, then HTTP
proxy also pipelines those embedded objects.
This nested pipelining behavior can occur three
levels deep at most.
If this setting is disabled, the HTTP proxy does
not perform nested pipelining.
Pipeline redirects for http [no] pipeline When this setting is enabled, HTTP proxy
prefetch request prefetch pipelines the object specified by a redirect
redirects location returned by a pipelined response.
If this setting is disabled, HTTP proxy does not
try to pipeline redirect locations resulting from
a pipelined response.
Substitute Get for IMS http [no] If the time specified by the If-Modified-
substitute if- Since: header in the client’s conditional
modified-since request is greater than the last modified time of
the object in the cache, it indicates that the copy
in cache is stale. If so, HTTP proxy does a
conditional GET to the OCS, based on the last
modified time of the cached object.
To change this aspect of the If-Modified-
Since: header on the Advanced Secure
Gateway, enable the Substitute Get for IMS
setting.
When this setting is enabled, a client time
condition greater than the last modified time of
the object in the cache does not trigger
revalidation of the object.
Note: All objects do not have a last-modified
time specified by the OCS.

184
Table 8–2 Description of Profile Configuration Components (Continued)

Management Console CLI (config) Definition

Check box Field Command
Substitute Get for HTTP 1.1 http [no] HTTP 1.1 provides additional controls to the
conditionals substitute client over the behavior of caches concerning
conditional the staleness of the object. Depending on
various Cache-Control: headers, the
Advanced Secure Gateway can be forced to
consult the OCS before serving the object from
the cache. For more information about the
behavior of various Cache-Control: header
values, refer to RFC 2616.
If the Substitute Get for HTTP 1.1 Conditionals
setting is enabled, HTTP proxy ignores the
following Cache-Control: conditions from the
client request:
• "max-stale" [ "=" delta-seconds ]
• "max-age" "=" delta-seconds
• "min-fresh" "=" delta-seconds
• "must-revalidate"
• "proxy-revalidate"

Substitute Get for PNC http [no] Typically, if a client sends an HTTP GET request
substitute pragma- with a Pragma: no-cache or Cache-Control:
no-cache no-cache header (for convenience, both are
hereby referred to as PNC), a cache must
consult the OCS before serving the content. This
means that HTTP proxy always re-fetches the
entire object from the OCS, even if the cached
copy of the object is fresh. Because of this, PNC
requests can degrade proxy performance and
increase server-side bandwidth utilization.
However, if the Substitute Get for PNC setting
is enabled, then the PNC header from the client
request is ignored (HTTP proxy treats the
request as if the PNC header is not present at
all).
Substitute Get for IE reload http [no] Some versions of Internet Explorer issue the
substitute ie- Accept: */* header instead of the Pragma:
reload no-cache header when you click Refresh. When
an Accept header has only the */* value, HTTP
proxy treats it as a PNC header if it is a type-N
object. You can control this behavior of HTTP
proxy with the Substitute GET for IE Reload
setting. When this setting is enabled, the HTTP
proxy ignores the PNC interpretation of the
Accept: */* header.

185
Advanced Secure Gateway Administration Guide

Table 8–2 Description of Profile Configuration Components (Continued)

Management Console CLI (config) Definition

Check box Field Command
Never refresh before http [no] strict- Applies only to cached type-T objects. For
expiration expiration refresh information on HTTP object types, see "About
HTTP Object Freshness" on page 168.
When this setting is enabled, SGOS does not
asynchronously revalidate such objects before
their specified expiration time.
When this setting is disabled, such objects, if
they have sufficient relative popularity, can be
asynchronously revalidated and can, after a
sufficient number of observations of changes,
have their estimates of expiration time adjusted
accordingly.
Never serve after expiration http [no] strict- Applies only to cached type-T objects.
expiration serve
If this setting is enabled, an object is
synchronously revalidated before being served
to a client, if the client accesses the object after
its expiration time.
If this setting is disabled, the object is served to
the client and, depending on its relative
popularity, may be asynchronously revalidated
before it is accessed again.
Cache expired objects http [no] cache Applies only to type-T objects.
expired
When this setting is enabled, type-T objects that
are already expired at the time of acquisition is
cached (if all other conditions make the object
cacheable).
When this setting is disabled, already expired
type-T objects become non-cacheable at the time
of acquisition.

186
Table 8–2 Description of Profile Configuration Components (Continued)

Management Console CLI (config) Definition

Check box Field Command
Enable Bandwidth Gain bandwidth-gain This setting controls both HTTP-object
Mode {disable | enable} acquisition after client-side abandonment and
AAR (asynchronous adaptive refresh)
revalidation frequency.
• HTTP-Object Acquisition
When Bandwidth Gain mode is enabled, if a
client requesting a given object abandons its
request, then HTTP proxy immediately
abandons the acquisition of the object from
the OCS, if such an acquisition is still in
progress. When bandwidth gain mode is
disabled, the HTTP proxy continues to ac-
quire the object from the OCS for possible
future requests for that object.
• AAR Revalidation Frequency
Under enabled bandwidth gain mode, ob-
jects that are asynchronously refreshable are
revalidated at most twice during their esti-
mated time of freshness. With bandwidth
gain mode disabled, they are revalidated at
most three times. Not all asynchronously re-
freshable objects are guaranteed to be reval-
idated.

When a Advanced Secure Gateway is first manufactured, it is set to a Normal

profile. Depending on your needs, you can use the Bandwidth Gain profile or the
Portal profile. You can also combine elements of all three profiles, as needed for
your environment.
The following table provides the default configuration for each profile.

Table 8–3 Normal, Portal, and Bandwidth Gain Profiles

Configuration Normal Portal Bandwidth

Profile Profile Gain
Pipeline embedded objects in client requests Enabled Disabled Disabled
Pipeline embedded objects in prefetch requests Enabled Disabled Disabled
Pipeline redirects for client requests Enabled Disabled Disabled
Pipeline redirects for prefetch requests Enabled Disabled Disabled
Cache expired objects Enabled Disabled Enabled
Bandwidth Gain Mode Disabled Disabled Enabled
Substitute GET for IMS (if modified since) Disabled Enabled Enabled

187
Advanced Secure Gateway Administration Guide

Table 8–3 Normal, Portal, and Bandwidth Gain Profiles (Continued)

Configuration Normal Portal Bandwidth

Profile Profile Gain
Substitute GET for PNC (Pragma no cache) Disabled Enabled Disabled
Substitute GET for HTTP 1.1 conditionals Disabled Enabled Enabled
Substitute GET for IE (Internet Explorer) reload Disabled Enabled Disabled
Never refresh before expiration Disabled Enabled Enabled
Never serve after expiration Enabled Enabled Disabled

188
Section 3 Configuring the HTTP Proxy Profile
Configure the profile by selecting any of the components discussed in "About
HTTP Proxy Profile Configuration Components" on page 183.

To configure the HTTP proxy profile:

1. Review the description of the components for each profile, see Table 8–2 on
page 183.
2. From the Management Console, select Configuration > Proxy Settings > HTTP
Proxy > Acceleration Profile.

Text displays at the bottom of this tab indicating which profile is selected.
Normal is the default profile. If you have a customized profile, this text does
not display.

Important: If you have a customized profile and you click one of the Use
Profile buttons, no record of your customized settings remains. However,
after the Advanced Secure Gateway is set to a specific profile, the profile is
maintained in the event the Advanced Secure Gateway is upgraded.
Also, if you select any Pipeline option or the Enable Bandwidth Gain Mode
option, Blue Coat strongly recommends limiting clientless requests. See
"About Clientless Requests Limits" on page 177.

3. To select a profile, click one of the three profile buttons (Use Normal Profile, Use
Bandwidth Gain Profile, or Use Portal Profile).

The text at the bottom of the Acceleration Profile tab changes to reflect the new
profile.

Note: You can customize the settings, no matter which profile button you
select.

4. (Optional) To customize the profile settings, select or clear any of the check
boxes (see Table 8–2, "Description of Profile Configuration Components" on
page 183 for information about each setting).

189
Advanced Secure Gateway Administration Guide

5. Click OK; click Apply.

See Also
❐ "Selecting an HTTP Proxy Acceleration Profile" on page 182.
❐ "About HTTP Proxy Profile Configuration Components" on page 183.
❐ "About HTTP Object Freshness" on page 168.
❐ "Using a Caching Service" on page 191.

190
Section E: Using a Caching Service
CachePulse is a caching service that provides you with optimal bandwidth gains
for popular or high-bandwidth websites. Utilizing highly effective Web caching
technology, CachePulse saves bandwidth on expensive international links and
backhaul traffic, thereby improving Web experience for users.
CachePulse accelerates the delivery of rich Web 2.0 content, video, and large files
such as:
• YouTube videos
• Netflix streaming media
• Microsoft Windows updates
Subscribing to the CachePulse service eliminates the need to maintain caching
policy; when you first enable the service, it downloads the latest version of the
caching policy database. CachePulse periodically updates the database as long as
the service is enabled and an Internet connection exists.

Prerequisite for Using CachePulse

Before you can use CachePulse, you must have a valid license for the feature.
Refer to your Blue Coat Sales point of contact for more information.
If you do not have a valid license, the Management Console might display Health
Monitoring errors. The event log might also contain error messages about the
subscription.

191
Advanced Secure Gateway Administration Guide

Section 4 Enabling CachePulse

To enable CachePulse:
1. In the Management Console, select Configuration > Proxy Settings > General.
2. In the CachePulse section, select Enable.
3. Click Apply.
The appliance attempts to download the database.

What if the Initial Download is Not Successful?

If you receive a download error and the Management Console banner displays
Critical shortly after you click Apply, the CachePulse database download might
have failed. Check your network configuration and make sure that the appliance
can connect to the Internet. Because the appliance attempts to communicate with
the Blue Coat server over a secured connection on port 443, you might also have
to allow outbound connections from the appliance on port 443 in the firewall.
To check if there was a download problem, select Statistics > Health Monitoring >
Status and look for the status “CachePulse failed
on initial download” for
Subscription Communication Status.

See Also
❐ "Downloading the CachePulse Database"
❐ "Notifications for Status Metrics" on page 1401

Downloading the CachePulse Database

You can download the CachePulse database at any time if the feature is enabled. If
the initial download failed, and you resolved the issue that caused the failure, you
can use this method to download database updates.
To download the CachePulse database:
1. In the Management Console, select Configuration > Proxy Settings > General.
2. In the CachePulse section, click Download Now.

192
The License and Download Status field shows statistics about the previous
successful and unsuccessful downloads. If the last download was
unsuccessful, the field contains an error.

If you receive a download error, check your network configuration and make
sure that the appliance can connect to the Internet.

193
Advanced Secure Gateway Administration Guide

Section F: Fine-Tuning Bandwidth Gain

In addition to the components related to top-level profiles, other configurable
items affect bandwidth gain. You can set the top-level profile (see "Selecting an
HTTP Proxy Acceleration Profile" on page 182) and adjust the following
configuration items to fine tune the Advanced Secure Gateway for your
environment:
❐ Allocating bandwidth to refresh objects in cache
❐ Using Byte-range support
❐ Enabling the Revalidate pragma-no-cache (PNC)

194
Section 5 Allocating Bandwidth to Refresh Objects in Cache
The Refresh bandwidth options control the server-side bandwidth used for all forms
of asynchronous adaptive refresh activity. On systems with increased object store
capacity, the value of asynchronous adaptive refresh has diminished markedly,
and can in many instances actually increase latency due to system load. Therefore,
this feature is disabled by default. You can select from the following options:
❐ Disable refreshing—Disables adaptive refresh. This setting is recommended on
systems that use an increased object capacity disk model. This is the default
setting for fresh installations of SGOS 6.2.6 and later.
❐ Let the SG appliance manage refresh bandwidth—The appliance will automatically
use whatever bandwidth is available in its efforts to maintain 99.9% estimated
freshness of the next access. You can also enable this from the CLI using the
#(config caching) refresh bandwidth automatic command. This setting is
recommended only on systems that are not using the increased object capacity
disk model (that is, systems that were manufactured with an SGOS version
prior to 6.2).
❐ Limit refresh bandwidth to x kilobits/sec—If you want to use adaptive refresh but
you want to limit the amount of bandwidth used, select this option and
specify a limit to the amount of bandwidth the Advanced Secure Gateway
uses to achieve the desired freshness. Before making adjustments, review the
logged statistics and examine the current bandwidth used as displayed in the
Refresh bandwidth field. It is not unusual for bandwidth usage to spike
occasionally, depending on access patterns at the time. Entering a value of
zero disables adaptive refresh.

195
Advanced Secure Gateway Administration Guide

To set refresh bandwidth:

1. From the Management Console, select Configuration > Proxy Settings > HTTP
Proxy > Freshness.

The Refresh bandwidth field displays the refresh bandwidth options. The
default setting is to Disable refreshing.

Important: Blue Coat strongly recommends that you not change the setting
from the default if you have a system with an increased object store capacity.

2. To enable adaptive refresh, select one of the following options:

• Select Limit refresh bandwidth to and enter a bandwidth limit to use in the
kilobits/sec field.

• To allow the appliance to automatically determine the amount of

bandwidth to use for adaptive refresh, select Let the SG Appliance manage
refresh bandwidth (recommended).

3. Click OK; click Apply.

Using Byte-Range Support

Byte-range support is an HTTP feature that allows a client to use the Range: HTTP
header for requesting a portion of an object rather than the whole object. The
HTTP proxy supports byte-range support and it is enabled by default.

When Byte-Range Support is Disabled

If byte-range support is disabled, HTTP treats all byte-range requests as non-
cacheable. Such requests are never served from the cache, even if the object exists
in the cache. The client’s request is sent unaltered to the OCS and the response is
not cached. Thus, a byte-range request has no effect on the cache if byte-range
support is disabled.

196
When Byte-Range Support is Enabled
If the object is already in cache, the Advanced Secure Gateway serves the byte-
range request from the cache itself. However, if the client’s request contains a
PNC header, the Advanced Secure Gateway always bypasses the cache and serves
the request from the OCS.
If the object is not in cache, the Advanced Secure Gateway always attempts to
minimize delay for the client.
❐ If the byte-range requested is near the beginning of the object, that is the start
byte of the request is within 0 to 14336 bytes, then the Advanced Secure
Gateway fetches the entire object from the OCS and caches it. However, the
client is served the requested byte-range only.
❐ If the byte-range requested is not near the beginning of the object, that is the
start byte of the request is greater than 14336 bytes, then the Advanced Secure
Gateway fetches only the requested byte-range from the OCS, and serves it to
the client. The response is not cached.

Note: The HTTP proxy never caches partial objects, even if byte-range
support is enabled.

Since the Advanced Secure Gateway never caches partial objects, bandwidth gain
is significantly affected when byte-range requests are used heavily. If, for
example, several clients request an object where the start byte offset is greater
than 14336 bytes, the object is never cached. The Advanced Secure Gateway
fetches the same object from the OCS for each client, thereby causing negative
bandwidth gain.
Further, download managers like NetAnts® typically use byte-range requests
with PNC headers. To improve bandwidth gain by serving such requests from
cache, enable the revalidate pragma-no-cache option along with byte-range support.
See "Enabling Revalidate Pragma-No-Cache" on page 198.

197
Advanced Secure Gateway Administration Guide

To configure byte-range support:

Note: Enabling or disabling byte-range support can only be configured through

the CLI.

To enable or disable byte-range support, enter one of the following commands at

the (config) command prompt:
#(config) http byte-ranges
-or-
#(config) http no byte-ranges

Enabling Revalidate Pragma-No-Cache

The pragma-no-cache (PNC) header in a client’s request causes the HTTP proxy to
re-fetch the entire object from the OCS, even if the cached copy of the object is
fresh. This roundtrip for PNC requests can degrade proxy performance and
increase server-side bandwidth utilization.
While the Substitute Get for PNC configuration completely ignores PNC in client
requests and potentially serves stale content, the revalidate-pragma-no-cache
setting allows you to selectively implement PNC.
When the revalidate-pragma-no-cache setting is enabled, a client’s non-
conditional PNC-GET request results in a conditional GET request sent to the
OCS if the object is already in cache. The revalidate-pragma-no-cache request
allows the OCS to return the 304 Not Modified response, if the content in cache is
still fresh. Thereby, the server-side bandwidth consumed is lesser as the full
content is not retrieved again from the OCS.
By default, the revalidate PNC configuration is disabled and is not affected by
changes in the top-level profile. When the Substitute Get for PNC configuration is
enabled (see Table 8–2, "Description of Profile Configuration Components" on
page 183 for details), the revalidate PNC configuration has no effect.

To configure the revalidate PNC setting:

Note: The revalidate pragma-no-cache setting can only be configured through

the CLI.

To enable or disable the revalidate PNC setting, enter one of the following
commands at the (config) command prompt:
#(config) http revalidate-pragma-no-cache
-or-
#(config) http no revalidate-pragma-no-cache

Interpreting Negative Bandwidth Gain Statistics

Bandwidth gain represents the overall bandwidth benefit achieved by object and
byte caching, compression, protocol optimization, and object caching.
Occasionally, you might notice negative bandwidth gain when using the
bandwidth gain profile. This negative bandwidth gain is observed because the

198
client-side cumulative bytes of traffic is lower than the server-side cumulative
bytes of traffic for a given period of time. It is represented as a unit-less
multiplication factor and is computed by the ratio:
client bytes / server bytes
Some factors that contribute to negative bandwidth gain are:
❐ Abandoned downloads (delete_on_abandonment (no))
When a client cancels a download, the Advanced Secure Gateway continues
to download the requested file to cache it for future requests. Since the client
has cancelled the download, server-side traffic persists while the client-side
traffic is halted. This continued flow of traffic on the server-side causes
negative bandwidth gain.
Further with (delete_on_abandonment (yes)), when a client cancels a
download, the Advanced Secure Gateway terminates the connection and
stops sending traffic to the client. However, the server may have sent
additional traffic to the Advanced Secure Gateway before it received the TCP
RESET from the Advanced Secure Gateway. This surplus also causes negative
bandwidth gain.
❐ Refreshing of the cache
Bandwidth used to refresh contents in the cache contributes to server-side
traffic. Since this traffic is not sent to the client until requested, it might cause
negative bandwidth gain.
❐ Byte-range downloads
When download managers use an open-ended byte-range, such as Range:
bytes 10000-, and reset the connection after downloading the requested byte-
range. The packets received by the Advanced Secure Gateway from the server
are greater than those served to the client, causing negative bandwidth gain.
❐ Download of uncompressed content
If the Advanced Secure Gateway downloads uncompressed content, but
compresses it before serving the content to the client, server-side traffic will be
greater than client-side traffic. This scenario is typical in a reverse proxy
deployment, where the server offloads the task of gzipping the content to the
Advanced Secure Gateway.
❐ Reduced client-side throughput
In the short term, you will notice negative bandwidth gain if the client-side
throughput is lower than the server-side throughput. If, for example, the
Advanced Secure Gateway takes five minutes to download a 100 Mb file and
takes 10 minutes to serve the file to the client. The Advanced Secure Gateway
reflects negative bandwidth gain for the first five minutes.
To view bandwidth usage and bandwidth gain statistics on the HTTP proxy, click
Statistics > Traffic History tab. Select the HTTP proxy service to view statistics over
the last hour, day, week, month, and year. See Chapter 31: "Statistics" on page 733
for information on the graphs.

199
Advanced Secure Gateway Administration Guide

Compression
Compression is disabled by default. If compression is enabled, the HTTP proxy
forwards the supported compression algorithm (either deflate or gzip) from the
client’s request (Accept-Encoding: request header) to the server as is, and
attempts to send compressed content to client whenever possible. This allows
SGOS to send the response as is when the server sends compressed data,
including non-cacheable responses. Any unsolicited encoded response is
forwarded as is to the client.
For more information on compression, see "Understanding HTTP Compression"
on page 205.

Related CLI Syntax to Configure HTTP

The following commands allow you to manage settings for an HTTP proxy.
Use the command below to enter the configuration mode.
# conf t
The following subcommands are available:
#(config) http [no] add-header client-ip
#(config) http [no] add-header front-end-https
#(config) http [no] add-header via
#(config) http [no] add-header x-forwarded-for
#(config) http [no] byte-ranges
#(config) http [no] cache authenticated-data
#(config) http [no] cache expired
#(config) http [no] cache personal-pages
#(config) http [no] force-ntlm
#(config) http ftp-proxy-url root-dir
#(config) http ftp-proxy-url user-dir
#(config) http [no] parse meta-tag {cache-control | expires | pragma-
no-cache}
#(config) http [no] persistent client
#(config) http [no] persistent server
#(config) http [no] persistent-timeout client num_seconds
#(config) http [no] persistent-timeout server num_seconds
#(config) http [no] pipeline client {requests | redirects}
#(config) http [no] pipeline prefetch {requests | redirects}
#(config) http [no] proprietary-headers bluecoat
#(config) http receive-timeout client num_seconds
#(config) http receive-timeout refresh num_seconds
#(config) http receive-timeout server num_seconds
#(config) http [no] revalidate-pragma-no-cache
#(config) http [no] strict-expiration refresh
#(config) http [no] strict-expiration serve
#(config) http [no] strip-from-header
#(config) http [no] substitute conditional
#(config) http [no] substitute ie-reload
#(config) http [no] substitute if-modified-since
#(config) http [no] substitute pragma-no-cache
#(config) http [no] tolerant-request-parsing

200
 #(config) http upload-with-pasv disable
#(config) http upload-with-pasv enable
#(config) http version {1.0 | 1.1}
#(config) http [no] www-redirect
#(config) http [no] xp-rewrite-redirect

Note: For detailed information about using these commands, refer to the
Command Line Interface Reference.

201
Advanced Secure Gateway Administration Guide

Section G: Caching Authenticated Data (CAD) and

Caching Proxy Authenticated Data (CPAD)
This section describes how the Advanced Secure Gateway caches authenticated
content over HTTP. Authentication over HTTP allows a user to prove their
identity to a server or an upstream proxy to gain access to a resource.
The Advanced Secure Gateway uses CAD and CPAD to facilitate object caching at
the edge and to help validate user credentials. Object caching in the Advanced
Secure Gateway allows for lesser bandwidth usage and faster response times
between the client and the server or proxy.
The deployment of the Advanced Secure Gateway determines whether it
performs CAD or CPAD:
❐ When the Origin Content Server (OCS) performs authentication, the
Advanced Secure Gateway performs CAD.
❐ When the upstream HTTP Proxy performs authentication, the downstream
HTTP proxy or Advanced Secure Gateway executes CPAD.

About Caching Authenticated Data (CAD)

In the CAD scenario, when a user requests a resource that needs authentication,
the OCS sends an HTTP 401 error response to the user. The HTTP 401 response also
contains information on the authentication schemes that the OCS supports. To
prove their identity to the OCS, the user resubmits the initial request along with
the authentication details.

Figure 8–5 CAD: 200 response from the Origin Content Server.
The OCS then sends back one of the following responses:
❐ HTTP 200 response status, authentication is accepted. The user receives the
requested resource.

202
 ❐ HTTP 403 response status, user is not allowed to view the requested resource.
The user is authenticated but is not authorized to receive the content, hence
the user receives an error message.
When another user accesses the same URL, the Advanced Secure Gateway
authenticates the user with the OCS and verifies the freshness of the content using
the Get If Modified Since request. If the user is authorized and the content has
not been modified, the OCS returns an HTTP 304 response message to the
Advanced Secure Gateway. The Advanced Secure Gateway then serves the
content from cache.
If the content has been modified, the OCS returns the HTTP 200 response along
with the modified content.

Figure 8–6 CAD: 403 and 304 response codes from the OCS

Note: CAD is applicable only for pure HTTP authentication — the Advanced
Secure Gateway caches authenticated data only when the OCS includes the www-
Authenticate response code in the 401 response header. If, for example, the client
accesses an OCS that uses forms-based authentication, the Advanced Secure
Gateway does not perform CAD.

About Caching Proxy Authenticated Data (CPAD)

The CPAD deployment uses two Advanced Secure Gateway appliances — a local
proxy and a gateway proxy. Figure 8–7 on page 204 below depicts the Advanced
Secure Gateway appliances in a CPAD deployment.
When the user requests a resource, Advanced Secure Gateway1 forwards the
request to Advanced Secure Gateway2. Advanced Secure Gateway2 issues the
authentication challenge back to the user (a 407 response instead of the 401
response that the OCS serves). Upon successful authentication, Advanced Secure
Gateway2 forwards the request to the OCS and the resource is served to the user.

203
Advanced Secure Gateway Administration Guide

Figure 8–7 CPAD: 200 response from Advanced Secure

Gateway 2
In Figure 8–8, Advanced Secure Gateway1 caches proxy authenticated data and
Advanced Secure Gateway2 performs authentication (instead of the OCS).

Figure 8–8 CPAD: 407 and 304 responses in a CPAD deployment

For subsequent users who access the same URL, see Figure 8-4, Advanced Secure
Gateway1 forwards all requests to Advanced Secure Gateway2 with the Get If
Modified Since request.
Advanced Secure Gateway2 issues the authentication challenge and provides one
of the following responses:
❐ HTTP 200 response status, the user is allowed access to the requested resource
but the content has changed.
❐ HTTP 304 response status, the user is authorized and the content can be served
from the cache.
❐ HTTP 403 response status, the user is not authorized to view the requested
resource.
❐ HTTP 407 response status, the user provided invalid credentials.

204
Understanding HTTP Compression
Compression reduces a file size but does not lose any data. Whether you should
use compression depends upon three resources: server-side bandwidth, client-
side bandwidth, and Advanced Secure Gateway CPU. If server-side bandwidth is
more expensive in your environment than CPU, always request compressed
content from the origin content server (OCS). However, if CPU is comparatively
expensive, the Advanced Secure Gateway appliance should instead be configured
to ask the OCS for the same compressions that the client asked for and to forward
whatever the server returns.
The default configuration assumes that CPU is costlier than bandwidth. If this is
not the case, you can change the Advanced Secure Gateway appliance behavior.

Note: Decompression, content transformation, and recompression increases

response time by a small amount because of the CPU overhead. (The overhead is
negligible in most cases.) RAM usage also increases if compression is enabled.
Compression might also appear to adversely affect bandwidth gain. Because
compression results in a smaller file being served to the client than was retrieved
by the Advanced Secure Gateway appliance from the origin content server,
bandwidth gain statistics reflect such requests/responses as negative bandwidth
gain.

Compression is disabled by default. If compression is enabled, the HTTP proxy

forwards the supported compression algorithm (gzip and deflate) from the
client’s request (Accept-Encoding: request header) to the server as is, and
attempts to send compressed content to client whenever possible. This allows the
Advanced Secure Gateway appliance to send the response as is when the server
sends compressed data, including non-cacheable responses. Any unsolicited
encoded response is forwarded to the client as is.

Note: If compression is not enabled, the Advanced Secure Gateway appliance

does not compress the content if the server sends uncompressed content.
However, the appliance continues to uncompress content if necessary to apply
transformations.
Any unsolicited encoded response is forwarded to the client as is.

Compression is controlled by policy only.

You can view compression statistics by going to Statistics > Protocol Details > HTTP/
FTP History > Client Comp. Gain and Server Comp. Gain.
For information on these statistics, see "Viewing HTTP/FTP Statistics" on page
213.

Understand Compression Behavior

The Advanced Secure Gateway compression behavior is detailed in the tables
below. Compression increases the overall percentage of cacheable content,
increasing the hit rate in terms of number of objects served from the cache.

205
Advanced Secure Gateway Administration Guide

Note:A variant is the available form of the object in the cache—compressed or

uncompressed. The Content-Encoding: header Identity refers to the
uncompressed form of the content.

For cache-hit compression behavior, see Table 8-3 below. For cache-miss
compression behavior, see Table 8-4.
.

Table 8–4 Cache-Hit Compression Behavior

Accept- Variant Available when Variant Stored as a Content-Encoding in

Encoding: in the Request Arrived Result of the Request Advanced Secure
client request Gateway response

Identity Uncompressed object None Identity

Identity No uncompressed object Uncompressed Identity

gzip compressed

gzip, deflate Uncompressed object gzip compressed gzip

gzip, deflate Uncompressed object None gzip

gzip compressed

gzip, deflate Uncompressed object None deflate

deflate compressed

deflate No uncompressed deflate compressed deflate

object (This is effectively a
gzip compressed cache-miss. The
Advanced Secure
Gateway appliance does
not convert from gzip to
deflate.)

Table 8–5 Cache-Miss Compression Behavior

Accept- Accept- Content-Encoding: Generated Content-

Encoding: in Encoding: in in server response variants Encoding:
client request Advanced in Advanced
Secure Secure Gateway
Gateway response
request

Identity Identity Identity uncompressed Identity

object

gzip, deflate gzip, deflate Identity uncompressed gzip

object
gzip-compressed

gzip, deflate gzip, deflate gzip No uncompressed gzip

object
gzip-compressed

206
Table 8–5 Cache-Miss Compression Behavior (Continued)

Accept- Accept- Content-Encoding: Generated Content-

Encoding: in Encoding: in in server response variants Encoding:
client request Advanced in Advanced
Secure Secure Gateway
Gateway response
request

gzip, deflate, gzip, deflate gzip No uncompressed gzip

compress object
gzip-compressed

gzip, deflate gzip, deflate compress (illegal compress compress

response)

Compression Exceptions
❐ The Advanced Secure Gateway appliance issues a transformation_error
exception (HTTP response code 403), when the server sends an unknown
encoding and the appliance is configured to do content transformation.
❐ The Advanced Secure Gateway appliance issues an unsupported_encoding
exception (HTTP response code 415 - Unsupported Media Type) when the
appliance is unable to deliver content due to configured policy.
The messages in the exception pages can be customized. For information on using
exception pages, The messages in the exception pages can be customized. For
information on using exception pages, refer to the Advanced Policy Tasks chapter, Section
E, of the Visual Policy Manager Reference.

Configuring Compression
Compression behavior can only be configured through policy—VPM or CPL.

Using VPM to Configure Compression Behavior

Three objects can be used to configure compression and compression levels
through VPM:
❐ Client HTTP compression object: Allows you to determine the behavior when
the client wants the content in a different form than is in the cache.
❐ Server HTTP compression object: Allows you to enable or disable
compression and to set options.
❐ HTTP compression level object: Allows you to set a compression level of low,
medium, or high.
Complete the following steps to manage server and client HTTP compression and
compression levels.

To add or edit client compression:

1. Create a Web Access Layer:

207
Advanced Secure Gateway Administration Guide

a. From the Management Console, select Configuration > Policy > Visual
Policy Manager; click Launch.

b. Select Policy > Add Web Access Layer from the menu of the Blue Coat
VPM window that appears.
c. Type a layer name into the dialog that appears and click OK.
2. Add an Action object:
a. Right click on the item in the Action column; select Set.
b. Click New in the Set Action Object dialog that appears; select Set Client
HTTP Compression.

2c

2d

c. Select the compression options you want to use; click OK.

d. Click OK again; close the VPM window and click Yes in the dialog to
save your changes.

To add or edit server compression:

1. Create a Web Access Layer:
a. From the Management Console, select Configuration > Policy > Visual
Policy Manager; click Launch.

b. Select Policy > Add Web Access Layer from the menu of the Blue Coat
VPM window that appears.
c. Type a layer name into the dialog that appears and click OK.
2. Add an Action object:
a. Right click on the item in the Action column; select Set.
b. Click New in the Set Action Object dialog that appears; select Set Server
HTTP Compression.

c. Select compression options; click OK.

208
 d. Click OK again; close the VPM window and click Yes in the dialog to
save your changes.

Using VPM to Set HTTP Compression Levels

You can control the compression level based on any transaction condition (such as
the client IP address, the hostname, request/response headers, and the like).

To set compression levels:

1. Create a Web Access Layer:
• From the Management Console, select Configuration > Policy > Visual Policy
Manager; click Launch.

• Select Policy > Add Web Access Layer from the menu of the Blue Coat VPM
window that appears.
• Type a layer name into the dialog that appears and click OK.
2. Add an Action object:
• Right click on the item in the Action column; select Set.
• Click New in the Set Action Object dialog that appears; select Set HTTP
Compression Level.

• Select the compression level needed; click OK.

• Click OK again; close the VPM window and click Yes in the dialog to save your
changes.

Using Policy to Configure Compression Behavior

Compression and decompression are allowed if compression is enabled. If
compression is not enabled, neither compression nor decompression are allowed.
Policy controls the compression or decompression of content on the Advanced
Secure Gateway appliance. If compression is turned off, uncompressed content is
served to the client if a compressed variant is not available. If decompression is
disabled, an uncompressed version is fetched from the OCS if the variant does not
exist and the client requested uncompressed content.

Note: The Advanced Secure Gateway appliance decompresses the content if

transformation is to be applied, even if the compression is not enabled.

You can use server-side or client-side controls to manage compression through

policy, as described in the following table.

Table 8–6 Compression Properties

Compression Properties Description

http.allow_compression(yes | no) Allow the Advanced Secure Gateway
appliance to compress content on demand if
needed.

209
Advanced Secure Gateway Administration Guide

Table 8–6 Compression Properties (Continued)

Compression Properties Description

http.allow_decompression(yes | no) Allow the Advanced Secure Gateway
appliance to decompress content on
demand if needed.
http.compression_level(low | medium | Set the compression level to be low (1),
high) medium (6), or high (9). Low is the default.
http.server.accept_encoding(client) Turn on only client encodings
http.server.accept_encoding(identity) Turn off all encodings
http.server.accept_encoding(all) Turn on all supported encodings, including
the client’s encodings.
http.server.accept_encoding(gzip, Send specific encodings (order sensitive)
deflate)

http.server.accept_encoding(gzip, Send specific encodings (order sensitive)

client)

http.server.accept_encoding.gzip(yes | Add/remove an encoding

no)

http.server.accept_encoding[gzip, Add/remove a list of encodings

deflate, identity](yes | no)

http.server.accept_encoding.allow Allow/disallow unknown encodings.

_unknown (yes | no)

http.client.allow_encoding(identity); Allow no encodings (send uncompressed).

http.client.allow_encoding(client); Allow all client encodings. This is the
default.
http.client.allow_encoding(gzip, Allow fixed set of encodings.
deflate);

http.client.allow_encoding(gzip, Allow fixed set of encodings.

client);

http.client.allow_encoding.gzip(yes | Add/remove one encoding

no);

http.client.allow_encoding[gzip, Add/remove list of encodings

deflate, identity](yes | no);

Default Behavior
By default, Blue Coat sends the client’s list of the accept encoding algorithms,
except for unknown encodings. If compression is not enabled, the default
overrides any configured CPL policy.
If Accept-Encoding request header modification is used, it is overridden by the
compression related policy settings shown in Table 8-5. The Accept-Encoding
header modification can continue to be used if no compression policies are

210
 applied, or if compression is not enabled. Otherwise, the compression-related
policies override any Accept-Encoding header modification, even if the Accept-
Encoding header modification appears later in the policy file.
Adding encoding settings with client-side controls depend on if the client
originally listed that encoding in its Accept-Encoding header. If so, these
encodings are added to the list of candidates to be delivered to the client. The first
cache object with an Accept-Encoding match to the client-side list is the one that is
delivered.

Suggested Settings for Compression

❐ If client-side bandwidth is expensive in your environment, use the following
policy:
<proxy>
http.client.allow_encoding(client)
http.allow_compression(yes)

❐ If server-side bandwidth is expensive in your environment, compared to

client-side bandwidth and CPU:
http.server.accept_encoding(all)
http.server.accept_encoding.allow_unknown(no); default
http.allow_compression(yes)
http.allow_decompression(yes)

❐ If CPU is expensive in your environment, compared to server-side and client-

side bandwidth:
http.server.accept_encoding(client);If no content transformation
policy is configured
http.server.accept_encoding(identity);If some content transformation
policy is configured
http.allow_compression(no); default
http.allow_decompression(no); default

Notes
❐ Policy-based content transformations are not stored as variant objects. If
content transformation is configured, it is applied on all cache-hits, and
objects might be compressed all the time at the end of such transformation if
they are so configured.
❐ The variant that is available in the cache is served, even if the client requests a
compression choice with a higher qvalue. For example, if a client requests
Accept-encoding: gzip;q=1, deflate;q=0.1, and only a deflate-compressed
object is available in the cache, the deflate compressed object is served.
❐ The HTTP proxy ignores Cache-Control: no-transform directive of the OCS.
To change this, write policy to disallow compression or decompression if
Cache-Control: no-transform response header is present.

❐ The Advanced Secure Gateway appliance treats multiple content encoding

(gzip, deflate or gzip, gzip) as an unknown encoding. (These strings indicate
the content has been compressed twice.)

211
Advanced Secure Gateway Administration Guide

❐ The gzip and deflate formats are treated as completely separate and are not
converted from one to the other.
❐ Blue Coat recommends using gzip encoding (or allowing both gzip and
deflate) when using the HTTP compression feature.

❐ If the Advanced Secure Gateway appliance receives unknown content

encoding and if content transformation is configured (such as popup
blocking), an error results.
❐ If the origin server provides compressed content with a different compression
level then that specified in policy, the content is not re-compressed.
❐ If the Advanced Secure Gateway appliance compressed and cached content at
a different compression level than the level specified in a later transaction, the
content is not re-compressed.
❐ Parsing of container HTML pages occurs on the server side, so pipelining
(prefetching) does not work when the server provides compressed content.
❐ Compressing a zip file breaks some browser versions, and compressing
images does not provide added performance. For a current list of content
types that are not compressed, refer to the Release Notes.
❐ All responses from the server can be compressed, but requests to the server,
such as POST requests, cannot.
❐ Only 200 OK responses can be compressed.

212
Section H: Viewing HTTP/FTP Statistics
This section discusses the following topics:
❐ "HTTP/FTP History Statistics"
❐ "Viewing the Number of HTTP/HTTPS/FTP Objects Served"
❐ "Viewing the Number of HTTP/HTTPS/FTP Bytes Served" on page 215
❐ "Viewing Active Client Connections" on page 216
❐ "Viewing HTTP/HTTPS/FTP Client and Server Compression Gain Statistics"
on page 217
❐ "Disabling the Proxy-Support Header" on page 219

HTTP/FTP History Statistics

The HTTP/FTP History tabs display bar graphs that illustrate the last 60 minutes, 24
hours, and 30 days for the number of objects served, bytes served, active clients,
and client and server compression gain statistics associated with the HTTP,
HTTPS, and FTP protocols. The overall client and server compression-gain
statistics are displayed under System Usage.

Note: You can view current HTTP statistics through the CLI using the show http-
stats command.

213
Advanced Secure Gateway Administration Guide

Section 1 Viewing the Number of HTTP/HTTPS/FTP Objects Served

The HTTP/HTTPS/FTP Objects tab illustrates the device activity over the last 60
minutes, 24 hours, and 30 days. These charts illustrate the total number of objects
served from either the cache or from the Web.
The maximum number of objects that can be stored on a Advanced Secure
Gateway is affected by a number of factors, including the SGOS version it is
running and the hardware platform series.

To view the number of HTTP/HTTPS/FTP objects served:

1. From the Management Console, select Statistics > Protocol Details > HTTP/FTP
History > HTTP/HTTPS/FTP Objects.

2. Select the Duration: from the drop-down list.

3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.

214
Section 2 Viewing the Number of HTTP/HTTPS/FTP Bytes Served
The HTTP/HTTPS/FTP Bytes tab shows the sum total of the number of bytes served
from the device over the last 60 minutes, 24 hours, and 30 days. The chart shows
the total number of bytes for objects served by the device, including both cache
hits and cache misses.

To view the number of HTTP/HTTPS/FTP bytes served:

1. From the Management Console, select Statistics > Protocol Details > HTTP/FTP
History > HTTP/HTTPS/FTP Bytes.

2. Select the Duration: from the drop-down list.

3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.

215
Advanced Secure Gateway Administration Guide

Section 3 Viewing Active Client Connections

The HTTP/HTTPS/FTP Clients tab shows the maximum number of clients with
requests processed over the last 60 minutes, 24 hours, and 30 days. This does not
include idle client connections (connections that are open but that have not made
a request). These charts allow you to monitor the maximum number of active
clients accessing the Advanced Secure Gateway at any one time. In conjunction
with the HTTP/HTTPS/FTP Objects and HTTP/HTTPS/FTP Bytes tabs, you can
determine the number of clients supported based on load, or load requirements
for your site based on a specific number of clients.

To view the number of active clients:

1. From the Management Console select Statistics > Protocol Details > HTTP/FTP
History > HTTP/HTTPS/FTP Clients.

2. Select the Duration: from the drop-down list.

3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.

216
Section 4 Viewing HTTP/HTTPS/FTP Client and Server Compression
Gain Statistics
Under HTTP/FTP History, you can view HTTP/FTP client and server
compression-gain statistics for the Advanced Secure Gateway over the last 60
minutes, 24 hours, and 30 days in the Client Comp. Gain and the Server Comp.
Gain tabs. Overall client and server compression-gain statistics are displayed
under System Usage. These statistics are not available through the CLI.
The green display on the bar graph represents uncompressed data; the blue
display represents compressed data. Hover your cursor over the graph to see the
compressed gain data.
See one of the following sections for more information:
❐ "Viewing HTTP/FTP Client Compressed Gain Statistics"
❐ "Viewing HTTP/FTP Server Compressed Gain Statistics" on page 218

Viewing HTTP/FTP Client Compressed Gain Statistics

To view HTTP/FTP client compressed gain statistics:
1. From the Management Console, select Statistics > Protocol Details > HTTP/FTP
History > Client Comp. Gain.

