SGOS 6.6.x Administration Guide

Administration Guide

Uploaded by

Orlando
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
1K views1,966 pages

SGOS 6.6.x Administration Guide

Administration Guide

Uploaded by

Orlando
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 1966

Document Number: 231-03113

Document Revision: SGOS 6.6.x—3/2017-A

SGOS Administration Guide

SGOS 6.6.x


Copyright © 2017 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue
Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names
may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as
advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum
extent allowed by law. The information in this document is subject to change without notice.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND
WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE
LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL
DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE
INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. SYMANTEC
CORPORATION PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS
DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS,
AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY
WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY
TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT,
RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Americas:
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

Rest of the World:
Symantec Limited
Ballycoolin Business Park
Blanchardstown, Dublin 15, Ireland

Document Revision: SGOS 6.6.x—5/2017-G

Contents

Chapter 1: Introduction
Document Conventions ................................................................................................................... 22
Notes and Warnings......................................................................................................................... 23
About Procedures ............................................................................................................................. 24

Chapter 2: Accessing the Appliance


Accessing the Advanced Secure Gateway Appliance Using the Management Console ....... 26
Ways to Access the Management Console ............................................................................. 26
About the Management Console Banner................................................................................ 35
Viewing the Benefits of Deploying the Advanced Secure Gateway Appliance ............... 35
Logging Out of the Management Console ............................................................................. 40
Accessing the Advanced Secure Gateway Using the CLI .......................................................... 41
Configuring Basic Settings .............................................................................................................. 43
Configuring the Advanced Secure Gateway Appliance Name ................................................. 44
Changing the Login Parameters ..................................................................................................... 45
Changing the Administrator Account Credentials ............................................................... 45
Changing the Advanced Secure Gateway Realm Name...................................................... 46
Changing the Advanced Secure Gateway Timeout.............................................................. 47
Viewing the Appliance Serial Number ......................................................................................... 48
Configuring the System Time ......................................................................................................... 49
Synchronizing to the Network Time Protocol.............................................................................. 52
Required Ports................................................................................................................................... 54

Chapter 3: Licensing
License Editions.......................................................................................................................... 57
License Types.............................................................................................................................. 60
Licensing Terms ......................................................................................................................... 61
License Expiration...................................................................................................................... 62
Locating the System Serial Number ........................................................................................ 64
Obtaining a BlueTouch Online Account................................................................................. 64
Registering and Licensing Blue Coat Appliance and Software........................................... 64
Installing a License on a Registered System........................................................................... 65
Manually Installing the License ............................................................................................... 66
Adding an Add-on License ............................................................................................................. 69
Adding the Add-on License to the Appliance ....................................................................... 70
Enabling Automatic License Updates ........................................................................................... 71
Viewing the Current License Status............................................................................................... 72

Chapter 4: Controlling Access to the ProxySG
Moderate Security: Restricting Management Console Access Through the Console Access Control List (ACL) .................................................................................................................... 80

Chapter 5: Backing Up the Configuration


Section A: About Configuration Archives
Section B: Archiving Quick Reference
Archiving Quick Reference Table .................................................................................................. 89
Section C: Creating and Saving a Standard Configuration Archive
Section D: Creating and Saving a Secure (Signed) Archive
Section E: Preparing Archives for Restoration on New Devices
Creating a Transferable Archive..................................................................................................... 99
Section F: Uploading Archives to a Remote Server
Creating and Uploading an Archive to a Remote Server ......................................................... 109
Section G: Restoring a Configuration Archive
Section H: Sharing Configurations
Section I: Troubleshooting

Chapter 6: Explicit and Transparent Proxy


Manually Configure Client Browsers for Explicit Proxy ................................................... 120
Creating an Explicit Proxy Server with PAC Files .............................................................. 120