2. Select the Duration: from the drop-down list.

3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.

See Also
"Viewing HTTP/HTTPS/FTP Client and Server Compression Gain Statistics" on
page 217

217
Advanced Secure Gateway Administration Guide

Viewing HTTP/FTP Server Compressed Gain Statistics

To view HTTP/FTP server compressed gain statistics:
1. From the Management Console, select Statistics > Protocol Details > HTTP/FTP
History > Server Comp. Gain.

2. Select the Duration: from the drop-down list.

3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.

See Also
"Viewing HTTP/HTTPS/FTP Client and Server Compression Gain Statistics" on
page 217

218
Section I: Supporting IWA Authentication in an Explicit HTTP Proxy
Internet Explorer does not allow IWA authentication through a Advanced Secure
Gateway when explicitly proxied. To facilitate this authentication, Blue Coat
added a Proxy-Support: Session-based-authentication header. By default, when
the Advanced Secure Gateway receives a 401 authentication challenge from
upstream, it sends the Proxy-Support: Session-based-authentication header in
response.
The Proxy-Support header is not supported if:
❐ you are using an older browser (Refer to the SGOS Release Notes for supported
browser versions).
❐ both the Advanced Secure Gateway and the OCS perform IWA
authentication.
In either case, Blue Coat recommends that you disable the header and enable
Force IWA for Server Authentication. The Force IWA for Server Authentication action
converts the 401-type server authentication challenge to a 407-type proxy
authentication challenge that Internet Explorer supports. The Advanced Secure
Gateway also converts the resulting Proxy-Authentication headers in client
requests to standard server authorization headers, which allows an IWA
authentication challenge to pass through when Internet Explorer is explicitly
proxied through the appliance.

Disabling the Proxy-Support Header

The Proxy-Support header is sent by default when an explicitly configured
Advanced Secure Gateway receives a 401 authentication challenge from
upstream.
The header modification policy allows you to suppress or modify the Proxy-
Support custom header, and prevents the Advanced Secure Gateway from
sending this default header. Use either the Visual Policy Manager (VPM) or CPL
to disable the header through policy. For complete information on using VPM,
refer to Visual Policy Manager Reference.

Note: To suppress the Proxy-Support header globally, use the http force-ntlm
command to change the option. To suppress the header only in certain situations,
continue with the procedures below.

To suppress the proxy-support header through the VPM:

1. In a Web Access Layer, right click in the Action field and select Set. The Set
Action dialog displays.
2. Click New to see the drop-down list; select Control Response Header.

219
Advanced Secure Gateway Administration Guide

3a

3b
3c
3d

3. Fill in the fields as follows:

a. Name: Enter a meaningful name.
b. Show: Select Custom from the drop-down list.
c. Header Name: Enter Proxy-Support.
d. Verify Suppress is selected.
4. Click OK.
5. Click Apply.

To suppress the proxy-support header through CPL:

Use CPL to define the Proxy-Support custom header object and to specify what
action to take. The example below uses Proxy-Support as the action name, but
you can choose any name meaningful to you. The result of this action is to
suppress the Proxy-Support header.
<Proxy>
action.Proxy-Support(yes)

define action Proxy-Support

delete(response.x_header.Proxy-Support)
end action Proxy-Support

220
Section J: Supporting Authentication on an Upstream Explicit Proxy
Proxy chaining may cause issues in HTTPS configurations. When an upstream
proxy requires Proxy-Authentication, a timeout may occur because by the time
the proxy authentication challenge occurs in the HTTP CONNECT request, the
client has already established a non-authorized connection to the downstream
proxy (which may or may not be a Advanced Secure Gateway).
To avoid this issue, use (command) (am I in the interface too?) when
protocol_detect is enabled. The HTTP proxy will challenge the client on any
CONNECT request for Proxy-Authentication. When the upstream proxy returns
the 200 OK message on receiving the Proxy-Authentication header to authorize
the request, but sends the credentials request on to the server.
Encrypted tap ( linky) works with this gesture...

Deployment Scenarios
Use this configuration when the Advanced Secure Gateway is inserted between a
client and an explicit proxy configured to use authentication. It can also be helpful
in transparent deployments.
• Explicit downstream: The Advanced Secure Gateway supports
authentication to the client for SSL/HTTPS traffic, with an upstream
proxy performing the authentication. The upstream proxy is not in your
(control)
• Transparent downstream: The Advanced Secure Gateway, deployed
transparently, supports authentication to the client for SSL/HTTPS traffic,
with an upstream proxy performing the authentication. For example, in a
chain where two proxies are configured transparently as accelerators and
a third further upstream functions explicitly, authentication requests may
not reach their destinations.

221
Advanced Secure Gateway Administration Guide

Section K: Detect and Handle WebSocket Traffic

The Internet Engineering Task Force (IETF) standardized the WebSocket protocol
in 2011. WebSocket provides simultaneous two-way communications channels
over a single TCP connection by detecting the presence of a proxy server and
tunneling communications through the proxy.
To upgrade an HTTP connection to a newer HTTP version or use another protocol
such as WebSocket, a client sends a request with Upgrade, Connection, and other
relevant headers. Previous versions of SGOS did not allow WebSocket
handshakes to complete, but supported versions allow the handshake to complete
successfully. This version also detects WebSocket traffic and allows you to
perform specific policy actions.
When the appliance detects a WebSocket request in the HTTP/S request, the
Active Sessions tab in the Management Console indicates that the traffic is
WebSocket. Use the filter Protocol > WebSocket.
To differentiate WebSocket traffic in the access-log, use the TCP_WEBSOCKET value in
the s-action field. You can determine if the traffic was plain WebSocket or secure
WebSocket by looking at the scheme (HTTP or HTTPS).

222
Section 5 How the Advanced Secure Gateway Appliance Handles an
Upgrade Request
Refer to the following overviews of how the Advanced Secure Gateway appliance
handles a WebSocket upgrade request in transparent proxy and in explicit proxy.
For more information on the policy condition mentioned in the following
overviews, refer to the Content Policy Language Reference and the Visual Policy
Manager Reference.

Upgrade Request in Transparent Mode

a. The browser sends a protocol upgrade request to the proxy.
b. The HTTP proxy receives the upgrade request.
c. If the Upgrade header has a single value of websocket, the HTTP proxy
begins a WebSocket handshake by forwarding the Upgrade and
Connection headers upstream to upgrade the connection protocol.

In this case, the tunneled=yes and http.websocket=yes conditions evaluate

to true.
d. Policy runs and evaluates the request. If the request is allowed, the
proxy takes the next step depending on the response code:
• If the HTTP response code is 101 ("Switching Protocols"), the proxy
tunnels the request.
• If the HTTP response code is successful (2xx), the proxy returns a 400
Bad Request exception to indicate that the origin content server (OCS)
did not understand the upgrade request.
• In all other cases, the proxy returns the standard HTTP response codes
and does not tunnel the request.

Note: The appliance evaluates all policy that applies to a transaction

during the initial upgrade request.

Upgrade Request in Explicit Mode

a. The browser sends an HTTP CONNECT request to the proxy.
b. The HTTP proxy receives the HTTP CONNECT request.

223
Advanced Secure Gateway Administration Guide

c. If Detect Protocol is enabled on the HTTP proxy, the request is

forwarded to the HTTP proxy.
If Detect Protocol is disabled on the HTTP proxy and policy does not allow
HTTP CONNECT requests, the appliance treats the request as
if force_protocol(http) were set in policy.
The request is thus forwarded to the HTTP proxy, allowing the appliance
to evaluate policy on (and possibly allow) tunneled HTTP traffic, such as
WebSocket requests, while blocking non-HTTP protocols sent over HTTP
CONNECT.
If Detect Protocol is disabled on the HTTP proxy and HTTP CONNECT is
allowed in policy, the request is TCP-tunneled.
d. (If the protocol is secure WebSocket) If Detect Protocol for SSL is
disabled, the request is TCP-tunneled. If Detect Protocol for SSL is
enabled, the request is forwarded to the SSL proxy.
(On the SSL proxy) If HTTPS interception is disabled, the request is SSL-
tunneled. If HTTPS interception is enabled, the request is forwarded to the
HTTPS proxy.
The proxy detects the Upgrade: websocket header and begins a WebSocket
handshake. The tunneled=yes and http.websocket=yes conditions
evaluate to true.policy that applies to a transaction during the initial
upgrade request.

224
Section 6 Feature Limitations
❐ The appliance does not perform ICAP scanning (either REQMOD or
RESPMOD) on transactions using the WebSocket protocol.
❐ You must import the appliance’s signing certificate authority (CA) certificate
into the browser to prevent a trust error from occurring when the appliance
intercepts HTTPS and detects WebSocket over HTTPS.

225
Advanced Secure Gateway Administration Guide

226
Chapter 9: Managing the SSL Proxy

This chapter discusses the Advanced Secure Gateway SSL proxy.

Topics in this Chapter

This chapter includes information about the following topics:
❐ Section A: "Intercepting HTTPS Traffic" on page 231
❐ Section B: "Configuring SSL Rules through Policy" on page 240
❐ Section C: "Viewing SSL Statistics" on page 245
❐ Section D: "Using STunnel" on page 248
❐ Section E: "Tapping Decrypted Data with Encrypted Tap" on page 254
❐ Section G: "Advanced Topics" on page 262
For information on Certificate Authority (CA) certificates, keyrings, and key
pairs, see Chapter 70: "Authenticating an Advanced Secure Gateway Appliance"
on page 1347.

About the SSL Proxy

HTTPS traffic poses a major security risk to enterprises. Because the SSL content is
encrypted, it cannot be monitored by normal means. This enables users to bring in
viruses, access forbidden sites, or leak confidential business information over the
HTTPS connection on port 443.
The SSL proxy intercepts, decrypts and re-encrypts HTTPS traffic (in explicit and
transparent modes) so that security measures such as authentication, virus
scanning, and URL filtering, and performance enhancements such as HTTP
caching can be applied to HTTPS content. Additionally, the SSL proxy validates
server certificates presented by various HTTPS sites at the gateway and offers
information about the HTTPS traffic in the access log.
The SSL proxy tunnels all HTTPS traffic by default unless there is an exception,
such as a certificate error or a policy denial. In such cases, the SSL proxy intercepts
the SSL connection and sends an error page to the user. The SSL proxy also
enables interception of HTTPS traffic for monitoring purposes.
The SSL proxy can perform the following operations while tunneling HTTPS
traffic.
❐ Validate server certificates, including revocation checks using Certificate
Revocation Lists (CRLs).
❐ Check various SSL parameters such as cipher and version.
❐ Log useful information about the HTTPS connection.
When the SSL proxy is used to intercept HTTPS traffic, it can also:
❐ Cache HTTPS content.

227
Advanced Secure Gateway Administration Guide

❐ Apply HTTP-based authentication mechanism.

❐ Send decrypted data to a configured ICAP Antivirus appliance for virus
scanning and URL filtering.
❐ Apply granular policy (such as validating mime type and filename extension).

IPv6 Support
The SSL proxy is able to communicate using either IPv4 or IPv6, either explicitly
or transparently.
In addition, for any service that uses the SSL proxy, you can create listeners that
bypass or intercept connections for IPv6 sources or destinations.

Validating the Server Certificate

The SSL proxy can perform the following checks on server certificates:
❐ Verification of issuer signature.
❐ Verification of certificate dates.
❐ Comparison of host name in the URL and certificate (intercepted connections
only).
Host names in server certificates are important because the SSL proxy can
identify a Web site just by looking at the server certificate if the host name is in
the certificate. Most content-filtering HTTPS sites follow the guideline of
putting the name of the site as the common name in the server's certificate.
❐ Verification of revocation status.
To mimic the overrides supported by browsers, the SSL proxy can be
configured to ignore failures for the verification of issuer signatures and
certificate dates and comparison of the host name in the URL and the
certificate.
The Advanced Secure Gateway appliance trusts all root CA certificates that are
trusted by Internet Explorer and Firefox. This list is updated to be in sync with the
latest versions of IE and Firefox.

Checking CRLs
An additional check on the server certificate is done through Certificate
Revocations Lists (CRLs). CRLs show which certificates are no longer valid; the
CRLs are created and maintained by Certificate Signing Authorities that issued
the original certificates.
Only CRLs that are issued by a trusted issuer can be used by the Advanced Secure
Gateway appliance. The CRL issuer certificate must exist as CA certificate on the
Advanced Secure Gateway appliance before the CRL can be imported.
The Advanced Secure Gateway appliance allows:
❐ One local CRL per certificate issuing authority.
❐ An import of a CRL that is expired; a warning is displayed in the log.

228
 ❐ An import of a CRL that is effective in the future; a warning is displayed in the
log.

Working with SSL Traffic

The STunnel (SSL interception and tunnel) configuration intercepts all SSL traffic,
handing HTTPS traffic off to the HTTPS forward proxy for compression and
acceleration. STunnel decrypted traffic may be may be tapped and read by a third
party application such as Wireshark or Snort.
Recommendations for intercepting traffic include:
❐ Intercept non-HTTPS traffic for acceleration
❐ Intercept any SSL traffic for tap, when you don’t know the application
protocol over SSL
❐ The HTTPS information in the next section applies as well.

Determining What HTTPS Traffic to Intercept

The SSL proxy tunnels HTTPS traffic by default; it does not intercept HTTPS
traffic.
Many existing policy conditions, such as destination IP address and port number,
can be used to decide which HTTPS connections to intercept.
Additionally, the SSL proxy allows the host name in the server certificate to be
used to make the decision to intercept or tunnel the traffic. The server certificate
host name can be used as is to make intercept decisions for individual sites, or it
can be categorized using any of the various URL databases supported by Blue
Coat.
Categorization of server certificate host names can help place the intercept
decision for various sites into a single policy rule.
Recommendations for intercepting traffic include:
❐ Intercept Intranet traffic.
❐ Intercept suspicious Internet sites, particularly those that are categorized as
none in the server certificate.
Recommendations for traffic to not intercept includes sensitive information, such
as personal financial information.

Managing Decrypted Traffic

After the HTTPS connection is intercepted, you can do:
❐ Anti-virus scanning over ICAP.
❐ URL filtering.
❐ Filtering based on the server certificate host name.
❐ Caching.

229
Advanced Secure Gateway Administration Guide

HTTPS applications that require browsers to present client certificates to secure

Web servers do not work if you are intercepting traffic. To address this, you can
create a policy rule to prevent the interception of such applications, or add client
certificates to the Advanced Secure Gateway appliance, and write policy to
present the correct certificate.
If you configure the Advanced Secure Gateway appliance to intercept HTTPS
traffic, be aware that local privacy laws might require you to notify the user about
interception or obtain consent prior to interception. You can option to use the
HTML Notify User object to notify users after interception or you can use consent
certificates to obtain consent before interception. The HTML Notify User is the
easiest option; however, the Advanced Secure Gateway appliance must decrypt
the first request from the user before it can issue an HTML notification page.

230
Section A: Intercepting HTTPS Traffic
Intercepting HTTPS traffic (by decrypting SSL connections at the Advanced
Secure Gateway appliance) allows you to apply security measures like virus
scanning and URL filtering. See “Configuring STunnel” on page 248 to intercept
HTTPS using STunnel.
Configuration to intercept HTTPS traffic requires the following tasks:
❐ A Advanced Secure Gateway SSL license is required before you can make use
of the SSL proxy for interception. This can be verified in the maintenance tab >
licensing page.
❐ Determine whether you are using transparent or explicit mode. For
information on explicit versus transparent proxies, see Chapter 6: "Explicit
and Transparent Proxy" on page 111.
❐ Create an SSL service or HTTP/SOCKS services with protocol detection
enabled, depending on whether you are using transparent or explicit mode.
The Detect Protocol setting is disabled by default. For more information on
creating an SSL service, skip to "Configuring the SSL Proxy in Transparent
Proxy Mode" on page 232.
❐ Create or import an issuer keyring, which is used to sign emulated server
certificates to clients on the fly, allowing the SSL proxy to examine SSL
content. For more information on creating an issuer keyring, see "Specifying
an Issuer Keyring and CCL Lists for SSL Interception" on page 234.
❐ (Optional) Use the Notify User object or client consent certificates to notify users
that their requests are being intercepted and monitored. Whether this is
required depends on local privacy laws. The Advanced Secure Gateway
appliance has to decrypt the first request from the user to issue an HTML
notification page. If this is not desirable, use client consent certificates instead.
For more information on configuring the Notify User policy, refer to the Visual
Policy Manager Reference. For information on managing client consent
certificates, see "Using Client Consent Certificates" on page 234.
❐ Download CA certificates to desktops to avoid a security warning from the
client browsers when the Advanced Secure Gateway appliance is intercepting
HTTPS traffic. For information, see "Downloading an Issuer Certificate" on
page 235.
❐ Using policy (VPM or CPL), create rules to intercept SSL traffic and to control
validation of server certificates. By default, such traffic is tunneled and not
intercepted. You must create suitable policy before intercepting SSL traffic. For
more information on using policy to intercept SSL traffic, see Section B:
"Configuring SSL Rules through Policy" on page 240.
❐ Configure the Blue Coat AV or other third-party ICAP vendor, if you have not
already done this. For more information on ICAP-based virus scanning, see
Chapter 21: "Configuring Threat Protection" on page 453 (Blue Coat AV) and
Chapter 22: "Malicious Content Scanning Services" on page 465.

231
Advanced Secure Gateway Administration Guide

❐ Configure the Blue Coat Web Filter (BCWF) or a third-party URL-filtering

vendor, if you have not already done this. For more information on
configuring BCWF, see Chapter 18: "Filtering Web Content" on page 357.
❐ Configure Access Logging. For more information on configuring access
logging, see "Configuring Access Logging" on page 607.
❐ Customize Exception Pages: To customize exception pages (in case of server
certificate verification failure), refer to the Advanced Policy Tasks chapter, Section
E, of the Visual Policy Manager Reference.

Configuring the SSL Proxy in Transparent Proxy Mode

Proxy services are configured from the Management Console or the CLI. If using
the SSL proxy in transparent mode, continue with this section.
If you are using the SSL proxy in explicit mode, you might need an HTTP proxy
or a SOCKS proxy. For information on configuring an SSL proxy in explicit mode,
see "Configuring the SSL Proxy in Explicit Proxy Mode" on page 233.
You can use a TCP Tunnel service in transparent mode to get the same
functionality. A TCP tunnel service is useful when you have a combination of SSL
and non-SSL traffic going over port 443 and you do not want to break the non-SSL
traffic. The SSL service requires that all requests to its port be SSL.

To configure an SSL service in transparent proxy mode:

1. From the Management Console, select the Configuration > Services > Proxy
Services tab.

2. Click New. The Edit Service dialog displays.

232
 3. In the Name field, enter a meaningful name for this SSL proxy service.
4. From the Service Group drop-down list, select to which service this
configuration applies. By default, Other is selected.
5. Select SSL from the Proxy settings drop-down list.
6. TCP/IP Settings option: The Early Intercept option cannot be changed for the SSL
proxy service.
7. Create a new listener:
a. Click New; if you edit an existing listener, click Edit.
b. In the Source address area, the most common selection is All, which
means the service applies to requests from any client (IPv4 or IPv6).
You can, however, restrict this listener to a specific IPv4/IPv6 address
or user subnet/prefix length.
c. Select a Destination address from the options. The correct selection
might depend on network configuration. For overviews of the options,
see "About Proxy Services" on page 122.
d. In the Port Range field, enter a single port number or a port range on
which this application protocol broadcasts. For a port ranges, enter a
dash between the start and end ports. For example: 8080-8085
e. In the Action area, select the default action for the service: Bypass tells
the service to ignore any traffic matching this listener. Intercept
configures the service to intercept and proxy the associated traffic.
f. Click OK to close the dialog. The new listener displays in the Listeners
area.
8. Click OK to close the Edit Service dialog.
9. Click Apply.
Continue with "Specifying an Issuer Keyring and CCL Lists for SSL Interception"
on page 234.

Configuring the SSL Proxy in Explicit Proxy Mode

The SSL proxy can be used in explicit mode in conjunction with the HTTP Proxy
or SOCKS Proxy. You must create an HTTP Proxy service or a SOCKS Proxy
service and use it as the explicit proxy from desktop browsers. You must also
ensure that the detect-protocol attribute is enabled for these services.
When requests for HTTPS content are sent to either a SOCKS proxy or an HTTP
proxy, the proxies can detect the use of the SSL protocol on such connections and
enable SSL proxy functionality.
Continue with "Specifying an Issuer Keyring and CCL Lists for SSL Interception"
on page 234.

233
Advanced Secure Gateway Administration Guide

Specifying an Issuer Keyring and CCL Lists for SSL Interception

The SSL proxy can emulate server certificates; that is, present a certificate that
appears to come from the origin content server. In actuality, Blue Coat has
emulated the certificate and signed it using the issuer keyring. By default only the
subjectName and the expiration date from the server certificate are copied to the
new certificate sent to the client. The Advanced Secure Gateway appliance will
emulate RSA certificates, matching the key size up to 2048 bits. DSA server
certificates are emulated with 1024 bit RSA certificates.

Note: Only keyrings with both a certificate and a keypair can be used as issuer
keyrings.

You can also change the CA Certificate Lists (CCLs) that contain the CAs to be
trusted during client and server certificate validation. The defaults are adequate
for the majority of situations. For more information about CCLs, see Chapter 70:
"Authenticating an Advanced Secure Gateway Appliance" on page 1347.

To specify the keyring and CCLs:

1. From the Management Console, select Configuration > Proxy Settings > SSL Proxy.

2. Issuer Keyring: From the drop-down menu, select the keyring to use as the
issuer keyring. Any keyring with both a certificate and a keypair in the drop-
down menu can be used.
3. CCL for Client Certificates: Choose which CAs are trusted when the SSL proxy
validates client certificates. The default is <All CA Certificates>.
4. CCL for Server Certificates: Choose which CAs are trusted when the SSL proxy
validates server certificates. The CCL for server certificates is relevant even
when SSL proxy is tunneling SSL traffic. The default is browser-trusted.
5. Click Apply.
To configure policy, see "Configuring SSL Rules through Policy" on page 240.

Using Client Consent Certificates

The SSL proxy, in forward proxy deployments, can specify whether a client
(typically a browser) certificate is required. These certificates are used for user
consent, not for user authentication. Whether they are needed depends upon local
privacy laws.

234
 With client consent certificates, each user is issued a pair of certificates with the
corresponding private keys. Both certificates have a meaningful user-readable
string in the common name field. One certificate has a string that indicates grant of
consent something like: “Yes, I agree to SSL interception”. The other certificate has
a common name indicating denial of consent, something like: “No, I do not agree
to SSL interception”.
Policy is installed on the Advanced Secure Gateway appliance to look for these
common names and to allow or deny actions. For example, when the string “Yes, I
agree to SSL interception” is seen in the client certificate common name, the
connection is allowed; otherwise, it is denied.

To configure client consent certificates:

1. Install the issuer of the client consent certificates as a CA certificate.
2. In VPM, configure the Require Client Certificate object in the SSL Layer > Action
column.
3. Configure the Client Certificate object in the Source column to match common
names.

Downloading an Issuer Certificate

When the SSL proxy intercepts an SSL connection, it presents an emulated server
certificate to the client browser. The client browser issues a security pop-up to the
end-user because the browser does not trust the issuer used by the Advanced
Secure Gateway appliance. This pop-up does not occur if the issuer certificate
used by SSL proxy is imported as a trusted root in the client browser's certificate
store.
The Advanced Secure Gateway appliance makes all configured certificates
available for download via its management console. You can ask end users to
download the issuer certificate through Internet Explorer or Firefox and install it
as a trusted CA in their browser of choice. This eliminates the certificate popup
for emulated certificates.
To download the certificate through Internet Explorer, see "To download a
certificate through Internet Explorer:" on page 235. To download a certificate
through Firefox, see "To download a certificate through Firefox:" on page 236.

To download a certificate through Internet Explorer:

Note: You can e-mail the console URL corresponding to the issuer certificate to
end users so that the he or she can install the issuer certificate as a trusted CA.

1. Select the Statistics > Advanced tab.

2. Select SSL.
3. Click Download a Certificate as a CA Certificate; the list of certificates on the system
display.
4. Click a certificate (it need not be associated with a keyring); the File Download
Security Warning displays asking what you want to do with the file.

235
Advanced Secure Gateway Administration Guide

5. Click Save. When the Save As dialog displays, click Save; the file downloads.
6. Click Open to view the Certificate properties; the Certificate window displays.

7. Click the Install Certificate button to launch the Certificate Import Wizard.
8. Ensure the Automatically select the certificate store based on the type of certificate
radio button is enabled before completing the wizard
9. Click Finish. the wizard announces when the certificate is imported.
10. (Optional) To view the installed certificate, go to Internet Explorer, Select Tools
> Internet Options > Contents > Certificates, and open either the Intermediate
Certification Authorities tab or the Trusted Root Certification Authorities tab,
depending on the certificate you downloaded.

To download a certificate through Firefox:

Note: You can e-mail the console URL corresponding to the issuer certificate
to end users so that the end-user can install the issuer certificate as a trusted
CA.

1. Select the Statistics > Advanced tab.

2. Select SSL.

236
3. Click Download an Advanced Secure Gateway Certificate as a CA Certificate; the list of
certificates on the system display.
4. Click a certificate (it need not be associated with a keyring); the Download
Certificate dialog displays.

5. Enable the options needed. View the certificate before trusting it for any
purpose.
6. Click OK; close the Advanced Statistics dialog.

237
Advanced Secure Gateway Administration Guide

Warn Users When Accessing Websites with Untrusted Certificates

Preserve Untrusted Certificate Issuer allows the Advanced Secure Gateway
appliance to present the browser with a certificate that is signed by its untrusted
issuer keyring. The browser displays certificate information to the user, and lets
the user accept the security risk of an untrusted certificate and proceed to the
website.
The default-untrusted keyring has been added to the Advanced Secure Gateway
appliance to use with the Preserve Untrusted Certificate Issuer feature. The
default-untrusted keyring should not be added to any trusted CA lists.

Note: This only applies to SSL forward proxy transactions with HTTPS
interception enabled.

To display a warning to users about untrusted certificates on website, you must

complete the following tasks.

Task # Reference

1 "Presenting Untrusted Certificates to a Browser" on page 238

2 "Set the Behavior when Encountering Untrusted Certificates" on page

238

Presenting Untrusted Certificates to a Browser

Configure the Advanced Secure Gateway appliance to act as a certificate
authority and present a certificate signed by a specific keyring for all traffic. The
default is the default-untrusted keyring.
1. From the Management Console, select Configuration > Proxy Settings > SSL Proxy.
2. To have the Advanced Secure Gateway appliance act as a Certificate
Authority (CA) and present the browser with an untrusted certificate, select
Preserve untrusted certificate issuer.

3. From the Untrusted Issuer Keyring drop-down, select the desired keyring from
the list of eligible keyrings which will be used to sign untrusted server
certificates presented by the Advanced Secure Gateway appliance.
4. Click Apply.

Set the Behavior when Encountering Untrusted Certificates

In the VPM or CPL, define what the Advanced Secure Gateway appliance should
do for specific traffic if the user tries to access a website with an untrusted
certificate.

238
Define Behavior in the Visual Policy Manager (VPM)
Override the Advanced Secure Gateway Management Console settings for
specific traffic, to specify whether the users should be prompted when a
certificate that has not been signed by a trusted Certificate Authority is
encountered.
In the SSL Intercept Layer, add one of the following Actions:
❐ Do not Preserve Untrusted Issuer

If an OCS presents a certificate to the Advanced Secure Gateway appliance

that is not signed by a trusted Certificate Authority (CA), the Advanced
Secure Gateway appliance either sends an error message to the browser, or
ignores the error and processes the request, based on the configuration of the
Server Certificate Validation object.
❐ Preserve Untrusted Issuer

If an OCS presents a certificate to the Advanced Secure Gateway appliance

that is not signed by a trusted Certificate Authority (CA), the appliance acts as
a CA and presents the browser with an untrusted certificate. A warning
message is displayed to the user, and they can decide to ignore the warning
and visit the website or cancel the request.
❐ Use Default Setting for Preserve Untrusted Issuer

The Preserve untrusted certificate issuer configuration setting in the Advanced

Secure Gateway Management Console is used to determine whether or not
untrusted certificate issuer should be preserved for a connection. This is the
default behavior.

Define Behavior in CPL

Include the following syntax in policy to specify the behavior of the Advanced
Secure Gateway appliance when users encounter a website with an untrusted
certificate:
ssl.forward_proxy.preserve_untrusted(auto|yes|no)
where:
• auto - Uses the Preserve untrusted certificate issuer configuration setting in
the Advanced Secure Gateway Management Console to determine
whether untrusted certificate issuer should be preserved for a connection.
This is the default.
• yes - Preserve untrusted certificate issuer is enabled for the connection.
• no - Preserve untrusted certificate issuer is disabled for the connection.
For example, to use the enable using the preserve untrusted certificate issuer, use
the following syntax:
<ssl-intercept>
ssl.forward_proxy.preserve_untrusted(yes)

239
Advanced Secure Gateway Administration Guide

Section B: Configuring SSL Rules through Policy

SSL interception and access rules, including server certificate validation, are
configured through policy—either the VPM or CPL. Use the SSL Intercept Layer to
configure SSL interception; use the SSL Access Layer to control other aspects of SSL
communication such as server certificate validation and SSL versions. To
configure SSL rules using CPL, refer to the Content Policy Language Reference. This
section covers the following topics:
❐ "Using the SSL Intercept Layer" on page 240.
❐ "Using the SSL Access Layer" on page 242
❐ "Using Client Consent Certificates" on page 234
The policy examples in this section are for in-path deployments of Advanced
Secure Gateway appliances.

Using the SSL Intercept Layer

The SSL intercept layer allows you to set intercept options:
❐ "To intercept HTTPS content through VPM:" on page 240
❐ "To intercept HTTPS requests to specific sites through the VPM:" on page 241
❐ "To customize server certificate validation through VPM:" on page 242
❐ “Configuring STunnel” on page 248

Note: For detailed instructions on using VPM, refer to the Visual Policy Manager
Reference.

To intercept HTTPS content through VPM:

1. Select the Configuration > Policy > Visual Policy Manager tab and launch the VPM.
2. From the Policy drop-down menu, select Add SSL Intercept Layer.
3. Right-click Set in the Action column; the Set Action object displays.
4. Click New and select Enable HTTPS Intercept object.
The options for Issuer Keyring, Hostname, Splash Text, and Splash URL all control
various aspects for certificate emulation. Fill in the fields as follows:
a. Issuer Keyring: If you selected an issuer keyring previously, that keyring
displays. If you did not select an issuer keyring previously, the default
keyring displays. To change the keyring that is used as the issuer
keyring, choose a different keyring from the drop-down menu.
b. Hostname: The host name you put here is the host name in the
emulated certificate.
c. Splash Text: You are limited to a maximum of 200 characters. The splash
text is added to the emulated certificate as a certificate extension.

240
 d. Splash URL: The splash URL is added to the emulated certificate as a
certificate extension.
The STunnel options control various aspects of SSL interception.
a. Enable STunnel Interception: Establish a policy where configured STunnel
services (such as POP3S and SMTPS) are terminated and accelerated.
b. Enable SSL interception with automatic protocol detection: In addition to
STunnel interception as described above, discovered HTTPS is handed
off to the HTTPS proxy. Otherwise, SSL traffic continues in STunnel
mode.
5. Click OK to save the changes.
You can use the Disable SSL Intercept object to disable HTTPS Intercept.

To intercept HTTPS requests to specific sites through the VPM:

1. Select the Configuration > Policy > Visual Policy Manager tab and launch the VPM.
2. From the Policy drop-down menu, select Add SSL Intercept Layer.
3. In the Destination column, right-click Set; the Set Destination Object displays.
4. Click New and select Server Certificate.

5a

5b

5. Fill in the fields as described below. You can only select one field:
a. Hostname: This is the host name of the server whose traffic you want to
intercept. After entering the host name, use the drop-down menu to
specify Exact Match, Contains, At Beginning, At End, Domain, or Regex.
b. Subject: This is the subject field in the server's certificate. After you
enter the subject, use the drop-down menu to specify Exact Match,
Contains, At Beginning, At End, Domain, or Regex.

6. Click Add, then Close; click OK to add the object to the rule.

To categorize host names in server certificates through VPM:

1. While still in the Destination column of the SSL Intercept layer, right-click Set; the
Set Destination object displays.

2. Click New and select the Server Certificate Category object. The Add Server
Certificate Category Object displays. You can change the name in the top field if
needed.

241
Advanced Secure Gateway Administration Guide

3. Select the categories. The categories you selected display in the right-hand
column.
4. Click OK.

Using the SSL Access Layer

For a list of the conditions, properties, and actions that can be used in the SSL
Access Layer, refer to the Content Policy Language Reference.

Note: For detailed instructions on using VPM, refer to the Visual Policy Manager
Reference.

To customize server certificate validation through VPM:

Note: The policy property server.certificate.validate, if set, overrides the

ssl-verify-server command for either HTTP or for forwarding hosts.

1. Select the Configuration > Policy > Visual Policy Manager tab and launch the VPM.
2. From the Policy drop-down menu, select Add SSL Access Layer.
3. In the Action column, right-click Set; the Set Action object displays.
4. Click New and select Set Server Certificate Validation object.

242
 5. By default, server certificate validation is enabled; to disable it, select Disable
server certificate validation at the bottom of the dialog.

If server certificate validation is enabled, you can determine behavior by

selecting the Ignore hostname mismatch, Ignore expiration, or Ignore untrusted issuer
options. These options mimic the overrides supported by most browsers.
6. Select an option for revocation checks:
• Select an Online Certificate Status Protocol (OCSP) option. For more
information, see Section F: "Checking Certificate Revocation Status in Real
Time (OCSP)" on page 1199.
• Use only local certificate revocation check: Uses the CRL configured on the
Advanced Secure Gateway appliance to perform the revocation check for
a server certificate.
• Do not check certificate revocation: Does not check the revocation status of the
server certificate; however it still carries out the other certificate validation
checks.
7. Click OK; click OK again to add the object.

Notes

Note: Pipelining configuration for HTTP is ignored for HTTPS requests

intercepted by the SSL proxy. When the SSL proxy intercepts an HTTPS request,
and the response is an HTML page with embedded images, the embedded
images are not pre-fetched by the Advanced Secure Gateway appliance.

❐ If the Advanced Secure Gateway appliance and the origin content server
cannot agree on a common cipher suite for intercepted connections, the
connection is aborted.

243
Advanced Secure Gateway Administration Guide

❐ Server-Gated Cryptography and step-up certificates are treated just as regular

certificates; special extensions present in these certificates are not be copied
into the emulated certificate. Clients relying on SGC/step-up certificates
continue using weaker ciphers between the client and the Advanced Secure
Gateway appliance when the SSL proxy intercepts the traffic.

244
Section C: Viewing SSL Statistics
The following sections discuss how to analyze various statistics generated by SSL
transactions.

Viewing SSL History Statistics

The Statistics > Protocol details > SSL History tabs (SSL Data, SSL Clients, SSL Bytes)
provide various useful statistics for unintercepted SSL traffic.

Note: Some SSL statistics (SSL client connections and total bytes sent and
received over a period of time) can only be viewed through the Management
Console (see "Unintercepted SSL Data" on page 245 and "Unintercepted SSL
Clients" on page 246).

Unintercepted SSL Data

The SSL Data tab on the Management Console displays SSL statistics.
The following table details the statistics provided through the SSL Data tab for the
Unintercepted SSL protocol.

Table 9–1 Unintercepted SSL Data Statistics

Status Description
Current unintercepted SSL The current number of unintercepted SSL client
connections connections.
Total unintercepted SSL connections The cumulative number of unintercepted SSL
client connections since the Advanced Secure
Gateway appliance was last rebooted.
Total bytes sent The total number of unintercepted bytes sent.
Total bytes received The total number of unintercepted bytes received.

To view unintercepted SSL data statistics:

From the Management Console, select the Statistics > Protocol Details > SSL History >
SSL Data tab; make sure Unintercepted SSL is selected for the Protocol.
The default view shows all unintercepted SSL data.

245
Advanced Secure Gateway Administration Guide

Unintercepted SSL Clients

The SSL Clients tab displays dynamic graphical statistics for connections received
in the last 60-minute, 24-hour, or 30-day period.

To view SSL client unintercepted statistics:

1. From the Management Console, select the Statistics > Protocol Details > SSL
History > SSL Clients tab.

2. Make sure Unintercepted SSL is selected for the Protocol.

3. Select a time period for the graph from the Duration: drop-down list. The
default is Last Hour.
4. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.

Unintercepted SSL Bytes

The SSL Bytes tab displays dynamic graphical statistics for bytes received in the
last 60-minute, 24-hour, or 30-day period.

To view unintercepted SSL byte statistics:

1. From the Management Console, select the Statistics > Protocol Details > SSL
History > SSL Bytes tab.

2. Make sure Unintercepted SSL is selected for the Protocol.

246
3. Select the Duration: for the graph from the drop-down list. The default is Last
Hour.

4. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.

247
Advanced Secure Gateway Administration Guide

Section D: Using STunnel

Stunnel intercepts SSL traffic regardless of the application protocol over it. HTTPS
traffic may be identified and handed off to that proxy, and you may create
services to inspect and accelerate other SSL protocols, such as SMTPS. The
decrypted data may be tapped; see "Tapping Decrypted Data with Encrypted
Tap" on page 254.
STunnel integrates with secure ADN. When secure ADN is enabled, SSL traffic is
accelerated using byte-caching and/or compression. An STunnel service will
intercept traffic based on the configuration and policy. For intercepted SSL-
sessions, the STunnel proxy acts as man-in-the-middle.
The STunnel sub-proxy can perform the following actions:
❐ Intercept SSL traffic and hand off HTTPS content to the HTTPS proxy when it
is detected.
❐ Intercept non-HTTPS traffic.
❐ With ADN, accelerate intercepted SSL traffic.
If you are familiar with configuring an inline or explicit HTTPS proxy, STunnel
works the same way. STunnel is configured with the following policy rule:
ssl.forward_proxy(yes)
or
ssl.forward_proxy(stunnel)
Traffic is handled by STunnel, and tunneled through or processed as appropriate.
STunnel supports SSLv2, SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2.

Configuring STunnel
You can configure STunnel using the Visual Policy Manager (VPM) or the
Management Console.

Configure STunnel Policy using VPM

STunnel, which lets you intercept SSL traffic regardless of the application protocol
over it, is configured on the interception layer. To configure STunnel policy using
the VPM, follow these steps.
1. On the Configuration tab, select Policy> Visual Policy Manager, then click Launch.
2. Select Policy > Add SSL Intercept Layer.
3. Right click in the Action column
4. Choose Set > New > Enable SSL Interception.
5. On the Add SSL Interception Object window, choose one of the following:
• Enable STunnel Interception: Establish
a policy where configured STunnel
services (such as POP3S and SMTPS) are terminated and accelerated.
Make sure to configure the related services if you choose this option.

248
 • Enable SSL interception with automatic protocol detection:
In addition to
STunnel interception as described above, discovered HTTPS is handed off
to the HTTPS proxy. Otherwise, SSL traffic continues in STunnel mode.

6. Click OK. The window closes.

7. Click OK on the Set Action Object Window; it closes.
8. To examine the policy, press View.
9. Click Install policy on the VPM window.

Configure STunnel via the Management Console

Accelerate SSL Traffic
To provide acceleration to SSL using byte caching, enable a secure ADN. See
"Intercepting HTTPS Traffic" for details.
Intercept the traffic as described in "Intercept SSL Based Traffic" .
For an inline or explicit forward proxy, use the policy rule
ssl.forward_proxy(stunnel) or ssl.forwrd_proxy(yes).

Note: If an unsuccessful SSL interception occurs (the SSL handshake fails), the
traffic is tunneled.

Intercept SSL Based Traffic

Use STunnel to intercept SSL traffic, such as POP3S, SMTPS, and HTTPS.

Configure a Forward Proxy with an STunnel Service

1. Set up a Secure ADN between the concentrator and branch peer. See "Verify
Secure ADN" on page 329.

249
Advanced Secure Gateway Administration Guide

2. On the branch peer, edit or create POP3S or SMTPS services (create a new
service at Configuration > Services > Proxy Services > New Service).
3. Click Apply on the Configuration tab.

Example POP3S Setup:

POP3S is located in the Bypass-
Recommended group by default.
Name: POP3S
Service Group: Standard
Proxy Settings/Proxy: SSL
Detect Protocol: Check;identified HTTPS
traffic will be handed to the HTTPS
forward proxy for processing
TCP/IP: N/A
Application Delivery Network Settings: Click
Enable ADN; Retention priority is set to
normal.
Listeners: Set Action to Intercept.

For an SMTPS setup, follow the same configuration, except choose the
appropriate port and enter SMTPS as the Name.
Make sure your SSL policy is configured correctly for STunnel. See the next
section.

Viewing STunnel Results

Traffic and Service results are available for STunnel. See Chapter 31: "Statistics"
on page 733 for additional details on understanding the presentation of statistics.
• STunnel is part of the SSL proxy, but is broken out under STunnel in the
Proxy statistics, so you may easily find the results.
• The SSL proxy controls the tunneled (unintercepted) SSL traffic—there is
no need to look at the Bandwidth Savings report for the SSL proxy since
this traffic is not accelerated.
• For a typical setup, where you have HTTPS traffic identified and handed
off to its proxy, make sure to look at the HTTPS proxy statistics and
bandwidth savings as well as STunnel reports in order to get the best
understanding of STunnel results.

Viewing Traffic Statistics

To see traffic statistics, go to Statistics > Traffic Details. View the Traffic Mix and Traffic
History tab statistics. STunnel sessions are listed under Active and Errored sessions,
as well.

250
Traffic Mix
On the Traffic Mix > Service tab, view traffic distribution and bandwidth statistics
for SSL service traffic running through the Advanced Secure Gateway appliance.

Traffic History
STunnel sessions are listed under Traffic Mix and Traffic History:
1. Select the Statistics > Traffic Details> Traffic Mix/Traffic History.
2. On the Traffic Mix tab, select Proxy.
• The BW Usage and BW Gain tabs are available.
• The pie chart visually represents the bandwidth percentage for each proxy,
including STunnel.
• Scroll down in the table to view the STunnel (and HTTPS) information.
3. On the Traffic History tab, select Proxy.
• View STunnel on the BW Usage, BW Gain, Client Bytes and Server Bytes tabs.

251
Advanced Secure Gateway Administration Guide

Application Mix
The Advanced Secure Gateway appliance can classify SSL-tunneled traffic
without full HTTPS interception. The Statistics > Application Details > Application Mix
and Statistics > Application Details > Application History reports display the
applications detected in SSL-tunneled traffic. In the Proxy Type column in
Application Mix report, look for STunnel.

Viewing Session Statistics

To see STunnel accelerated session statistics such as duration and caching for
current active and historical errored sessions, view the Sessions statistics on the
Statistics tab.

1. On the Concentrator peer, log in to the Management Console.

2. Select the Statistics > Sessions > Active Sessions/Errored Sessions > Proxied Sessions
tab.
3. From the Filter drop-down list, select Protocol.
4. Select STunnel from the corresponding drop down list.
5. Press Show.

252
 See "Active Sessions—Viewing Per-Connection Statistics" on page 759 for details
on using these windows.

Viewing Protocol Details

Go to Protocol Details > SSL Data tab to view client connection and data transfer
bytes information for STunnel.
At Protocol, select STunnel.

Access Logging
View the SSL log to see the STunnel sessions; the cs-protocol value is set to stunnel.

253
Advanced Secure Gateway Administration Guide

Section E: Tapping Decrypted Data with Encrypted Tap

Encrypted tap streams decrypted data from intercepted HTTPS or STunnel SSL
transactions on client connections. The tap is performed simultaneously and on
the same Advanced Secure Gateway appliance which is performing the Secure
Web Gateway function. The data is presented in a format that can be understood
by common network traffic analysis tools like Wireshark, common network
intrusion detection systems such as Snort, and so on.
• Encrypted Tap does not support VLAN.
• MTU is fixed at 1500 bytes.
• SSL protocol headers/records/details are not preserved.
• Encrypted Tap is supported for forward proxy for STunnel and HTTPS,
and for reverse proxy for HTTPS.
• Encrypted tap also taps WebSocket.

Before you start

• Ensure your SGOS license is up to date and includes a valid Encrypted
Tap component
• Configure HTTPS (see “Intercepting HTTPS Traffic” on page 231) or
STunnel (see “Using STunnel” on page 248) interception on the Advanced
Secure Gateway appliance.
• Ensure the Advanced Secure Gateway has at least one open Ethernet port.
• Have a computer with a spare, unused/assigned Ethernet interface and a
third party analysis application installed available to receive the tapped
data.

Follow these steps

On the Advanced Secure Gateway appliance:
1. Enable Proxy Services for HTTPS/HTTP:
a. From the Management Console, select Configuration tab > Services >
Proxy-Services.

b. On the Proxy Services tab, select Predefined Service Group >Standard >
HTTPS, and press Edit Service.

c. On the Edit Service pop up, under Listeners, set Action=Intercept.

d. Press OK. The Edit Service pop up closes.
2. On the Configuration tab > Proxy Settings > General > General tab, check
Reflect Client IP to reflect the client IP.
3. From the Management Console, select Configuration tab > Policy > Policy Options >
Default Proxy Policy: Allow to set the Default Policy to Allow.

4. Create the Encrypted Tap policy.

254
 a. From the Management Console, on the Configuration tab, select Policy >
Visual Policy Manager > Launch. The Visual Policy Manager window pops
up.
b. On the VPM, from Policy, select Add SSL Access Layer, and provide a
name as required.
c. Highlight the added row, right click on Action, and choose Set.
d. On the Set Action Object window, click New..., and choose Enable
encrypted tap.

e. On the Add Encrypted Tap Object window, set the name, verify Enable
encrypted tap is selected, and choose the tap Interface to use from the
drop down.
f. Click Ok. The window closes.
g. Click Ok. The Set Action Object window closes.
5. Install the Encrypted Tap policy.
a. Click Install Policy. You will see a confirmation when the new policy has
been installed.

Note: Make sure the tapped interface is not the same as any client/server/
management interface in use, in order to avoid dumping tapped or decrypted
traffic onto real servers. Furthermore, to avoid dropping traffic at the L2
device (resultant of how L2 forwarding works), ensure there are no Layer 2
bridging devices between the Advanced Secure Gateway appliance and the
sniffer tools used on the tapped interface.

255
Advanced Secure Gateway Administration Guide

On another computer:
1. Connect the PC to the selected Ethernet interface.
2. Open the third-party application (such as Wireshark), and configure it to
monitor the network traffic on the selected Ethernet interface. The intercepted
HTTPS traffic should now be viewable by this application.

Viewing Encrypted Tap Results

❐ Tapping the Traffic
Traffic is accessed at the specified interface. It has a TCP-like format which
networking monitoring tools such as Wireshark and Snort can easily interpret.
Here are the output details:
• TCP-SYN/ACK for connection setup
• TCP-FIN/ACK or TCP-RST for connection tear downs.
• Original source and destination IP and ports of the connection
• TCP sequence numbers, acknowledgements, and checksums, updated
accordingly for data output
• TTL set to 1
• MAC addresses selected to avoid any potential conflicts. The Source MAC
is the original source MAC address. If the Destination MAC address
belongs to the original Advanced Secure Gateway appliance, it may be
translated, but will otherwise be preserved.
❐ View the ssl log to see HTTPS or STunnel sessions; tapped transactions have
the x-cs-connection-encrypted-tap x-cs-connection-encrypted-tap value set
to TAPPED.

Troubleshooting
This section describes troubleshooting tips and solutions for Encrypted Tap.
❐ View access logs for Encrypted Tap. See ‘Viewing Access-Log Statistics.’
❐ View the Encrypted Tap debug log and statistics.
❐ Perform a packet capture at the hardware interface on the Advanced Secure
Gateway appliance. Go to Maintenance > Service Information > Packet Captures to
access packet captures. The capture provides details on the data transmitted
by the Advanced Secure Gateway appliance; compare this to the received tap
data.
❐ Perform policy tracing; refer to the Blue Coat Knowledge Base for articles on
how to perform an SSL policy trace.

256
Section F: Working with an HSM Appliance
A Hardware Security Module (HSM) provides additional security for storing
cryptographic keys and certificates, which is required in some highly regulated
industries. The Advanced Secure Gateway appliance is able to use a network-
attached HSM appliance to store resigning CA keys, and to perform digital
signature operations. The Advanced Secure Gateway appliance exchanges
signing requests and responses with the attached HSM appliance, over mutually
authenticated HTTPS requests. The Advanced Secure Gateway appliance sends
certificate data to the HSM.

The Advanced Secure Gateway appliance can work with multiple HSM
appliances, and multiple appliances can work with the same HSM. In the event
that a policy rule using an HSM to sign cannot work due to lack of response from
the HSM, the attempt is logged, and the applicable policy action configured for
HSM failure (cut through, drop, reject) occurs. In addition to the resigning
certificates, a mutually authenticated connection (communication pipeline) must
be set up by verified certificates. Configure the Advanced Secure Gateway
appliance with CLI, CPL, or the VPM.

Working with the SafeNet Java HSM

The SafeNet Java HSM must be configured separately. Additionally, Blue Coat
provides an agent to install on the SafeNet Java HSM, which will be used to
interact with Blue Coat appliances. A certificate to authorize the agent is included.
The Blue Coat HSM Agent operates on top of a secure session. It communicates to
the external Blue Coat entity (Advanced Secure Gateway appliance), and is used
remotely.

Before You Begin

In order for the Advanced Secure Gateway to trust the HSM, you must import the
server certificate for the HSM, and put it in to a CA Certificate List. Go to
Configuration > SSL > CA Certificates, and Import the certificate. Name the certificate
and paste the .PEM data in to the appropriate field. For further information, see “
Importing CA Certificates” on page 1188.

257
Advanced Secure Gateway Administration Guide

An HSM requires a linked Device Profile (go to SSL > Device Profiles). Click New,
and create a FIPS compliant or non-compliant profile as required, then enter the
HSM credentials into the Create SSL Device Profile window. For more information,
see "Specifying an Issuer Keyring and CCL Lists for SSL Interception" for more
information.

Add an HSM
HSM appears in the Configuration > SSL menu. The new page contains three tabs.
Click Create on the HSM tab to set up an HSM connection.
1. On the Configuration > SSL > HSM tab, select Create. The Create HSM window pops up.
2. Enter the HSM credentials. For the Device Profile, select the HSM profile created
earlier. Click OK to save the information and close the window.
3. Click Apply on the HSM window. The new HSM appears in the list. Referenced
will show “No” until you use the new HSM in policy.

Add an HSM Keyring

Adding an HSM keyring follows the same steps as adding any SSL keyring. HSM
keyrings are now also available in Proxy Settings > SSL Proxy > General Settings >
Issuer Keyring.

1. On the Configuration > SSL > HSM Keyrings tab, select Create. The Create HSM
Keyring window pops up.

2. Enter the HSM credentials. Use the Paste From Clipboard button to enter the
Certificate PEM file; the Key Label is the name associated with the private key
created on the SafeNet Java HSM. Click OK to save the information and close
the window..
3. Click Apply on the HSM Keyrings window. The new HSM keyring appears in the
list. Referenced will show “No” until you use the new keyring in policy.

258
 Note: A keyring which is referenced by policy can’t be deleted.

Once a keyring has been created, you can click View Certificate to see the certificate
details and PEM file data. Click Preview to see a list of actions which will occur
when the keyring is implemented.

Note: HSM keyrings also appear in the Proxy Settings > SSL Proxy list of Issuer
Keyrings.

Add an HSM Keygroup

Keygroups may be referenced in policy, instead of an individual keyring. When a
keygroup is used, the SSL connections are load balanced, either within one HSM
or across an HSM group.
Adding an HSM keygroup follows the same steps as adding any SSL keylist.
1. On the Configuration > SSL > HSM Keygroups tab, select Create. The Create HSM
Keygroup window pops up. Any preexisting keygroups appear is the Available
HSM Keyrings fields.

2. Create the new group. Move keyrings from the Available HSM Keyrings list to the
Included HSM Keyrings list with the Add>> and Remove>> buttons, to have them
included in the new group.
3. Click OK. The window closes.
4. Click Apply on the HSM Keygroups window.

259
Advanced Secure Gateway Administration Guide

Write HSM Policy

Use policy to direct the SSL proxy to use an HSM keyring or keygroup to sign an
emulated certificate from an intercepted authenticated SSL connection. See the
following graphic.
1. Launch the VPM (Policy > Visual Policy Manager > Launch).
2. On the Blue Coat Visual Policy Manager window, select Policy > Add SSL Intercept
Layer.

3. Rename the layer on the Add New Layer window if required, then click OK (not
shown in the graphic).
4. Highlight the new layer, and right click at Action; select Set. The Set Action
Object window displays.

5. On the Set Action Object window, select New. > Enable SSL Interception.
6. On the Add SSL Interception Object window, select the Issuer Keyring to use for
HSM signatures. Configured HSM keyrings and keygroups appear on the
drop down list.
7. Click OK. The window closes.
8. Click Install Policy. You will see a “Policy installation was successful” message
on completion.
9. Close the VPM and click Apply.

260
261
Advanced Secure Gateway Administration Guide

Section G: Advanced Topics

If you use OpenSSL or Active Directory, you can follow the procedures below to
manage your certificates.
For OpenSSL, see "Creating an Intermediate CA using OpenSSL" on page 262; if
using Active Directory, see "Creating an Intermediate CA using Microsoft Server
2012 (Active Directory)" on page 265.

Creating an Intermediate CA using OpenSSL

This section describes the certificate management when creating an intermediate
CA using OpenSSL.
The overall steps are:
❐ "Installing OpenSSL" on page 262
❐ "Creating a Root Certificate" on page 262
❐ "Modifying the OpenSSL.cnf File" on page 263
❐ "Signing the Advanced Secure Gateway CSR" on page 264
❐ "Importing the Certificate into the Advanced Secure Gateway Appliance" on
page 264
❐ "Testing the Configuration" on page 265
Various OpenSSL distributions can be found at http://www.openssl.org.

Installing OpenSSL
After OpenSSL is installed, you must edit the openssl.cnf file and ensure the
path names are correct. By default root certificates are located under ./PEM/DemoCA;
generated certificates are located under /certs.

Creating a Root Certificate

In order to create a root Certificate Authority (CA) certificate, complete the
following steps.

Note: The key and certificate in this example is located at ./bin/PEM/demoCA/

private/.

1. In command prompt, enter:

openssl req -new -x509 -keyout
c:\resources\ssl\openssl\bin\PEM\demoCA\private\
cakey.pem -out
c:\resources\ssl\openssl\bin\PEM\demoCA\private\CAcert.pem

where the root directory for openssl is: \resources\ssl\openssl

262
 openssl req -new -x509 -keyout
c:\resources\ssl\openssl\bin\PEM\demoCA\private\cakey.pem -out
c:\resources\ssl\openssl\bin\PEM\demoCA\private\CAcert.pem
Using configuration from C:\Resources\SSL\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.....................................+++++
................................................+++++
writing new private key to
'c:\resources\ssl\openssl\bin\PEM\demoCA\private\cakey.pem'
Enter PEM pass phrase:

2. Type any string more than four characters for the PEM pass phrase.
3. Enter the certificate parameters, such as country name, common name that are
required for a Certificate Signing Request (CSR).
The private key and root CA are now located under the directory ./PEM/
DemoCA/private

4. Create a keyring.
a. From the Management Console, select Configuration > SSL > Keyrings.
b. Click Create; fill in the fields as appropriate.
c. Click OK.
5. Create a CSR on the Advanced Secure Gateway appliance.
a. From the Management Console, select Configuration > SSL > Keyrings.
b. Highlight the keyring you just created; click Edit/View.
c. In the Certificate Signing Request pane, click Create and fill in the fields
as appropriate.

Note: Detailed instructions on creating a keyring and a CSR are in

Chapter 70: "Authenticating an Advanced Secure Gateway Appliance" on
page 1347. They can also be found in the online help.

6. Paste the contents of the CSR into a text file called new.pem located in the ./bin
directory.

Modifying the OpenSSL.cnf File

Modify the openssl.cnf file to import the openSSL root CA into your browser. If
you do not do this step, you must import he Advanced Secure Gateway certificate
into the browser.
1. In the openssl.cnf file, look for the string basicConstraints=CA, and set it to
TRUE.
basicConstraints=CA:TRUE

2. Save the openSSL.cnf file.

263
Advanced Secure Gateway Administration Guide

Signing the Advanced Secure Gateway CSR

Open a Windows command prompt window and enter:
openssl ca -policy policy_anything -out newcert.pem -in new.pem
The output is:
Using configuration from C:\Resources\SSL\OpenSSL\bin\openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'FR'
stateOrProvinceName :PRINTABLE:'Paris'
localityName :PRINTABLE:'Paris'
organizationName :PRINTABLE:'BlueCoat'
organizationalUnitName:PRINTABLE:'Security Team'
commonName :PRINTABLE:'Proxy.bluecoat.com'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Sep 27 13:29:09 2006 GMT (365
days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
This signs the certificate; it can then be imported into the Advanced Secure
Gateway appliance.

Importing the Certificate into the Advanced Secure Gateway

Appliance
1. Open the file newcert.pem in a text editor.
2. Select Management Console > Configuration > SSL > SSL Keyrings.
3. Selecting the keyring used for SSL interception; click Edit/View.
4. Paste in the contents of the newcert.pem file.
5. Import the contents of the newcert.pem file into the CA Certificates list.
a. From the Management Console, select Configuration > SSL > CA
Certificates.

b. Click Import; enter the certificate name in the CA Cert Name field.
c. Paste the certificate, being sure to include the -----BEGIN
CERTIFICATE---- and the ----END CERTIFICATE----- statements in
the ./bin/PEM/demoCA/private/CAcert file.
d. Click OK.

264
 Testing the Configuration
Import the root CA into your browser and construct an SSL interception policy.

Note: Detailed instructions on constructing an SSL interception policy are in

"Configuring SSL Rules through Policy" on page 240.

You should not be prompted for any certificate warning.

Creating an Intermediate CA using Microsoft Server 2012 (Active Directory)

This section describes certificate management when creating an intermediate CA
using Active Directory.
Before you begin:
❐ Verify the Windows 2012 system is an Active Directory server.
❐ Make sure IIS is installed on the server.
❐ Install the "Certificate Services" through the Server Manager. Enable Active
Directory Certificate Services and select the Certificate Authority mode
as Enterprise
root CA on the AD CS (Active Directory Certificate Services).

All certificate management is done through the browser using the following URL:
http://@ip_server/CertSrv
For information on the following tasks, see:
❐ "Install the root CA onto the browser:" on page 265
❐ "Create an appliance keyring and certificate signing request:" on page 265
❐ "Sign the appliance CSR:" on page 266
❐ "Import the subordinate CA certificate onto the appliance:" on page 266
❐ "Test the configuration:" on page 267

Install the root CA onto the browser:

1. Connect to http://@ip_server/certsrv.
2. Click Download a CA Certificate, certificate chain, or CRL.
3. Click Install this CA Certificate.
This installs the root CA onto the browser.

Create an appliance keyring and certificate signing request:

1. From the Management Console, select the Configuration > SSL > Keyrings tab.
2. Create a new keyring. For detailed instructions on creating a new keyring, see
"Creating a Keyring" on page 1163.
3. Create a Certificate Signing Request (CSR). For detailed instructions on
creating a CSR, see "Creating a Keyring" on page 1163.
4. To capture the CSR information, edit the keyring containing the CSR, and
copy the Certificate Signing Request field content.

265
Advanced Secure Gateway Administration Guide

5. Click Close.

Sign the appliance CSR:

1. Connect to http://@ip_server/certsrv.
2. Select Request a certificate.
3. Select submit an advanced certificate request.
4. On the next screen (Submit a Certificate Request or Renewal Request) paste the
contents of the CSR into the Base-64-encoded certificate request field.
5. Select the Certificate Template Subordinate Certification Authority.
If this template does not exist, connect to the certificate manager tool on the
Active Directory server and add the template.
6. Click Submit.
7. Download the certificate (not the chain) as Base 64 encoded.
8. Save this file on the workstation as newcert.pem.

Import the subordinate CA certificate onto the appliance:

1. Open the file newcert.pem in a text editor and copy the contents, from the
BEGIN CERTIFICATE through END CERTIFICATE; don’t include any spaces after
the dashes.
2. In the Management Console, select the Configuration > SSL > SSL Keyrings tab.
3. Select the keyring that has the CSR created; click Edit.

Note: Ensure this keyring is used as the issuer keyring for emulated
certificates. Use policy or the SSL intercept setting in the Management
Console or the CLI.

4. Click Import to paste the contents of the newcert.pem file. This imported the
appliance’s subordinate CA certificate into the keyring.
5. To ensure the appliance trusts the newly -added certificate, import the
contents of the newcert.pem file into the CA Certificates list.
a. From the Management Console, select Configuration > SSL > CA
Certificates.

b. Click Import; enter the certificate name in the CA Cert Name field.
c. Paste the certificate, being sure to include the -----BEGIN
CERTIFICATE---- and the ----END CERTIFICATE----- statements in
the ./bin/PEM/demoCA/private/CAcert file.
d. Click OK.
e. Click Apply.

266
Test the configuration:
Import the root CA into your browser and construct an SSL interception policy.
You should not be prompted for any certificate warning.

Note: Detailed instructions on constructing an SSL interception policy are in

"Configuring SSL Rules through Policy" on page 240.

267
Advanced Secure Gateway Administration Guide

268
Chapter 10: Managing the WebEx Proxy

This chapter describes how to use the Advanced Secure Gateway appliance
WebEx proxy to control WebEx sessions.

Topics in this Chapter

This chapter includes information about the following topics:
❐ "About Controlling the WebEx Application and File Sharing" on page 270
❐ "Enable HTTP Handoff" on page 271
❐ "Control Access to a WebEx Site with Policy" on page 272
❐ "Control File Uploads with Policy" on page 274
❐ "Control Desktop Sharing with Policy" on page 277
❐ "WebEx Proxy Access Logging" on page 281
❐ "Review WebEx Proxy Sessions" on page 283

WebEx is a popular file and desktop sharing software application. Meeting

participants can join from all over the world. In the presenter role, a user can
share his desktop, files, or a specific application window. The WebEx proxy on
the Advanced Secure Gateway appliance provides for the inspection of WebEx
traffic, which allows fine control over desktop and file sharing operations.
This solution is designed for both explicit and transparent forward proxy
deployments. It requires the WebEx HTTP handoff be enabled. If the HTTP
handoff is not enabled, the WebEx proxy policy is not applied, though other
policy pertaining to HTTP traffic is.
The solution requires an active, licensed Blue Coat Web Filter (BCWF) database
(see "Filtering Web Content" ). The BCWF detects WebEx HTTPS connections.
When HTTP handoff is enabled, WebEx connections are handed to the WebEx
Proxy, where it can be inspected and subject to policy actions. If desktop or file
sharing is configured to blocked when detected by the WebEx proxy, the HTTP
connection does not continue to the server.

IPv6 Support
The Webex proxy is able to communicate using either IPv4 or IPv6, either
explicitly or transparently.

269
Advanced Secure Gateway Administration Guide

Section 1 About Controlling the WebEx Application and File Sharing

The WebEx Proxy can control WebEx desktop and file sharing with using a deny
(block)/allow option. The proxy can be configured to allow a user to attend a
meeting, but restrict the user from sharing a file, hosting a meeting, or sharing the
desktop.

Before You Begin

❐ Make sure the appliance has a valid license installed.
❐ Make sure the BCWF is licensed and active.
❐ Go to Configuration > Application Classification > General, and click Enable Blue Coat
Application Classification on this device.

270
Section 2 Enable HTTP Handoff
1. Go to Configuration > Proxy Settings > WebEx Proxy.
2. Verify Enable HTTP handoff has been checked; it is checked by default.

271
Advanced Secure Gateway Administration Guide

Section 3 Control Access to a WebEx Site with Policy

This procedure applies to connections to a specific WebEx server. You will likely
want to write policy which contains both a reference to a specific site (whether to
deny or allow access to that site) as well as an action such as deny file uploads.
1. Launch the VPM (Configuration > Policy > Visual Policy Manager).
2. Select Policy > Add Web Access Layer.
3. Name the layer appropriately, such as “WebEx Layer,” and click OK.
4. In the new layer, right click the Destination field, and click Set. The system
displays the Set Destination Object window.
5. Click New, and select the WebEx Site from the list. The system displays theAdd
WebEx Site Object window.

6. Name the WebEx Site Object, then enter the site name in the detail you select at
the drop down. For example, enter “company1“ for an Exact Match, then click
OK. The Add WebEx Site Object window closes. The Site Name may only contain
alphanumeric characters.

7. Choose an Action of Allow or Deny, as required.

8. Alternately, you can add a Webex site and another object to a Combined
Destination Object, to allow or deny a specific action for a particular site. For
example, add a ShareApplication object to deny application sharing for a
specific site.
See "Control File Uploads with Policy" next for more details on creating
Combined Destination Objects.

272
9. Install the policy.

273
Advanced Secure Gateway Administration Guide

Section 4 Control File Uploads with Policy

Use a combined object to deny file uploading through WebEx.
Before You Begin
❐ Make sure the BCWF is licensed and active.
❐ Make sure the WebEx HTTP Handoff has been enabled before enacting policy.
❐ Go to Configuration > Application Classification > General, and click Enable Blue Coat
Application Classification on this device. This works with the Blue Coat Web Filter
to identify applications.

Follow this procedure:

1. Launch the VPM (Configuration > Policy > Visual Policy Manager).
2. Select Policy > Add Web Access Layer
3. Name the layer; for example, “WebEx Layer,” and click OK.
4. In the new layer, right click the Destination field, and click Set. The system
displays the Set Destination Object window.
5. Click New, and select the Combined Destination Object.
6. Name the object on the Add Combined Destination Object window, then click New,
and select the Request URL Application. The system displays the Add Request Web
Application Control window.

7. Name the object (for example, “WebExApplication”), select WebEx from the
left side list, and click OK.

274
 • If the Advanced Secure Gateway appliance is unable to connect to the
BCWF, you will see a “Problem connecting” message.
8. Click New on the Add Combined Destination Object window, and select the Request
URL Operation. The system displays the Add Request Web Operation Control
window.
a. Name the object (for example, “WebExOperation-UploadFiles”).
b. Select Upload Files from the left side list, and click OK.

Note: Other WebEx operations include Host Meeting, Join Meeting, and Login.

9. To set up policy where both objects are required for the action to occur, set up
an AND situation.
a. Highlight the first new object (“WebExApplication”), and click Add to
move it to the top right object field.
b. Highlight the second new object (“WebExOperation-UploadFiles”),
and click Add to move it to the lower object field.
c. Click OK. The window closes.
d. Click OK on the Set Destination Object window.

275
Advanced Secure Gateway Administration Guide

10. On the VPM window, right click Action on the current layer, and choose Allow or
Deny.

11. Install the policy.

276
Section 5 Control Desktop Sharing with Policy
Use a combined object to deny local desktop sharing through WebEx. Desktop
sharing is controlled by the Share Application function; the process is otherwise
the same as "Control File Uploads with Policy" .
Before You Begin
❐ Make sure the BCWF is licensed and active.
❐ Make sure the WebEx HTTP Handoff has been enabled before enacting policy.
❐ Go to Configuration > Application Classification > General, and click Enable Blue Coat
Application Classification on this device. This works with the Blue Coat Web Filter
to identify applications.

Follow this procedure:

1. Launch the VPM (Configuration > Policy > Visual Policy Manager).
2. Select Policy > Add Web Access Layer
3. Name the layer; for example, “WebEx Layer,” and click OK.
4. In the new layer, right click the Destination field, and click Set. The system
displays the Set Destination Object window.
5. Click New, and select the Combined Destination Object.
6. Name the object on the Add Combined Destination Object window, then click New,
and select the Request URL Application. The system displays the Add Request Web
Application Control window.

7. Name the object (for example, “WebExApplication”), select WebEx from the
left side list, and click OK.

277
Advanced Secure Gateway Administration Guide

• If the Advanced Secure Gateway appliance is unable to connect to the

BCWF, you will see a “Problem connecting” message.
8. Click New on the Add Combined Destination Object window, and select the Request
URL Operation. The system displays the Add Request Web Operation Control
window.
• Name the object (for example, “WebExOperation-ShareApplication”).
• Select Share Application from the left side list, and click OK.

278
9. To set up policy where both objects are required for the action to occur, set up
an AND situation.

a. Highlight the first new object (“WebExApplication”), and click Add to

move it to the top right object field.
b. Highlight the second new object (“WebExOperation-
ShareApplication”), and click Add to move it to the lower object field.
c. Click OK. The window closes.

279
Advanced Secure Gateway Administration Guide

d. Click OK on the Set Destination Object window.

10. On the VPM window, right click Action on the current layer, and choose Deny or
Allow.

11. Install the policy.

280
Section 6 WebEx Proxy Access Logging
WebEx actions are reported under the Collaboration proxy access log by default.
Actions include:
• a user joining a meeting
• a user leaving a meeting
• a user connection is dropped abruptly
• a file or application sharing session starting
• a file or application finishing
• a file or application being blocked
To verify Access Logging is enabled, go to Configuration > Access Logging > General,
and click Enable Access Logging on the Default Logging tab. Verify the Collaboration
log appears on the Configuration > Access Logging > Logs tab.
For information about access log customization, refer to the "Creating Custom
Access Log Formats" . To view the Collaboration log, go to Statistics > Access
Logging, and select collaboration in the Log field.
Each individual WebEx meeting has a designated nine digit Meeting ID. This
Meeting ID is recorded in the access logs. Follow the Show Log Collaboration link.
The following table provides the log decode.

Field Name Field description Possible values

date Date of event

time Time of event

c-ip Client IP

r-dns Remote hostname

duration Duration of the session in Applicable only to

seconds STOP_FILE_UPLOAD,
STOP_APPLICATION_SHAR
ING, and LEAVE_MEETING

x-collaboration-method Description of method JOIN_MEETING,

LEAVE_MEETING,
HOST_MEETING,
DISCONNECT,
START_FILE_UPLOAD,
STOP_FILE_UPLOAD,
START_APPLICATION_SHA
RING,
STOP_APPLICATION_SHAR
ING

s-action Whether a sharing session ALLOWED, DENIED,

was allowed or blocked (if FAILED, SUCCESS
applicable)

281
Advanced Secure Gateway Administration Guide

The following table provides the log decode.

Field Name Field description Possible values

x-collaboration-user-id WebEx user ID

x-collaboration-meeting- WebEx 9 digit meeting

id number

x-webex-site WebEx site name on

which this meeting is
hosted (for example,
"bluecoat" for
bluecoat.webex.com)

282
Section 7 Review WebEx Proxy Sessions
After WebEx traffic begins to flow through the Advanced Secure Gateway
appliance, you can review the statistics page and monitor results in various
WebEx categories. The presented statistics are representative of the client
perspective.

To review WebEx statistics:

1. From the Management Console, select Statistics > Sessions > Active Sessions.
2. On the Proxied Sessions tab, set the following:
a. At Filter, select Protocol.
b. Select WebEx from the drop down menu.
c. Click Show.

283
Advanced Secure Gateway Administration Guide

284
Chapter 11: Managing the File Transport Protocol (FTP) Proxy

This chapter discusses the Blue Coat implementation of proxy support for File
Transport Protocol (FTP).

Topics in this Chapter

This chapter includes information about the following topics:
❐ "How Do I...?"
❐ "About FTP" on page 285
❐ "Configuring the Advanced Secure Gateway Appliance for Native FTP
Proxy" on page 290
❐ "Configuring FTP Connection Welcome Banners" on page 292
❐ "Viewing FTP Statistics" on page 293

How Do I...?
To use this chapter, identify the task and click the link:

How do I... See...

Understand how the Advanced Secure "About FTP" on page 285

Gateway appliance manages IP
addresses?

Configure IP addresses? "Configuring IP Addresses for FTP

Control and Data Connections" on page
287

Configure native FTP? "Configuring the Advanced Secure

Gateway Appliance for Native FTP
Proxy" on page 290

Configure Web FTP? "About Web FTP" on page 164

Customize the welcome banner for the FTP "Configuring FTP Connection Welcome
proxy? Banners" on page 292

View FTP statistics? "Viewing FTP Statistics" on page 293

About FTP
The Advanced Secure Gateway appliance supports two FTP modes:
❐ Native FTP, where the client connects through the FTP proxy, either
explicitly or transparently; the Advanced Secure Gateway appliance then
connects upstream through FTP (if necessary).

285
Advanced Secure Gateway Administration Guide

❐ Web FTP, where the client uses an explicit HTTP connection. Web FTP is used
when a client connects in explicit mode using HTTP and accesses an ftp://
URL. The Advanced Secure Gateway appliance translates the HTTP request
into an FTP request for the origin content server (OCS), if the content is not
already cached, and then translates the FTP response with the file contents
into an HTTP response for the client.
Native FTP uses two parallel TCP connections to transfer a file, a control connection
and a data connection.
❐ Control connections: Used for sending commands and control information,
such as user identification and password, between two hosts.
❐ Data connections: Used to send the file contents between two hosts. By
default, the Advanced Secure Gateway appliance allows both active and
passive data connections.
• Active mode data connections: Data connections initiated by an FTP
server to an FTP client at the port and IP address requested by the FTP
client. This type of connection method is useful when the FTP server can
connect directly to the FTP client. The FTP command for active mode is
PORT (for IPv4) or EPRT (for IPv6). When an IPv4 FTP client is
communicating with an IPv6 FTP server, the Advanced Secure Gateway
appliance will perform the required conversion (PORT to EPRT); the
clients and servers will be unaware that this conversion has taken place.
• Passive mode data connections: Data connections initiated by an FTP
client to an FTP server at the port and IP address requested by the FTP
server. This type of connection is useful in situations where an FTP server
is unable to make a direct connection to an FTP client because the client is
located behind a firewall or other similar device where outbound
connections from the client are allowed, but inbound connections to the
client are blocked. The FTP command for passive mode is PASV (for IPv4)
or EPSV (for IPv6). When an IPv4 FTP client is communicating with an
IPv6 FTP server, the Advanced Secure Gateway appliance will perform
the required conversion (PASV to EPSV); the clients and servers will be
unaware that this conversion has taken place.
When using the FTP in active mode, the FTP data connection is formed from the
server (OCS) to the client, which is opposite from the direction of the FTP control
connection.

This section discusses:

❐ "Configuring IP Addresses for FTP Control and Data Connections" on page
287
❐ "Client-Side Data Connections Mode" on page 288
❐ "FTP Server Notes" on page 288

286
Configuring IP Addresses for FTP Control and Data Connections
The FTP client determines whether the client-side data connection is active or
passive from the client to the Advanced Secure Gateway appliance. The
Advanced Secure Gateway appliance determines the server-side connections.
By default, the Advanced Secure Gateway appliance allows both active and
passive data mode connections. FTP connections are divided into client-side
control and data connections and server-side control and data connections.
❐ Client-side control connection: The proxy always uses the client’s IP address
to respond to the client. No configuration is necessary here.
❐ Client-side data connection: The proxy's behavior depends on the
ftp.match_client_data_ip(yes | no) property that is set via policy using
CPL. If this property is enabled (the default), the proxy uses the same IP
address for the data connection as it uses for the client-side control
connection. If the property is disabled, the proxy uses its own IP address,
choosing the address associated with the interface used to connect back to the
client.
When an FTP client uses different protocols for control and data connections
(for example, IPv4 for control and IPv6 for data), the
ftp.match_client_data_ip property must be set to no so that the Advanced
Secure Gateway appliance’s address is used for the data connection. Because
each Advanced Secure Gateway interface is configured with an IPv4 and an
IPv6 address in a mixed Internet protocol environment, the Advanced Secure
Gateway appliance will use the appropriate IP address for the type of FTP
server. For example, for transferring data to an IPv6 FTP server, the appliance
will set up with the data connection using its IPv6 address.
When the client-side data and control connections are over IPv4 and the
server-side control and data connections are over IPv6, the
ftp.match_client_data_ip property can be set to yes.

❐ Server-side control connection: The proxy uses the IP address selected by the
reflect_ip(auto | no | client | vip | ip_address) property. By default, this
is the local proxy IP address associated with the interface used to connect to
the server.
Client IP reflection is set globally from the Configuration > Proxy Settings >
General tab. By default, the CPL reflect_ip( ) setting is auto, which uses this
global configuration value.
Client IP reflection will automatically be disabled when the client is IPv4 and
the server is IPv6.

Note: Setting client IP address reflection for FTP affects the source address
that is used when making the outgoing control connection to the origin
server. It might also affect which address is used by the proxy for data
connections.

287
Advanced Secure Gateway Administration Guide

❐ Server-side data connection: The proxy's behavior depends on the

ftp.match_server_data_ip(yes | no) property. If this property is enabled
(the default), the proxy uses the same IP address for the data connection as it
used for the server-side control connection. If the property is disabled, the
proxy uses its own IP address to communicate with the server, choosing the
address associated with the interface used to connect to the server.

Note: Either the reflect_ip( ) property or the reflect-client-ip

configuration must be set for the ftp.match_server_data_ip(yes) property
to be meaningful.

For information on creating and modifying policy through VPM, refer to the
Visual Policy Manager Reference. For information on creating and modifying policy
through CPL, refer to the <Emphasis>Blue Coat Content Policy Language Guide.
The ftp.match_server_data_ip( ) and ftp.match_client_data_ip( )
properties can only be set through CPL.

Client-Side Data Connections Mode

Administrators determine how the Advanced Secure Gateway appliance
responds to a request from an FTP client for a passive mode data connection.
By default, some FTP clients do not open a passive mode data connection to an IP
address that is different from the IP address used for the control connection.
When passive mode is disabled, some FTP clients try a PORT (IPv4) or EPRT
(IPv6) command automatically, which allows requests to be received when the
client doesn't allow passive connections to a different IP address.

Note: Some clients might display an error when passive mode is disabled on the
Advanced Secure Gateway appliance, requiring you to manually request active
mode using the PORT/EPRT FTP commands.

The FTP client software controls any messages displayed to the end user as a
result of this response from the Advanced Secure Gateway appliance.

Server-Side Data Connections Mode

The ftp.server_data(auto | passive | port) property controls the type of
server-side data connection that the Advanced Secure Gateway appliance opens
to the server. The default of auto means to try a passive connection first and then
fall back to an active connection if that fails.

FTP Server Notes

IIS and WS_FTP servers do not support:
❐ Passive data connections with a source IP address that is different from the
source IP address of the control connection.
❐ Active data connections with a destination IP address that differs from the
source IP address of the control connection.

288
The ftp.match_server_data_ip(no) property most likely will not work correctly
with these servers.

Notes
❐ Internet Explorer does not support proxy authentication for native FTP.
❐ The FTP proxy does not support customized exception text; that is, you can
use policy to deny requests, but you can't control the text sent in the error
message.

289
Advanced Secure Gateway Administration Guide

Section 1 Configuring the Advanced Secure Gateway Appliance for Native

FTP Proxy
This section discusses:
❐ "Modifying the FTP Proxy Service"
❐ "Configuring the FTP Proxy" on page 291
❐ "Configuring FTP Clients for Explicit Proxy" on page 292

Modifying the FTP Proxy Service

To use the capabilities of the FTP proxy, you need to make sure the FTP service is
set to intercept traffic. The following procedure describes how to verify this
setting, and explains other attributes within the service.

Note: Web FTP requires an HTTP service, not an FTP service. For information on
configuring an HTTP proxy service, see Chapter 8: "Intercepting and Optimizing
HTTP Traffic" on page 161.

To modify the FTP proxy service:

1. From the Management Console, select Configuration > Services > Proxy Services.

2a

2b

2. Intercept FTP traffic:

a. Scroll the list of service groups and click Standard to expand the
services list and locate the FTP service.
b. Is the FTP service set to Bypass or Intercept? If necessary, select Intercept
from the drop-down list.
3. Click Apply.
Now that you have verified that the Advanced Secure Gateway appliance is
intercepting FTP traffic, configure the FTP proxy options. Proceed to "Configuring
the FTP Proxy" on page 291.

290
Configuring the FTP Proxy
The FTP proxy has several configurable settings related to caching of FTP objects
and whether passive mode is allowed.

To configure the FTP proxy:

1. Select Configuration > Proxy Settings > FTP Proxy.

2a
2b
2c
2d

2e

2. Configure the FTP proxy settings:

a. Select Allow caching of FTP objects. The default is enabled.
b. Determine how long the object will be cached, in relation to when it
was last modified. This setting assumes the object’s last-modified
date/time is available from the server. (The next setting, in step c
below, applies to situations when the last-modified date is unknown.)
The default is 10%. The amount of time that the object will be cached is
calculated as follows:
percentage * (current_time - last_modified_time)

where current_time is the time when the object was requested by the
client. So, if it’s been 10 days since the object was modified, and the setting
is 10%, the object will be cached for one day.
c. Enter an amount, in hours, that the object remains in the cache before
becoming eligible for deletion. This setting applies to objects for which
the last-modified date is unknown. The default is 24 hours.
d. Select Allow use of passive mode to clients. The default is enabled, allowing
data connections to be initiated by an FTP client to an FTP server at the
port and IP address requested by the FTP server. (Active mode
connections are always allowed, regardless of whether the passive
mode setting is enabled or disabled.)
e. (Optional) See "Configuring FTP Connection Welcome Banners" on
page 292.
3. Click Apply.

291
Advanced Secure Gateway Administration Guide

Note: Neither proxy authentication for transparent FTP nor proxy chaining are
supported with the Checkpoint syntax. When native FTP traffic from an FTP
client (such as WSFtp) is being authenticated by the Advanced Secure Gateway
appliance using the Raptor syntax, the recommended authentication mode is auto
or proxy.

Configuring FTP Clients for Explicit Proxy

To explicitly proxy to the Advanced Secure Gateway appliance, each FTP client
must be configured with the IP address of the Advanced Secure Gateway
appliance. In addition, the client may need additional configuration. The example
below describes how to configure the WSFtp client; you will want to use
equivalent steps for other FTP clients.
❐ Enable firewall.
❐ Select USER with no logon unless you are doing proxy authentication. In that
case, select USER remoteID@remoteHost fireID and specify a proxy username and
password.