Chapter 7: Managing Proxy Services


Section A: Proxy Services Concepts
Section B: Configuring a Service to Intercept Traffic
Changing the State of a Service (Bypass/Intercept) .................................................................. 138
Section C: Creating Custom Proxy Services
Section D: Proxy Service Maintenance Tasks
Section E: Global Options for Proxy Services
Proxy Service Global Options ....................................................................................................... 151
Managing Licensed User Connection Limits (ProxySG to Server) ......................................... 158
About User Limits.................................................................................................................... 158
Tasks for Managing User Limits............................................................................................ 159
Viewing Concurrent Users ..................................................................................................... 162
Section F: Exempting Requests From Specific Clients
Adding Static Bypass Entries ........................................................................................................ 165
Section G: Trial or Troubleshooting: Restricting Interception From Clients or To Servers
Restricted Intercept Topics............................................................................................................ 170

Section H: Reference: Proxy Services, Proxy Configurations, and Policy

Chapter 8: Intercepting and Optimizing HTTP Traffic


Section A: About the HTTP Proxy
Section B: Changing the External HTTP (Transparent) Proxy Service to Intercept All IP Addresses on Port 80
Section C: Managing the HTTP Proxy Performance
About HTTP Compression ..................................................................................................... 186
Understand Compression Behavior ...................................................................................... 187
Compression Exceptions......................................................................................................... 188
Configuring Compression ...................................................................................................... 188
Notes .......................................................................................................................................... 191
About the HTTP Object Caching Policy Global Defaults ......................................................... 192
Setting the HTTP Default Object Caching Policy....................................................................... 196
Section D: Selecting an HTTP Proxy Acceleration Profile
Configuring the HTTP Proxy Profile ........................................................................................... 205
Section E: Using a Caching Service
Prerequisite for Using CachePulse ........................................................................................ 207
Enabling CachePulse...................................................................................................................... 208
Downloading the CachePulse Database ............................................................................... 208
Section F: Fine-Tuning Bandwidth Gain
Allocating Bandwidth to Refresh Objects in Cache................................................................... 211
Section G: Caching Authenticated Data (CAD) and Caching Proxy Authenticated Data (CPAD)
Section H: Viewing HTTP/FTP Statistics
Viewing the Number of HTTP/HTTPS/FTP Objects Served.................................................. 230
Viewing the Number of HTTP/HTTPS/FTP Bytes Served ..................................................... 231
Viewing Active Client Connections............................................................................................. 232
Viewing HTTP/HTTPS/FTP Client and Server Compression Gain Statistics .................... 233
Viewing HTTP/FTP Client Compressed Gain Statistics ................................................... 233
Viewing HTTP/FTP Server Compressed Gain Statistics................................................... 234
Section I: Supporting IWA Authentication in an Explicit HTTP Proxy
Section J: Supporting Authentication on an Upstream Explicit Proxy
Deployment Scenarios............................................................................................................. 237
Section K: Detect and Handle WebSocket Traffic
How the ProxySG Appliance Handles an Upgrade Request................................................... 239
Feature Limitations......................................................................................................................... 241

Chapter 9: Managing the SSL Proxy
IPv6 Support ............................................................................................................................. 244
Working with SSL Traffic........................................................................................................ 245
Section A: Intercepting HTTPS Traffic
Configuring the SSL Proxy in Explicit Proxy Mode .................................................................. 249
Specifying an Issuer Keyring and CCL Lists for SSL Interception ................................... 250
Using Client Consent Certificates.......................................................................................... 251
Downloading an Issuer Certificate ........................................................................................ 251
Warn Users When Accessing Websites with Untrusted Certificates ...................................... 254
Presenting Untrusted Certificates to a Browser .................................................................. 254
Set the Behavior when Encountering Untrusted Certificates ............................................ 254
Section B: Configuring SSL Rules through Policy
Section C: Viewing SSL Statistics
Viewing SSL History Statistics...................................................................................................... 261
Unintercepted SSL Data .......................................................................................................... 261
Unintercepted SSL Clients ...................................................................................................... 262
Unintercepted SSL Bytes ......................................................................................................... 262
Section D: Using STunnel
Configuring STunnel...................................................................................................................... 264
Viewing STunnel Results............................................................................................................... 266
Application Mix........................................................................................................................ 268
Viewing Session Statistics ....................................................................................................... 268
Viewing Protocol Details ........................................................................................................ 269
Access Logging......................................................................................................................... 269
Section E: Tapping Decrypted Data with Encrypted Tap
Viewing Encrypted Tap Results ............................................................................................ 272
Section F: Working with an HSM Appliance
Working with the SafeNet Java HSM .......................................................................................... 273
Before You Begin ...................................................................................................................... 273
Add an HSM ............................................................................................................................. 274
Add an HSM Keyring.............................................................................................................. 274
Add an HSM Keygroup .......................................................................................................... 275
Write HSM Policy ........................................................................................................................... 276
Section G: Advanced Topics