Figure 11–1 Example WSFTtp Client Configuration

Configuring FTP Connection Welcome Banners

You can customize banners that usually describe the policies and content of the
FTP server displayed to FTP clients. Without modification, the Advanced Secure
Gateway appliance sends a default banner to newly-connected FTP clients:
Welcome to Blue Coat FTP. However, you might not want users to know that a
Advanced Secure Gateway appliance exists on the network. A default banner can
be defined in the Management Console or the CLI, but other banners defined for
specific groups can be created in policy layers.

Note: Configurable banners are only displayed when FTP is explicitly proxied
through the Advanced Secure Gateway appliance. In transparent deployments,
the banner is sent to the client when proxy authentication is required; otherwise,
the FTP server sends the banner.

To define the default FTP banner:

1. Select Configuration > Services > FTP Proxy.

292
 2. In the Welcome Banner field, enter a line of text that is displayed on FTP clients
upon connection. If the message length spans multiple lines, the Advanced
Secure Gateway appliance automatically formats the string for multiline
capability.

The welcome banner text is overridden by the policy property

ftp.welcome_banner(). This is required for explicit proxy requests, when
doing proxy authentication, and also when the policy property
ftp.server_connection(deferred|immediate) is set to defer the connection.

3. Click Apply.

Viewing FTP Statistics

See "HTTP/FTP History Statistics" on page 213 for information about viewing the
FTP statistics.

293
Advanced Secure Gateway Administration Guide

294
Chapter 12: Managing the Domain Name Service (DNS)
Proxy

This chapter discusses managing Domain Name Service (DNS) traffic through
the DNS proxy on the Advanced Secure Gateway appliance (to configure the
Advanced Secure Gateway connections to DNS servers, see "Adding DNS
Servers to the Primary or Alternate Group" on page 829).

Topics in this Chapter

This chapter includes information about the following topics:
❐ "About the DNS Proxy"
❐ "Intercepting the DNS Proxy Service" on page 296
❐ "Creating a Resolving Name List" on page 296

About the DNS Proxy

The Advanced Secure Gateway appliance is not a DNS server. It does not
perform zone transfers, and it forwards recursive queries to other name
servers. When a DNS proxy service is enabled (intercepted), it listens on port 53
for both explicit and transparent DNS domain query requests. By default, the
service is created but not enabled.
The DNS proxy performs a lookup of the DNS cache on the Advanced Secure
Gateway appliance to determine if requests can be answered locally. If yes, the
Advanced Secure Gateway appliance responds to the DNS request. If not, the
DNS proxy forwards the request to the DNS server list configured on the
Advanced Secure Gateway appliance.
Through policy, you can configure a list of resolved domain names (the
resolving name list) the DNS uses. The domain name in each query received by
the Advanced Secure Gateway appliance is compared against the resolving
name list. Upon a match, the Advanced Secure Gateway appliance checks the
resolving list. If a domain name match is found but no IP address was
configured for the domain, the Advanced Secure Gateway appliance sends a
DNS query response containing its own IP address. If a domain name match is
found with a corresponding IP address, that IP address is returned in a DNS
query response. All unmatched queries are sent to the name servers configured
on the Advanced Secure Gateway appliance.

IPv6 Support
The DNS proxy is able to communicate using IPv4 or IPv6, either explicitly or
transparently.
The resolving name list can contain entries for IPv4 and IPv6 addresses. An
entry can contain either IPv4 or IPv6 addresses, although you cannot combine
IPv4 and IPv6 addresses in a single entry.

295
Advanced Secure Gateway Administration Guide

Intercepting the DNS Proxy Service

By default (upon upgrade and on new systems), the Advanced Secure Gateway
appliance has an DNS proxy service configured on port 53. The service is
configured to listen to all IP addresses, but is set to Bypass mode.
The following procedure describes how to change the service to Intercept mode.

To configure the DNS proxy to intercept traffic:

1. From the Management Console, select Configuration > Services > Proxy Services.

2a

2b

2. Intercept DNS traffic:

a. Expand the Standard service group, and select DNS.
b. If the DNS service is currently set to Bypass, select Intercept.
3. Click Apply.

Creating a Resolving Name List

You can create the resolving name list that the DNS proxy uses to resolve domain
names. This procedure can only be done through policy. (For a discussion on
using the <DNS-Proxy> layer, refer to the <Emphasis>Blue Coat Content Policy
Language Guide.)
Each entry in the list contains a domain-name matching pattern. The matching
rules are:
❐ test.com matches only test.com and nothing else.
❐ .test.com matches test.com, www.test.com and so on.
❐ “.” matches all domain names.
An optional IP address can be added, which allows the DNS proxy to return any
IP address if the DNS request's name matches the domain name suffix string
(domain.name). Either IPv4 or IPv6 addresses can be specified.
To create a resolving name list, create a policy, using the <DNS-Proxy> layer, that
contains text similar to the following:

296
 <DNS-Proxy>
dns.request.name=www.example.com dns.respond.a(vip)
-or-
<DNS-Proxy>
dns.request.name=.example.com dns.respond.a(vip)
-or-
<DNS-Proxy>
dns.request.name=www.example.com dns.respond.a(10.1.2.3)
-or-
<DNS-Proxy>
dns.request.name=www.google.com dns.respond.aaaa(2001::1)
An entry can contain either IPv4 or IPv6 addresses, although you cannot combine
IPv4 and IPv6 addresses in a single entry. Use the dns.respond.a property for IPv4
hosts and dns.respond.aaaa for IPv6 hosts. If you specify vip instead of a specific
IP address, the response will contain the Advanced Secure Gateway IP address
(the IPv6 address for dns.respond.aaaa or the IPv4 address for dns.respond.a).

Note: You can also create a resolving name list using the Visual Policy Manager
(VPM). For more information about the DNS Access Layer in the VPM, refer to the
Visual Policy Manager Reference.

297
Advanced Secure Gateway Administration Guide

298
Chapter 13: Managing a SOCKS Proxy

This chapter discusses the Advanced Secure Gateway SOCKS proxy.

Topics in this Chapter

This chapter includes information about the following topics:
❐ "About SOCKS Deployments" on page 299
❐ "Intercepting the SOCKS Proxy Service" on page 299
❐ "Configuring the SOCKS Proxy" on page 301
❐ "Using Policy to Control the SOCKS Proxy" on page 301
❐ "Viewing SOCKS History Statistics" on page 303
❐ "Viewing SOCKS History Statistics" on page 303

About SOCKS Deployments

While SOCKS servers are generally used to provide firewall protection to an
enterprise, they also can be used to provide a generic way to proxy any TCP/IP
or UDP protocols. The Advanced Secure Gateway appliance supports both
SOCKS4/4a and SOCKS5; however, because of increased username and
password authentication capabilities and compression support, Blue Coat
recommends that you use SOCKS5. Note that there is only one listener for all
SOCKS connections (SOCKS 4 and 5).

IPv6 Support
The SOCKS proxy includes basic IPv6 support for CONNECT and BIND.
In addition, for any service that uses the SOCKS proxy, you can create listeners
that bypass or intercept connections for IPv6 sources or destinations.

Intercepting the SOCKS Proxy Service

By default, the Advanced Secure Gateway appliance includes a pre-defined
service for SOCKS that listens on port 1080, but the service is set to Bypass. To
use the SOCKS proxy, you need to set this service to Intercept. To configure the
SOCKS proxy to intercept traffic:
1. In the Management Console, select Configuration > Services > Proxy Services.

299
Advanced Secure Gateway Administration Guide

2a

2b

2. Change the SOCKS service to intercept

a. Scroll the list of service groups, click Standard, and select SOCKS.
b. If the action for the default service (port 1080) is set to Bypass, select
Intercept from the drop-down list.

3. Click Apply.

300
Section 1 Configuring the SOCKS Proxy
Complete the following steps to create a SOCKS proxy and to configure SOCKS-
proxy connection and timeout values. For more information, see "About SOCKS
Deployments" on page 299.

To create a SOCKS proxy server:

1. Select Configuration > Services > SOCKS Proxy.

2. The displayed defaults should be sufficient for most purposes. The following
table discusses the options.
Table 13–1 SOCKS Proxy Options

Option Suboption Description

Max-Connections connections Set maximum allowed SOCKS client
connections. The default of 0 indicates an
infinite number of connections are allowed.
Connection seconds Set maximum time to wait on an outbound
timeout CONNECT.

Bind timeout on seconds Set maximum time to wait on an inbound BIND.

accept

Minimum idle seconds Specifies the minimum timeout after which

timeout SOCKS can consider the connection for
termination when the maximum connections
are reached.
Maximum idle seconds Specifies the max idle timeout value after which
timeout SOCKS terminates the connection.

Using Policy to Control the SOCKS Proxy

After setting basic configuration for the SOCKS proxy, you can define policy to
control the SOCKS proxy.
❐ To use SOCKS5, which allows you to use a SOCKS username/password, you
must set the version through policy.
• If using the VPM, go to a Forwarding Layer, select Source > Set Source Object >
New > SOCKS Version.

• If using CPL, enter the following:

301
Advanced Secure Gateway Administration Guide

<proxy> client.protocol=socks
ALLOW socks.version=5
DENY

❐ If browsers and FTP clients are configured to use SOCKS encapsulation and a
rule in policy is matched that denies a transaction, a page cannot be displayed
message displays instead of an exception page.
This is expected behavior, as a deny action abruptly closes the client's TCP
connection, yet the client is expecting a SOCKS-style closure of the connection.
You can avoid this, and return an exception page, by applying the following
policy:
• If using the VPM, go to a Web Access Layer, create two rules. For the first
rule, select Service > New > Client Protocol > SOCKS > TCP Tunneling over SOCKS;
for the second, select Service > New > Client Protocol > SOCKS > All SOCKS.
• If using CPL, enter the following:
<Proxy>
DENY socks=yes tunneled=yes
DENY socks=yes

❐ (Introduced in version 6.6.4) SOCKS5 supports Kerberos authentication. You

can use Kerberos authentication over SOCKS5 when an application that uses
SOCKS—for example, SSH or FTP—does not support Kerberos authentication
or proxy servers. To acquire a Kerberos ticket, the SOCKS client must be able
to access the appliance using the hostname.
Use the socks.authenticate() property to authenticate SOCKS5 connections
using Kerberos credentials.

302
Section 2 Viewing SOCKS History Statistics
The SOCKS History tabs (SOCKS Clients, SOCKS Connections, and SOCKS client
and server compression) display client data, Connect, Bind, and UPD Associate
requests, client and server UDP, TCP and compression requests.

Note: The SOCKS history statistics are available only through the Management
Console.

Viewing SOCKS Clients

The SOCKS Clients tab displays SOCKS Client data.

To view SOCKS client data:

1. Select Statistics > SOCKS History > SOCKS Clients.
2. Select a time period for the graph from the Duration: drop-down list.
3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.

Viewing SOCKS Connections

The SOCKS Connections tab displays SOCKS Connection data.

To view SOCKS connection data:

Select Statistics > SOCKS History > SOCKS Connections.

303
Advanced Secure Gateway Administration Guide

Viewing SOCKS Client and Server Compression Gain Statistics

You can view SOCKS client and server compression-gain statistics for the
Advanced Secure Gateway appliance over the last 60 minutes, 24 hours, and 30
days in the Client Comp. Gain and the Server Comp. Gain tabs. These statistics are not
available through the CLI.
The green display on the bar graph represents uncompressed data; the blue
display represents compressed data. Hover your cursor over the graph to see the
compressed gain data.
See one of the following topics:
❐ "Viewing SOCKS Client Compressed Gain Statistics"
❐ "Viewing SOCKS Server Compressed Gain Statistics"

Viewing SOCKS Client Compressed Gain Statistics

To view SOCKS client compressed gain statistics:
1. Select Statistics > SOCKS History > Client Comp. Gain.
2. Select a time period for the graph from the Duration: drop-down list.

304
3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.

Viewing SOCKS Server Compressed Gain Statistics

To view SOCKS Server compressed gain statistics:
1. Select Statistics > SOCKS History > Server Comp. Gain.
2. Select a time period from the Duration: drop-down list.

3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.

305
Advanced Secure Gateway Administration Guide

306
Chapter 14: Managing Shell Proxies

This chapter discusses how to configure the Telnet shell proxy. Shell proxies
provide shells which allow a client to connect to the Advanced Secure Gateway
appliance. In this version, only a Telnet shell proxy is supported.

Topics in this Chapter

This chapter includes information about the following topics:
❐ "About Shell Proxies" on page 307
❐ "Customizing Policy Settings for Shell Proxies" on page 308
❐ "About Telnet Shell Proxies" on page 308
❐ "Configuring the Telnet Shell Proxy Service Options" on page 310
❐ "Viewing Shell History Statistics" on page 312

About Shell Proxies

Using a shell proxy, you can:
❐ terminate a Telnet protocol connection either transparently or explicitly.
❐ authenticate users either transparently or explicitly.
❐ view the access log.
❐ enforce policies specified by CPL.
❐ communicate though an upstream SOCKS gateway and HTTP proxy using
the CONNECT method.
Within the shell, you can configure the prompt and various banners using CPL
$substitutions. You can also use hard-coded text instead of CPL substitutions
(available substitutions are listed in the table below). The syntax for a CPL
substitution is:
$(CPL_property)

Table 14–1 CPL Substitutions for Shell Proxies

Substitution Description

proxy.name or Configured name of the Advanced Secure

appliance.name Gateway appliance.
proxy.address IP address of the appliance on which this
connection is accepted. You can specify either an
IPv4 or an IPv6 address.
proxy.card Adapter number of the appliance on which this
connection is accepted.

307
Advanced Secure Gateway Administration Guide

Table 14–1 CPL Substitutions for Shell Proxies

Substitution Description
client.protocol This is telnet.
client.address IP address of the client. IPv4 and IPv6 addresses
are accepted.

proxy.primary_address or Primary address of the proxy, not where the user

appliance.primary_address is connected. You can specify either an IPv4 or an
IPv6 address.
release.id SGOS version.

Customizing Policy Settings for Shell Proxies

For information on using CPL to manage shell proxies, refer to <Emphasis>Blue
Coat Content Policy Language Guide.

Boundary Conditions for Shell Proxies

❐ A hardcoded timeout of five minutes is enforced from the acceptance of a new
connection until destination information is provided using the Telnet
command.
❐ If proxy authentication is enabled, users have three chances to provide correct
credentials.
❐ Users are not authenticated until destination information is provided.
❐ Users can only enter up to an accumulated 2048 characters while providing
the destination information. (Previous attempts count against the total
number of characters.)
❐ Connection to an upstream HTTP proxy is not encouraged.
❐ If connections from untrustworthy IP address or subnet are not desired, then a
client IP/subnet-based deny policy must be written.

About Telnet Shell Proxies

The Telnet shell proxy allows you to manage a Telnet protocol connection to the
Advanced Secure Gateway appliance. Using the Telnet shell proxy, the Advanced
Secure Gateway appliance performs:
❐ Explicit termination without proxy authentication, where you explicitly
connect through Telnet to the Advanced Secure Gateway host name or IP
address. In this case, the Advanced Secure Gateway appliance provides a
shell.

308
❐ Explicit termination with proxy authentication, where after obtaining the
destination host and port information from the user, the Advanced Secure
Gateway appliance challenges for proxy credentials. After the correct proxy
credentials are provided and authenticated, the appliance makes an upstream
connection and goes into tunnel mode. In this case, the appliance provides a
shell.
❐ Transparent termination without proxy authentication, where the Advanced
Secure Gateway appliance intercepts Telnet traffic through an L4 switch,
software bridge, or any other transparent redirection mechanism. From the
destination address of TCP socket, the Advanced Secure Gateway appliance
obtains OCS contact information and makes the appropriate upstream
connection, either directly or through any configured proxy. For more
information on configuring a transparent proxy, see Chapter 6: "Explicit and
Transparent Proxy" on page 111.
❐ Transparent termination with proxy authentication, where, after intercepting
the transparent connection, the Advanced Secure Gateway appliance
challenges for proxy credentials. After the correct proxy credentials are
provided and authenticated, the Advanced Secure Gateway appliance makes
an upstream connection and goes into tunnel mode.
After in the shell, the following commands are available:
❐ help: Displays available commands and their effects.
❐ telnet server[:port]: Makes an outgoing Telnet connection to the specified
server. The colon (:) between server and port can be replaced with a space, if
preferred. The server can be an IPv4 or an IPv6 host.
❐ exit: Terminates the shell session.

309
Advanced Secure Gateway Administration Guide

Section 1 Configuring the Telnet Shell Proxy Service Options

This section describes how to change the default service options and add new
services.

Changing the Telnet Shell Proxy Service to Intercept All IP Addresses

on Port 23
The service is configured to listen to all IP addresses, but is set in Bypass mode.
The following procedure describes how to change the service to Intercept mode.
Default settings are:
❐ Proxy Edition–a Telnet proxy service is configured but disabled on port 23 on
a new system.
❐ Proxy Edition– a Telnet proxy service is not created on an upgrade.
❐ MACH5 Edition–a transparent TCP tunnel connection listening on port 23 is
created in place of the default Telnet proxy service.

To configure the Telnet Shell proxy to intercept traffic:

1. From the Management Console, select Configuration > Services > Proxy Services.

Bypass Recommended
service group (by default)

2. Scroll to the Bypass Recommended service group and click it to expand the list.
3. Select Telnet.
4. From the drop-down list, select Intercept.
5. Click Apply.

Customizing Welcome and Realm Banners and Prompt Settings

You can configure banners for the Telnet shell and the realm and set the prompt
that users see when entering the shell.

To customize Telnet shell proxy settings:

1. Select Configuration > Proxy Settings > Shell Proxies > Telnet Proxy Settings.

310
 2

2. To set the maximum concurrent connections, select Limit Max Connections. Enter
the number of maximum concurrent connections allowed for this service.
Allowed values are between 1 and 65535.
3. (Optional) Change the default banner settings.
• Welcome banner—Users see this when they enter the shell. The default
string is: Blue Coat $(module_name) proxy.
• Realm banner—Users see this help message just before they see the
Username prompt for proxy authentication. The default string is:
Enter credentials for realm $(realm).

• Prompt—The command prompt. The default string is:

$(module_name)-proxy>.

For a list of available substitutions, see "Customizing Policy Settings for

Shell Proxies" on page 308.
Click View/Edit to display the respective banner dialog. Change the string.
Click OK.
4. Click Apply.

Notes for Telnet Shell Proxies

❐ Telnet credential exchange is in plaintext.
❐ A Telnet proxy cannot be used to communicate with non-Telnet servers (such
as Webservers on port 80) because Telnet proxies negotiate Telnet options with
the client before a server connection can be established.

311
Advanced Secure Gateway Administration Guide

Section 2 Viewing Shell History Statistics

The Shell History tab displays client connections over the last 60-minute, 24-hour,
and 30-day period.

Note: The Shell history statistics are available only through the Management
Console.

To view Shell history statistics:

1. Select Statistics > Protocol Details > Shell History.

2. Select a time- period for the graph from the Duration: drop-down list. The
default setting is last hour.
3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.

312
Chapter 15: Configuring and Managing an HTTPS Reverse
Proxy

This section describes how to use the Blue Coat HTTPS Reverse Proxy solution.
It includes the following topics:
❐ Section A: "About the HTTPS Reverse Proxy" on page 313
❐ Section B: "Configuring the HTTPS Reverse Proxy" on page 314
❐ Section C: "Configuring HTTP or HTTPS Origination to the Origin Content
Server" on page 321

Section A: About the HTTPS Reverse Proxy

The Blue Coat HTTPS Reverse Proxy implementation:
❐ Combines hardware-based SSL acceleration with full caching functionality.
❐ Establishes and services incoming SSL sessions.
❐ Provides TLS v1.2, TLS v1.1, TLSv1, SSL v3.0, SSL v2.0 and protocol
support.
❐ Supports IPv6 connections.

313
Advanced Secure Gateway Administration Guide

Section B: Configuring the HTTPS Reverse Proxy

This section describes how to enable the HTTPS reverse proxy.

Note: One common scenario in using HTTPS reverse proxy, which connects the
client to the Advanced Secure Gateway appliance, is in conjunction with HTTPS
origination, which is used to connect to the origin content server (OCS). For more
information on this option, see Section C: "Configuring HTTP or HTTPS
Origination to the Origin Content Server" on page 321.

Prerequisite Tasks
Before creating an HTTP reverse proxy service, you must:
❐ Create or import a keyring (Configuration > SSL > Keyrings > SSL Keyrings).
❐ (If necessary) Create a Certificate Signing Request (CSR) that can be sent to a
Certificate Signing Authority (CA). After the CSR has been signed and the
certificate has been created, import the certificate to the keyring you created or
imported in the previous step. (Select Configuration > SSL > Keyrings. Select the
keyring you created or imported, and then click Edit. In the Certificate Signing
Request section, click Import, paste the CSR, and click OK. Click Close > Apply).
-or-
❐ Create a certificate for internal use and associate it with the keyring.
❐ (Optional, if using server certificates from CAs) Import Certificate Revocation
Lists (CRLs) so the Advanced Secure Gateway appliance can verify that
certificates are still valid.
When these steps are complete, you can configure the HTTPS reverse proxy
service.

314
Creating an HTTPS Reverse Proxy Service
Unlike other services, the Advanced Secure Gateway appliance does not create an
HTTPS Reverse Proxy service by default. (The Advanced Secure Gateway
appliance has an HTTPS proxy service configured on port 443.) Therefore, you
must create a new service.

To create an HTTPS reverse proxy service:

1. Select Configuration > Services > Proxy Services.

2. Click New Service.

315
Advanced Secure Gateway Administration Guide

3
4

3. In the Name field, enter a name to identify the service.

4. From the Service Group drop-down list, select which group displays the service
on the main page. You can add the service to a default group or any already
created custom groups.
5. Configure Proxy Settings options:
a. Select HTTPS Reverse Proxy from the Proxy settings drop-down list.
b. In the Keyring drop-down list, select any already created keyring that is
on the system. The system ships with a default keyring that is reusable
for each HTTPS service.

Note: The configuration-passwords-key keyring that shipped with the

Advanced Secure Gateway appliance does not contain a certificate.
The appliance-key keyring does contain a certificate if you have Internet
connectivity, but it cannot be used for purposes other than appliance
authentication. For information about appliance authentication, see the
Authentication topics.

c. CA Cert List: Use the drop-down list to select any already created list
that is on the system.
d. SSL Versions: Select the version(s) to use for this service from the list.
The default is TLS v1, TLS v1.1, and TLS v1.2.

316
 e. Verify Client: Select this option to enable mutual SSL authentication. See
"About Mutual SSL Authentication" on page 319 for information.
Selecting this option makes the Forward Client Certificate option available.
f. Forward Client Cert: (Available if Verify Client is selected)
Select this option
to put the extracted client certificate information into the Client-Cert
header that is included in the request when it is forwarded to the
origin content server. The header contains the certificate serial number,
subject, validity dates, and issuer (all as name=value pairs). The actual
certificate itself is not forwarded.
6. Create a listener for the IP address(es) and ports that this application protocol
uses. In the Listeners area, click New. The New Listener dialog displays.

8a

8b

8c

8d

7. Configure the new listener attributes:

a. In the Source address area, the most common selection is All, which
means the service applies to requests from any client (IPv4 or IPv6).
You can, however, restrict this listener to a specific IPv4/IPv6 address
or user subnet/prefix length.
b. Select a Destination address from the options. The correct selection
might depend on network configuration. For descriptions of the
options, see Chapter 7: "Managing Proxy Services" on page 121.
c. In the Port Range field, the default port is 443. Only change this if your
network uses another port for SSL.
d. In the Action area, select Intercept.

317
Advanced Secure Gateway Administration Guide

e. Click OK to close the dialog.

8. Click Ok to add the new service to the selected service group.
9. Click Apply.

318
About Mutual SSL Authentication
During an SSL handshake, the client and server negotiate the mode of operation,
the type of authentication required by both parties, the cryptographic and
hashing algorithms to use for providing confidentiality and integrity, and the
compression algorithm to use for the session.
SSL authentication can use the following modes of operation:
❐ Typical SSL authentication: This mode provides confidentiality and integrity
of the data sent between the client and the server, and requires the server to
authenticate to the client using an X.509 certificate.
❐ Mutual SSL authentication: In this mode, the server authenticates to the client
using an X.509 certificate and the client must authenticate to the server with a
separate X.509 certificate.
When a Common Access Card (CAC) is used, the certificate identifies the user
who owns the CAC. For information on CAC authentication, refer to the
Common Access Card Solutions Guide.
In mutual SSL authentication, an SSL connection between a client and a server is
established only if the client and server validate each other’s identity during the
SSL handshake. Both the server and the client must have their own valid
certificate and the associated private key in order to authenticate.

Note: TLS is supported based on the server and client in use. For brevity, this
section refers only to SSL; however, SSL can be used interchangeably with TLS.

Typical SSL Authentication

In this scenario, the user logs in to the Advanced Secure Gateway appliance
(server) using a browser (client). During this process, the client (browser)
validates the server (Advanced Secure Gateway appliance) certificate. This
includes the following checks:
❐ The certificate subject must match the server’s hostname.

319
Advanced Secure Gateway Administration Guide

❐ The certificate must be issued by a CA listed in the browser’s Trusted Root

Certificate store.
❐ The client confirms that the server has the certificate's private key by
challenging the server to sign random data. The client validates the signature
using the server's certificate.

Mutual SSL Authentication

In this scenario, the user logs in to the Advanced Secure Gateway appliance using
mutual SSL authentication. During this process:
1. The client (browser) validates the server (Advanced Secure Gateway
appliance) certificate. This includes the following checks:
• The certificate subject must match the server’s hostname.
• The certificate must be issued by a CA listed in the browser’s Trusted Root
Certificate store.
• The client confirms that the server has the certificate's private key by
challenging the server to sign random data. The client validates the
signature using the server's certificate.
2. The server (Advanced Secure Gateway appliance) validates the client
certificate that the browser presents. This includes the following checks:
• The certificate must be issued by a CA in the CCL for the Advanced Secure
Gateway appliance service that is performing the validation.
• The server confirms that the client has the certificate's private key by
challenging the client to sign random data. The server validates the
signature using the client's certificate.
• The certificate must be valid; it must have a valid signature and not be
expired.
• (If using a CRL) The certificate must not have been revoked.

320
Section C: Configuring HTTP or HTTPS Origination to the Origin
Content Server
In previous procedures, you configured HTTPS Reverse Proxy to the Advanced
Secure Gateway appliance. In two common termination scenarios, you must also
configure HTTPS origination to the Origin Content Server (OCS).
The first two scenarios are used to provide a secure connection between the proxy
and server, if, for example, the proxy is in a branch office and is not co-located
with the server.
Table 15–1 Scenario 1: HTTPS Reverse Proxy with HTTPS Origination

HTTPS Reverse Proxy HTTPS Origination

Client > HTTPS > Advanced Secure Advanced Secure

Gateway Gateway > HTTPS > Origin Content Server

Steps Steps
• Configure a keyring. • (Optional) Add a forwarding host.
• Configure the SSL client. • (Optional) Set an HTTPS port.
• Configure the HTTPS service. • (Optional) Enable server certificate
Table 15–2 Scenario 2: HTTP Termination with HTTPS Origination

HTTPS Reverse Proxy HTTPS Origination

Client > HTTPS > Advanced Secure Advanced Secure

Gateway Gateway > HTTPS > Origin Content Server

Steps Steps
• Client is explicitly proxied. • Server URL rewrite.
-or-
• Add a forwarding host
• Set an HTTPS port.
• (Optional) Enable server certificate
verification

Using server URL rewrite is the preferred method. For information on rewriting
the server URL, refer to the <Emphasis>Blue Coat Content Policy Language Guide.

To configure HTTPS origination:

At the (config) command prompt, enter the following commands:
#(config forwarding) create host_alias hostname https[=port_number]
server ssl-verify-server=yes
where:

Table 15–3 HTTPS Origination Commands

Option Parameters Description

host_alias alias_name Specifies the alias name of the OCS.

321
Advanced Secure Gateway Administration Guide

Table 15–3 HTTPS Origination Commands (Continued)

Option Parameters Description

host_name Specifies the host name or IPv4/IPv6 address of
the OCS, such as www.bluecoat.com.
https [=port_number] Specifies the port number on which the OCS is
listening.
server Specifies to use the relative path for URLs in the
HTTP header because the next hop is a Web
server, not a proxy server. Proxy is the default.
ssl-verify- yes | no Specifies whether the upstream server certificate
server= should be verified. You can only enable this
command if the upstream host is a server, not a
proxy.

The next scenario is useful when the Advanced Secure Gateway appliance is
deployed as a reverse proxy. This scenario is used when it is not necessary for a
secure connection between the proxy and server. For information on using the
Advanced Secure Gateway appliance as a reverse proxy, see Section D: "Selecting
an HTTP Proxy Acceleration Profile" on page 182.
Table 15–4 Scenario 2: HTTP Reverse Proxy with HTTPS Origination

HTTPS Reverse Proxy HTTPS Origination

Client > HTTPS > Advanced Secure Advanced Secure

Gateway Gateway > HTTPS > Origin Content Server

Steps Steps
• Configure a keyring • Server URL rewrite
• Configure the SSL client -or-
• Configure the HTTPS service • Add a forwarding host
• Set an HTTP port

Using server URL rewrite is the preferred method. For information on rewriting
the server URL, refer to the Content Policy Language Reference.

To configure HTTP origination:

At the (config) command prompt, enter the following commands:
#(config forwarding) create host_alias host_name http[=port_number]
server
where:

Table 15–5 HTTP Origination Commands

host_alias alias_name Specifies the alias name of the OCS.

host_name Specifies the host name or IPv4/IPv6 address
of the OCS, such as www.bluecoat.com.

322
 Table 15–5 HTTP Origination Commands (Continued)

http [=port_number] Specifies the port number on the OCS in which

HTTP is listening.
server server specifies to use the relative path for
URLs in the HTTP header because the next hop
is a Web server, not a proxy server. Proxy is the
default.

Creating Policy for HTTP and HTTPS Origination

Forwarding hosts must be already created on the Advanced Secure Gateway
appliance before forwarding policy can be created.

To create a policy using CPL:

<forward>
url.host=host_name forward(host_alias)

To create a policy using VPM:

1. In the VPM, create a Forwarding Layer.
2. Set the Destination to be the URL of the OCS.
3. Set the Action to forward to the forwarding host and configure parameters to
control forwarding behavior.

323
Advanced Secure Gateway Administration Guide

324
Chapter 16: Using the Advanced Secure Gateway Appliance
in an IPv6 Environment

This section describes how a Advanced Secure Gateway can be configured to

work in an IPv6 environment and explains the secure Web gateway features
that support IPv6. It is assumed that you understand the underlying IPv6
technology.

Topics in this Section

This section includes information about the following topics:
❐ "Using a Advanced Secure Gateway as an IPv6 Secure Web Gateway"
❐ "IPv6 Support on the Advanced Secure Gateway" on page 330
❐ "Configuring the Advanced Secure Gatewayto Work in an IPv6
Environment" on page 337
❐ "Optimizing ISATAP Traffic" on page 341
❐ "Configuring IPv6 Global Settings" on page 342
❐ "IPv6 Policies" on page 342

Using a Advanced Secure Gateway as an IPv6 Secure Web Gateway

The Advanced Secure Gateway’s secure Web gateway functionality operates in
both IPv4 or IPv6 networks. It provides visibility and control of all Web user
communications — through authentication, authorization, logging, reporting,
and policy enforcement — to create a productive, safe Web environment. The
Advanced Secure Gateway has proxy support for multiple protocols and can
control encrypted traffic for all users and applications inside and outside the
enterprise. In addition, the Advanced Secure Gateway has built-in Web content
filtering and content controls to prevent users from accessing inappropriate
content using company resources.
In addition to its security and caching capabilities, the Advanced Secure
Gateway offers functionality as an IPv4-to-IPv6 transition device. When an
IPv6-enabled Advanced Secure Gateway is deployed between IPv4 and IPv6
networks, IPv4 clients will be able to access resources and services that are
available only in the IPv6 domain. Likewise, IPv6 clients can access IPv4
resources when an IPv6-enabled Advanced Secure Gateway is part of the
deployment. The Advanced Secure Gateway understands both IPv4 and IPv6
addresses, handles the DNS resolution of IPv4 and IPv6, and provides multiple
proxy services that work in an IPv6 environment.

325
Advanced Secure Gateway Administration Guide

Transparent Load Balancing

The Advanced Secure Gateway appliance can intercept IPv4 or IPv6 connections
and load balance either type of connection in a connection forwarding cluster. The
cluster can contain both IPv4 and IPv6 addresses. The connection forward IP can
be of the same type (for example, IPv6 for IPv6, IPv4 for IPv4) or a different type
(IPv6 for IPv4 or vice versa) as the incoming connection. All Advanced Secure
Gateway appliances in the forwarding cluster must be able to handle the address
type of the connection.

Explicit Load Balancing

When using explicit tunnels, you can load balance for IPv4 and IPv6. When
configuring load balancing with server subnets, multiple Concentrator peers can
front an IPv4/IPv6 subnet. If multiple Concentrator peers are configured as
Internet gateways, Branch peers will choose only those Concentrator peers that
contain at least one address of the same family as the destination address.
When using an external load balancer, you can configure an IPv4 or IPv6 external
virtual IP (VIP) address. The VIP address type (IPv4 vs. IPv6) must be reachable
from all Branch peers.

326
Section 1 Using the Advanced Secure Gateway Appliance in an ISATAP
Network
One way to transition a network from IPv4 to IPv6 is with the Intra-Site
Automatic Tunnel Addressing Protocol (ISATAP). ISATAP uses a tunneling
approach to transport IPv6 traffic across an existing IPv4 infrastructure by
encapsulating IPv6 packets with an IPv4 header. ISATAP-based connectivity can
immediately be used to deliver IPv6 services while the IPv4-only infrastructure is
gradually migrated to integrate native IPv6 capabilities. The tunneling of IPv6
traffic through the use of IPv4 encapsulation is called 6-in-4.

In this example of an ISATAP topology, remote IPv6 clients need to access IPv6
servers over the enterprise IPv4 network. To accomplish this, IPv6 traffic from the
client is encapsulated by the ISATAP router before traversing the IPv4 network.
For example, IPv6 packets destined for IPv6 Server 1 in the data center are
encapsulated with the IPv4 tunnel address of ISATAP Tunnel 1. IPv6 packets
destined for the Internet are encapsulated with the IPv4 tunnel address of ISATAP
Tunnel 2.

How Does the Advanced Secure GatewayHandle ISATAP Traffic?

After the Advanced Secure Gateway identifies ISATAP traffic, it identifies the
service inside the encapsulated packet, then uses the appropriate proxy to
optimize the traffic. For example, the HTTP proxy optimizes web traffic with
object caching, byte caching, compression, TCP optimization, and protocol
optimization (assuming an ADN peer is found). For non-TCP, non-UDP, and
services that are not intercepted (such as ICMPv6), the Advanced Secure Gateway
uses the ISATAP proxy; this proxy optimizes the IPv6 packet and payload using

327
Advanced Secure Gateway Administration Guide

byte caching and compression over an ADN tunnel (assuming a peer is found).
The following flow diagram describes how the Advanced Secure Gateway
processes ISATAP traffic.

Notes:
❐ If the requested object is in cache or if the security policy determines that the
request should not be allowed, the response is sent back to the client
immediately over the encapsulated client-side connection.
❐ ISATAP is disabled by default.
❐ Reflect Client IP settings do not apply to the outer encapsulation header (the
IPv4 address). Reflect Client IP settings are honored only for inner IPv6 source
addresses for connections intercepted by application proxies, not the ISATAP
proxy.

Feature Requirements
❐ The routers must support ISATAP.
❐ The Advanced Secure Gateway appliances must be inline between the
ISATAP-capable routers.
❐ ISATAP must be enabled. See "Optimizing ISATAP Traffic" on page 341.

Feature Limitations
❐ Features that modify the destination address, such as URL rewrites and
advanced forwarding, can cause issues with ISATAP processing because the
IP encapsulation information must be preserved. If the destination address
gets modified, users will see TCP connection errors because the server cannot
be found.

328
❐ Only explicit ADN deployments are supported for ISATAP encapsulated
traffic. The Advanced Secure Gateway uses the destination address in the
encapsulation header to perform the route lookup for establishing the explicit
ADN tunnel.
❐ In a virtually inline (WCCP) deployment, the appliance is able to handle the
ISATAP traffic and optimize the services for which application proxies are
available, but the ISATAP proxy is not able to optimize the remaining ISATAP
traffic, as it can in an inline deployment. This limitation occurs because the
remaining traffic will likely not be redirected to the applianceAdvanced
Secure Gateway.

329
Advanced Secure Gateway Administration Guide

Section 2 IPv6 Support on the Advanced Secure Gateway

The Advanced Secure Gateway offers extensive support for IPv6, although there
are some limitations. For details, see the following sections:
❐ "IPv6 Proxies" on page 330
❐ "ISATAP Proxy" on page 330
❐ "Advanced Secure Gateway Management Access over an IPv6 Network" on
page 331
❐ "Features that Support IPv6" on page 333
❐ "IPv6 Limitations" on page 336
❐ "Related CLI Syntax for IPv6 Configuration" on page 337

IPv6 Proxies
The following proxies have underlying protocols that support IPv6 and can
communicate using either IPv4 or IPv6:
Table 16–1

Proxy For More Information

DNS Chapter 12: "Managing the Domain Name Service

(DNS) Proxy" on page 295

FTP Chapter 11: "Managing the File Transport Protocol

(FTP) Proxy" on page 285

HTTP Chapter 8: "Intercepting and Optimizing HTTP

Traffic" on page 161

HTTPS Chapter 15: "Configuring and Managing an HTTPS

Reverse Proxy" on page 313

SOCKS Chapter 13: "Managing a SOCKS Proxy" on page 299

SSL Chapter 9: "Managing the SSL Proxy" on page 227

RTSP Chapter 24: "Managing Streaming Media" on page 535

TCP Tunnel

Telnet Shell Chapter 14: "Managing Shell Proxies" on page 307

ISATAP Proxy
When the Advanced Secure Gateway encounters Intra-Site Automatic Tunnel
Addressing Protocol (ISATAP) traffic, it decides whether to process the 6-in-4
packets with the ISATAP proxy or one of the traditional application proxies
(HTTP, FTP, CIFS, etc.). To make the decision on which proxy to use, the
Advanced Secure Gateway identifies the service inside the encapsulated packet. If
the Advanced Secure Gateway is intercepting this service, the traffic is processed
by one of the traditional application proxies. If the service is not intercepted, the
Advanced Secure Gateway uses the ISATAP proxy to optimize the IPv6 packet

330
 and payload over an ADN tunnel, assuming an ADN peer is found. Note that this
proxy processes all ISATAP traffic that is not handled by application proxies,
including ICMP, UDP, TCP, and routing protocols. If an ADN peer is not found,
the packet cannot be optimized; it is simply sent to its destination.

The ISATAP proxy uses the following techniques to optimize the IPv6 packets:
❐ Byte caching
❐ Compression
The ISATAP proxy works differently than the application proxies: it processes
individual packets instead of entire streams. It does not inspect the contents of the
payload; it optimizes the entire packet.
Traffic that is processed by the ISATAP proxy appears in Active Sessions as the
ISATAP_tunnel service and the ISATAP proxy type. The Active Sessions report
lists the IPv4 tunnel address (not the IPv6 destination) as the server address since
the ISATAP proxy has no insight into the payload of the packet.
The ISATAP proxy is not enabled by default. Until you enable ISATAP, 6-in-4
packets will be bypassed. See "Optimizing ISATAP Traffic" on page 341.

Advanced Secure Gateway Management Access over an IPv6

Network
All management services are available over IPv6 connectivity. If you have already
defined IPv4 and IPv6 addresses for each Advanced Secure Gateway interface,
both or either of these addresses can be selected as listeners for the HTTP-
Console, HTTPS-Console, SSH-Console, and Telnet-Console services. The default
setting for the service listener, All SG IP addresses, indicates that the management
service is capable of accepting both IPv4 and IPv6 connections. When specifying
IPv6 addresses, only global (not link-local) addresses can be used.

331
Advanced Secure Gateway Administration Guide

Use the Configuration > Services > Management Services option to view or modify the
listeners for each management service.