Chapter 10: Managing the WebEx Proxy


About Controlling the WebEx Application and File Sharing .................................................. 284
Enable HTTP Handoff.................................................................................................................... 285
Control Access to a WebEx Site with Policy ............................................................................... 286

Control File Uploads with Policy ................................................................................................. 288
Control Desktop Sharing with Policy .......................................................................................... 291
WebEx Proxy Access Logging ...................................................................................................... 294
Review WebEx Proxy Sessions ..................................................................................................... 296

Chapter 11: Accelerating File Sharing


Configuring the ProxySG CIFS Proxy ......................................................................................... 301
About Windows Security Signatures .................................................................................... 301
Intercepting CIFS Services ...................................................................................................... 304
Configuring SMBv1 Options .................................................................................................. 305
Configuring SMBv2 Options .................................................................................................. 310
Enabling CIFS Access Logging .............................................................................................. 311
Reviewing CIFS Protocol Statistics........................................................................................ 311

Chapter 12: Managing Microsoft Outlook E-mail Traffic


Section A: The Outlook Proxies
Section B: Endpoint Mapper and MAPI Configuration
Reviewing Endpoint Mapper Proxy Statistics ..................................................................... 322
Configuring the MAPI Proxy ................................................................................................. 323
Reviewing MAPI Statistics ..................................................................................................... 324
Optimizing Encrypted MAPI Traffic ........................................................................................... 326
Join the Branch Peer to the Primary Domain ....................................................................... 328
Section C: Office 365 Exchange Online Traffic
Policy for Intercepting and Scanning Office 365 Traffic..................................................... 334
Identify Web Applications in Office 365 Traffic .................................................................. 334
Access Logging......................................................................................................................... 335
Inspect MAPI over HTTP Traffic ........................................................................................... 335
..................................................................................................................................................... 336

Chapter 13: Managing the File Transport Protocol (FTP) Proxy


Configuring the ProxySG Appliance for Native FTP Proxy .................................................... 342
Modifying the FTP Proxy Service .......................................................................................... 342
Configuring the FTP Proxy..................................................................................................... 343
Configuring FTP Clients for Explicit Proxy ......................................................................... 344

Chapter 14: Managing the Domain Name Service (DNS) Proxy

Chapter 15: Managing a SOCKS Proxy


IPv6 Support ............................................................................................................................. 352
Configuring the SOCKS Proxy ..................................................................................................... 353
Viewing SOCKS History Statistics ............................................................................................... 355

Viewing SOCKS Clients .......................................................................................................... 355
Viewing SOCKS Connections ................................................................................................ 355
Viewing SOCKS Client and Server Compression Gain Statistics .................................... 356

Chapter 16: Managing Shell Proxies


Configuring the Telnet Shell Proxy Service Options................................................................. 362
Viewing Shell History Statistics.................................................................................................... 364

Chapter 17: Configuring and Managing an HTTPS Reverse Proxy


Section A: About the HTTPS Reverse Proxy
Section B: Configuring the HTTPS Reverse Proxy
About Mutual SSL Authentication ........................................................................................ 371
Section C: Configuring HTTP or HTTPS Origination to the Origin Content Server