To access the management console over a secure IPv6 connection, open a

Windows Explorer or Firefox browser and enter the following in the address line:
https://[<ipv6 address>]:8082
where <ipv6 address> is the IP address that conforms to IPv6 syntax. Note that
the square brackets must surround the IPv6 address when a port number is
specified. For example:
https://[2001:db8::1]:8082
Note that Firefox has a bug that requires a backslash after the ending square
bracket. For example:
https://[2001:db8::1]\:8082
You can also specify a host name that resolves to an IPv6 address. In this case, no
brackets are required. For example:
https://atlantis:8082
To access the Advanced Secure Gateway using SSH, specify the IPv6 address
enclosed in square brackets, for example:
[2001:db8::1]
For Telnet access, the square brackets are not required, for example:
2001:db8::1

332
 Features that Support IPv6
The SGOS software accommodates the entry of either IPv4 or IPv6 IP addresses in
applicable features. Table 16–2 lists the features that can be configured with either
IPv4 or IPv6 addresses.
Table 16–2

Feature For More Information CLI Example

Network "Configuring a Network #(config interface 0:0)ip-address

Interfaces Adapter" on page 1294 2001:db8::1428:57ab

DNS servers "Adding DNS Servers to the #(config dns forwarding)edit primary
Primary or Alternate Group" #(config dns fowarding primary)add server
on page 829 2001:db8:85a3::8a2e:370:7334

NTP servers "Synchronizing to the #(config) ntp server 2001:db8::1428:57ab

Network Time Protocol" on 8081
page 52

Default gateways "Switching to a Secondary #(config)ip-default-gateway fe80::1%0:0

Default Gateway" on page 807 primary 100

Management "Creating a Management #(config management-services)edit HTTP-

service listeners Service" on page 1325 Console
#(config HTTP-Console)add
2001:db8::1428:57ab 8081

Proxy service "Creating Custom Proxy #(config proxy-services)edit ftp

listeners Services" on page 132 #(config FTP)add all 2001::1/128 21
intercept

Static bypass "Adding Static Bypass #(config proxy-services) static-bypass

entries Entries" on page 149 #(config static-bypass) add 1000::/64 all

Restricted "About Restricted Intercept #(config proxy-services) restricted-

intercept lists Lists" on page 154 intercept
#(config restricted-intercept) add all
2001::/64

Static routes "Defining Static Routes" on #(config)inline static-route-table eof

page 811 2000::/64 fe80::1%0:0
2001::/64 fe80::2%0:1
eof

Forwarding hosts "Creating Forwarding Hosts" #(config forwarding) create host ipv6-
on page 890 proxy 2001:db8::1 http proxy
"IPv6 Forwarding" on page
335

ADN managers "Configuring the ADN #(config adn manager)primary-manager

Managers and Enabling 2001:418:9804:111::169
ADN" on page 855 #(config adn manager)backup-manager
2001:418:9804:111::168

333
Advanced Secure Gateway Administration Guide

Table 16–2

Feature For More Information CLI Example

ADN server "Advertising Server Subnets" #(config adn routing server-subnets)add

subnets on page 859 2001:418:9804:111::/64

ADN exempt "Configuring an ADN Node # (config adn advertise-internet-

subnets as an Internet Gateway" on gateway)exempt-subnets add 1234::/10
page 888

SMTP servers "Enabling Event Notification" #(config smtp) server 2001:db8::1428:57ab

on page 1369

Syslog servers "Syslog Event Monitoring" on #(config event-log)syslog add

page 1370 2001:418:9804:111::168

Load Balancer "Configuring Explicit Load #(config adn load-balancing)external-vip

VIP Balancing Using an External 2001:418:9804:111::200
Load Balancer" on page 886

Health checks on "Creating User-Defined Host #(config health-check)create tcp ipv6-

IPv6 hosts and Composite Health host-check 2001:db8::1 8080
Checks" on page 1447

Upload archive "Creating and Uploading an #(config) archive-configuration host

configurations on Archive to a Remote Server" 2001:db8::1
IPv6 servers on page 101

Upload access "Editing Upload Clients" on #(config log log_name) ftp-client primary
logs to an IPv6 page 646 host 2001:418:9804:111::200
server

VPM objects "VPM Objects that Support n/a

IPv6" on page 336

CPL objects "CPL Objects that Support n/a

IPv6" on page 336

The IP address or hostname fields for these features accommodate the entry of
IPv4 or IPv6 addresses and, when applicable, include a field for entering the
prefix length (for IPv6 addresses) or subnet mask (for IPv4 addresses). For
example:

334
IPv6 Forwarding
To minimize WAN traffic, you can create forwarding hosts — the Advanced
Secure Gateway configured as a proxy to which certain traffic is redirected for the
purpose of leveraging object caching. (See "About the Forwarding System" on
page 881.) It is possible to create IPv4-to-IPv6 forwarding, IPv6-to-IPv4
forwarding, and IPv6-to-IPv6 forwarding.
For example, to create a policy that forwards an IPv4 destination to an IPv6
forwarding host:
1. Create an IPv4 virtual IP (VIP) address for the Advanced Secure Gateway.
2. Create a forwarding host entry using an explicit IPv6 address or a hostname
that resolves into an IPv6 address.
3. Launch the Visual Policy Manager (VPM)—Configuration > Policy > Visual Policy
Manager.

4. Create or select a Forwarding Layer.

5. In a new rule, create a destination object: Destination IP Address/Subnet and enter
the IPv4 VIP.
6. In the same rule, create an action object: Select Forwarding and select the
configured IPv6 forwarding host.
7. Install the policy.

335
Advanced Secure Gateway Administration Guide

VPM Objects that Support IPv6

The VPM objects that support IPv6 addresses are listed below.
Source Objects
• Client IP/Subnet
• Proxy IP Address/Port
• User Login Address
• RDNS Request IP/Subnet
Destination Objects
• DNS Response IP/subnet
• Destination IP/subnet
Action Objects
• Reflect IP (proxy IP)

CPL Objects that Support IPv6

The following CPL objects support IPv6 addresses:
• authenticate.credential.address()
• cache_url.address
• client.address
• dns.request.address
• dns.response.aaaa
• log_url.address
• proxy.address
• request.header.header_name.address
• request.header.referer.url.address
• request.x_header.header_name.address
• server.url.address
• url.address
• url.domain
• url.host
• user.login.address

IPv6 Limitations
IPv6 support on the Advanced Secure Gateway has the limitations described
below.
❐ The following proxies do not currently have IPv6 support:
• MMS streaming
• CIFS
• MAPI
❐ The Advanced Secure Gateway does not intercept link-local addresses in
transparent mode since this deployment isn’t practical; transparent link-local
addresses will be bypassed.

336
 ❐ IPv6 is not supported in a WCCP deployment.

Related CLI Syntax for IPv6 Configuration

The following are some CLI commands related to IPv6 configuration:
#(config) ipv6 auto-linklocal {enable | disable}
After link-local addresses are generated for the Advanced Secure Gateway
interfaces, they will stay configured until they are manually removed using
the no ip-address command or until the Advanced Secure Gateway is
rebooted. #(config interface interface_number) ipv6 auto-linklocal
{enable | disable}

Enables or disables the automatic generation of link-local addresses for this

interface. After a link-local address is generated for an interface, it remains
configured until it is manually removed using the no ip-address command or
until the Advanced Secure Gateway is rebooted.
> ping6 {IPv6_address | hostname}

Use this command to verify whether an IPv6 host is reachable across a

network.
> show ndp

Shows TCP/IP Neighbor Discovery Protocol (NDP) table. NDP performs

functions for IPv6 similar to ARP for IPv4.

Configuring the Advanced Secure Gatewayto Work in an IPv6 Environment

Blue Coat’s implementation of IPv6 support requires minimal IPv6-specific
configuration. IPv6 support is enabled by default.

To configure a Advanced Secure Gateway to work in an IPv6 environment:

1. Assign IPv4 and IPv6 addresses to each interface on the Advanced Secure
Gateway appliance. You can add a link-local or global IPv6 address to any
interface. Select the Configuration > Network > Adapters tab.
2. Select an interface and click Edit. The Configure a Native VLAN dialog
displays.

337
Advanced Secure Gateway Administration Guide

3b

3a

3. Assign addresses:
a. Click Add IP. The Add IP Address dialog displays.
b. Enter the IPv6 address and prefix length.
c. Click OK twice to close each dialog.
d. Click Apply.
4. Add a DNS server for IPv6. Select the Configuration > Network > DNS > Groups tab.

5. You can place both network servers types (IPv4 and IPv6) in the same DNS
group, or separate them into different groups.
a. Click Edit or New and add a DNS server for IPv6.
b. Click Apply.
6. IPv6 requires its own gateway. Select the Configuration > Network > Routing >
Gateways tab.

338
7. Define two default gateways: one for IPv4 and one for IPv6:
a. Click New. The Add List Item dialog displays.
b. Create a gateway to be used for IPv6.
c. Click OK to close the dialog.
d. Click Apply.
e. Repeat Steps a - d to create an IPv4 gateway (if you haven’t done so
already).
8. (Optional) Create policy for IPv6 servers. See "IPv6 Policies" on page 342.

339
Advanced Secure Gateway Administration Guide

Section 3 Configuring an ADN for an IPv6 Environment

In addition to performing the steps in "Configuring the Advanced Secure
Gatewayto Work in an IPv6 Environment" on page 337, you need to configure the
ADN for IPv6. See Chapter 34: "Configuring an Application Delivery Network"
on page 839 and follow the steps for configuring the deployment applicable to
your situation.

340
Section 4 Optimizing ISATAP Traffic
The Advanced Secure Gateway can see inside a 6-in-4 encapsulated packet so that
it can identify the service and use the appropriate proxy to optimize the traffic.
For example, the Flash proxy optimizes Flash streaming traffic with object
caching, TCP optimization, and protocol optimization (assuming an ADN peer is
found). For services that are not intercepted (such as ICMPv6 and UDP), the
Advanced Secure Gateway uses the ISATAP proxy; this proxy optimizes the IPv6
packet and payload using byte caching and compression over an ADN tunnel
(assuming a peer is found).
1. Make sure your Advanced Secure Gateway appliances are inline between
ISATAP-capable routers.
2. Enable both ISATAP options in the CLI.
a. Access the Advanced Secure Gateway CLI, with enable (write) access.
b. Type conf t to go into configuration mode.
c. At the #(config) prompt, type the following CLI commands:
isatap adn-tunnel enable
isatap allow-intercept enable

3. Use the Active Sessions report to verify ISATAP traffic is being processed and
optimized by the appropriate proxy: ISATAP or the applicable application
proxy.

For Intercepted Services:

• The Service name and Proxy type listed for the session correspond to the
applicable application proxy (for example, HTTP or CIFS)
• An IPv6 address is listed for the Server.
• Colored icons should appear for the acceleration techniques that are
applicable to the proxy: Compression , Byte Caching , Object
Caching , Protocol Optimization

For Non-TCP, Non-UDP, and Bypassed Services:

• The Service name listed for the session is ISATAP_tunnel, and the Proxy
type is ISATAP.
• An IPv4 address is listed for the Server.
• Colored icons should appear for Compression and Byte Caching

341
Advanced Secure Gateway Administration Guide

Section 5 Configuring IPv6 Global Settings

For details on IPv6 support on the Advanced Secure Gateway, see "IPv6 Support
on the Advanced Secure Gateway" on page 330 and "Configuring the Advanced
Secure Gatewayto Work in an IPv6 Environment" on page 337.
IPv6 support is enabled by default, meaning that the Advanced Secure Gateway
appliance processes incoming IPv6 packets.

To change IPv6 global settings:

1. From the Management Console, select Configuration > Network > Advanced > IPV6.

2a
2b

2. Configure the IPv6 Settings:

a. To bypass all IPv6 traffic, select Enable IPv6 force-bypass. When this is
selected, all IPv6 traffic is bridged or routed.
b. To have the Advanced Secure Gateway route bypassed traffic, select
the Enable IPv6 forwarding option. When this option is disabled (as it is
by default), the Advanced Secure Gateway discards bypassed traffic
that is processed at layer-3.
3. Click Apply.

See Also
❐ "IPv6 Support on the Advanced Secure Gateway" on page 330
❐ "Configuring the Advanced Secure Gatewayto Work in an IPv6 Environment"
on page 337
❐ "Configuring an ADN for an IPv6 Environment" on page 340
❐ "IPv6 Policies" on page 342

IPv6 Policies
With the global policy for DNS lookups, the Advanced Secure Gateway appliance
first uses the configured IPv4 DNS servers for processing DNS requests. If this
lookup fails, the Advanced Secure Gateway appliance looks up the host on the
configured IPv6 DNS servers. This processing of DNS requests happens
automatically. To change the global setting for IP connection type preference, use
the following policy:
server_url.dns_lookup(dns_lookup_value)
where
dns_lookup_value = ipv4-only|ipv6-only|prefer-ipv4|prefer-ipv6

342
If you have a known list of servers that are on IPv6 networks, you can avoid
timeouts and unnecessary queries by creating policy to look up host names on
IPv6 DNS servers only. For example:
<Proxy>
url.domain=etrade.com server_url.dns_lookup(ipv6-only)
url.domain=google.com server_url.dns_lookup(ipv6-only)
This policy overrides the global policy and look up the specified hosts
(etrade.com and google.com) on the IPv6 DNS servers only.

To create DNS lookup policy in the Visual Policy Manager (VPM):

1. Launch the VPM and add or edit a Web Access Layer.
2. Create a new Destination object for an IPv6 host.
3. Create an Action object: Set Server URL DNS Lookup. The Add Server URL DNS
Lookup Object dialog displays.

4. Select Look up only IPv6 addresses.

5. Repeat steps 2-4 for each IPv6 host.
6. Click Install Policy.

343
Advanced Secure Gateway Administration Guide

344
Chapter 17: Geolocation

To comply with local regulations, assist with traffic analysis, or reduce the risk
of fraud and other security issues, you may need to know the origin of traffic in
your network, or restrict outbound connections to specific countries. SGOS
supports geolocation in both reverse proxy and forward proxy modes:
❐ Client geolocation in reverse proxy mode: You can use client geolocation to
identify the source of traffic through the Advanced Secure Gateway
appliance based on IP address (and when applicable, the effective client IP
address; refer to the Visual Policy Manager Reference for information on
effective client IP address).
❐ Geolocation in forward proxy mode: You can use geolocation to restrict by
country the outbound connections that your users make.
To use geolocation, you must download a geolocation database. This database
maps IP addresses to the countries with which they are associated and provides
the supported names and ISO codes for countries, such as “United States [US]”.
You can add conditions based on the country associated with a given IP
address; the conditions then determine policy actions, such as denying traffic to
or from a specific country.

Topics in this Chapter:

The following sections describe how to configure and use geolocation:
❐ "Prerequisite for Using Geolocation" on page 346
❐ "Enabling Geolocation" on page 348
❐ "Downloading the Geolocation Database" on page 351
❐ "Identifying a Country by IP Address" on page 352
❐ "Writing Geolocation Policy" on page 353
❐ "Troubleshooting Geolocation" on page 354
❐ "Access Log Errors" on page 355
❐ "Removing Client Geolocation Settings" on page 356

345
Advanced Secure Gateway Administration Guide

Section 1 Prerequisite for Using Geolocation

Before you can set up and use Geolocation, you must have a valid license for the
feature. Refer to your Sales Engineer for more information.
If you do not have a valid license, the Management Console may display Health
Monitoring errors. The access logs may also contain error messages about the
subscription. See "Troubleshooting Geolocation" on page 354 for more
information.

346
Section 2 Overview: Setting up, Using, and Removing Geolocation
Perform the following steps to set up, use, and remove Geolocation.
Task Reference

Enable geolocation on the appliance. "Enabling Geolocation" on page

348

Download the geolocation database. "Downloading the Geolocation

You must download the database before you can Database" on page 351
use geolocation.

Look up countries by IP address. "Identifying a Country by IP

Perform this step to identify a country by IP Address" on page 352
address. You will want to determine a country
code in order to add it to policy.

Look up the IP addresses and countries for a URL. "DNS Lookup" on page 349
Perform this step to determine the originating
countries and IP addresses for a given URL.

Add geolocation policy. "Writing Geolocation Policy" on

page 353

347
Advanced Secure Gateway Administration Guide

Section 3 Enabling Geolocation

Before you can use geolocation and look up IP addresses, you must enable the
geolocation feature on the appliance.
To enable geolocation:
1. In the Management Console, select Configuration > Geolocation > General.
2. On the General tab, select the Enable Geolocation functionality on the device check
box.
3. Click Apply.

Note: Refer to the Command Line Interface Reference for the related CLI command
for enabling geolocation.

See Also
❐ "Identifying a Country by IP Address" on page 352
❐ "Troubleshooting Geolocation" on page 354

348
Section 4 DNS Lookup
You can determine the IP addresses to which a specified domain resolves, as well
as the geographical location of each IP address.

Note: You must have configured DNS servers for the appliance for the DNS
lookup to work. In the Management Console, select Configuration > Network > DNS to
configure primary and alternate DNS servers.

To test the IP addresses and locations for a domain:

1. In the Management Console, select Configuration > Geolocation > DNS Lookup.
2. In the URL field, enter the domain for which you want to perform the DNS
lookup. The URL must be a fully-qualified domain name (FQDN).
3. Search for the locations that you want to allow or deny in policy. In the Filter
field, enter a text string. The list of countries updates as you type.
Alternatively, scroll down the list of countries to locate the ones you want.
4. To select a location, click it or mark its check box. The Selected Locations
section displays the locations you select.
To remove a location, click it or mark its checkbox in the Country list.
5. To test whether connections to the specified domain are denied based on the
selected locations, select Deny connections to these locations.
Alternatively, to test whether connections to the specified domain are allowed
based on the selected locations, select Allow connections to these locations.
6. Click Test DNS Lookup. The Results section shows the resolved IP addresses for
the URL, the geographical location of each IP address, and whether policy
would deny or allow the connection to each IP address.

349
Advanced Secure Gateway Administration Guide

Example of Using DNS Lookup

In the following example, you want to restrict access to IP addresses in China and
test the IP addresses for weibo.com.
1. In the Management Console, select Configuration > Geolocation > DNS Lookup.
2. In the URL field, type “weibo.com”.
3. In the Filter field, type “ch”. The list of countries updates as you type.
4. Select China from the list of countries. The Selected Locations section displays
your selection.
5. To test whether connections to the specified domain are denied based on the
selected locations, select Deny connections to these locations.
6. Click Test DNS Lookup. The Results section shows the resolved IP addresses for
weibo.com, the geographical location of each IP address, and whether policy
would deny or allow the connection to each IP address.
In this example, because all IP addresses resolve to China, the connection
permission for all the IP addresses is Denied.

350
Section 5 Downloading the Geolocation Database
To download the geolocation database:
1. In the Management Console, select Configuration > Geolocation > General.
2. On the Download tab, in the Download Options section, click Download Now.
When the download starts, the section displays a “Download is in progress”
message.
If you receive a download error, check your network configuration and make
sure that the appliance can connect to the Internet.
If the download is successful, the License and Download Status section
displays statistics.

You can now write policy using country name or country code as defined in
the geolocation database. You will also be able to see the supported country
names and codes:
❐ In the Management Console (Configuration > Geolocation > General > General tab).
❐ In output for the #show geolocation countries and #(config geolocation)
view countries CLI commands.

❐ When you add geolocation objects in the Visual Policy Manager (VPM).

Note: Refer to the Command Line Interface Reference for the related CLI command
for downloading the geolocation database.

351
Advanced Secure Gateway Administration Guide

Section 6 Identifying a Country by IP Address

After you download a geolocation database, you can identify the country that is
associated with a given IP address. You can then use the country code or country
name in policy.
To identify a country by IP address:
1. In the Management Console, select Configuration > Geolocation > General.
2. On the General tab, in the IP field, enter a valid IP address.
3. Click Locate.
The country associated with the IP address, as defined in the geolocation
database, displays next to the IP field.

To write policy about a specific country, use the country code specified in
square brackets beside the country name. For example, the country code for
Italy is “IT”.
If the IP address you enter is not valid, an error appears. See "Troubleshooting
Geolocation" on page 354 for more information.
4. (Optional) To view the list of countries in the geolocation database, click Show
list of countries in Geolocation database. The list opens in a separate browser
window.

352
Section 7 Writing Geolocation Policy
You can add geolocation policy through the VPM or by composing Content Policy
Language (CPL).

Client Geolocation (Reverse Proxy)

In the VPM, the Client Geolocation object is available in the Source column in policy
layers. Refer to the Visual Policy Manager Reference for information.
In CPL, the client.address.country=<"country_name"> condition returns the
country from which traffic originates, based on the client IP address. For usage
information, refer to the Content Policy Language Reference.

Geolocation (Forward Proxy)

In the VPM, the Set Geolocation Restriction and Resolved Country objects are available
in the Destination column in policy layers. Refer to the Visual Policy Manager
Reference for information.
For detailed usage information on the policy gestures, refer to the Content Policy
Language Reference.

353
Advanced Secure Gateway Administration Guide

Section 8 Troubleshooting Geolocation

You may encounter errors under Geolocation Lookup in the Management
Console (Configuration > Geolocation > General > General tab). Refer to the following
for troubleshooting steps.

Note: This is not a valid IP

Cause: You have entered an invalid IP address in the IP field.
Fix: Correct the IP address and look it up again.

Note: The geolocation database is currently unavailable

Cause: No geolocation database is installed.
Fix: Download the database. See "Downloading the Geolocation Database" on
page 351.

This device does not have a valid geolocation license

Cause: The appliance does not have a valid geolocation license.
Fix: Ensure that the following are true:
• Each Advanced Secure Gateway appliance in your deployment has its
own license.
• The licensing status for your appliance is in good health.

Warning: The geolocation database is not installed

This error displays in the browser window that opens when you click Show list of
countries in Geolocation database under Geolocation Lookup.It also displays in the
CLI.
Cause: No geolocation database is installed.
Fix: Download the database. See "Downloading the Geolocation Database" on
page 351.

354
Section 9 Access Log Errors
The following access log errors may appear in the access log if there is a problem
with your subscription.
❐ The Geolocation subscription file is out of date
❐ Failed trying to get the subscription settings from the Geolocation
subscription file
❐ Failed trying to download the Geolocation subscription file
❐ Failed trying to extract and activate the Geolocation payload file

Note: If you receive other errors while setting up or using geolocation, refer to
the Blue Coat Knowledge Base.

355
Advanced Secure Gateway Administration Guide

Section 10 Removing Client Geolocation Settings

To remove geolocation settings, purge the geolocation database and remove
policy.

Removing the Database

To remove the database:
1. Disable geolocation.
a. In the Management Console, select Configuration > Geolocation > General.
b. On the General tab, select the Enable Geolocation functionality on the device
check box.
c. Click Apply.
2. Log in to the CLI and enter the following command:
#(config geolocation)purge

The CLI returns to the #(config geolocation) node.

You can issue the view countries command to verify that the geolocation
database has been removed. The output should show no list of countries and
warn that the database is not installed:
#(config geolocation)purge
#(config geolocation)view countries
Countries defined by system:
Invalid
None
Unavailable
Unlicensed

Additional locations:
Countries defined by geolocation database:
Warning: The geolocation database is not installed

Removing Policy
To remove geolocation policy:
1. In the Management Console, select Configuration > Policy > Visual Policy Manager.
2. Click Launch to launch the VPM.
3. Remove any geolocation objects or rules. Refer to the Visual Policy Manager
Reference for instructions.
4. Click Install Policy.

356
Chapter 18: Filtering Web Content

Content Filtering allows you to categorize and analyze Web content. With
policy controls, content filtering can support your organization’s Web access
rules by managing or restricting access to Web content and blocking downloads
from suspicious and unrated Web sites, thereby helping protect your network
from undesirable or malicious Web content.
The Advanced Secure Gateway appliance supports Blue Coat WebFilter and
Intelligence Services as well as other third-party databases. This chapter
describes how to configure the appliance to process client Web requests and to
control and filter the type of content retrieved.
For information on integrating your local appliance content filtering policy
with Blue Coat Cloud Service policy, please see Universal Policy: Applying Global
Policy to Local and Remote Users.

Topics in this Chapter

This chapter includes information about the following topics:
❐ Section A: "Web Content Filtering Concepts"
❐ Section B: "Setting up a Web Content Filter"
❐ Section C: "Configuring Blue Coat WebFilter and WebPulse"
❐ Section D: "Configuring Intelligence Services for Content Filtering"
❐ Section E: "Using Intelligence Services to Classify Applications"
❐ Section F: "Configuring a Local Database"
❐ Section G: "Configuring Internet Watch Foundation"
❐ Section H: "Configuring a Third-Party Vendor"
❐ Section I: "About Blue Coat Categories for YouTube"
❐ Section J: "Using Quotas to Limit Internet Access"
❐ Section K: "Applying Policy"
❐ Section L: "Troubleshooting"

357
Advanced Secure Gateway Administration Guide

Section A: Web Content Filtering Concepts

Content filtering is a method for screening access to web content. It allows you to
control access to web sites based on their perceived content. On the Advanced
Secure Gateway appliance, using a content filtering database in conjunction with
policy allows you to manage employee access to web content and to restrict access
to unsuitable content. Restricting access or blocking web content helps reduce the
risk of malware infections caused by visiting questionable sites.
This section discusses content filtering databases and categories, and the content
filtering options available on the Advanced Secure Gateway appliance.

About Content Filtering Categories and Databases

Content filtering categories comprehensively classify the vast and constantly
growing number of URLs that are found on the web into a relatively small
number of groups or categories. These categories then allow you to control access
to web content through policy.
A content filtering database has a pre-defined set of categories provided by the
content filtering vendor. Individual content filter providers such as Blue Coat
WebFilter, define the content-filtering categories and their meanings. Depending
on the vendor, a URL is listed under one or more categories. Each URL can
support a maximum of 16 categories.
A content filtering database does not block any web site or category. The role of
the database is to offer additional information to the proxy server and to the
administrator about a client request. After you configure your content filter
provider and download the database, you can map the URLs to the list of
categories. You can then reference these categories in policy and limit, allow, or
block requests. Client access to a web request depends on the rules and policies
that you implement in accordance with company standards.
Some policies that you might create, for example, are as follows:
❐ Block or unblock specific sites, categories, or specific file types such as
executables.
❐ Apply different filtering policy for each site or group within your
organization, by IP address or subnet. If you wish to use password
authentication to grant or deny access to the requested content, you must have
configured authentication realms and groups on the Advanced Secure
Gateway appliance. For information about configuring authentication, see
"Controlling User Access with Identity-based Access Controls" on page 916.
❐ Allow schedule-based filtering to groups within your organization.
A valid vendor subscription or license is required to download a content filter
database. For example, Blue Coat WebFilter is licensed while some supported
third-party vendors require a subscription.

358
 If your subscription with the database vendor expires or if the available database
is not current, the category unlicensed is assigned to all URLs and no lookups
occur on the database. To ensure that the latest database version is available to
you, by default, the Advanced Secure Gateway appliance checks for database
updates once in every five minutes.

About Application Filtering

In addition to URL category filtering, you can filter content by Web application
and/or specific operations or actions done within those applications. For
example, you can create policy to:
❐ Allow users to access all social networking sites, except for Facebook.
Conversely, block access to all social networking sites except for LinkedIn.
❐ Allow users to post comments and chat in Facebook, but block uploading of
pictures and videos.
❐ Prevent the uploading of videos to YouTube, but allow all other YouTube
operations such as viewing videos others have posted. Conversely, preventing
uploading but block access to some videos according to the video’s category.
❐ Allow users to access their personal email accounts on Hotmail, AOL Mail,
and Yahoo Mail, but prevent them from sending email attachments.
This feature allows administrators to block actions in accordance with company
policy to avoid data loss accidents, prevent security threats, or increase employee
productivity.
See "Creating Policy for Controlling Web Applications" on page 422.

About the Content Filtering Exception Page

Exception pages are customized web pages (or messages) sent to users under
specific conditions defined by a company and its security policies. An exception
page is served, for example, when a category is blocked by company policy.
The Advanced Secure Gateway appliance offers multiple built-in exception pages
that can be modified to meet your enterprise needs. For content filtering, the
Advanced Secure Gateway appliance includes the content_filter_denied and
content_filter_unavailable built-in exception pages.
The content_filter_denied exception page includes the following information:
• an exception page message that includes the content filtering category
affecting the exception.
• (Only for Blue Coat WebFilter) A category review URL, where content
categorizations can be reviewed and/or disputed.
To add the link in the message, select the checkbox Enable category review
message in exceptions in Configuration > Content Filtering > General. See
"Enabling a Content Filter Provider" on page 373.

359
Advanced Secure Gateway Administration Guide

The content_filter_unavailable exception page includes a message that states

the reason for the denial and provides a probable cause— the request was denied
because an external content filtering service was not available owing to transient
network problems, or a configuration error.
See "Applying Policy" on page 410 for information on using the exception pages
in policy.
For customizing the exception page, refer to the Advanced Policy Tasks chapter,
Section E, of the Visual Policy Manager Reference.

Web Content Filtering Process Flow

The following diagram illustrates the process flow when web content filtering is
employed in the network. This diagram does not include the dynamic
categorization process, for details on dynamic categorization, see "About the
Dynamic Categorization Process" on page 365.

Legend
A: A client connected to the Advanced Secure Gateway appliance.
B: Advanced Secure Gateway appliance content filtering solution (content filter vendor
+ Blue Coat policy).
C: Web Content.
Process Flow
1: (Blue arrow) The client requests a Web page.
2: The Advanced Secure Gateway appliance checks the requested URL against the on-
box content filtering database to determine the categorization.
3: After the URL is categorized, the policy engine determines if the URL is allowable
or not.
4: (Blue arrow) The URL is allowed and the request continues to its destination.
5. (Red arrow) The policy denies the request and returns a message concerning
corporate Web compliance.

Figure 18–1 Web Content Filtering Process Flow

360
Supported Content Filter Providers
The Advanced Secure Gateway appliance supports several content filter
providers.
❐ Blue Coat WebFilter. Blue Coat WebFilter provides both an on-box content
filtering database and the WebPulse service, a cloud-based threat-protection
feature.
❐ Intelligence Services. This is a framework for the delivery of data feeds to Blue
Coat platforms. Multiple data feeds are entitled by subscription to an
Intelligence Services solution bundle. These data feeds are delivered and
made available to the Advanced Secure Gateway appliance through the
Intelligence Services framework. You can obtain a license for one or more
bundles, and also enable or disable data feeds in your solution bundle as your
requirements change.
❐ Local database. Create and upload your custom content filtering database to
the Advanced Secure Gateway appliance. This database must be in a text file
format.
❐ The Internet Watch Foundation (IWF) database. For information about the
IWF, visit their web site at: http://www.iwf.org.uk/
❐ A supported third-party content filtering vendor database— Proventia or
Optenet. You cannot use two third-party content filtering vendors at the same
time.
❐ YouTube. The appliance obtains video categories from the YouTube Data API
v3.0. After you enable Blue Coat categories for YouTube, you can reference
these categories in policy to control YouTube traffic.

Note: This feature is provided on an "as-is" basis. Blue Coat has no control of,
and is not responsible for, information and content provided (or not) by
YouTube. Customer is required to apply and use its own API key in order to
activate this feature, and therefore obligated to comply with all terms of use
regarding the foregoing (for example, see https://developers.google.com/
youtube/terms), including quotas, restrictions and limits on use that may be
imposed by YouTube. Blue Coat shall not be liable for any change,
discontinuance, availability or functionality of the features described herein.

Section 1 About Blue Coat WebFilter and the WebPulse Service

Blue Coat WebFilter, in conjunction with the WebPulse service, offers a
comprehensive URL-filtering solution. Blue Coat WebFilter provides an on-box
content filtering database and WebPulse provides an off-box dynamic
categorization service for real-time categorization of URLs that are not categorized
in the on-box database. WebPulse dynamic categorization includes both
traditional content evaluation, for categories such as pornography, as well as real-
time malware and phishing threat detection capabilities. WebPulse services are
offered to all customers using Blue Coat WebFilter.

361
Advanced Secure Gateway Administration Guide

WebPulse is a cloud service that allows inputs from multiple enterprise gateways
and clients and creates a computing grid. This grid consists of Blue Coat
WebFilter, K9, and ProxyClient customers, who provide a large sample of Web
content requests for popular and unrated sites. Based on the analysis of this large
volume of requests, the computing grid continuously updates the master
Blue Coat WebFilter database, and the Advanced Secure Gateway expediently
updates its on-box copy of the Blue Coat WebFilter database. About 95% of the
Web requests made by a typical enterprise user (for the English language) are
present in the on-box Blue Coat WebFilter database, thereby minimizing
bandwidth usage and maintaining quick response times.
By default, the WebPulse service is enabled and configured to dynamically
categorize unrated and new Web content for immediate enforcement of policy.
Typically, the response time from the dynamic categorization service is about
500 milliseconds and is subject to the response/performance of the site in
question. However, if this service is causing significant delays to your enterprise
web communications, you can run it in Background mode.
If dynamic categorization is disabled, proactive threat detection, content and
reputation ratings are also disabled.
The appliance contacts the WebPulse service using mutual endpoint
authentication over TLS. For best security, the connection is always encrypted.
If you opt to use a non-secure connection, all data is sent over the connection as
plain text. For information, see "Configuring WebPulse Services" on page 382.

About Dynamic Categorization

The dynamic categorization service analyzes and categorizes new or previously
unknown URLs, which are not in the on-box Blue Coat WebFilter database.
Dynamic categorization can be processed in two modes—immediately or in the
background.
By default, dynamic categorization is set to be performed immediately, which is in
real time. When a user requests a URL that has not already been categorized by
the Blue Coat WebFilter database (for example, a new web site), the WebPulse
dynamic categorization service queries the target Web site and retrieves the
page’s content. WebPulse analyzes the page’s content and context in search of
malicious content. If malicious content is found, an appropriate category (for
example, Spyware/Malware sources or Phishing) is returned. If no malicious
content is found, WebPulse’s dynamic real time rating service determines the
language of the page, a category for the page, and a confidence factor that the
category is correct. If the confidence factor is high, the calculated category is
returned.
In situations where the dynamic categorization service cannot categorize a URL
with enough confidence to dynamically return a category with a high confidence
level, the category rating request for the particular page is labeled none. All URLs
received by WebPulse that are not categorized in the Blue Coat WebFilter database
are logged and forwarded to Blue Coat’s centralized processing center, where
they are prioritized for rating by a series of automated URL analysis tools and/or

362
 human analysis. These ratings are then used to update the master Blue Coat
WebFilter database, and the automatic database update feature then refreshes the
local Blue Coat WebFilter database on the Advanced Secure Gateway appliance.
When dynamic categorization is performed in Background mode, the Advanced
Secure Gateway appliance continues to service the URL request without waiting
for a response from the WebPulse dynamic categorization service. The system
category pending is assigned to the request, indicating that the policy was
evaluated with potentially incomplete category information. When WebPulse
returns a category rating, the rating is stored in a dynamic categorization cache so
that the next time the URL is accessed, WebPulse will not be required to
determine its category.

Note: The dynamic service is consulted only when the installed Blue Coat
WebFilter database does not contain authoritative category information for a
requested URL. If the category returned by the WebPulse service is blocked by
policy, the offending material does not re-enter the network.

The URL is first looked up in the local Blue Coat Web Filter (BCWF) database. The
expected results are shown in the following table.

Found in Found in Rating Process Mode Result / Description

Local BCWF Cache
Database

Yes Any Any The corresponding list of categories in the

database is returned.

No Yes Any The corresponding list of categories in the

ratings cache is returned.

No No Dynamic None. No categories are available for the URL.

Categorization
disabled

363
Advanced Secure Gateway Administration Guide

Found in Found in Rating Process Mode Result / Description

Local BCWF Cache
Database

No No Dynamic Pending. The Advanced Secure Gateway

Categorization appliance continues to service the URL request
in Background without waiting for a response from WebPulse.
Mode If a response is received, it is added to the rating
cache, so future requests for that same URL will
have the appropriate list of categories returned
immediately.
Reference to the site is recorded for future
categorization in the BCWF database by
automated background URL analysis or human
analysis.
If a response is not received in a timely manner,
or the request results cannot be categorized,
nothing is added to the rating cache.
Note: It is possible that multiple requests for the
same content can result in a Pending status if
WebPulse has not completed processing the first
request before subsequent requests for the same
URL are received by the Advanced Secure
Gateway appliance.

No No Dynamic A request to categorize the URL is sent to

Categorization WebPulse and the Advanced Secure Gateway
in Real-time appliance waits for a response.
Mode and The response is added to the rating cache and
categories also used as the list of categories for the current
returned by request.
WebPulse

No No Dynamic None. Categories might not be returned because:

Categorization • The Advanced Secure Gateway appliance
in Real-time did not get a response from the WebPulse
Mode and service.
categories not
• The WebPulse service was unable to retrieve
returned by
the requested URL in a timely manner.
WebPulse
• The WebPulse service cannot categorize the
request with high confidence.
References to all URLs requested in WebPulse
are recorded for future categorization in BCWF
by automated background analysis or human
analysis.
Note: Timeout is currently set to three seconds.
Average response time for WebPulse to retrieve
the content and perform real-time analysis is
under 500 milliseconds.

364
Found in Found in Rating Process Mode Result / Description
Local BCWF Cache
Database

Any Any Any Unlicensed. A problem exists with the BCWF

license.

Any Any Any Unavailable. A problem (other than licensing)

exists with the local BCWF database or
accessing the WebPulse service.

See Also:
❐ "About the Dynamic Categorization Process" on page 365
❐ "Dynamic Categorization States" on page 366
❐ "Considerations Before Configuring WebPulse Services" on page 367
❐ "About Private Information Sent to WebPulse" on page 368

About the Dynamic Categorization Process

Dynamic analysis of content is performed through the WebPulse cloud service
and not locally on the Advanced Secure Gateway appliance. There is a small
amount of bandwidth used for the round-trip request and response, and a slight
amount of time waiting for the service to provide results. As the service is only
consulted for URLs that cannot be locally categorized using the Blue Coat
WebFilter database and WebPulse results are cached on the Advanced Secure
Gateway, the user experience is generally not affected.
To avoid per-request latency, you might want to run dynamic categorization in
background mode. For modifying the default, see "Configuring WebPulse Services"
on page 382.

Clear the WebPulse Cache

To clear the WebPulse internal cache on the appliance:
1. In the Management Console, select Configuration >Threat Protection > WebPulse.
2. Clear Enable WebPulse service and click Apply.
3. Select Enable WebPulse service again and click Apply.

365
Advanced Secure Gateway Administration Guide

The following diagram illustrates Blue Coat WebFilter’s content filtering flow
when dynamic categorization is employed.

Legend
A: A client connected into the Advanced Secure Gateway appliance.
B: Advanced Secure Gateway appliance with Blue Coat WebFilter and Dynamic
Categorization enabled.
C: WebPulse cloud server.
D: Web content.
Process Flow
1: (Blue arrow) Client 1 requests a Web page.
2: The Advanced Secure Gateway appliance checks the requested URL against the Blue
Coat WebFilter database for categorization. No match is found.
3: The WebPulse Service returns the categorization of the URL if it has already been
determined. If not, WebPulse accesses and analyzes the requested site and returns a
real-time categorization if the confidence rating is high enough. If a category cannot be
determined automatically with high confidence, the service returns a category unknown
status, but records the site for future categorization.
4: After the URL is categorized, the policy engine determines if the URL is allowable or
not. Steps 5 and 6 describe what happens if the URL is allowable. Step 7 describes
what happens if the URL is not allowable.
5: (Blue arrow) The URL is allowed and the request continues to its destination for full
retrieval.
6: (Blue arrow) The allowed content is served back to the client.
7: (Red arrow) The policy denies the request and returns a message concerning

Figure 18–2 BCWF with Dynamic Categorization Content Enabled (default)

Dynamic Categorization States

Dynamic categorization has three states:
❐ Enabled: The service attempts to categorize unrated web sites. This is the
default state.
❐ Disabled:If the service is disabled, the Advanced Secure Gateway does not
contact the WebPulse service, regardless of any policy that might be installed.

366
 ❐ Suspended: Categorization from the database continues, but the service is no
longer employed. This occurs when the installed database is over 30 days old
due to the expiration of BCWF download credentials or network problems.
After credentials are renewed or network problems are resolved, the service
returns to Enabled.

Considerations Before Configuring WebPulse Services

The WebPulse protocol regulates the communication between the dynamic
categorization client on the Advanced Secure Gateway and the WebPulse cloud
service. Before configuring WebPulse services using "Configuring WebPulse
Services" on page 382, answer the following questions:
❐ Do you use proxy chaining or SOCKS gateways?
If you use a forwarding host for forwarding dynamic categorization requests
through upstream proxies or use SOCKS gateways, see "About Proxy
Chaining Support for WebPulse Services" on page 368 for more information
on the forwarding options in WebPulse. For information on forwarding and
configuring the upstream network environment, see Chapter 42:
"Configuring the Upstream Network Environment" on page 879.
❐ Would you like to configure private networks to identify traffic relating to
your internal networks while using WebPulse for content rating accuracy?
If you specify your private networks, information pertaining to the configured
internal network is removed by the Advanced Secure Gateway appliance,
prior to sending a dynamic categorization request across to the WebPulse
service. For understanding the interaction between private networks and
dynamic categorization, see "About Private Information Sent to WebPulse" on
page 368. To configure private networks for maintaining your security needs,
see Chapter 38: "Configuring Private Networks" on page 839.
❐ Would you like to provide malware feedback notification to the WebPulse
community?
This option is applicable only if you have a Blue Coat AV configured on the
Advanced Secure Gateway, and malware scanning and BCWF are enabled.
When the Advanced Secure Gateway is integrated with the Blue Coat AV, the
Advanced Secure Gateway monitors the results of the Blue Coat AV scan and
notifies the WebPulse service when a new virus or malware is found. This
feedback helps update the malware and content ratings and protects the entire
community of WebPulse users. For more information, see "About Malware
Notifications to WebPulse" on page 371.
For information on adding a Blue Coat AV and enabling malware scanning,
see Chapter 22: "Malicious Content Scanning Services" on page 465.