Chapter 18: Using the ProxySG Appliance in an IPv6 Environment


Using the ProxySG Appliance in an ISATAP Network ............................................................ 379
IPv6 Support on the ProxySG Appliance.................................................................................... 382
Configuring an ADN for an IPv6 Environment......................................................................... 392
Optimizing ISATAP Traffic........................................................................................................... 393
Configuring IPv6 Global Settings................................................................................................. 394

Chapter 19: Geolocation


Prerequisite for Using Geolocation .............................................................................................. 398
Overview: Setting up, Using, and Removing Geolocation....................................................... 399
Enabling Geolocation ..................................................................................................................... 400
DNS Lookup.................................................................................................................................... 401
Downloading the Geolocation Database..................................................................................... 403
Identifying a Country by IP Address .......................................................................................... 404
Writing Geolocation Policy ........................................................................................................... 405
Client Geolocation (Reverse Proxy)....................................................................................... 405
Geolocation (Forward Proxy)................................................................................................. 405
Troubleshooting Geolocation........................................................................................................ 406
Access Log Errors ........................................................................................................................... 407
Removing Client Geolocation Settings ........................................................................................ 408

Chapter 20: Filtering Web Content


Section A: Web Content Filtering Concepts
About Application Filtering ................................................................................................... 411
Web Content Filtering Process Flow ..................................................................................... 412
About Blue Coat WebFilter and the WebPulse Service ............................................................ 413
About Dynamic Categorization ............................................................................................. 414
Considerations Before Configuring WebPulse Services..................................................... 419

Section B: Setting up a Web Content Filter
Enabling a Content Filter Provider .............................................................................................. 425
Specifying a Blue Coat Data Source ...................................................................................... 426
Downloading the Content Filter Database ................................................................................. 427
About Database Updates ........................................................................................................ 427
Downloading a Content Filter Database .............................................................................. 428
Viewing the Status of a Database Download....................................................................... 429
Expiry Date for the Database.................................................................................................. 430
Viewing the Available Categories or Testing the Category for a URL ............................ 430
Testing the Application and Operation for a URL.............................................................. 430
Section C: Configuring Blue Coat WebFilter and WebPulse
Disabling Dynamic Categorization ....................................................................................... 432
Specifying a Custom Time Period to Update Blue Coat WebFilter.................................. 433
Configuring Dynamic Categorization Requests for HTTP/HTTPS (CLI only).............. 437
Section D: Configuring Intelligence Services for Content Filtering
Verify Subscribed Bundles...................................................................................................... 439
Configure Intelligence Services.............................................................................................. 439
Download a New Version of the Database .......................................................................... 440
Monitor Content Filter Health Status.................................................................................... 440
Troubleshoot Health Monitoring Errors............................................................................... 441
Section E: Using Intelligence Services to Classify Applications
Enable Application Classification.......................................................................................... 443
Review Applications and Operations ................................................................................... 444
Download a New Version of the Application Classification Database ........................... 446
Review Application Attributes .............................................................................................. 446
Monitor Application Classification and Application Attributes Health Status.............. 449
Section F: Configuring a Local Database
Local Database Matching Example ....................................................................................... 452
Selecting and Downloading the Local Database........................................................................ 454
Section G: Configuring Internet Watch Foundation
Section H: Configuring a Third-Party Vendor
Section I: About Blue Coat Categories for YouTube
Setting the YouTube Server Key ............................................................................................ 458
Distinguishing Blue Coat Categories for YouTube in the Access Log ............................. 458
Section J: Using Quotas to Limit Internet Access
Scenario: Limit a User’s Daily Access to YouTube Videos ................................................ 459
Scenario: Limit a User’s Weekly Data Usage ....................................................................... 460
View Quota Statistics............................................................................................................... 460

Reset Usage Quotas ................................................................................................................. 461
Section K: Applying Policy
Policy Examples Using the Application Control Objects................................................... 474
Section L: Troubleshooting

Chapter 21: Web Application Protection


Section A: Using Application Protection
Enabling Application Protection .................................................................................................. 488
Testing the Application Protections............................................................................................. 489
Verifying the Database Download............................................................................................... 489

Chapter 22: Analyzing the Threat Risk of a URL


How the Threat Risk Service Works with WebPulse.......................................................... 491
Threat Risk Levels Descriptions............................................................................................. 491
Configure Threat Risk Levels ....................................................................................................... 493
Requirements for Using Threat Risk Levels......................................................................... 493
Enable Threat Risk Levels....................................................................................................... 494
Write Threat Risk Policy ......................................................................................................... 495
Use Threat Risk Features ............................................................................................................... 498
Look up Threat Risks for a Web Page ................................................................................... 498
Download a New Version of the Database .......................................................................... 498
Monitor Threat Risk Statistics ................................................................................................ 499
Monitor Threat Risk Health Status ........................................................................................ 500
Troubleshoot Threat Risk Levels ........................................................................................... 501

Chapter 23: Configuring Threat Protection


Blue Coat WebPulse................................................................................................................. 506
Adding an ICAP Service for Content Scanning ......................................................................... 508

Chapter 24: Malicious Content Scanning Services


Section A: About Content Scanning
Section B: Configuring ICAP Services
Creating an ICAP Service .............................................................................................................. 533
Managing ICAP Health Checks ............................................................................................. 537
Monitoring ICAP Health Metrics .......................................................................................... 539
Configuring ICAP Feedback ......................................................................................................... 541
Customizing ICAP Patience Text ................................................................................................. 543
HTTP Patience Text ................................................................................................................. 543
FTP Patience Text ..................................................................................................................... 545
Section C: Securing Access to an ICAP Server
Using Secure ICAP ......................................................................................................................... 548
Using a Crossover Cable................................................................................................................ 550
Configuring ICAP Using a Crossover Cable........................................................................ 550
Using a Private Network ............................................................................................................... 551
Section D: Monitoring Content Analysis and Sessions
Introduction to Content Analysis Request Monitoring ............................................................ 554
Section E: Creating ICAP Policy
Using ICAP Headers in Policy...................................................................................................... 573
Section F: Managing Virus Scanning

Chapter 25: Configuring Service Groups


Creating a Service Group .............................................................................................................. 582

Chapter 26: Managing Streaming Media


Section A: Concepts: Streaming Media
Limitation .................................................................................................................................. 591
About Microsoft Smooth Streaming...................................................................................... 591
About Adobe HDS ................................................................................................................... 591
About Apple HLS..................................................................................................................... 592
About Windows Media ........................................................................................................... 592
About Processing Streaming Media Content ............................................................................. 596
Limiting Bandwidth................................................................................................................. 598
About Streaming Media Authentication..................................................................................... 606
Apple HLS Authentication ..................................................................................................... 608
Section B: Configuring Streaming Media
Configuring the HTTP Streaming Proxy..................................................................................... 610
Configuring the Windows Media, Real Media, and QuickTime Proxies............................... 614
Limiting Bandwidth ....................................................................................................................... 617
Configuring Bandwidth Limitation—Fast Start (WM) ................................................ 617
Limiting Bandwidth for Smooth Streaming......................................................................... 618
Configuring the Multicast Network ............................................................................................ 619
Legacy Streaming Log Format ............................................................................................... 620
Reporter Streaming Log Format ............................................................................................ 621
Viewing Streaming History Statistics .......................................................................................... 623
Viewing Current and Total Streaming Data Statistics........................................................ 623
Section C: Additional Windows Media Configuration Tasks
Section D: Configuring Windows Media Player
Section E: Configuring RealPlayer
Section F: Configuring QuickTime Player
Section G: Using the Flash Streaming Proxy
Configuring the Flash Streaming Proxy...................................................................................... 647
Configuring Client Browsers for Explicit Proxy.................................................................. 647
Intercepting the RTMP Service (Transparent Deployment) .............................................. 648
Intercepting the Explicit HTTP Service (Explicit Deployment) ........................................ 648
When VOD Content Gets Cached ......................................................................................... 651
Proxy Chaining......................................................................................................................... 651
CDN Interoperability Support ............................................................................................... 652
Section H: Supported Streaming Media Clients and Protocols