367
Advanced Secure Gateway Administration Guide

About Proxy Chaining Support for WebPulse Services

Proxy chaining is a method for routing client requests through a chain of
Advanced Secure Gateway appliances until the requested information is either
found in cache or is serviced by the OCS.
The Advanced Secure Gateway allows you to forward dynamic categorization
requests through upstream proxies and SOCKS gateways.

Important: When configuring a forwarding host under Configuration > Forwarding

> Forwarding Hosts, in the Add Forwarding Host dialog select Type: Proxy. If you
attempt to configure proxy chaining using Type as Server, an error occurs.

Forwarding Hosts and Dynamic Categorization

To forward dynamic categorization requests through an upstream HTTP proxy,
configure a forwarding host that is defined as a proxy and specify the HTTP port
for the connection. You can then select that forwarding host in the WebPulse
configuration.

Note: If forwarding is configured, you cannot enable secure dynamic

categorization; if secure dynamic categorization is enabled, you cannot select a
forwarding host.

SOCKS Gateways
If you use proxy chaining for load balancing or for forwarding the dynamic
categorization request through an upstream SOCKS gateway, you must configure
the SOCKS gateway before configuring the WebPulse service.

Important: Before configuring the SOCKS gateway target for WebPulse, verify
that the SOCKS gateway is operating correctly.

When both SOCKS and forwarding are configured, the Advanced Secure
Gateway connects to the SOCKS gateway first, then to the forwarding host, and
then to the WebPulse service.

About Private Information Sent to WebPulse

A private network is an internal network that uses private subnets and domains,
for example, your intranet. On the Advanced Secure Gateway appliance, you can
configure private networks on the Configuration > Network > Private Network tab. For
information on configuring private subnets or private domains, see Chapter 38:
"Configuring Private Networks" on page 839.
By default, dynamic categorization is enabled on the Advanced Secure Gateway
appliance. When a requested URL is not in the dynamic categorization ratings
cache or categorized in the BCWF database, the request is sent to the WebPulse
cloud service for dynamic categorization. By configuring private subnets and

368
private domains within your network, you can use dynamic categorization to
ensure accuracy of content filter ratings, while preserving the security of sensitive
information relating to your private networks.
Before a request is sent for content rating to the WebPulse cloud service, the
following conditions are verified on the Advanced Secure Gateway appliance:
• Is WebPulse service and dynamic categorization enabled?
• Is dynamic categorization permitted by policy?
• Is the host specified in the private domain or private subnet list?
Any request that is determined to be part of your configured private
network is not sent to WebPulse.
The Advanced Secure Gateway appliance might send information from HTTP
and HTTPS requests to the WebPulse service if they are not directed to hosts that
are part of the configured private network.

Note: Private network domain names and IP subnets can be user-defined.

Customer information sent to the WebPulse service is controlled by user-defined

policy, although you can still use the default policy and configuration settings
provided by the Advanced Secure Gateway appliance. Overriding the default
settings with your organization’s policy definitions results in more control of the
type of information that is sent to the WebPulse service.
When WebPulse service is enabled, the default configuration settings send the
fixed customer data and the following information:
• Customer License Key (Example: QA852-KL3RA)
• Scheme (Example: HTTP, HTTPS)
• Method (Examples: GET, POST)
• URL Host
• URL Port
• URL Path
• URL query string
• Referer header
• User-Agent header
However, this additional information can be controlled by policy and/or
configuration settings:
If the service send-request-info setting is set to disable, by default, only the
customer license key, URL scheme, method, host, port, and path are sent to the
WebPulse service; URL query string, and the Referer and User-Agent headers
are not sent.

369
Advanced Secure Gateway Administration Guide

If the service send-request-info setting is set to enable, by default, referrer

and user agent information and so on can be sent to the server. Blue Coat
gathers this customer information from back-end logs and analyzes the data
to help improve its threat protection. In its analysis, Blue Coat does not
consider the source of the data; that is, customer information is anonymous.

Note: Be aware that personal information might be included in the URL

query string. If this information is sent to WebPulse, Blue Coat might use it
when accessing content from the web site to categorize it.

You can further control whether to include the URL path and query string, and
individually control whether the Referer or User-Agent headers are sent for
specific requests. Restrictions are accomplished through the use of policies that
can be defined from the Advanced Secure Gateway appliance management
console or CLI.
Table 18–1 on page 370 lists the type of information that is sent to the WebPulse
service based on default settings for all SGOS versions supporting WebPulse.

Table 18–1 Information Sent to the WebPulse Service Based on Default SGOS Settings

Information Sent to the WebPulse Service service send- service send-

request-info request-info
disable enable

Customer License Key (Example: QA852-KL3RA) Yes Yes

Scheme (Examples: HTTP, HTTPS) Yes Yes

Method (Examples: GET, POST) Yes Yes

URL Host/Port Yes Yes

URL Path1 Yes Yes2

URL Query String No Yes2

Referer Header No Yes2

User-Agent Header No Yes2

Content-Type No Yes2
Content-Length No Yes2

1. Path = URL minus any query string.

2. Can be controlled using Content Policy Language (CPL).

370
See Also
❐ "Configuring WebPulse Services" on page 382
❐ "Viewing Dynamic Categorization Status (CLI only)" on page 385
❐ Section K: "Applying Policy" on page 410
❐ Content Policy Language Reference

About Malware Notifications to WebPulse

The Blue Coat AV, when integrated with the Advanced Secure Gateway
appliance, provides in-path threat detection. The Blue Coat AV scans web content
based on the protection level in your malware scanning configuration in
Configuration > Threat Protection> Malware Scanning. Every proxied transaction is
scanned when the protection level is set at maximum security; selected
transactions are subject to a monitoring check when the protection level is set to
high performance.
By default, if Blue Coat ProxyAV or BCWF detects a malware threat, it notifies the
Advanced Secure Gateway appliance, which then issues a malware notification to
the WebPulse service.
This notification triggers an update of the BCWF database, and all members of the
WebPulse community are protected from the emerging threat. When malware
scanning is enabled, notification requests sent to the WebPulse service include the
request URL, HTTP Referer and User-Agent headers. When the service send-
malware-info setting is set to enable (it is by default), the appliance sends
customer information listed above is sent to WebPulse.
If the service send-malware-info setting is set to disable, malware notification
requests are not sent to WebPulse.

Note: Blue Coat respects your security needs. If the request URL or the Referer
header for a malware threat pertains to a private URL, no malware notification is
issued.

See Also
❐ "Configuring WebPulse Services" on page 382
❐ "Viewing Dynamic Categorization Status (CLI only)" on page 385

371
Advanced Secure Gateway Administration Guide

Section B: Setting up a Web Content Filter

This section provides the list of tasks required to configure a web content filter for
monitoring, managing, and restricting access to web content. The following topics
are discussed:
❐ "Web Content Filtering Task Overview" on page 372
❐ "Enabling a Content Filter Provider" on page 373
❐ "Downloading the Content Filter Database" on page 375
❐ "Setting the Memory Allocation" on page 379

Web Content Filtering Task Overview

Before you begin setting up content filtering, ensure that you have a valid
subscription from a content filter provider of your choice. Only the IWF, YouTube,
and the local database do not require a subscription or license.
To set up on-box Web content filtering on the Advanced Secure Gateway, perform
the following tasks:
❐ "Enabling a Content Filter Provider"
❐ "Downloading the Content Filter Database"
❐ "Applying Policy"
To review the default settings for your content filtering vendor and to make
adjustments, see the following sections:
❐ "Specifying a Blue Coat Data Source": The default settings are adequate for
most environments. This section provides information on customizing BCWF
settings to meet the needs in your network.
❐ "Configuring Intelligence Services for Content Filtering": Download a
database for content filtering and Application Classification.
❐ "Configuring a Local Database": A local database is typically used in
conjunction with a standard content filter database that has pre-defined
categories. This section provides information on creating and maintaining a
local database for your network.
❐ "Configuring Internet Watch Foundation": This section provides information
on customizing the download schedule for the IWF database that includes a
single category called IWF-Restricted.

372
Section 2 Enabling a Content Filter Provider
This is the first step in setting up a web content filter on the Advanced Secure
Gateway. This procedure assumes you have a valid account with your preferred
vendor.
Prerequisite: "Web Content Filtering Task Overview" on page 372

To enable a content filter provider:

1. Select Configuration > Content Filtering > General.

2. Select the option for your preferred provider. You can opt to enable the local
database, Internet Watch Foundation, BCWF, a third-party vendor (select your
preferred vendor from the Third-party database drop-down list), and YouTube.

Note: Before you can enable YouTube, you require a server key from
Google. See "Setting the YouTube Server Key" on page 406 for information.
If you try enabling YouTube without a server key, you receive an error
message.

3. Select the Lookup Mode option. For a web request, the look up mode determines
the databases that the Advanced Secure Gateway appliance searches for a
category match. To perform a lookup, the database must be enabled. The look
up sequence executed is policy, local database, IWF, Blue Coat WebFilter and
finally a selected third-party database.

Note: For YouTube, the Lookup mode option is hard-coded to Always. This
means that the database is always consulted for category information.

a. The default is Always, which specifies that the database is always

consulted for category information. If a URL is categorized under
more than one category in different databases, policy is checked
against each category listed.

373
Advanced Secure Gateway Administration Guide

b. Uncategorized specifies that a database lookup be skipped if the URL

match is found in policy, a Local database, or the Internet Watch
Foundation (IWF) database.
4. (Applicable for BCWF only) Select Enable category review message in exceptions.
This option adds a link to the default content filter exception page when a user
is denied a request for a web page. Typically the exception page informs the
user why a URL request is denied. When you enable this option, the user can
click the link displayed on the exception page to request a review of the
category assigned to the blocked URL. For example, when enabled the screen
displays the following users:
Your request was categorized by Blue Coat WebFilter as 'News/Media'.
If you wish to question or dispute this result, please click here.

The built in exception page can be customized, for customizing the exception
page, refer to the “Advanced Policy Tasks” chapter in the Visual Policy
Manager Reference.
5. Click Apply.

Specifying a Blue Coat Data Source

Specify the Blue Coat data source that will be used for content filtering and
Application Classification.
1. In the Management Console, select Configuration > Application Classification >
Download.

2. Click the WebFilter link. The Blue Coat tab opens (Configuration > Content Filtering
> Blue Coat).

3. In the Data Source menu, select WebFilter or Intelligence Services. Then, click
Apply.

Note: If a Blue Coat WebFilter (BCWF) username and password are configured
on the appliance, but you save a configuration archive (or Management Center
backs up the configuration) while the data source is set to Intelligence Services,
the archive does not save the BCWF username/password. To archive the BCWF
username and password, switch the data source back to Webfilter and save a
separate configuration file.

374
Section 3 Downloading the Content Filter Database
The dynamic nature of the Internet makes it impossible to categorize web content
in a static database. With the constant flow of new URLs, URLs of lesser-known
sites, and updated Web content, maintaining a current database presents a
challenge. To counter this challenge, the Advanced Secure Gateway appliance
supports frequent content filter database downloads.
For more information, see one of the following topics:
❐ "About Database Updates"
❐ "Downloading a Content Filter Database" on page 376
For more information about the Blue Coat WebFilter database, see "About Blue
Coat WebFilter and the WebPulse Service" on page 361.

About Database Updates

Blue Coat enables all customers with a valid content filtering license to schedule
automatic downloads of content filter databases. By default, automatic updates
are enabled; The Advanced Secure Gateway appliance checks for updates once in
every five minutes and downloads an incremental update when available.
After selecting your provider(s) of choice, you must enter the license information
and download the database(s) on the Advanced Secure Gateway appliance. You
can download a database on demand or schedule a periodic download using the
automatic download feature.
Typically, a complete database download occurs when you enable the provider
and add the license key for the first time. Thereafter, the Advanced Secure
Gateway appliance periodically checks the download server for updates to the
installed database. If the database is current, no download is performed.
When an update is available, it is automatically downloaded and applied. An
update provides the most current categorization of URLs and contains only the
changes between the current installed version and the latest published version of
the database, and hence is much smaller than a full copy of the database. In the
unlikely event that this conditional download fails, the Advanced Secure
Gateway appliance downloads the latest published version of the complete
database.

Note: By default, the Advanced Secure Gateway appliance checks for database
updates once in every five minutes. While you can schedule the time interval for
an automatic database update, the frequency of checks is not configurable.

Continue with "Downloading a Content Filter Database".

375
Advanced Secure Gateway Administration Guide

Downloading a Content Filter Database

This section discusses how to download the following content filter databases
through the Management Console:
❐ Blue Coat WebFilter (BCWF)
❐ Internet Watch Foundation (IWF)
❐ Proventia
❐ Optenet

Note: To download the Surfcontrol, I-Filter, or Intersafe databases, use the

Command Line Interface (CLI). Refer to the Command Line Interface Reference for a
list of commands.

For information about content filter updates, or if you are setting up the content
filter provider for the first time, see "About Database Updates" on page 375.

To download the content filter database:

1. If you are downloading the BCWF or IWF database, select the Configuration >
Content Filtering > Vendor_Name tab.
Alternatively, if you are downloading a third-party vendor database, select
the Configuration > Content Filtering >Third-Party Databases > Vendor_Name tab (this
example uses Optenet).

2. Download the database. Except for IWF, you must enter valid subscription
credentials to download the database. If the database has previously been
downloaded on a local Web server that requires authentication, you must
configure the Advanced Secure Gateway to use credentials that allow access
to the Web server, which hosts the content filter database.
a. Enter your username and password (required for BCWF, Proventia,
and Optenet).
b. (Optional) Click Change Password. The Change Password dialog
displays. Enter your password and click OK.

376
 c. The default database download location is displayed in the URL or
Server field. If you have been instructed to use a different URL, enter it
here.
d. (Optional) If you changed the URL for downloading the database, to
reset to the default location, click Set to default. The default download
location overwrites your modification.
e. Click Apply to save all your changes.
f. Click Download Now. The Download Status dialog displays.
g. Click Close to close the Download status dialog.
It may take several minutes for the database download to complete. When
the database has been downloaded, proceed to "Viewing the Status of a
Database Download".

Cancel a Database Download in Progress

(Introduced in 6.6.4) To stop any download of the content filtering database that is
currently in progress (including a download initiated from the CLI), click Cancel
Download. The console displays a “Canceling download” dialog. When the
download is canceled, the dialog message changes to “Download Canceled”.

Viewing the Status of a Database Download

When the database is downloaded, the download log includes detailed
information on the database.
If you have just configured content filtering and are downloading the database for
the first time, the Advanced Secure Gateway appliance downloads the latest
published version of the complete database. Subsequent database updates occur
incrementally.

To view the status of the download:

On the Configuration > Content Filter > Vendor_Name tab, click View Download Status. A
new browser window opens and displays the download log. For example:
Download log:
Optenet download at: 2015/09/13 17:25:52 +0000
Downloading from https://list.bluecoat.com/optenet/activity/
download/optenet.db
Warning: Unable to determine current database version; requesting
full update
Download size: 37032092
Database date: Thu, 10 Sep 2015 09:30:44 UTC
Database expires: Sat, 10 Oct 2015 09:30:44 UTC
Database version: 1629
Database format: 1.1

377
Advanced Secure Gateway Administration Guide

Expiry Date for the Database

A valid vendor subscription is required for updating your database. Each time a
database download is triggered manually or using the automatic download
feature, the validity of the database is reset.
When your license with the database vendor expires, you can no longer
download the latest version. The expiry of a database license does not have an
immediate effect on performing category lookups for the on-box categories. You
can continue to use the on-box database until the expiry of the database.
However, when the database expires, the category unlicensed is assigned to all
URLs and no lookups occur on the database.

Viewing the Available Categories or Testing the Category for a URL

For each content filter vendor whose database has been downloaded on the
Advanced Secure Gateway, you can view the list of categories available. This list
is relevant for creating policy that allows or restricts access to Web content and for
verifying the category that a URL matches against in the database.

To view the available categories for a content filter vendor:

1. Select the Configuration > Content Filtering > General tab.
2. Click View Categories. The list of categories displays in a new web page.

To verify the category assigned to a URL:

1. Select the Configuration > Content Filtering > General tab.
2. Enter the URL into URL.
3. Click Test. A new web page displays with the category that your chosen
vendor(s) has assigned to the URL. For example, the URL cnn.com is
categorized as follows:
Blue Coat: News/Media
Optenet: Press

Note: The maximum number of categories for any single URL is 16. If more than
16 categories are specified, the Advanced Secure Gateway appliance arbitrarily
matches against 16 out of the total number specified.

Testing the Application and Operation for a URL

If you are using BCWF for content filtering, you have the additional ability to
deny or allow access to certain web applications and/or operations; this is done
via policy—either using the VPM or CPL. If you want to find out the application
or operation name associated with a URL so that you can create policy to block or
allow it, you can do a URL test, as described below.

To determine the category, application, and operation associated with a URL:

1. Select the Configuration > Content Filtering > General tab.
2. Enter the URL into URL.

378
 3. Click Test. A new web page displays with the category, application, and
operation that BCWF has assigned to the URL. For example, the URL
facebook.com/video/upload_giver.php is categorized as follows:
Social Networking; Audio/Video Clips
Facebook
Upload Videos
The test results in this example indicate that the URL has two categories (Social
Networking and Audio/Video Clips), is the Facebook application, and is the
Upload Videos operation.
Note that not all URLs have applications and operations associated with them.
For URLs that BCWF has not assigned an application or operation, the test results
indicate none.
If you have a license, you can also test applications and operations using
Application Classification. See Section E: "Using Intelligence Services to Classify
Applications" on page 391 for information.

Setting the Memory Allocation

Note: The default memory allocation (normal) setting is ideal for most
deployments. This procedure is relevant only to specific deployments as detailed
below.

Content filtering databases can be very large and require significant resources to
process. It might be necessary to adjust the amount of memory allocated to the
database in the following situations:
❐ If you are not using ADN and have a high transaction rate for content filtering,
you can increase the memory allocation setting to High. This helps content
filtering run more efficiently.
❐ If you are using both ADN and content filtering but the transaction rate for
content filtering is not very high, you can reduce the memory allocation
setting to Low. This makes more resources available for ADN, allowing it to
support a larger number of concurrent connections.

To set the memory allocation for content filtering:

1. Select the Configuration > Content Filtering > General tab.
2. Select the memory allocation setting that works for your deployment: Low,
Normal, or High.

3. Click Apply.

379
Advanced Secure Gateway Administration Guide

Section C: Configuring Blue Coat WebFilter and WebPulse

This section describes how to modify the defaults for Blue Coat WebFilter,
customize your database update schedule, and modify the WebPulse service that
detects malware threats and controls real-time rating of client requests.

Important: BCWF requires a valid license. For information on licensing, see

Chapter 3: "Licensing" on page 57.

Configuring Blue Coat WebFilter

Blue Coat WebFilter is an on-box content filtering database that protects data and
users from network attacks. All Blue Coat WebFilter subscribers are a part of the
WebPulse cloud service, which continuously updates the on-box database. Blue
Coat WebFilter and WebPulse provide Dynamic Real-Time Rating, a technology
that can instantly categorize Web sites when a user attempts to access them.
The following sections describe making adjustments to the Blue Coat WebFilter
defaults:
❐ "Disabling Dynamic Categorization" on page 380
❐ "Specifying a Custom Time Period to Update Blue Coat WebFilter" on page
381
❐ "Configuring WebPulse Services" on page 382
❐ "Viewing Dynamic Categorization Status (CLI only)" on page 385

See Also
❐ "Supported Content Filter Providers" on page 361
❐ "About Private Information Sent to WebPulse" on page 368
❐ "Specifying a Blue Coat Data Source" on page 374

Disabling Dynamic Categorization

By default, when you enable and download the Blue Coat WebFilter database,
dynamic categorization in real time is available on the Advanced Secure Gateway
appliance.
To disable dynamic categorization:
1. Select Configuration > Content Filtering > Blue Coat. For information on enabling
and downloading Blue Coat WebFilter, see "Enabling a Content Filter
Provider" and "Downloading the Content Filter Database".

380
 2. Click the Real-time analysis link. The console displays the Configuration > Threat
Protection > WebPulse tab.

3. Clear Perform Dynamic Categorization. If you disable dynamic categorization,

proactive threat detection, content and reputation ratings are also disabled.
For information on dynamic categorization, see "About Dynamic
Categorization" on page 362. For information on performing dynamic
categorization in background mode, see "Configuring WebPulse Services" on
page 382.

Specifying a Custom Time Period to Update Blue Coat WebFilter

Database updates provide you with the most comprehensive and current URL
categories. The Advanced Secure Gateway appliance checks for database updates
in five minute intervals.
The automatic download setting is enabled by default, but you can disable this
feature if desired. You can customize the window of time at which the automatic
update happens, for example, you might specify automatic updates only between
the hours of 8 pm and 11 pm. The time frame is always local time. Note that the
frequency of updates within the specified time period is not configurable.

381
Advanced Secure Gateway Administration Guide

To specify a custom time period for updates:

1. Select the Configuration > Content Filtering > Blue Coat tab. The Automatically Check
for Updates option is selected by default.

2. Configure the options:

a. Select the Only between the hours of option. The time frame is local time.
b. Expand the drop-down lists, and set the time period for your update
schedule. For example, to check for updates between the hours of 7 pm
and midnight, set the first box to 19:00 and the second box to 23:59.
3. Click Apply.

Note: The update check frequency configuration is an available setting

in each of the supported content filter providers.

Configuring WebPulse Services

WebPulse is a cloud service that provides the off-box component of Blue Coat’s
complete content filtering solution. The WebPulse cloud service blocks malware
hosts, rates Web content and protects both Advanced Secure Gateway appliance
Web gateways and remote clients (ProxyClient and Unified Gateway). For more
information, see "About Blue Coat WebFilter and the WebPulse Service" on page
361. WebPulse is also used for real-time Threat Risk Level lookups; see
Chapter 20: "Analyzing the Threat Risk of a URL" on page 439.
This section describes how you can modify or disable dynamic categorization
settings and disable the malware feedback loop between the Blue Coat AV and the
Advanced Secure Gateway appliance.

382
To configure WebPulse services:
1. Select the Configuration > Threat Protection > WebPulse tab.

2. (Optional) To disable the WebPulse service, clear Enable WebPulse Service. If

you disable the WebPulse service, dynamic categorization and malware
feedback are also disabled. References to perform dynamic categorization in
policy are also disregarded. For information on the WebPulse service, see
"About Blue Coat WebFilter and the WebPulse Service" on page 361.
3. Verify that Blue Coat WebFilter is enabled as your content filter vendor and
confirm that the last download was completed within the previous 24-hour
interval.
4. (Optional) Select a forwarding host or a SOCKS gateway target. You cannot
select a forwarding host or group if you enabled secure connections in Step 4.
5. To modify the dynamic categorization mode, verify that the Perform Dynamic
Categorization option is selected and Blue Coat WebFilter is enabled. Then
choose one of the following options:

383
Advanced Secure Gateway Administration Guide

a. Immediately. This is the default categorization mode and is in real-time

— if the category of the request is not already known, the URL request
will wait for the WebPulse service to respond with the categorization
before proceeding. The advantage of real-time mode categorization is
that Blue Coat policy has access to the results, allowing policy
decisions to be made immediately after receiving all available
information.
b. In the background. In this mode when dynamic categorization is
triggered, the URL request continues to be serviced without waiting
for a response from the WebPulse service. The system category pending
is assigned to the request, indicating that the policy was evaluated
with potentially incomplete category information.
The result of the categorization response is entered into a categorization
cache. This cache ensures that any subsequent requests for the same or
similar URLs can be categorized quickly, without needing to query the
WebPulse cloud service again.

Note: If Blue Coat WebFilter license has expired and dynamic

categorization is enabled, the service enters a suspended state. For more
information, see "Dynamic Categorization States" on page 366.

c. (Optional) To disable dynamic categorization, clear the Perform Dynamic

Categorization checkbox.
If dynamic categorization is disabled, the Advanced Secure Gateway
appliance does not contact the WebPulse service when a category
match for a URL is not found in the on-box database.
However, you can use policy to enable conditional dynamic
categorization. For example, you could disable dynamic categorization
and block access to unrated sites for most users. Then, you create policy to
perform dynamic categorization of unrated sites for a specified user
group. By enabling conditional dynamic categorization, you can control
access to unrated content to a specified user group only and prevent
suspicious content from entering your network.
d. (Optional) Disable Malware Feedback. If you have an Advanced Secure
Gateway appliance integrated with the integrated Content Analysis
module for ICAP scanning and BCWF and WebPulse are enabled, and
it detects a malware threat, the appliance then issues a malware
notification to WebPulse to update the BCWF database.
When this option is disabled, the Advanced Secure Gateway appliance
does not notify WebPulse about malware URLs that Content Analysis
detects. However, you can use policy to override the default malware
feedback settings.
6. Click Apply.

384
Configuring Dynamic Categorization Requests for HTTP/HTTPS (CLI
only)
You can configure dynamic categorization requests for HTTP and HTTPS
transactions sent to WebPulse in the CLI.
To enable or disable sending HTTP header information to WebPulse, use the
following command:
SGOS#(config bluecoat) service send-request-info {enable | disable}
The setting is enabled by default. When enabled, WebPulse receives HTTP
headers with Referer, User-Agent, Content-Type, and Content-Length
information. When the setting is disabled, the Advanced Secure Gateway
appliance does not send any HTTP header information to WebPulse.
To specify the mode and amount of information sent to WebPulse for HTTPS
transactions, use the following command:
SGOS#(config bluecoat) service send-https-url {full | path | disable}
The following are parameters for the command:
• full — Send entire URL (domain, path, and query string).
• path — Send only the domain and path.
• disable — Do not send a rating request for HTTPS transactions.

Viewing Dynamic Categorization Status (CLI only)

The dynamic categorization feature has three states—enabled, disabled, and
suspended.
When enabled, the Advanced Secure Gateway appliance accesses the WebPulse
cloud service for categorizing a requested URL when it is not available in the Blue
Coat WebFilter database.
When disabled or suspended, the Advanced Secure Gateway appliance does not
access the WebPulse cloud service for categorizing a requested URL. The Blue
Coat WebFilter database is consulted for categorization and based on the policies
installed on the Advanced Secure Gateway appliance, the requested content is
served or denied.
Service suspension occurs when the installed database is over 30 days old. The
main reasons for service suspension are the expiration of Blue Coat WebFilter
download credentials or due to network problems in downloading the latest
database version. When the credentials are renewed or network problems are
resolved, the service returns to Enabled.
To view the dynamic categorization status, at the (config) prompt, enter the
following command:
# (config content-filter) view
Provider: Blue Coat
Dynamic Categorization:
Service: Enabled/Disabled/Suspended <---one state is displayed

385
Advanced Secure Gateway Administration Guide

See Also
❐ "Applying Policy to Categorized URLs"
❐ "More Policy Examples"
❐ "Defining Custom Categories in Policy"

Section D: Configuring Intelligence Services for Content Filtering

Intelligence Services is the default data source on the appliance, and aside from
Blue Coat WebFilter (BCWF), it is the only non- third-party on-box data source.
Before using Intelligence Services, make sure you have the following:
❐ A constant connection to Blue Coat servers to maintain license validity and
download regular database updates.
❐ A valid license for the Intelligence Services bundles that include the data feeds
you want to use. If you enable the feature but do not have a valid license, you
will be unable to download the Intelligence Services database.

Note: You can switch to the BCWF database; see "Specifying a Blue Coat Data
Source" on page 374. To configure BCWF, refer to "About Blue Coat WebFilter and
the WebPulse Service" on page 361.

Prerequisites for Using Intelligence Services

Before you use Intelligence Services for content filtering:
❐ If it isn’t already set, make sure that Intelligence Services is the data source
(see "Specifying a Blue Coat Data Source" on page 374). Then, the appliance
can perform categorization using the Intelligence Services database.
In addition, you can download a new version of the database when required,
and also check the feature’s health status. See the following sections for
information.
❐ Verify that your subscribed bundles are listed in the Management Console.
"Verify Subscribed Bundles" on page 387.

386
Verify Subscribed Bundles
After you verify requirements, make sure your subscribed bundles appear in the
appliance Management Console as expected. Verify that your Intelligence
Services bundles are correct and valid.
1. In the Management Console, select Maintenance > Licensing > View.
2. In the Intelligence Services Bundles section, look for the names of your
subscribed bundles and their expiration dates.

Any feeds that are part of multiple subscribed bundles are listed under each
bundle.

Configure Intelligence Services

To configure Intelligence Services for content filtering, refer to the following
sections.

Description Reference

Information about dynamic "Dynamic Categorization" on page 387

categorization.

If needed, download a new version of the "Download a New Version of the

database. Database" on page 388

Monitor the Content Filter health status. "Monitor Content Filter Health Status"
on page 388

Dynamic Categorization
By default, when you set Intelligence Services as the data source and download
the database, dynamic categorization in real time is enabled on the appliance.
To disable dynamic categorization, select Configuration > Content Filtering > Blue Coat
and click the Enabled link beside Real-time analysis. The console displays the
Configuration > Threat Protection > WebPulse tab. Then, clear the Perform Dynamic
Categorization option.
For information on the other settings on this tab, refer to"Configuring WebPulse
Services" on page 382.

387
Advanced Secure Gateway Administration Guide

Download a New Version of the Database

You can download a new version of the database when needed.
1. In the Management Console, select Configuration > Content Filtering > Blue Coat.
2. Click Download Now. The database download starts in the background; when it
is complete, the tab displays the status of the download.
You can also click View Download Status to view the status of the download.

Monitor Content Filter Health Status

You can configure the appliance to notify you when the Content Filter license is
about to expire.
❐ Critical threshold (default is 0 days before expiration)
❐ Warning threshold (default is 30 days before expiration)
When the appliance enters a Critical or Warning state, the Management Console
banner displays the status in red. When you renew the license, the status returns
to a green OK.
For errors related to Intelligence Services health, see "Troubleshoot Health
Monitoring Errors" on page 389.

View the License Status

Display the license status.
1. In the Management Console, select Statistics > Health Monitoring > Licensing.
2. In the Metric column, look for Content Filter Expiration.
If there are no errors with the license, the Value displays the number of days
left and the State is OK.

View the Subscription Status

Display the health monitoring status.
1. In the Management Console, select Statistics > Health Monitoring > Subscription.
2. In the Metric column, look for Content Filter Expiration.
If there are no errors with the server, the Value is No update errors and the State is
OK.

Note: You can set a notification method, or disable notification, for all subscribed
services at once; select Maintenance > Health Monitoring > Subscription.

Set Subscription Thresholds and Notifications

Change the default thresholds and specify how you want to receive notifications
when the license reaches each threshold.
1. In the Management Console, select Maintenance > Health Monitoring > Licensing.

388
 2. In the License column, select Content Filter Expiration. Then, click Edit. The
console displays an Edit Health Monitor Settings dialog.
3. In the dialog, specify the Critical Threshold and the Warning Threshold.
4. Specify the Notification method(s): Log, Trap, or Email.

Troubleshoot Health Monitoring Errors

The Management Console could display the following Health Monitoring errors.
Some errors could occur due to an invalid license or impending license expiration;
to check the license status, see"View the License Status" on page 388.

Note: If you have selected BCWF as the data source, the Health Monitoring >
Subscription tab displays a BlueCoat WebFilter Communication Status metric even
if you do not use BCWF as a content filter. In this case, the metric represents the
Application Classification health only, not BCWF as a content filter provider. See
Section E: "Using Intelligence Services to Classify Applications" on page 391 for
information on Application Classification.

"Content Filter failed on initial download”

The appliance’s initial attempt to download the database failed.
If you see this error, investigate possible connectivity and network issues and
check the license expiration date. The appliance also displays this error message if
you select Intelligence Services for content filtering without a valid license.

"Content Filter has x update errors"

The appliance failed to download the database the specified number of times.
If you see this error, investigate possible connectivity and network issues and
check the license expiration date.

389
Advanced Secure Gateway Administration Guide

"Content Filter Expiration"

The specified license is expiring soon (if the State is Warning) or expired (if the
State is Critical).

390
Section E: Using Intelligence Services to Classify Applications
The Application Classification service uses the Intelligence Services database.
Before you can use the feature:
❐ Make sure that Intelligence Services is set as the data source. See "Specifying a
Blue Coat Data Source" on page 374.
❐ Ensure that your license is valid. See "View the License Status" on page 388.
After enabling the feature, you can review applications and operations for web
pages. As of , you can review the attributes associated with a web application. In
addition, you can download new database versions when required, and also
check the feature’s health status. See the following sections for information.

Description Reference

Enable Application Classification. "Enable Application Classification" on

page 391

Review a web site’s application and "Review Applications and

operation. Operations" on page 392

(Introduced in ) Review a web "Review Application Attributes" on

application’s attributes. page 394

If needed, download a new version of the "Download a New Version of the

Intelligence Services database. Application Classification Database"
on page 394

Monitor Application Classification health "Monitor Application Classification

status. and Application Attributes Health
Status" on page 398

Enable Application Classification

Before you can use Intelligence Services to classify applications or related policy,
you must enable the feature on the appliance.

Note: You have the option of using either BCWF or the Intelligence Services
categorization data feed for content filtering. When content filtering is enabled
(Content Filtering > General > Blue Coat), the appliance uses whatever data source is
selected as the non-third-party on-box content filtering database for Application
Classification.

1. In the Management Console, select Configuration > Application Classification >

General > General.

391
Advanced Secure Gateway Administration Guide

2. On the General tab, select Enable Blue Coat Application Classification on this device.

3. Click Apply. The appliance attempts to download the database for the first
time.
The service will automatically check for and download updates if:
• the service is enabled
• an Internet connection exists

Note: To disable this service, make sure that Application Attributes (introduced
in version 6.6.4) is disabled. For details, see "Enable Application Attributes" on
page 395.

What if the initial download is not successful?

If you receive a download error and the Management Console banner displays
Critical shortly after you click Apply, the download might have failed. To confirm if
this is the case, select Statistics > Health Monitoring > Subscription and look for the
status “App Classification failed on initial download”. See "Troubleshoot Health
Monitoring Errors" on page 389 for more information.

Note: A Critical error occurs if the initial download attempt fails. After the
database downloads successfully, the service periodically checks for a newer
version of the database. If several update checks fail to connect to Blue Coat, a
Warning error occurs in Health Monitoring until the failure is corrected.

Review Applications and Operations

Use the Application Classification feature to review the applications and
operations for a web page.

392
Look up the Application and Operation for a URL
Determine which application and operation exist for a specific web page.
1. In the Management Console, select Configuration > Application Classification >
General > General.

2. On the General tab, in the Classification Lookup section, enter a URL in the URL
field and click Lookup.
The console displays the lookup results. Refer to Table 18–2, "Classification
Lookup Results" to determine what the messages mean.

3. (Optional) View the list of supported applications and operations in the

downloaded database.
• Click the View Application List link to display the list of applications in a new
browser window.
• Click the View Operation List link to display the list of operations in a new
browser window.

Table 18–2 Classification Lookup Results

Message Text Meaning

Application: <application_name> The URL is associated with the specified
application.
(Introduced in version 6.6.4) To obtain
more detailed information about the
application, see "Review Application
Attributes" on page 394.
Application: None The URL is not associated with any
application.
Operation: <operation_name> The URL is associated with the specified
operation.
Operation: None The URL is not associated with any
operation.

393
Advanced Secure Gateway Administration Guide

Note: You can also use BCWF to review the applications and operations for a
URL. See "Testing the Application and Operation for a URL" on page 378.

Download a New Version of the Application Classification Database

You can download a new version of the database when needed.
1. In the Management Console, select Configuration > Application Classification >
General > Download.

2. Click Download Now.

When the download starts, the console displays a “Download is in progress”
message.
You can also click Refresh or Refresh Status to view the status of the download.

Cancel a Database Download in Progress

(Introduced in 6.6.4) To cancel any download of the Application Classification
database that is currently in progress (including a download initiated from the
CLI), click Cancel in the Download Options section on Configuration > Application
Classification > General > Download. The console displays a “Canceling download”
dialog. When the download is canceled, the dialog message changes to
“Download Canceled”.

Review Application Attributes

(Introduced in version 6.6.4) You can find out more information about a web
application by looking at the attributes and their values. Attributes can provide
insight into a web application and its governance, risk management, and
compliance.
To use the Application Attributes feature, you must have a valid Application
Classification subscription, included in an Intelligence Services bundle, that
includes attributes.

394
Enable Application Attributes
Before enabling Application Attributes, verify that Application Classification is
enabled. For details, see "Enable Application Classification" on page 391.
1. In the Management Console, select Configuration > Application Classification >
Attributes > Attributes.

2. On the Attributes tab, select Enable Blue Coat Application Attributes on this device.
3. Click Apply. The appliance attempts to download the database for the first
time.
The service will automatically check for and download updates if:
• the service is enabled
• an Internet connection exists

Note: You must disable Application Attributes before attempting to disable

Application Classification.

What if the initial download is not successful?

If you receive a download error and the Management Console banner displays
Critical shortly after you click Apply, the download might have failed. To confirm if
this is the case, select Statistics > Health Monitoring > Subscription and look for an error
status for Application Attributes Communication Status. See "Troubleshoot
Health Monitoring Errors" on page 389 for more information.
A Critical error occurs if the initial download attempt fails. After the database
downloads successfully, the service periodically checks for a newer version of the
database. If several update checks fail to connect to Blue Coat, a Warning error
occurs in Health Monitoring until the failure is corrected.

Look up Attributes for an Application

Determine which attributes exist for a web application.
1. In the Management Console, select Configuration > Application Classification >
Attributes > Attributes.

2. On the Attributes tab, in the Attribute Lookup section, select an application from
the Application menu.
3. From the Attribute menu, select an attribute. The attributes that are available
depend on the application you selected in the previous step.
4. Click Lookup.

395
Advanced Secure Gateway Administration Guide

The console displays the lookup results. Look for details beside Value.

Note: The values 0 and 1 might represent No and Yes, respectively.

5. (Optional) To view the complete list of application attributes, click View

Attributes List. The list opens in a separate browser window.

Note: The attribute Overall Risk Level is not related to the Web Application
Firewall risk score policy or Threat Risk Levels (an Intelligence Services feed). For
details on risk score policy, refer to the Content Policy Language Reference. For
details on Threat Risk Levels, see "Analyzing the Threat Risk of a URL" on page
439.

Example of Looking up Application Attributes

In the following example, you want to find out more information about the URL
weibo.com.
1. Use the Application Classification feature to look up the applications and
operations for weibo.com. See "Review Applications and Operations" on page
392.
For weibo.com, the console displays:
Application: Weibo
Operation: none

2. Select Configuration > Application Classification > Attributes > Attributes.

3. From the Application menu, select Weibo.
4. From the Attribute menu, select an attribute and then click Lookup. The
following are examples of attributes and their values for Weibo:
• Application Description: Sina Weibo is a Chinese microblogging platform.
• Authentication Types: Form-based
• Encrypted Data at Rest: 1

396
 • Overall Risk Level: 5
• Strong Authentication: 0
Based on the attribute details, you can write policy to intercept, control, and
log requests to weibo.com as needed.

Note: You must replace all spaces and punctuation in attribute names with
underscores in CPL, but use no more than one underscore in a row. For example,
specify the Admin Audit attribute as Admin_Audit, and specify the Valid & Trusted
Server Certificates attribute as Valid_Trusted_Server_Certificates.

You can verify how to specify an attribute by selecting it in the Application Attributes
VPM object and viewing the generated CPL. For details on this VPM object, refer
to the Visual Policy Manager Reference.

Download a New Version of the Application Attributes Database

When you enable the service, the appliance downloads the current database
automatically; however, you can manually download a new version of the
database when needed.
1. In the Management Console, select Configuration > Application Classification >
Attributes > Download.

2. Click Download Now. The database download starts in the background; when it
is complete, the tab displays the status of the download.
You can also click Refresh to view the status of the download.

Cancel a Database Download in Progress

(Introduced in 6.6.4) To cancel any download of the Application Attributes
database that is currently in progress (including a download initiated from the
CLI), click Cancel in the Download Options section on Configuration > Application
Classification > Attributes > Download. The console displays a “Canceling download”
dialog. When the download is canceled, the dialog message changes to
“Download Canceled”.

397
Advanced Secure Gateway Administration Guide

Monitor Application Classification and Application Attributes Health

Status
You can configure the appliance to notify you when the Application Classification
or Application Attributes license is about to expire.
❐ Critical threshold (default is 0 days before expiration)
❐ Warning threshold (default is 30 days before expiration)
When the appliance enters a Critical or Warning state, the Management Console
banner displays the status in red. When you renew the license, the status returns
to a green OK.
For errors related to Application Classification or Application Attributes health,
see "Troubleshoot Health Monitoring Errors" on page 389.

View the License Status

Display the license status.
1. In the Management Console, select Statistics > Health Monitoring > Licensing.
2. In the Metric column, look for Application Classification Expiration or Application
Attributes Expiration.

If there are no errors with the license, the Value displays the number of days
left and the State is OK.

View the Subscription Status

Display the health monitoring status.
1. In the Management Console, select Statistics > Health Monitoring > Subscription.
2. In the Metric column, look for Application Classification Communication Status or
Application Attributes Expiration.

If there are no errors with the server, the Value is No update errors and the State is
OK.

Note: You can set a notification method, or disable notification, for all subscribed
services at once in the CLI using the #(config) alert notification subscription
communication-status command.