Chapter 27: Bandwidth Management


Configuring Bandwidth Allocation ............................................................................................. 665
Bandwidth Management Statistics............................................................................................... 667
Current Class Statistics............................................................................................................ 667
Total Class Statistics................................................................................................................. 667
Using Policy to Manage Bandwidth ............................................................................................ 669

Chapter 28: Configuring Access Logging


Configuring a Log for Uploading ................................................................................................ 683
Viewing Access-Log Statistics ...................................................................................................... 686
Viewing the Access Log Tail .................................................................................................. 686
Viewing the Log File Size........................................................................................................ 687
Viewing Access Logging Status ............................................................................................. 688

Chapter 29: Configuring the Access Log Upload Client


Importing an External Certificate................................................................................................. 693
Deleting an External Certificate ............................................................................................. 694
Creating an External Certificate List ..................................................................................... 694
Digitally Signing Access Logs....................................................................................................... 695
Introduction to Digitally Signing Access Logs .................................................................... 695
Configuring the Upload Client to Digitally Sign Access Logs .......................................... 695

Chapter 30: Creating and Editing an Access Log Facility


Creating a Log Facility ................................................................................................................... 708
Editing an Existing Log Facility.................................................................................................... 710
Associating a Log Facility with a Protocol.................................................................................. 712
Configuring Global Settings.......................................................................................................... 714

Chapter 31: Creating Custom Access Log Formats


Creating a Custom or ELFF Log Format ..................................................................................... 722
Creating Custom Log Formats Based on Reserved Log Formats ..................................... 723
Chapter 32: Access Log Formats
Action Field Values ........................................................................................................................ 732

Chapter 33: Statistics


Viewing the Traffic Mix Report .................................................................................................... 790
Viewing Bandwidth Details for Proxies or Services ........................................................... 791
Viewing Traffic Distribution .................................................................................................. 793
Viewing Per-Proxy or Per-Service Statistics......................................................................... 794
About Bypassed Bytes ............................................................................................................. 794
About the Default Service Statistics ...................................................................................... 795
Viewing NetFlow Statistics ........................................................................................................... 796
Viewing Traffic History ................................................................................................................. 797
Supported Proxies and Services ................................................................................................... 799
Viewing the Application Mix Report........................................................................................... 801
Viewing Bandwidth Details for Web Applications............................................................. 802
Viewing the Application History Report .................................................................................... 805
Viewing System Statistics .............................................................................................................. 807
Resources Statistics .................................................................................................................. 807
Contents Statistics .................................................................................................................... 810
Event Logging Statistics .......................................................................................................... 813
Failover Statistics...................................................................................................................... 814
Active Sessions—Viewing Per-Connection Statistics................................................................ 815
Example Scenarios Using Active Sessions for Troubleshooting ....................................... 815
Analyzing Proxied Sessions.................................................................................................... 816
Analyzing Bypassed Connections Statistics......................................................................... 828
Viewing Errored Sessions and Connections ........................................................................ 830

Chapter 34: Configuring an Application Delivery Network


Section A: ADN Overview
ADN Modes..................................................................................................................................... 842
Multiple Concentrators in a Transparent ADN Deployment............................................ 843
Discovery of Upstream Concentrators.................................................................................. 844
Section B: Configuring an ADN
Introduction to Configuring an ADN.......................................................................................... 851
Enabling Explicit ADN Connections ........................................................................................... 856
Advertising Server Subnets .................................................................................................... 857
Configuring the Tunnel Mode ............................................................................................... 858
Configuring IP Address Reflection .............................................................................................. 864
Specify an ADN Manager for the ProxyClient .................................................................... 867
Tuning the ADN Configuration for ProxyClient ................................................................ 868
Enabling File-Sharing Acceleration ....................................................................................... 871
Section G: Securing the ADN
Securing a Managed ADN ............................................................................................................ 875
Enabling Device Authentication ............................................................................................ 875
Configuring Connection Security .......................................................................................... 877
Enabling Device Authorization.............................................................................................. 878
Section H: Configuring Load Balancing
Introduction to Load Balancing.................................................................................................... 882
Section I: Configuring Advanced ADN Settings
Configuring an ADN Node as an Internet Gateway................................................................. 886
Configuring the Byte-Cache Dictionary Size.............................................................................. 889
Manually Resizing the Byte Cache Dictionaries From the Statistics Tab ........................ 890
Manually Resizing Byte Cache Dictionaries from the Byte Caching Tab ........................ 891
Section J: Monitoring the ADN
Reviewing ADN History ............................................................................................................... 896
Reviewing ADN Active Sessions ................................................................................................. 898
Monitoring Adaptive Compression............................................................................................. 900
Section K: Related CLI Syntax to Configure an ADN
Section L: Policy
Section M: Troubleshooting

Chapter 35: WCCP Configuration


Configuring WCCP on the ProxySG Appliance ........................................................................ 919
Creating the WCCP Configuration on the ProxySG Appliance........................................ 919
Modifying the WCCP Configuration .................................................................................... 924
Disabling WCCP ...................................................................................................................... 925
Viewing WCCP Statistics and Service Group Status................................................................. 926

Chapter 36: TCP/IP Configuration


PMTU Discovery............................................................................................................................. 932

Chapter 37: Routing on the ProxySG Appliance


Distributing Traffic Through Multiple Default Gateways ....................................................... 937
ProxySG Appliance Specifics ................................................................................................. 937
Switching to a Secondary Default Gateway......................................................................... 937
Routing in Transparent Deployments ......................................................................................... 940
Outbound Routing................................................................................................................... 940
Inbound Routing ...................................................................................................................... 940
About Trust Destination MAC............................................................................................... 940
About Static Routes.................................................................................................................. 941
Routing Domains ..................................................................................................................... 943
Using Return-to-Sender (RTS)................................................................................................ 943

Chapter 38: Configuring Failover


Configuring Failover Groups........................................................................................................ 949
Viewing Failover Statistics ............................................................................................................ 951

Chapter 39: Configuring DNS


Adding DNS Servers to the Primary or Alternate Group ........................................................ 957
Resolving Hostnames Using Name Imputing Suffixes............................................................. 961
Adding and Editing DNS Name Imputing Suffixes ........................................................... 961
Changing the Order of DNS Name Imputing Suffixes ...................................................... 961

Chapter 40: Virtual IP Addresses


Creating a VIP ................................................................................................................................. 964
Deleting a VIP ................................................................................................................................. 965

Chapter 41: Configuring Private Networks


Configuring Private Subnets......................................................................................................... 969
Configuring Private Domains....................................................................................................... 970

Chapter 42: Managing Routing Information Protocols (RIP)


Installing RIP Configuration Files................................................................................................ 973

Chapter 43: SOCKS Gateway Configuration


Section A: Configuring a SOCKS Gateway
Adding a SOCKS Gateway............................................................................................................ 983
Creating SOCKS Gateway Groups............................................................................................... 985
Configuring Global SOCKS Defaults........................................................................................... 988
Configuring the SOCKS Gateway Default Sequence ................................................................ 990
Section B: Using SOCKS Gateways Directives with Installable Lists
Creating a SOCKS Gateway Installable List ............................................................................... 997