398
Section F: Configuring a Local Database
The following sections describe how to select and refer to a local database and
how to schedule the database update schedule:
❐ "About the Local Database"
❐ "Creating a Local Database"
❐ "Selecting and Downloading the Local Database"

About the Local Database

Two main reasons to use a local database instead of a policy file for defining
categories are:
❐ A local database is more efficient than policy if you have a large number of
URLs.
❐ A local database separates administration of categories from policy. This
separation is useful for three reasons:
• It allows different individuals or groups to be responsible for
administrating the local database and policy.
• It keeps the policy file from getting cluttered.
• It allows the local database to share categories across multiple boxes that
have different policy.
However, some restrictions apply to a local database that do not apply to policy
definitions:
❐ No more than 200 separate categories are allowed.
❐ Category names must be 32 characters or less.
❐ A given URL pattern can appear in no more than four category definitions.
❐ The local database produces only the most specific URL match and returns a
single category.
The same policy syntax will produce a different match. If more that one
category is provided, policy processing may match more than one category
and hence will return more than one category. See "Local Database Matching
Example" on page 400 for more information.
You can use any combination of the local database, policy files, or the VPM to
manage your category definitions. See "Applying Policy to Categorized URLs" on
page 410 for more information. You can also use both a local database and a third-
party vendor for your content filtering needs.

Note: Blue Coat recommends locating your local database on the same server as
any policy files you are using.

399
Advanced Secure Gateway Administration Guide

Local Database Matching Example

As noted above, the local database produces only the most specific URL match
and returns a single category. Consider the following examples.

Local Database Example

Consider the following syntax.
define category no_detect_protocol
mail.google.com
end

define category google

google.com
end
Local database result:
https://<proxy>:8082/ContentFilter/TestUrl/mail.google.com/
Local: no_detect_protocol
Blue Coat: Mail
Gmail
none

Policy Example
This example uses the same syntax as the local database example.
<proxy>
ALLOW

define category no_detect_protocol

mail.google.com
end

define category google

google.com
end
Policy Result:
https://<proxy>:8082/ContentFilter/TestUrl/mail.google.com/
Policy: no_detect_protocol; google
Blue Coat: Mail, Search Engine
Gmail
none
As shown, policy returns both categories; whereas, the local database returns only
the URL match.

400
Creating a Local Database
The local database is a text file that must be located on a web server that is
accessible by the Advanced Secure Gateway appliance on which you want it
configured. You cannot upload the local database from a local file.
The local database file allows define category statements only.

To create a local database:

1. Create a text file in the following format:
define category <category-name>
url1
url2
urln
end
define category <category-name>
url1
url2
urln
end

Each category can have an unlimited number of URLs.

For example,
define category bluecoat_allowed
bluecoat.com
symantec.com
yahoo.com
microsoft.com
sophos.com
end
define category bluecoat_denied
www.playboy.com
www.hacking.com
www.sex.com
www.poker.com
'[2607:F330:8500:220::195]'
'216.139.0.95'
end

2. Upload the text file to a Web server that the Advanced Secure Gateway
appliance can access.
3. Continue with "Selecting and Downloading the Local Database".

401
Advanced Secure Gateway Administration Guide

Section 4 Selecting and Downloading the Local Database

This section discusses how to select a local database to serve your content filtering
needs. To create the local database, see "Creating a Local Database" on page 401.

To configure local database content filtering:

1. Select the Configuration > Content Filtering > General tab.

2. Select Local Database.

3. Select the Lookup Mode:
a. The default is Always, which specifies that the Local database is always
consulted for category information.
b. Uncategorized specifies that the lookup is skipped if the URL has
already been found in policy.
4. Click Apply.
5. Select the Configuration > Content Filtering > Local Database tab.
6. If the database is located on a server that requires a password for access, you
must configure the Advanced Secure Gateway appliance to use that password
when accessing the database:
a. Click Change Password. The Management Console displays the Change
Password dialog.
b. Enter your password and click OK.
7. Download the database:
a. In the URL field, enter the location of the file to be downloaded.

402
 b. Click Download Now. The Management Console displays the Download
Status dialog.

c. Click Close to close the Download status dialog.

d. Click View Download Status. A new browser window opens and displays
the Download log. For example:
Download log:
Local database download at: 2008/08/11 17:40:42-0400
Downloading from ftp://1.1.1.1/list-1000000-cat.txt
Download size: 16274465
Database date: Sat, 09 Aug 2008 08:11:51 UTC
Total URL patterns: 1000000
Total categories: 10

8. Click Apply.

Note: Incremental updates are not available for the local database.

See Also
❐ "Applying Policy"
❐ "Applying Policy to Categorized URLs"
❐ "More Policy Examples"
❐ "Defining Custom Categories in Policy"

403
Advanced Secure Gateway Administration Guide

Section G: Configuring Internet Watch Foundation

The Internet Watch Foundation (IWF) is a non-profit organization that provides
enterprises with a list of known child pornography URLs. The IWF database
features a single category called IWF-Restricted, which is detectable and blockable
using policy. IWF can be enabled along with other content filtering services. For
information on IWF, visit their website at http://www.iwf.org.uk
For information on enabling the IWF database, see "Setting up a Web Content
Filter" on page 372.
To download the IWF database, see "Downloading a Content Filter Database" on
page 376.

See Also
❐ "Applying Policy"
❐ "Applying Policy to Categorized URLs"
❐ "More Policy Examples"
❐ "Defining Custom Categories in Policy"

Section H: Configuring a Third-Party Vendor

The third-party vendors supported on the Advanced Secure Gateway appliance
are Internet Watch Foundation (IWF), Optenet, and Proventia. Only IWF can be
configured using the Management Console; you must use the CLI to configure
Optenet and Proventia.
The third-party vendor configuration tasks are identical and are covered in
"Setting up a Web Content Filter".

See Also
❐ "Applying Policy"
❐ "Applying Policy to Categorized URLs"
❐ "Defining Custom Categories in Policy"

404
Section I: About Blue Coat Categories for YouTube
The appliance recognizes three types of YouTube URLs. The effectiveness of
policy and coaching pages differs amongst the different URL types. Refer to the
following table.
URL Type Example(s) of User Action Deny Coaching
policy page
works works

YouTube User plays a video at Yes Yes

homepage www.youtube.com within a desktop
web browser.
The URL starts with:
http://www.youtube.com/watch?v=

YouTube User plays a video at Yes Yes

mobile www.youtube.com within a mobile
website web browser (the URL redirects to
http://m.youtube.com/index).
The URL starts with:
http://m.youtube.com/watch?v=

Embedded in User plays a video that has been Yes. The Yes. The
an <iframe> embedded in a blog post. deny page coaching
The URL could start with: is confined page is
within the confined
http://www.youtube.com/embed/
<iframe>. within the
<iframe>.

Video User plays a YouTube playlist within a Yes. The No

transport desktop web browser. user may
The URL could start with: see an error
message
*.c.youtube.com/videoplayback?
for the
blocked
video.

Note: This feature is provided on an "as-is" basis. Blue Coat has no control of,
and is not responsible for, information and content provided (or not) by YouTube.
Customer is required to apply and use its own API key in order to activate this
feature, and therefore obligated to comply with all terms of use regarding the
foregoing (for example, see https://developers.google.com/youtube/terms),
including quotas, restrictions and limits on use that may be imposed by YouTube.
Blue Coat shall not be liable for any change, discontinuance, availability or
functionality of the features described herein.

For information on implementing coaching pages, refer to the “Notify User”

action in Visual Policy Manager Reference and Advanced Policy Tasks.

405
Advanced Secure Gateway Administration Guide

The list of categories is static. In the Visual Policy Manager, you can view the
categories in the category list (Configuration > Edit Categories) and in the Request
URL Category object, but you cannot add, rename, edit, or remove them.

Setting the YouTube Server Key

Before you can enable YouTube as a provider, you must obtain an API server key
and set it on the Advanced Secure Gateway appliance. For instructions, refer to
the following Blue Coat Knowledge Base article:
https://bluecoat.force.com/knowledgebase/articles/Solution/000023564
After you set the server key, select YouTube in the Management Console at
Configuration > Content Filtering > General.

Distinguishing Blue Coat Categories for YouTube in the Access Log

If the feature is enabled and categories are selected, and if you use an extended
log file format (ELFF) for access logs, you can use the existing category access-log
field to report on specified categories; however, the categories will be logged
without the provider name. In addition, some categories share names with Blue
Coat categories, such as Entertainment.
To distinguish between Blue Coat-defined categories and Blue Coat categories for
YouTube in the access log, specify the ELFF field cs-categories-qualified. This
field provides a list of all content categories of the request URL, qualified by the
provider. For example, traffic matching YouTube’s Entertainment category would
be logged as Entertainment@YouTube.
For information on access log formats, see Chapter 30: "Access Log Formats" on
page 671.

406
Section J: Using Quotas to Limit Internet Access
You can limit user access to the Internet by creating policy for:
❐ Time quotas: Limit the amount of time that users can spend on the Internet or
Internet resource during a specific period of time
❐ Volume quotas: Limit users’ Internet or Internet resource usage during a
specific period of time
To create time and volume quotas, use the Time Quota and Volume Quota objects in
the VPM instead of writing policy in Content Policy Language (CPL). For detailed
information on the quota objects, refer to the Visual Policy Manager Reference.

Note: Before you can install quota policy, you must enable the quota library in
the CLI. Issue the following command:
#(config)policy quota

Scenario: Limit a User’s Daily Access to YouTube Videos

You want to restrict a user’s access to YouTube videos to 30 minutes a day within
a specified period of time. Create the following policy:
1. In the Management Console, select Configuration > Policy > Visual Policy Manager
and click Launch.
2. In the VPM, add a new Web Access Layer (Policy > Add Web Access Layer).
3. Create a rule with the following settings:
a. In the Source column, set the User object. Specify the user,
authentication realm, and full name (if applicable). Click OK.
b. In the Destination column, set the Request URL Application object. Select
YouTube and click OK.
c. In the Service column, leave the selection as Any.
d. In the Time column, set the Time object. In the Between section, specify
the hours 09:00 and 13:00. Click OK.
e. In the Action column, set the Time Quota object. For the Quota period,
select Daily. For the Quota amount, select 30 for Min.
To present an exception page when the user reaches 75% of the quota
(about 20 minutes), select 75% under Warning threshold.
4. Install the policy.

407
Advanced Secure Gateway Administration Guide

Scenario: Limit a User’s Weekly Data Usage

You want to restrict a user’s data usage (sent and received) to 6000 MB a week.
Create the following policy:
1. In the Management Console, select Configuration > Policy > Visual Policy Manager
and click Launch.
2. In the VPM, add a new Web Access Layer (Policy > Add Web Access Layer).
3. Create a rule with the following settings:
a. In the Source column, set the User object. Specify the user,
authentication realm, and full name (if applicable). Click OK.
b. In the Destination column, leave the selection as Any.
c. In the Service column, leave the selection as Any.
d. In the Action column, set the Volume Quota object. For the Quota period,
select Weekly. For the Quota amount, enter 6000 for MB.
To present an exception page when the user reaches 75% of the quota
(about 4500 MB), select 75% under Warning threshold. Click OK.
4. Install the policy.

View Quota Statistics

You can view time and volume quota statistics for an authenticated user or client
IP address.
1. In a web browser, access the appropriate URL, where <IP_address:port> is the
IP address and port number of the Advanced Secure Gateway Management
Console:
• https://IP_address:port/quota/time/view

Display time quota statistics.

• https://IP_address:port/quota/volume/view

Display volume quota statistics.

2. In the Quota Name field, enter/select the name of the quota you want to view.
3. For the Quota Period, select the period for which you want to view statistics.
4. For Username, enter the Username or IP address.
5. Click View Quota. The page displays statistics for the quota, period, and user
you selected.

Examples of Quota Statistics

The Time Quota page (https://<IP_address:port>/quota/time/view) displays the
following details:
Current quota consumption for user '<username_or_IP_address>':
x minutes.

408
 The Volume Quota page (https://<IP_address:port>/quota/volume/view)
displays the following details:
Current quota consumption for user '<username_or_IP_address>':
x bytes.

Note: Be sure to enter the correct quota name and username/IP address. The
appliance does not validate your entries, and if you enter names/addresses that
do not exist, the page displays a quota consumption of 0 minutes/bytes.

Reset Usage Quotas

You can reset time and volume quota usage for an authenticated user or client IP
address, or reset all quotas.
1. In a web browser, access the appropriate URL, where <IP_address:port> is the
IP address and port number of the Advanced Secure Gateway Management
Console:
• https://IP_address:port/quota/time/reset

Reset time usage quota.

• https://IP_address:port/quota/volume/reset

Reset volume usage quota.

2. In the Quota Name field, enter/select the name of the quota you want to reset.
Alternatively, to reset all quotas, go to step 6.
3. For the Quota Period, select the period for which you want to reset quota usage.
4. For Username, enter the Username or IP address.

Note: Be sure to enter the correct quota name and username/IP address.
The appliance does not validate your entries.

5. Click Reset Quota. The page displays the message:

Current quota consumption for user '<username_or_IP_address>’ has been
reset to 0 minute.
Current quota consumption for user '<username_or_IP_address>’ has been
reset to 0 byte.

6. To reset the usage for all time/volume quotas, click the Reset all time/volume
quotas link. The page displays one of the following confirmation messages:
All time quota consumption has been reset to 0 minute.
All volume quota consumption has been reset to 0 byte.

409
Advanced Secure Gateway Administration Guide

Section K: Applying Policy

Even if you have enabled and downloaded a content filtering database on the
Advanced Secure Gateway appliance, you cannot regulate access to web content
until you create and install policy. This section discusses the interaction between
content filtering categories and applications, and the creation and application of
control policies.
Policy allows you to configure a set of rules that are used to filter web content for
HTTP, HTTPS, FTP, MMS and IM protocols. After you create and install policy on
the Advanced Secure Gateway appliance, every incoming client request is
checked to determine if a rule matches the requested content. If a rule matches the
request, the Advanced Secure Gateway appliance uses the action specified in the
rule to handle the incoming request.

Note: A URL can belong to a maximum of 16 categories. If a URL is assigned to

more than 16 categories, the policy rules that you define will not apply for the
additional categories.

Applying Policy to Categorized URLs

Policy rules are created to restrict, allow, and track Web access. Every content filter
database provides pre-defined categories that you can reference in policy to create
rules.
The examples in this section are created using the Visual Policy Manager (VPM)
in the Advanced Secure Gateway. For composing policy using the Content Policy
Language (CPL), refer to the Blue Coat Content Policy Language Guide.
The VPM layers that are relevant for configuring content filtering policy are:
❐ Web Authentication Layer (<Proxy> Layer in CPL)—Determines whether users
must authenticate to the Advanced Secure Gateway appliance for accessing
web content. If your content filtering policy is dependent on user identity or
request characteristics, use this layer.
❐ Web Content Layer (<Cache> Layer in CPL)—Determines caching behavior,
such as verification and ICAP redirection. If you are using content filtering to
manage a type of content globally, create these rules in this layer.
❐ Web Access Layer (<Proxy> Layer in CPL)—Determines access privileges and
restrictions for users when they access web content.
❐ SSL Access Layer (<SSL> Layer in CPL)—Determines the allow or deny actions
for HTTPS traffic.

Creating a Blacklist
If your default proxy policy is set to allow and you would like to block users
access to certain categories, you must create policy to block all requests for the
categories that you wish to restrict access in your network.

410
In this example, Sports/Recreation, Gambling, and Shopping categories are blocked
with a single rule and a predefined exception page content_filter_denied is
served to the user. This exception page informs the user that the request was
denied because the requested content belongs to a category that is blocked.

To create a blacklist using VPM:

1. Select the Configuration > Policy > Policy Options tab.

2. Verify that the Default Proxy Policy option is set to Allow.

411
Advanced Secure Gateway Administration Guide

3. Access the VPM (Configuration > Policy > Visual Policy Manager).
.

4a

4c

4b

4. Add a rule in a Web Access Layer:

a. In the Destination column, right click and select Set. The Set Destination
Object dialog displays.

b. In the Set Destination Object dialog, click New > Request URL Category. The
Add Request URL Category Object dialog displays.

c. Expand the list of categories for your content filter database in the
Categories list.

412
5. Select the categories to block and click OK. This example blocks Shopping,
Gambling and Sports/Recreation categories.

6. Set the action for blocking the categories In the Action column, right click and
select Deny or Deny Content Filter.
• Deny—Denies the user request without providing an denial explanation.
• Deny Content Filter—Denies the user access to the requested content and
describes that the request was denied because it belongs to a category
blocked by organizational policy.

Configuring Authentication-Based Access Privileges

Prerequisite: To configure access privileges using authentication, authentications
realms must be configured on the Advanced Secure Gateway appliance.
Authentication realms allow you to create policy to exempt certain users or
groups from accessing specified content while allowing access to specific
individuals or groups.
The following example illustrates how to restrict software downloads to users in
the IT group only. The default proxy policy in this example is Allow.

Note: While the following example blocks most downloads, it will not prevent all
web downloads. For example, compressed and encrypted files, server side scripts
and webmail attachments are not detected.

1. Add a rule in a Web Authentication Layer to authenticate users before granting

access to web content. This policy layer prompts the user for authentication:

413
Advanced Secure Gateway Administration Guide

a. In the Action column, right click and select Set. The VPM displays the
Set Action Object dialog.

b. In the Set Action Object dialog, click New > Authenticate. The VPM
displays the Add Authenticate Object dialog. Select the authentication
mode and realm.
c. Click OK to save your changes and exit.
2. Add a rule in a Web Access Layer to restrict access to downloads by file
extension and by Apparent Data Type of the content:
a. In the Destination column, right click and select Set. The VPM displays
the Set Destination Object dialog.

414
 b. In the Set Destination Object dialog, click New > File Extensions. The VPM
displays the Add File Extension Object dialog.

2c

c. In the Known Extensions field, Find and Add .exe files. Click OK.

415
Advanced Secure Gateway Administration Guide

d. Remaining in the Set Destination Object dialog, select New > Apparent
Data Type. Select the apparent data types that includes Windows
executables and Windows Cabinet files. Click OK.

e. Combine the two rules using a combined object. In the Set Destination
Object dialog, select New > Combined Destination Object and add the file
extensions and the apparent data type rule created above. Click OK

3. See the Action to Deny

4. Exempt IT group users.
a. Select the source field and click New > Group. Browse for the IT user
group and click OK.
b. Right-click the source field in this rule and click Negate.
This rule prevents all users, except for those in the Active Directory group IT, from
downloading executables and CAB files.

416
Creating a Whitelist
If the default policy on the Advanced Secure Gateway appliance is set to deny,
you must create a whitelist to permit web access to users. Whitelists require
constant maintenance to be effective. Unless your enterprise web access policy is
very restrictive, Blue Coat recommends setting the default policy to allow. The
default policy of allow keeps the help desk activity less hectic when managing
web access policies.

To create a whitelist using VPM:

1. Select the Configuration > Policy > Policy Options tab.

2. Verify that the Default Proxy Policy is Deny.

3. Add a rule in a Web Access Layer:

a. In the Destination column, right click and select Set. The VPM displays
the Set Destination Object dialog displays.
b. In the Set Destination Object dialog, click New > Request URL Category. The
VPM displays the Add Request URL Category Object dialog.

417
Advanced Secure Gateway Administration Guide

c. Expand the list of categories for your content filter database in the
Categories list.

4. Select the categories to allow and click OK. This example allows Business/
Economy and the Computers/Information Security categories. Click OK to close
each dialog.

5. Set the action for blocking the categories In the Action column, right-click and
select Allow.

418
Creating Policy to Log Access to Specific Content
To monitor web content requests from users in the network, you can record
information in the Advanced Secure Gateway appliance event log. For example,
you can create policy to allow or deny access to a category and record users who
attempt to access the specified category. The following example, illustrates how to
use policy to track users who access the Adult/Mature Content category.

To log web content access in an event log:

1. Add a rule in a Web Access Layer:

a. In the Destination column, right-click and select Set. The VPM displays
the Set Destination Object dialog.
b. In the Set Destination Object dialog, click New > Request URL Category. The
VPM displays the Add Request URL Category Object dialog.
c. Expand the list of categories for your content filter database in the
Categories list.

419
Advanced Secure Gateway Administration Guide

d. Select the categories to monitor and click OK. This example tracks
access of Adult/Mature Content.

2. Select the information to be logged. This example logs information on the

username, domain and IP address.
a. In the Web Access Layer, select the Track column, right-click, and select
New > Event Log.

b. Select from the list of Substitution Variables to log specific details about
the URL or the USER and click OK. For information on substitution
variables, refer to the Visual Policy Manager Reference.

Creating Policy When Category Information is Unavailable

An attempt to categorize a URL fails if no database is downloaded, your license is
expired, or if a system error occurs. In such a case, the category is considered
unavailable and triggers to block a category are not operative because the
Advanced Secure Gateway is unable to determine the category. When the policy
depends on the category of a URL, you do not want such errors to inadvertently
allow ordinarily restricted content to be served by the Advanced Secure Gateway
appliance.
The category unlicensed is assigned in addition to unavailable when the failure
to categorize occurred because of license expiry. This can be caused by the
expiration of your Blue Coat license to use content filtering, or because of
expiration of your license from the provider.

420
The following example illustrates how to block access (this is a mode of operation
called fail-closed) to the requested content when category information is
unavailable.
The System category unavailable includes the unavailable and unlicensed
conditions. The unlicensed condition helps you identify that the category was not
identified because the content filter license has expired.

To create policy when the category for a requested URL is unavailable:

1. Add a rule in a Web Access Layer:

a. In the Destination column, right-click and select Set. The VPM displays
the Set Destination Object dialog.
b. In the Set Destination Object dialog, click New > Request URL Category. The
VPM displays the Add Request URL Category Object dialog.
c. Expand the System category list.
2. Select the category to monitor:
a. Select unavailable for the System category.
b. Click OK.
3. Set the action to restrict access. In the Action column, right click and select Deny
Content Filter.
You can also use this feature with custom exception pages (refer to the Visual
Policy Manager Reference), where a custom exception page displays during
business hours, say between 8 am and 6 pm local time for the requested content.
In the event that the license is expiring, the user can be served an exception page
that instructs the user to inform the administrator about license expiry.

421
Advanced Secure Gateway Administration Guide

Creating Policy for Uncategorized URLs

URLs that are not categorized are assigned the system category none. This is not
an error condition; many sites (such as those inside a corporate intranet) are
unlikely to be categorized by a commercial service. Use category=none to detect
uncategorized sites and apply relevant policy. The following example disallows
access to uncategorized sites outside of the corporate network:
define subnet intranet
10.0.0.0/8 ; internal network
192.168.123.45; external gateway
end
<proxy>
; allow unrestricted access to internal addresses
ALLOW url.address=intranet

; otherwise (internet), restrict Sports, Shopping and

uncategorized sites
DENY category=(Sports, Shopping, none)

Creating Policy for Controlling Web Applications

The Web Application policy control objects are listed below:
❐ Request URL Application:The Request URL Application object gives you the ability
to block popular web applications such as Facebook, Linkedin, or Pandora. As
new applications emerge or existing applications evolve, BCWF tracks the
HTTP requests that these web applications use to serve content, and provides
periodic updates to include the new request domains that are added. You can
use the Request URL Application object to block an application and all the
associated requests automatically.
For the applications you have blocked, you are not required to update your
policy to continue blocking the new content sources; to block newly
recognized applications, you must select the new applications and refresh
your network policy.
❐ Request URL Operation: The Request URL Operation object restricts the actions a
user can perform on a web application. For instance, when you select the
Upload Picture action for the Request URL Operation, you create a single rule that
blocks the action of uploading pictures to any of the applications or services
where the action can be performed, such as Flickr, Picasa, or Smugmug.
When you block by operation, unlike blocking by application, you prevent
users in your network from performing the specified operation for all
applications that support that operation. They might, however, be able to
access the application itself.
Be advised that the Request URL operation object only pertains to operations
for sites that BCWF recognizes as web applications. Therefore, blocking
picture uploads does not prevent users in your network from using FTP to
upload a JPEG file to an FTP server or from using an HTTP POST to upload a
picture on a website running bulletin board software.

422
 Pre-requisites for Controlling Web Applications
• Proxy Edition license
• Blue Coat WebFilter license.
• The Blue Coat WebFilter feature must be enabled. (Configuration > Content
Filtering > General).

• A current BCWF database must be downloaded to the Advanced Secure

Gateway. (Configuration > Content Filtering > Blue Coat WebFilter).
• The Advanced Secure Gateway must have one or more web services, such
as External HTTP and HTTPS, set to intercept. Bypassed web traffic is not
classified into applications.

Policy Examples Using the Application Control Objects

Use Case: Allow users to access Facebook and LinkedIn, but block access to other
social networking sites. Also block access to all games, including access to games
on Facebook.
1. Launch the Advanced Secure Gateway Management Console.
2. Launch the Visual Policy Manager (VPM).
Select Configuration > Policy > Visual Policy Manager, and click Launch.
3. Create the rules to allow access to Facebook and LinkedIn, but restrict access
to all other social networking sites. You must define the allow Facebook and
LinkedIn rule before the rule that blocks access to other social networking
sites.
To allow access to Facebook:
a. Add a Web Access Layer. Select Policy > Add Web Access Layer.
b. On the Destination column, right click and select Request URL Application.
c. Select Facebook and LinkedIn from the application list and click OK.

Note: To filter through the list of supported applications, you can enter the
name of the application in the Filter applications by: pick list. Based on your
input, the on-screen display narrows the list of applications. You must then
select the application(s) for which you want to create rules.

d. Set Action to Allow.

To restrict access to all other social networking sites:
a. Select Edit > Add Rule to add a new rule in the same Web Access layer.
b. On the Destination column, right click and select Request URL Category.
c. Select the Social Networking category from the list that displays and click
OK.

423
Advanced Secure Gateway Administration Guide

d. On the Action column, right click and select Deny. Your rules should
look similar to the following (third row).

4. To properly block access to all games, including those on Facebook, you must
create another Web Access Layer that defines the rule as follows.
a. Select Policy > Add Web Access Layer.
b. On the Destination column, right-click and select Request URL Category.
c. Select the Games category from the list that displays and click OK.

5. Click Install Policy. You have now installed policy that blocks all games in your
network, and permits access to the Facebook and LinkedIn applications in the
social networking category.

424
Use Case: Allow limited access on Facebook but deny access all other sites in the
social networking category. In this example, you restrict users from uploading
attachments, videos or pictures on Facebook, but allow all other operations that
the application supports.
1. Launch the Advanced Secure Gateway Proxy Management Console.
2. Launch the Visual Policy Manager (VPM).
Select Configuration > Policy > Visual Policy Manager, and click Launch.
3. Select Policy > Add Web Access Layer.
4. Create a rule that allows access to Facebook but restricts uploads.
a. On the Destination column, right click and select Set > New > Combined
Destination Object.

b. Select New > Request URL Application and select Facebook from the list of
applications.
c. Select New > Request URL Operation.
d. Select Upload Attachment, Upload Videos and Upload Pictures from the list of
operations and click OK.
e. Create the rule that checks for the application and the associated
operation.
• Select the application object you created for Facebook in Step 4b and
Add it to At least one of these objects.

425
Advanced Secure Gateway Administration Guide

• Select the Negate option in the bottom list. The display text changes
from AND At least one of these objects to AND None of these objects. Then
select the operation object you created for the uploading actions in
Step 4d and click Add. Your policy should look similar to the following.

• Click OK to exit all open dialogs.

f. On the Action column of the Web Access Layer, right click and select
Allow.

You have now created a rule that matches on the application Facebook but
prevents the action of uploading attachments, pictures or video. When a
user attempts to upload these items on Facebook, the action will be
blocked.
5. Restrict access to all other social networking sites.
a. Select Edit > Add Rule to add a new rule in the same Web Access Layer.
b. On the Destination column, right-click and select Request URL Category.
c. Select the Social Networking category from the list that displays and click
OK.

d. On the Action column, right click and select Deny.

6. Click Install Policy. Your policy rule that allows limited access on Facebook and
blocks access all other social networking sites is installed on the Advanced
Secure Gateway appliance.

See Also
❐ Content Policy Language Reference
❐ Command Line Interface Reference

426
 Verify the Application Filtering Policy is Working Properly
After you have installed your application filtering policy, verify that the policy
works as intended. From a client workstation on the network:
❐ Verify that you cannot access websites of blocked categories.
❐ Confirm that you can access websites of allowed categories.
❐ For each application that is unitarily blocked, verify that you cannot access
any component of the application.
❐ For each operation that is blocked for an application, verify that you cannot
perform that operation for that application. In addition, verify that you can
perform operations that are not denied.
If your policy is not working properly, verify that you have spelled the
application and operation names exactly as listed in the view applications and
view operations command output. Also make sure that the operation is
supported by the application. Correct any errors, install the revised policy, and
run through the above verification steps again.

Additional Information
The following two access log variables are available in the Blue Coat Reporter
access log format (bcreportermain_v1):
x-bluecoat-application-name
x-bluecoat-application-operation

Limitations
The policy compiler will not display a warning if you create policy that defines
unsupported combinations of application names and operations. For example,
Twitter does not support uploading of pictures but the compiler does not warn
you that the following policy is invalid.
url.application.name=Twitter url.application.operation=”Upload
Pictures” deny

More Policy Examples

Use Case: Limit employee access to travel websites.
The first step is to rephrase this policy as a set of rules. In this example, the model
of a general rule and exceptions to that rule is used:
❐ Rule 1: All users are denied access to travel sites.
❐ Rule 2: As an exception to the above, Human Resources users are allowed to
visit Travel sites.
Before you can write the policy, you must be able to identify users in the Human
Resources group. You can do this with an external authentication server, or define
the group locally on the Advanced Secure Gateway appliance. For information on
identifying and authenticating users, see "Controlling User Access with Identity-
based Access Controls" on page 916. For information on authentication modes
supported on the Advanced Secure Gateway see "About Authentication Modes"
on page 927.

427
Advanced Secure Gateway Administration Guide

In this example, a group called human_resources is identified and authenticated

through an external server called my_auth_server.
This then translates into a fairly straightforward policy written in the local policy
file:
<proxy>
; Ensure all access is authenticated
Authenticate(my_auth_server)
<proxy>
; Rule 1: All users denied access to travel
DENY category=travel
<proxy>
; Rule 2: Exception for HR
ALLOW category=travel group=human_resources
DENY category=sites

Use Case: Student access to Health sites is limited to a specified time of day, when
the Health 100 class is held.
This time the policy contains no exceptions:
❐ Rule 1: Health sites can be accessed Monday, Wednesday, and Friday from 10-
11am.
❐ Rule 2: Health sites can not be accessed at other times.
define condition Health_class time
weekday=(1, 3, 5) time=1000..1100
end
<proxy>
; 1) Allow access to health while class in session
ALLOW category=health condition=health_class_time
; 2) at all other times, deny access to health
DENY category=health

Defining Custom Categories in Policy

Custom categories give administrators the ability to create their own filtering
criteria. This ability allows administrators to create specific categories that lists
websites and keywords to block or allow and can be adapted to their
organizational requirements.
Custom categories are created in the policy file using the VPM or CPL. If you have
extensive category definitions, Blue Coat recommends that you put them into a
local database rather than into a policy file. The local database stores custom
categories in a more scalable and efficient manner, and separates the
administration of categories from policy. See "Configuring a Local Database" on
page 399.

428
To add URLs to a category, you only need to specify a partial URL:

Note: The local database produces only the most specific URL match and returns
a single category.
The same policy syntax will produce a different match. If more that one category
is provided, policy processing may match more than one category and hence will
return more than one category. See "Local Database Matching Example" on page
400 for more information.

❐ Hosts and subdomains within the domain you specify will automatically be
included
❐ If you specify a path, all paths with that prefix are included (if you specify no
path, the whole site is included). For example, if you add
www2.nature.nps.gov/air/webcams/parks/grcacam/nps.gov/grca
only the pages in the /grca directory of nps.gov is included in the category,
but if you just add www2.nature.nps.gov/ all pages in the entire directory are
included in the category.

Note: If a requested HTTPS host is categorized in a content filtering database,

filtering rules apply even when HTTPS Intercept is disabled on the Advanced
Secure Gateway appliance. However, if the request contains a path or query string
and the categorization relies on the host/relative path, the categorization results
could be different. This is because the path or query is not accessible when HTTPS
Intercept is disabled. The difference in categorization is caused as a result of
categorizing the host name only versus using the host name and path or query
string.

Example:
define category Grand_Canyon
kaibab.org
www2.nature.nps.gov/air/webcams/parks/grcacam
nps.gov/grca
grandcanyon.org
end
Any URL at kaibab.org is now put into the Grand_Canyon category (in addition to
any category it might be assigned by a provider). Only those pages in the /grca
directory of nps.gov are put in this category.

Nested Definitions and Subcategories

You can define subcategories and nest category definitions by adding a
category=<name> rule. To continue the example, you could add:
define category Yellowstone
yellowstone-natl-park.com
nps.gov/yell/
end
define category National_Parks

429
Advanced Secure Gateway Administration Guide

category=Grand_Canyon; Grand_Canyon is a subcategory of

National_Parks
category=Yellowstone; Yellowstone is a subcategory of National_Parks
nps.gov/yose; Yosemite – doesn’t have its own category (yet)
end
With these definitions, pages at kaibab.org are assigned two categories:
Grand_Canyon and National_Parks. You can add URLs to the Grand_Canyon
category and they are automatically added by implication to the National_Parks
category as well.
Multiple unrelated categories can also be assigned by CPL. For example, by
adding:
define category Webcams
www2.nature.nps.gov/air/webcams/parks/grcacam
end
the URL, http://www2.nature.nps.gov/air/webcams/parks/grcacam/grcacam.htm,
will have three categories assigned to it:
❐ Grand_Canyon (because it appears in the definition directly)
❐ National_Parks (because Grand_Canyon is included as a subcategory)
❐ Webcams (because it also appears in this definition)
However, the other sites in the Grand_Canyon category are not categorized as
Webcams. This can be seen by testing the URL (or any other you want to try)
clicking the Test button on the Management Console.
You can test for any of these categories independently. For example, the following
example is a policy that depends on the above definitions, and assumes that your
provider has a category called Travel into which most national park sites
probably fall. The policy is intended to prevent access to travel sites during the
day, with the exception of those designated National_Parks sites. But the
Grand_Canyon webcam is an exception to that exception.

Example:
<proxy>
category=Webcams DENY
category=National_Parks ALLOW
category=Travel time =0800..1800 DENY
Click the Test button on the Management Console or the test-url command in
CLI to validate the categories assigned to any URL. This can help you to ensure
that your policy rules have the expected effect (refer to Configuring Policy Tracing
in the Content Policy Language Reference).
If you are using policy-defined categories and a content-filter provider at the
same time, be sure that your custom category names do not coincide with the
ones supplied by your provider. You can also use the same names—this adds your
URLs to the existing categories, and extends those categories with your own
definitions. For example, if the webcam mentioned above was not actually
categorized as travel by your provider, you could do the following to add it to the
Travel category (for the purpose of policy):

430
 define category Travel ; extending a vendor category
www2.nature.nps.gov/air/webcams/parks/grcacam/ ; add the GC webcam
end

Note: The policy definitions described in this section can also be used as
definitions in a local database. See "Configuring a Local Database" on
page 399 for information about local databases.

Section L: Troubleshooting
This section describes troubleshooting tips and solutions for content filtering
issues. It discusses the following topics:
❐ "Unable to Communicate with the WebPulse Service" on page 431
❐ "Event Log Message: Invalid WebPulse Service Name, Health Check Failed"
on page 431
❐ "Error Determining Category for Requested URL" on page 431
❐ "Error Downloading a Content Filtering Database" on page 432

Unable to Communicate with the WebPulse Service

Blue Coat WebFilter and WebPulse are enabled, and the following error message
displays:
Dynamic categorization error: unable to communicate with service 0
510000:1 ../protocols/cerberian/Cerberian_api.cpp:79

To resolve this issue:

1. Use DNS to resolve sp.cwfservice.net.

Note: The Advanced Secure Gateway appliance resolves the domain name
sp.cwfservice.net once a day and maintains the list of returned IP addresses.
The Advanced Secure Gateway appliance then uses the IP address that
provides the fastest service. If an IP address that is in use fails to respond, the
Advanced Secure Gateway appliance fails over to an alternate IP address.
Health checks are automatically conducted on all the IP addresses to make
this failover as smooth as possible and to restore service to the geographically
closest IP address as soon as it is available.

2. Check the firewall logs for messages about denied or blocked traffic
attempting to reach IP addresses or in response from IP addresses. A firewall
rule denying or blocking in either direction impedes WebPulse.

431
Advanced Secure Gateway Administration Guide

Event Log Message: Invalid WebPulse Service Name, Health Check Failed
The following event log message is displayed:
Invalid WebPulse service name - Health check failed - Receive failed.
These messages are common in event logs and, for the most part, should not affect
your service. A server may fail an L4 health check for various reasons, but unless
all servers (services) are unavailable for extended periods of time, you should not
experience interruptions in WebPulse services and can regard this as expected
behavior.
When the proxy makes a request for the WebPulse service name, several IP
addresses for our servers are returned. The Advanced Secure Gateway appliance
periodically performs a quick Layer-4 health check (opening and closing a TCP
socket with no data transfer) to each of those servers. In the event that the
Advanced Secure Gateway appliance cannot contact the server or does not receive
a response quickly enough, it logs similar event log messages.
Your WebPulse service is interrupted unless all of the servers are unable to be
contacted for more than a few seconds. When one of these error messages
appears, the services health status changes back to healthy within 2 to 10 seconds.

Error Determining Category for Requested URL

The access log shows the category for a URL as Unavailable; Category Unavailable
indicates that an error occurred when determining the category for a requested
URL.
The following is an example access log message:
2007-08-07 22:19:02 59 10.78.1.98 404 TCP_NC_MISS 412 428 GET http
www.sahnienterprise.com 80 /images/menu.gif - - - DIRECT
www.sahnienterprise.com text/html;%20charset=iso-8859-1 http://
www.sahnienterprise.com/Mozilla/5.0 (Windows; U; Windows NT 5.1; en-
US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 PROXIED “Unavailable” -
10.78.1.100
Start by manually testing the URL in the URL field in Configuration > Content Filtering
> General on the Management Console.
If the category is still Unavailable, go through the list of possible causes in the
following table.
Possible Causes Check the Following

The database is not installed Check show content-filter status.

The database is corrupt. Check show content-filter
status.

432
 Possible Causes Check the Following

The database has expired. Check the validity of the database.

To verify that the latest content filter
database is available on the Advanced
Secure Gateway, enter the following
commands in the CLI:
Blue Coat SG210 Series>en
Enable Password:XXXXX
Blue Coat SG210 Series#show
content-filter status
Provider: Blue Coat
Status: Ready

A communication error occurred contacting Check the event log entries for
the WebPulse service. WebPulse messages.

The Advanced Secure Gateway If you are using a trial or demo license,
appliance license has expired. instead of a perpetual license, the
Advanced Secure Gateway appliance
license might have expired. Verify the
status of your license on the
Maintenance > Licensing > View tab. To
purchase a license, contact Blue Coat
Technical Support or your Blue Coat
sales representative.

(Possible, but not likely) There are issues Check event log entries for disk or
with memory or a disk error. memory messages.

Error Downloading a Content Filtering Database

To view the status of your database download, click View Download Status on the
Configuration > Content Filtering > Vendor_Name tab.

❐ For the ERROR: HTTP 401 - Unauthorized, verify that you have entered your
username and password correctly. For example, the following error message
was generated when an incorrect username was entered to download a BCWF
database:
Download log:
Blue Coat download at: Thu, 21 June 2015 18:03:08
Checking incremental update
Checking download parameters
Fetching:http://example.com/
Warning: HTTP 401 - Unauthorized
Downloading full control file
Blue Coat download at: Thu, 21 June 2015 18:03:17
Downloading from http://example.com/
Fetching:http://example.com/
ERROR: HTTP 401 - Unauthorized
Download failed
Download failed
Previous download:
...

433
Advanced Secure Gateway Administration Guide

If you have an upstream proxy and all internet traffic must be forwarded to
this upstream proxy, you must enable download-via-forwarding on this
Advanced Secure Gateway using the following CLI command:
> enable
# config t
#(config)forwarding
#(config forwarding) download-via-forwarding enable

❐ For the Socket Connection Error, check for network connectivity and Internet
access in your network.
Only after completing network troubleshooting, perform the following
procedure if the socket connection error persists.
Because the content filter database is downloaded using SSL, if the SSL client
on the Advanced Secure Gateway appliance gets corrupt, a connection error
occurs.
1. Verify that you have a valid SSL client on the Advanced Secure Gateway
appliance.
a. Access the Command Line Interface (CLI) of the Advanced Secure
Gateway appliance.
b. In configuration mode, view the SSL client configuration.
Blue Coat SG210 Series>en
Enable Password:XXXXX
Blue Coat SG210 Series#conf t
Blue Coat SG210 Series#(config)ssl
Blue Coat SG210 Series#(config ssl)view ssl-client
SSL-Client Name Keyring CCL Protocol
default <None> browser-trusted TLSv1.2vTLSv1.1

2. If you have an SSL client configured but the issue still persists, delete, and
recreate the SSL client.
a. In the Configuration mode:
Blue Coat SG210 Series#(config ssl)delete ssl-client
ok
Blue Coat SG210 Series#(config ssl)create ssl-client default
defaulting protocol to TLSv1.2vTLSv1.1 and CCL to browser-trusted
ok

434
Chapter 19: Web Application Protection

You can protect web applications from web attacks using Application
Protection, which is a component of Web Application Protections, a
subscription-based offering that supplements the services available in Web
Application Reverse Proxy. This feature downloads a SQL injection fingerprints
database, which defines how the appliance detects attacks.

Note: A valid subscription license for Web Application Protection is required

to make use of the policy gestures used for Web Application Firewall (WAF)
policy. For details on WAF policy, refer to the Web Application Firewall Solutions
Guide.

Topics in this Chapter

The following sections describes Application Protection and how to use policy
to protect your web applications from attacks.
❐ "Enabling Application Protection" on page 436
❐ "Testing the Application Protections" on page 437
❐ "Verifying the Database Download" on page 437

435
Section A: Using Application Protection
Application Protection allows the appliance to detect SQL injection attacks
without the need to write and maintain SQL injection policy. When you enable the
feature, it downloads a database containing the latest SQL injection fingerprints,
culled from real-world attacks. This allows the appliance to detect numerous SQL
injection attacks against different SQL databases that web applications use.
To keep the database up-to-date, you can configure settings to be notified
whenever an update is available, or you can allow the service to automatically
download new versions.

Prerequisite for Using Application Protection

Before you can set up Application Protection, you must have a valid license for it.
Refer to your Sales Engineer for more information.
If you enable Application Protection but do not have a valid license, the
Management Console and event log display errors indicating that the
subscription could not be downloaded.

Enabling Application Protection

Before you can use Application Protection or related policy, you must enable the
feature on the appliance. For information on using this feature in a test
environment, see "Testing the Application Protections" on page 437.
To enable Application Protection:
1. In the Management Console, select Configuration > Threat Protection > Application
Protection.

2. On the Application Protection tab, select the Enable check box.

3. Click Apply. The appliance attempts to download the database for the first
time.
The service will automatically check for and download updates if:
• the service is enabled
• an Internet connection exists
• the notification setting (described in "Testing the Application Protections"
on page 437) is disabled

What if the Initial Download is Not Successful?

If you receive a download error and the Management Console banner displays
Critical shortly after you click Apply, the download might have failed. To confirm if
this is the case, select Statistics > Health Monitoring > Status and look for the status
“Application Protection failed on initial download” for Subscription Communication
Status.

436
 Note: The Critical error appears if the initial download attempt fails. After the
database downloads successfully, the service periodically checks for a newer
version of the database. If several update checks fail to connect to Blue Coat, a
Warning error appears in Health Monitoring until the failure is corrected.

See Also
❐ "Using Application Protection" on page 436
❐ "Verifying the Database Download" on page 437

Testing the Application Protections

If you want to test the application protections before deploying them in a
production environment, you can manually download fingerprint database
updates to an appliance in your lab or staging area.

Enable Notification
To enable notification:
1. In the Management Console, select Configuration > Threat Protection > Application
Protection.

2. (If feature is not already enabled) On the Application Protection tab, select
Enable.

3. Select the Do not auto download, but notify when a new version becomes available
check box.
4. Click Apply.
When a new database is available, a notification is sent to the administrator e-
mail account and also recorded in the event log.

Download Updates Manually

To download the database manually:
1. In the Management Console, select Configuration > Threat Protection > Application
Protection.

2. On the Application Protection tab, click Download Now.

See Also
❐ "Verifying the Database Download" on page 437

Verifying the Database Download

The License and Download Status field shows statistics about the previous
successful and unsuccessful downloads. If the last download was
unsuccessful, the field contains an error.
If you receive a download error, check your network configuration and make
sure that the appliance can connect to the Internet.

437
438
Chapter 20: Analyzing the Threat Risk of a URL

The Threat Risk Levels service analyzes a requested URL's potential risk and
summarizes it in the form of a numeric value (see "Threat Risk Levels
Descriptions" ). You can reference these values in policy to protect your
network and your users from potentially malicious web content.
Threat Risk Levels are calculated based on numerous factors that measure
current site behavior, site history, and potential of future malicious activities.
This service is part of Intelligence Services. For information on Intelligence
Services, refer to the "Using Intelligence Services to Classify Applications" on
page 391.

Note: Threat Risk Levels are not related to risk score policy. For details on risk
score policy, refer to the Content Policy Language Reference.

How the Threat Risk Service Works with WebPulse

To have the Threat Risk Levels feature return both risk levels and category
information for requests, the Advanced Secure Gateway appliance must have
valid Intelligence Services and Threat Risk Levels licenses. Although it is not
required, Blue Coat recommends that you also enable the WebPulse
categorization service on the appliance. Refer to Chapter 18: "Filtering Web
Content" on page 357 for details on Intelligence Services and WebPulse.
Enabling WebPulse ensures that a risk level is returned for every user request,
provided there is no connection problem. If the risk level for a request does not
exist in the on-box database, the appliance queries WebPulse for information
and forwards the request to WebPulse for risk level analysis and categorization.
The appliance then caches the information that it retrieves from WebPulse.

Threat Risk Levels Descriptions

The Threat Risk Levels service assigns threat risk levels to URLs according to
specific criteria. See Table 20–1 for an overview of the risk levels and how they
are represented on in the Threat Risk Details report in the Management
Console (Statistics > Threat Risk Details).

Table 20–1 Descriptions of Threat Risk Levels

Level Report Color Description

Low (Levels 1-2) Green The URL has an established history of

normal behavior and has no future
predictors of threats; however, this level
should be evaluated by other layers of
defense (such as Content Analysis and
Malware Analysis).

439
Advanced Secure Gateway Administration Guide

Table 20–1 Descriptions of Threat Risk Levels

Level Report Color Description

Medium-Low Green The URL has an established history of

(Levels 3-4) normal behavior, but is less established than
URLs in the Low group. This level should be
evaluated by other layers of defense (such as
Content Analysis and Malware Analysis).

Medium (Levels Yellow The URL is unproven; there is not an

5-6) established history of normal behavior. This
level should be evaluated by other layers of
defense (such as Content Analysis and
Malware Analysis) and considered for more
restrictive policy.

Medium-High Orange The URL is suspicious; there is an elevated

(Levels 7-9) risk.
Blue Coat recommends blocking at this
level.

High (Level 10) Red The URL is confirmed to be malicious.

Blue Coat recommends blocking at this
level.

The service returns a system-defined value in the rare instance when a threat
risk level does not apply. See Table 20–2 for an overview of the values. Note
that the report color for all system values is gray.

Table 20–2 System-defined values for Threat Risk Levels

CPL VPM Description

Use for Use in Threat Risk Level

url.threat_risk.level= Objects

none Threat Risk Level not available The URL does not have a threat
risk level assigned to it and the
request is not forwarded to
WebPulse (or it has been
forwarded and there is still no
data).
pending Threat Risk Level data pending No risk level is assigned to the
background WebPulse analysis URL on the Advanced Secure
Gateway appliance, but the
appliance performed a
WebPulse request in the
background. Subsequent
requests for the URL could
match a result from the
WebPulse cache.

440
Table 20–2 System-defined values for Threat Risk Levels

CPL VPM Description

Use for Use in Threat Risk Level

url.threat_risk.level= Objects

unavailable Threat Risk Level database or A non-licensing problem exists

service not accessible with the BCWF database or with
accessing the WebPulse service.
unlicensed Threat Risk Level feature not The Threat Risk Levels license is
licensed not valid.

Configure Threat Risk Levels

Step # Description Reference

1 Make sure that you meet "Requirements for Using Threat

requirements for using Threat Risk Risk Levels" on page 441
Levels.

2 Enable the Threat Risk Levels "Enable Threat Risk Levels" on

service. page 442

3 Write threat risk level policy through "Write Threat Risk Policy" on
the VPM or using CPL. page 443

Requirements for Using Threat Risk Levels

Before using Threat Risk Levels, make sure you have the following:
❐ A constant connection to Blue Coat servers to maintain license validity and
download periodic database updates.
❐ A valid license for the solution bundles that include Threat Risk Levels.
Refer to your SE for more information.
If you enable the feature but do not have a valid license:
• You cannot download the database.
• Any existing threat risk policy will not work.
• The Management Console displays Health Monitoring errors. See
"Troubleshoot Threat Risk Levels" on page 449 for information.

Note: After verifying that you have a license, you can make sure that you
have the Threat Risk Levels service. See "Verify Subscribed Bundles" on page
387

441
Advanced Secure Gateway Administration Guide

Enable Threat Risk Levels

Before you can use Threat Risk Levels or related policy, you must enable the
service on the appliance.
1. In the Management Console, select Configuration > Threat Protection > Threat
Risk Levels > General.

2. On the General tab, select Enable Threat Risk lookups on this device.

3. Click Apply. The appliance saves your configuration changes.

4. (Optional) Enable WebPulse dynamic categorization:

Note: If the Real-time analysis link says Enabled, WebPulse is already

enabled; however, you must still make sure dynamic categorization is
enabled.

a. Select Configuration > Threat Protection > WebPulse.

b. If needed, select Enable WebPulse service.
c. Under Dynamic Categorization, select Perform dynamic categorization.
d. Click Apply. The appliance saves your configuration changes.

What if the Initial Download is Not Successful?

The License and Download Status field shows statistics about the previous
successful and unsuccessful downloads. If the last download was unsuccessful,
the field contains an error.
If you receive a download error and the Management Console banner displays
Critical shortly after you click Apply, the download might have failed. To confirm
if this is the case, select Statistics > Health Monitoring > Subscription and look for the
status "Threat Risk failed on initial download". See "Troubleshoot Threat Risk
Levels" on page 449 for more information.

Note: A Critical error appears if the initial download attempt fails. After the
database downloads successfully, the service periodically checks for a newer
version of the database. If several update checks fail to connect to Blue Coat, a
Warning error appears in Health Monitoring until the failure is corrected.

442
Write Threat Risk Policy
CPL and VPM policy objects have been added and updated to support the
feature.

Set Threat Risk Levels in the VPM

1. In the Management Console, select Configuration > Policy > Visual Policy
Manager.

2. Click Launch. The console opens the Visual Policy Manager.

3. In the VPM, select Policy and add a policy layer. See Table 20–3 for a list of
layers available.
4. In the Destination column, right click and select Set > New . Then, select the
threat risk level object. See Table 20–3 for a list of objects available.
The VPM displays the object.
5. Enter a name for the object or accept the default name.
6. Specify the risk level:
• Select Risk levels between __ and __ to specify the risk level.
For both values, select a level from 1 to 10. Select the same number in
both fields to specify one level; select different values to specify a range.
• Specify a system-defined value. Refer to Table 20–2 on page 440 for
definitions of the options.

7. Click OK to save the object.

8. Specify other settings as required in the policy layer, and then install policy.
To override the threat risk, see "Use Threat Risk Features" on page 446.
Table 20–3 Threat Risk Levels in Policy Layers and Objects

Policy Layer Destination Object

DNS Access Layer DNS Request Threat Risk

443
Advanced Secure Gateway Administration Guide

Table 20–3 Threat Risk Levels in Policy Layers and Objects

Policy Layer Destination Object

SSL Intercept Layer Request URL Threat Risk

Server Certificate Threat Risk

SSL Intercept Layer Request URL Threat Risk

Server Certificate Threat Risk

Web Authentication Layer Request URL Threat Risk

Web Access Layer Request URL Threat Risk

Web Content Layer Request URL Threat Risk

Forwarding Layer Server URL Threat Risk

Write Threat Risk Policy in CPL

You can write policy to trigger an action when the Advanced Secure Gateway
appliance detects a specified threat risk score for a request URL.
In the following descriptions, <numeric_or_system_value> is a value from 0 to
10 or one of four system-defined strings:
• An exact value, such as 10
• A range, such as:
• 5..7 (a value between 5 and 7)
• 5.. (a value equal to or greater than 5)
• ..8 (a value equal to or less than 8)
• A system-defined string. Refer to Table 20–2 on page 440 for definitions
of the options.

Trigger an action based on the threat risk of a request URL

url.threat_risk.level=<numeric_or_system_value>
Use this gesture in <Cache>, <Exception>, <Proxy>, <SSL>, and <SSL-Intercept>
layers.
Example
The appliance blocks the connection if the request URL has a threat risk level of
7 or higher.
<proxy>
deny url.threat_risk.level=7..

Trigger an action based on the threat risk of a DNS queried hostname or

IP address
dns.request.threat_risk=<numeric_or_system_value>
Example
The appliance performs trace if the hostname or IP address has a threat risk
level of 7.

444
 <DNS-proxy>
dns.request.threat_risk.level=7 trace.request(yes)

Trigger an action based on the threat risk of the Referer URL

request.header.Referer.url.threat_risk.level=<numeric_or_system_value>
Example
The appliance blocks the connection when it detects the Referer URL’s threat
risk is unavailable.
<proxy>
deny request.header.Referer.url.threat_risk.level=unavailable

Trigger an action based on the threat risk of the hostname extracted from
the X.509 certificate
server.certificate.hostname.threat_risk=<numeric_or_system_value>

Note: The hostname is extracted from the X.509 certificate returned by the
server while establishing an SSL connection. If it is not an SSL connection, the
value is null.

Example
The appliance blocks the connection when it detects the hostname from the
X.509 certificate has a threat risk level of 8.
<proxy>
deny server.certificate.hostname.threat_risk.level=8

Trigger an action based on the threat risk of the URL that the appliance
sends for user request
server_url.threat_risk.level=<numeric_or_system_value>

Note: If the URL was rewritten, the condition matches the risk levels of the
rewritten URL instead of the requested URL.

Example
The appliance blocks the connection when it detects the URL sent for user
request has a threat risk level of 10.
<proxy>
deny server_url.threat_risk.level=10

445
Advanced Secure Gateway Administration Guide

Use Threat Risk Features

What do you want to do? Reference

Look up the threat risks associated with a "Monitor Threat Risk Statistics" on
specific URL. page 447

If needed, download a new database. "Download a New Version of the

Database" on page 446

View a summary of the threat risk "Monitor Threat Risk Statistics" on

assigned to each request within a specified page 447
period.

Perform troubleshooting tasks. "Troubleshoot Threat Risk Levels" on

page 449

Look up Threat Risks for a Web Page

Determine the threat risk of a specific web page.
1. In the Management Console, select Configuration > Threat Protection > Threat
Risk Levels > General.

2. On the General tab, in the Threat Risk Lookup section, enter a URL in the
URL field and click Lookup. The console displays the threat risk level
associated with the URL, as described in "Threat Risk Levels Descriptions"
on page 439.

3. (Optional) Click the View Threat Risk Levels link to display the list of threat
risk levels in a new browser window.

Download a New Version of the Database

When required, you can download a new version of the database. If you
already have the latest version, the console indicates that no download is
required.
1. In the Management Console, select Configuration > Threat Protection > Threat
Risk Levels > Download.

446
 2. On the Download tab, click Download Now..
The database download starts in the background; when it is complete, the
tab displays the status of the download.
You can also click Refresh or Refresh Status to view the status of the
download.

Monitor Threat Risk Statistics

The Management Console provides a summary of the threat risk assigned to
each request within a specified period. Select Statistics > Threat Risk Details >
Threat Risk. The console displays the Threat Risk Details report. By default, the
report is set to display the last hour of activity.

Note: Before you can view threat risk statistics, you must enable the feature
(Configuration > Threat Protection > Threat Risk Levels > General) and download the
database. If the Threat Risk Levels service is disabled or the database is not
downloaded, the report screen displays no data.

In addition, report data does not persist if you disable and then re-enable the
Threat Risk Levels service. The report data is accurate from when you last
enabled the feature.

The report consists of three parts:

❐ Threat Risk Level Hits: A line chart shows threat risk hits for the specified
period of time. Hover over any part of the chart to display an overview of
the colors and groups represented in the chart.
❐ Threat Risk Levels:
A pie chart represents the proportions of each threat risk
group within all the threat risk hits for the specified period of time.
❐ At the bottom of the tab, a table arranges threat risk data according to
groups, specific levels, or total number of hits for the specified period of
time. To sort by one of these criteria, click the column header (Group, Threat
Risk Level, or Hits).

447
Advanced Secure Gateway Administration Guide

To change the time range for the report, select an option beside Duration:
❐ Last Hour: This is the default selection. The report displays data from the last
60 minutes. It may take a minute or more for the report to start displaying
activity.
❐ Last Day: The report displays data from the last 24 hours.
❐ Last Week: The report displays data from the last seven days.
❐ Last Month:
The report displays data for one month, for example, from
November 19 to December 19.
❐ Last Year:The report displays data for one year, for example, from January
2015 to January 2016.

Monitor Threat Risk Health Status

You can configure the appliance to notify you when the Threat Risk Levels
license is about to expire:
❐ Critical threshold (default is 0 days before expiration)
❐ Warning threshold (default is 30 days before expiration)
When the appliance enters a Critical or Warning state, the Management Console
banner displays the status in red. When you renew the license, the status
returns to a green OK.

View the License Status

Display the license status:
1. In the Management Console, select Statistics > Health Monitoring > Licensing.
2. In the Metric column, look for Threat Risk Expiration.

448
 If there are no errors with the license, the Value displays the number of days
left and the State is OK.

View the Subscription Status

Display the health monitoring status:
1. In the Management Console, select Statistics > Health Monitoring > Subscription.
2. In the Metric column, look for Threat Risk Communication Status.
If there are no errors with the server, the Value is No update errors and the
State is OK.

Note: You can set a notification method, or disable notification, for all
subscribed services at once in the CLI using the #(config) alert notification
subscription communication-status command.

Set Subscription Thresholds and Notifications

Change the default thresholds and specify how you want to receive
notifications when the license reaches each threshold:
1. In the Management Console, select Maintenance > Health Monitoring > Licensing.
2. In the License column, select Threat Risk Expiration. Then, click Edit. The
console displays an Edit Health Monitor Settings dialog.
3. In the dialog, specify the Critical Threshold and the Warning Threshold.
4. Specify the Notification method(s): Log, Trap, or Email.
5. Click OK > Apply.

Troubleshoot Threat Risk Levels

Refer to the following to troubleshoot issues with Threat Risk Levels.

449
Advanced Secure Gateway Administration Guide

Health Monitoring Errors

The Management Console could display the following error and warning
messages.

Threat Risk has x update errors

This Health Monitoring error means that the Threat Risk Levels database failed
to download x times.
If you see this error, investigate possible connectivity and network issues and
check the license expiration date.

Threat Risk failed on initial download

This Health Monitoring error means that the appliance’s initial attempt to
download the Threat Risk Levels database failed.
If you see this error, investigate possible connectivity and network issues and
check the license expiration date. This error message also appears if you enable
the Threat Risk service without a valid license.

450
451
Advanced Secure Gateway Administration Guide

452
Chapter 21: Configuring Threat Protection

The Advanced Secure Gateway supports threat protection scanning with the
use of either external appliance services such as ProxyAV or Content Analysis,
or the internal Content Analysis service. When configured, these services
analyze incoming web content and protect users from malware and malicious
content. Malware is defined as software that infiltrates or damages a computer
system without the owner’s informed consent. The common types of malware
include adware, spyware, viruses, downloaders and Trojan horses.
Blue Coat’s threat protection solution protects user productivity, blocks
malware downloads and web threats, and enables compliance to network
security policies.
The following sections describe how to configure threat protection with the
internal Content Analysis service:
❐ "About Threat Protection"
❐ "Enabling Malware Scanning"
❐ "Updating the Malware Scanning Policy"
❐ "Fine Tuning the Malware Scanning Policy using VPM"
❐ "Disable Malware Scanning"
❐ "Edit an ICAP Content Analysis Service"
❐ "Delete an ICAP service From the List of ICAP services"

About Threat Protection

Owing to the interactive nature of the Internet, enterprises are constantly
exposed to web threats that can cause damage to company data and
productivity. To ensure that your users, systems and data are protected at all
times, Blue Coat provides a multi-layered solution in a single appliance that
protects you from existing and emerging threats.
Content Analysis is an advanced module that, when used in conjunction with
the SGOS Proxy module, encompasses all facets of network-level threat
protection:
❐ Web Filtering protection during policy execution using Blue Coat Web
Filtering services,
❐ Anti-virus scanning with multiple vendors
❐ File Whitelisting to reduce resource load on known-good files
❐ Sandboxing with Blue Coat Malware Analysis and FireEye external
appliance solutions to analyze suspicious files and update WebPulse with
the results.

453
Advanced Secure Gateway Administration Guide

Blue Coat WebPulse

Blue Coat WebPulse is a community watch cloud-based provides reputation and
web content analysis in real time. WebPulse services are offered to all customers
who have a valid Blue Coat WebFilter license. For more information about
WebPulse, see "About Blue Coat WebFilter and the WebPulse Service" on page 361.
In addition to providing reputation and web categorization information, the
WebPulse service proactively notifies all Blue Coat WebFilter subscribers of
emerging malware threats. This notification is possible because of the malware
feedback mechanism between the Advanced Secure Gateway appliance and Blue
Coat’s ICAP analysis services, Content Analysis and ProxyAV.
The Advanced Secure Gateway appliance monitors the results of content scans
and notifies the WebPulse service when a new virus or malware is found. This
notification triggers an update of the Blue Coat WebFilter database and all
members of the WebPulse community are protected from the emerging threat.
Blue Coat’s threat protection solution also provides a threat protection policy that
is implemented when you integrate the appliances and enable malware scanning.
The malware scanning policy that is implemented is predefined set of policies
that offer optimal protection. The Malware Scanning policy can be set to optimize
either your network security needs or your network performance needs.

Internal Content Analysis Threat Protection Configuration Tasks

Two ICAP services to leverage the internal Content Analysis service are
configured automatically on the Advanced Secure Gateway appliance; one for
request data, and one for response data. Unlike with external ICAP services, the
internal ICAP objects do not require additional configuration.
For instructions on configuring internal Content Analysis to scan request and
response data, refer to the Content Analysis context-sensitive help.

External Threat Protection Configuration Tasks

The tasks that must be completed for configuring threat protection between the
Advanced Secure Gateway appliance and an external the ProxyAV appliance or
Content Analysis service are listed in the following table.
Table 21–1 Tasks for Configuring Threat Protection

454
Task Task Description

1. Install and configure the • Configure the ProxyAV appliance or Content

ICAP appliance. Analysis service with basic network settings.
Make sure to configure the ICAP server and the
Advanced Secure Gateway appliances on the
same subnet.
From the ProxyAV Management Console, perform the
following tasks:
• Activate the ICAP server licenses, as appropriate.
• Configure the scanning behavior on the ProxyAV
appliance or Content Analysis Management
Console
For information on these tasks, refer to the ProxyAV
Configuration and Management Guide or the Content
Analysis System WebGuide.

2. Select whether to transfer The Advanced Secure Gateway appliance and the
data between the Advanced ProxyAV appliance or Content Analysis appliances
Secure Gateway and the communicate with each other using plain ICAP,
ProxyAV or Content secure ICAP, or both methods.
Analysis service using plain To use secure communication mode between
ICAP or secure ICAP. appliances, either use the built-in SSL device profile or
create a new SSL device profile to authorize ProxyAV
or Content Analysis on the Advanced Secure Gateway
appliance. For information about SSL device profile,
see "About SSL Device Profiles" on page 1349.
If you create an SSL device profile, verify that the CA
certificate is imported in the Advanced Secure
Gateway appliance at Configuration > SSL > External
Certificates. Otherwise, when the Verify Peer option is
enabled in Configuration > SSL > Device Profiles, the
Advanced Secure Gateway appliance fails to verify
ProxyAV or Content Analysis as trusted.
For information on enabling secure connection on
ProxyAV appliance or Content Analysis, or creating a
new certificate, refer to the ProxyAV Configuration and
Management Guide or the Content Analysis System
WebGuide.

3. Add the ProxyAV or To add the external ProxyAV or Content Analysis

Content Analysis to allow appliance to the Advanced Secure Gateway appliance,
in-path threat detection and see "Adding an External ICAP Service for Content
enable malware scanning, Scanning".
on the Advanced Secure To begin scanning of web responses you must enable
Gateway. malware scanning. Malware scanning, when enabled,
automatically invokes a predefined threat protection
policy. See "Enabling Malware Scanning" on page 457.

455
Advanced Secure Gateway Administration Guide

Section 1 Adding an External ICAP Service for Content Scanning

External Blue Coat ICAP services, (ProxyAV and Content Analysis) are designed
to prevent malicious content from entering your network. When you add these
services to your configuration, the Advanced Secure Gateway appliance redirects
web responses fetched from the origin web server to the ICAP service to be
scanned before delivering the content to the user.
The protocol that the ProxyAV appliance or Content Analysis and the Advanced
Secure Gateway appliance use to communicate is the Internet Content Adaptation
Protocol or ICAP.

To for content scanning:

1. Select Configuration> Threat Protection> Malware Scanning.If you will be using the
internal Content Analysis service, select Use Internal Content Analysis and click
Apply. If you’ll be using an external ICAP service, follow the remaining steps.

2. Select New. The Management Console displays the Add New CAS/ProxyAV
ICAP Server dialog.

3. In the Server host name or IP address field, enter the host name or IP address of
the ICAP server. Only an IPv4 address is accepted.
4. Select the connection mode(s) and ports. The default is plain ICAP only.
If you select secure ICAP, you must add an SSL device profile. An SSL device
profile contains the information required for device authentication, including
the name of the keyring with the private key and certificate this requires to be
authenticated. For information on SSL device profiles, see "About SSL Device
Profiles" on page 1349.
5. Click OK to save your changes and exit the open dialog.
You now have proxyavx service that is automatically created to perform
response modification. Response modification means that the ICAP service
only acts on requested content that is redirected to it by the Advanced Secure
Gateway appliance after the content is served by the origin web server.

456
 6. Click Perform health check to verify that the ICAP server is accessible. The
health check result is displayed immediately. For information on health
checks, see "Managing ICAP Health Checks" on page 485.
7. Continue with "Enabling Malware Scanning".

Enabling Malware Scanning

To begin content scanning after adding an ICAP service to the Advanced Secure
Gateway appliance, Blue Coat provides a built-in threat protection policy with a
set of predefined rules. These rules protect your network from malicious content
while supporting your network performance or network protection needs.
Enabling malware scanning implements the threat protection policy on the
Advanced Secure Gateway appliance. The threat protection policy compiles
policy conditions based on your preferences in the malware scanning
configuration. By default, when you enable malware scanning, the options
selected in the malware scanning configuration supports high performance
scanning using a secure ICAP connection between the ICAP service and the
Advanced Secure Gateway appliance, if available, and the user is denied access to
the requested content if the scan cannot be completed for any reason.
The rules used by the predefined threat protection policy can be made more or
less strict with the use of a simple radio button configuration. That is, while the
threat-protection policy itself does not change, only conditions that match your
configuration settings are implemented from the threat protection policy file.
And, when you change configuration, the compiled policy is automatically
updated to reflect the configuration changes.

Note: The threat protection policy cannot be edited. If you would like to
supplement or override the configuration in this policy, see "Fine Tuning the
Malware Scanning Policy using VPM" on page 462.

To enable malware scanning:

1. Select Configuration > Threat Protection > Malware Scanning. By default, malware
scanning is disabled on the Advanced Secure Gateway appliance.
2. Verify that one or more ICAP services are added for content scanning. For
information on adding a ICAP service, see "Adding an External ICAP Service
for Content Scanning" on page 456.
3. Select Enable malware scanning. The threat protection policy is invoked with the
malware scanning options selected in configuration or the pre-set default.
4. Click Apply to save your changes.
5. (Optional) To modify the malware scanning options that constitute the rules in
the threat protection policy for your network, see the following topics:
• "Selecting the Protection Level"
• "Selecting the Connection Security Mode"
• "Defining the Scan Failure Action"

457
Advanced Secure Gateway Administration Guide

6. (Optional) To verify that malware feedback to the WebPulse service is

enabled, check that Enable WebPulse service is selected in Configuration > Threat
Protection > WebPulse. By default, when Blue Coat WebFilter is enabled on the
Advanced Secure Gateway appliance, WebPulse is enabled.
For information on WebPulse, see "About Blue Coat WebFilter and the
WebPulse Service" on page 361. For information on configuring WebPulse, see
"Configuring WebPulse Services" on page 382.

Selecting the Protection Level

The threat protection policy offers two levels for scanning ICAP responses — high
performance and maximum security. While the ProxyAV scans all web responses
when set to maximum security, it selectively scans web responses when set to
high performance bypassing content that has a low risk of malware infection.
The high performance option is designed to ensure network safety while
maintaining quick response times for enterprise users. For example, file types that
are deemed to be low risk, such as certain image types, are not scanned when set
to high performance. To view the content that is not scanned with the high
performance option, in configuration mode of the CLI enter show sources policy
threat-protection.
The scanning rules configured for high performance and maximum security are
subject to change, as Blue Coat may update rules based on the latest web
vulnerabilities and security risk assessments. To obtain the latest version of the
malware scanning policy, see "Updating the Malware Scanning Policy" on page
460.

To set the protection level:

1. Select Configuration> Threat Protection > Malware Scanning.
2. Select the Protection level preference for your enterprise. The default protection
level is High performance.
3. Click Apply to save your changes.
For information on adding rules in VPM to make an exception to the configured
protection level, see "Fine Tuning the Malware Scanning Policy using VPM" on
page 462.

Selecting the Connection Security Mode

The communication between the Advanced Secure Gateway appliance and
external ICAP servers can be in plain ICAP, secure ICAP or can use both plain and
secure ICAP, depending on whether the response processed by the Advanced
Secure Gateway appliance uses the HTTP, FTP, or HTTPS protocol.
Plain ICAP should be used only for non-confidential data. In particular, if plain
ICAP is used for intercepted HTTPS traffic, then data intended to be
cryptographically secured would be transmitted in plain text on the local
network. With secure ICAP data exchange occurs through a secure data channel.
This method protects the integrity of messages that are sent between the
Advanced Secure Gateway appliance and the external ICAP server.

458
 To select a connection security mode:
1. Select Configuration> Threat Protection > Malware Scanning.

2. Select the Connection security preference for your network:

a. Always use secure connections ensures that all communication between
the Advanced Secure Gateway and the ICAP server uses SSL-
encrypted ICAP. By default, secure ICAP uses port 11344.
b. Use secure connections for encrypted requests, if available is the default
option and it ensures that requests will be sent over secure ICAP, if the
service supports it.
c. Always use plain connections sets all communication between the
Advanced Secure Gateway and the external ICAP service in non-
secure mode. This option is available only if the service object is
configured to support plain ICAP.
d. Click Apply to save your changes.

Defining the Scan Failure Action

If an error occurs while scanning a file, you must configure the Advanced Secure
Gateway appliance for the action that it must take. The action you define allows
the Advanced Secure Gateway appliance to either serve the requested content to
the client or deny the request when the scan cannot be completed.
A scan might fail because the ICAP service is not available becaues of a health
check failure, a scanning timeout, a connection failure between the Advanced
Secure Gateway appliance and the ICAP server, or an internal error on the ICAP
server. For maximum security, the recommended and default setting is to deny
the request when failures occur.
In addition to setting the action on an unsuccessful scan globally, you can
configure policy for individual ICAP scanning errors. For information on ICAP
error scan codes, see "Editing an ICAP Service" on page 488.
The rule is configured only to determine the action in the event an error occurs
while scanning a file.

To select an action upon an unsuccessful scan:

1. Select Configuration > Threat Protection > Malware Scanning.

459
Advanced Secure Gateway Administration Guide

2. Select your preferred failure option under Action on an unsuccessful scan. To

ensure network security, the default is Deny the client request.
3. Click Apply to save your changes.

Viewing the Installed Malware Scanning Policy

After configuring the options for malware scanning, you can view the policy that
was compiled and installed on the Advanced Secure Gateway using the
Management Console.

To view the installed policy using the Management Console:

1. Select Configuration > Policy > Policy Files.
2. Select Current Policy in the View Policy drop-down menu
3. Click View. The current policy installed on your Advanced Secure Gateway
appliance displays in a new window.
The malware scanning policy begins with the following text:
<Cache BC_malware_scanning_solution>
policy.BC_malware_scanning_solution
...

See Also
❐ "Updating the Malware Scanning Policy"
❐ "Fine Tuning the Malware Scanning Policy using VPM"

Updating the Malware Scanning Policy

Because the threat landscape changes rapidly, Blue Coat facilitates updates to the
threat protection solution to protect your network from the latest malware attacks
and exploits.The threat protection policy updates are independent of SGOS
upgrades.
Updates to the threat protection solution are available as a gzipped tar archive file
which can be downloaded to a local web server in your network or installed
directly on the Advanced Secure Gateway appliance.

To update the malware scanning policy directly on the Advanced Secure

Gateway appliance:
1. Select Configuration > Threat Protection > Malware Scanning.

460
2. Click Update malware scanning policy. The Management Console displays the
Install Malware Scanning Policy dialog.

3. (Optional) Enter the Installation URL. By default, the URL is

https://bto.bluecoat.com/download/modules/security/SGv6/
threatprotection.tar.gz
If you have downloaded the threat protection policy to a local Web server, add
the URL for the local Web server in this field.

Note: If you change the default URL, you cannot revert to the default
value. You must manually re-enter the URL.

4. Click Install.
5. (Optional) Click View to view the contents of the updated threat protection
policy file.

Note: The threat protection policy cannot be edited.

6. Click OK to save your changes and exit.

461
Advanced Secure Gateway Administration Guide

Fine Tuning the Malware Scanning Policy using VPM

When malware scanning is enabled, the threat protection policy file is invoked.
The rules implemented in the threat protection policy either use the defaults or
the selections that you configured in the malware scanning options in
Configuration > Threat Protection > Malware Scanning.
Unlike other policy files, the threat protection policy file is not displayed in the
Policy Evaluation Order list in Policy > Policy Options > Policy Options and the threat
protection policy file cannot be edited or modified. However, you can create rules
in the local policy file or in VPM policy to supplement or override the configured
defaults. The rules created in local or VPM policy supersede the configuration in
the threat protection policy because of the evaluation order of policy files. By
default on the Advanced Secure Gateway appliance, policy files are evaluated in
the following order — Threat protection, VPM, Local, Central, and Forward.
The threat protection policy is evaluated first to provide you with the flexibility to
adapt this policy to meet your business needs. For example, even if the malware
scanning mode is configured at maximum protection through configuration, you
can create rules in VPM to allow all traffic from internal hosts/subnets to be
scanned using the high performance mode. Alternatively, if the default malware
scanning mode is high performance, you can add rules in VPM to invoke
maximum protection mode for sites that belong to select content filtering
categories such as software downloads or spyware sources.
The following example demonstrates how to create rules in VPM to complement
the malware scanning options that are set in configuration. The setting in
configuration, in the example below, uses maximum security. The VPM rule
allows internal traffic to be scanned using the high performance rules that are
defined in the threat protection policy.

Example: Configure high performance scanning for internal traffic

1. Set the Scanning mode in Configuration > Threat protection > Malware Scanning to
Maximum protection.

2. Launch the VPM and create policy to scan all traffic from an internal host
using the high performance mode. This example uses the 10.0.0.0/8 subnet.
a. Select Configuration > Policy > Visual Policy Manager.
b. Click Launch.
c. In the VPM, select Policy > Add Web Content Layer.
d. In the Action column, right-click and select Set. The VPM displays the
Set Action Object dialog.
e. Click New > Set Malware Scanning. The VPM displays the Add Malware
Scanning Object dialog.
f. Select Perform high performance malware scan.
g. Click OK to save your changes and exit all open dialogs.
h. In the Destination column, right click and select Set. The VPM displays
the Set Destination Object dialog.

462
 i. Select Destination IP Address/Subnet. The VPM displays the Set
Destination IP/Subnet Object dialog.
j. Add the IP address and subnet for the internal host and click Close.
k. Click OK to save your changes and exit all open dialogs.
l. Click Apply to install the policy. After this policy is installed, all traffic
from the internal subnet 10.0.0.0/8 will be scanned using the high
performance mode.
3. The completed rule is similar to the following.

Disable Malware Scanning

If you prefer to manually create policy for content scanning rather than use Blue
Coat’s threat protection solution that provides pre-defined rules for ICAP-based
malware scanning, follow the instructions below.

Note: Malware scanning cannot be disabled if the threat protection solution is

referenced in policy. For example, if you have created a rule in the Web Content
Layer that references the threat protection policy file, disabling malware
scanning causes policy compilation to fail. You must remove all references to
the threat protection policy file before disabling malware scanning.

To disable malware scanning:

1. Select Configuration > Threat Protection > Malware Scanning.
2. Clear the Enable malware scanning option.
3. Click Apply.
4. For information on creating policy, refer to the Visual Policy Manager Reference.

Edit an ICAP Content Analysis Service

In the context of the Configuration tab’s Content Analysis section, a Content
Analysis service is a collection of attributes that defines the communication
between the Advanced Secure Gateway appliance and external ICAP services,
such as Content Analysis, ProxyAV, or DLP services.
Use the following procedure to edit the service URL, change the maximum
number of connections, modify ICAP service ports, or set ICAP options.

To edit a ProxyAV service:

1. Select Configuration > Content Analysis > ICAP > ICAP Services.

463
Advanced Secure Gateway Administration Guide

2. Select the service to edit.

3. Click Edit. The Edit ICAP Service dialog displays.
4. Edit the service options, as desired (service URL, maximum number of
connections, ICAP service ports, or ICAP options).
5. Click OK.
6. Click Apply to save your changes.
7. (Optional) For modifying advanced configuration options, see "Editing an
ICAP Service" on page 488.

Delete an ICAP service From the List of ICAP services

Use the following steps to remove an ICAP service from the list of configured
Content Analysis servers.

Note: If you have enabled malware scanning and have added only one Content
Analysis or ProxyAV appliance for content scanning, you must disable malware
scanning before you can delete that service from the CAS/ProxyAV ICAP Servers list.
Malware scanning must be disabled so that the ICAP service to be deleted is no
longer referenced in the threat protection policy.

To delete an external CAS or ProxyAV ICAP service:

1. Select Configuration > Threat Protection > Malware Scanning.
2. Select the ICAP service to be deleted from the CAS/ProxyAV ICAP Servers list.
3. Click Delete; click OK to confirm.
4. Click Apply. The service is deleted from the CAS/ProxyAV ICAP Servers list.

464
Chapter 22: Malicious Content Scanning Services

This chapter describes how to configure the Advanced Secure Gateway

appliance to interact with Internet Content Adaptation Protocol (ICAP) servers
to provide content scanning.
The Advanced Secure Gateway appliance supports ICAP connections with the
internal Content Analysis service, as well as external Content Analysis, ProxyAV,
Blue Coat DLP, and other third party ICAP services.
To integrate Content Analysis or ProxyAV with the Advanced Secure Gateway
appliance, see Chapter 21: "Configuring Threat Protection" on page 453.

Topics in this Chapter

This chapter includes information about the following topics:
❐ Section A: "About Content Scanning" on page 466
❐ Section B: "Configuring ICAP Services" on page 479
❐ Section C: "Securing Access to an ICAP Server" on page 495
❐ Section D: "Monitoring Content Analysis and Sessions" on page 501
❐ Section E: "Creating ICAP Policy" on page 509
❐ Section F: "Managing Virus Scanning" on page 524

465
Advanced Secure Gateway Administration Guide

Section A: About Content Scanning

Internet Content Adaptation Protocol (ICAP) is an open standard protocol that
allows content engines to send HTTP based content to an ICAP server for
performing value added services.
An ICAP server can filter, modify, or adapt Web content to meet the needs of your
enterprise. The appliance, when integrated with a supported ICAP server such as
Content Analysis and ProxyAV, provides content scanning, filtering, and repair
service for Internet-based malicious code, in addition to reducing bandwidth
usage and latency.
To eliminate threats to the network, the Advanced Secure Gateway appliance
forwards a web request and/or the response to the ICAP server. The ICAP server
filters and adapts the requested content, based on your needs, then returns the
content to the Advanced Secure Gateway appliance. The scanned and adapted
content is then served to the user who requested the content, and stored on the
Advanced Secure Gateway appliance object store. For frequently accessed web
content, this integrated solution provides defense against malware, along with the
benefits of limiting bandwidth usage and latency in the network.

Plain ICAP and Secure ICAP

The transaction between the Advanced Secure Gateway appliance and the ICAP
server can be executed using plain ICAP, secure ICAP or both. Plain ICAP is
useful for scanning non-confidential data (HTTP).
Secure ICAP is SSL encrypted ICAP and requires an SSL license; both the
Advanced Secure Gateway appliance and the ICAP server must support secure
ICAP. While Secure ICAP can be used for both HTTP and HTTPS traffic, plain
ICAP is faster than secure ICAP because it does not have to deal with any
encryption overhead. Therefore, Blue Coat recommends that you only use secure
ICAP when scanning confidential data.

Note: Advanced Secure Gateway appliance does not support secure ICAP for
the internal Content Analysis service.

Content Processing Modes

An ICAP server processes web content that is directed to it during Proxy policy
evaluation. The content that the ICAP server receives can be processed in two
modes — request modification and response modification.
❐ Request modification (REQMOD)—Allows modification of outbound client
requests. These requests are sent from the Advanced Secure Gateway
appliance to the ICAP server on their way to the origin content server. This is
represented in the Visual Policy Manager (VPM) as Perform Request Analysis.

466
 ❐ Response modification (RESPMOD)—Allows modification of inbound client
requests. These requests are sent from