Chapter 44: TCP Connection Forwarding


Configuring TCP Connection Forwarding ............................................................................... 1004
Copying Peers to Another ProxySG in the Cluster ........................................................... 1005
Removing a Peer..................................................................................................................... 1005

Chapter 45: Configuring the Upstream Network Environment


Section A: Overview
Section B: About Forwarding
Section C: Configuring Forwarding
Creating Forwarding Hosts and Groups .................................................................................. 1018
Creating Forwarding Hosts .................................................................................................. 1018
Creating Forwarding Groups ............................................................................................... 1020
Configuring Global Forwarding Defaults................................................................................. 1023
Configuring the Forwarding Default Sequence ....................................................................... 1025
Section D: Using Forwarding Directives to Create an Installable List
Creating a Forwarding Installable List...................................................................................... 1034

Chapter 46: Using Policy to Manage Forwarding

Chapter 47: About Security


Controlling User Access with Identity-based Access Controls ............................................. 1044

Chapter 48: Controlling Access to the Internet and Intranet


Section A: Managing Users
Viewing Logged-In Users............................................................................................................ 1047
Section B: Using Authentication and Proxies
About Authentication Modes ..................................................................................................... 1055
Setting the Default Authenticate Mode Property.............................................................. 1056
About Origin-Style Redirection ........................................................................................... 1057
Selecting an Appropriate Surrogate Credential ................................................................ 1057
Configuring Transparent Proxy Authentication ............................................................... 1058
Manually Entering Top-Level Domains (TLDs)................................................................ 1058
Permitting Users to Log in with Authentication or Authorization Failures ................. 1059
Using Guest Authentication ................................................................................................. 1060
Using Default Groups............................................................................................................ 1062
Section C: Using SSL with Authentication and Authorization Services
Section D: Creating a Proxy Layer to Manage Proxy Operations
Section E: Forwarding BASIC Credentials

Chapter 49: Local Realm Authentication and Authorization


Creating a Local Realm ................................................................................................................ 1082
Changing Local Realm Properties.............................................................................................. 1083

Chapter 50: CA eTrust SiteMinder Authentication


Creating a SiteMinder Realm ..................................................................................................... 1098
Configuring SiteMinder Agents........................................................................................... 1098
Configuring SiteMinder Servers................................................................................................. 1100
Defining SiteMinder Server General Properties ...................................................................... 1102
Configuring Authorization Settings for SiteMinder ......................................................... 1103
Configuring General Settings for SiteMinder .................................................................... 1105
Chapter 51: Certificate Realm Authentication
Configuring Certificate Realms .................................................................................................. 1110
Creating a Certificate Realm................................................................................................. 1110
Configuring Certificate Realm Properties .......................................................................... 1110
Defining General Certificate Realm Properties ................................................................. 1113
Specifying an Authorization Realm........................................................................................... 1115

Chapter 52: Oracle COREid Authentication


Creating a COREid Realm........................................................................................................... 1125
Configuring Agents for COREid Authentication .................................................................... 1126
Configuring the COREid Access Server.................................................................................... 1128
Configuring the General COREid Settings ............................................................................... 1130

Chapter 53: SAML Authentication


About SAML.................................................................................................................................. 1134
Federation and Metadata ...................................................................................................... 1134
Assertions ................................................................................................................................ 1134
Profiles and Bindings............................................................................................................. 1135
Requirements for SAML Authentication .................................................................................. 1136
Checklist: Preparing the IDP ................................................................................................ 1136
An Overview of the Authentication Process ............................................................................ 1137
Set up SAML Authentication ...................................................................................................... 1139
Export the IDP Metadata File...................................................................................................... 1140
Prepare the Appliance.................................................................................................................. 1142
Configure the CCL ................................................................................................................. 1142
Create an HTTPS Reverse Proxy Service............................................................................ 1142
Configure SAML Attributes ................................................................................................. 1143
Configure General Settings for SAML ................................................................................ 1144
Create the SAML Realm .............................................................................................................. 1146
Configure SAML Authorization................................................................................................. 1148
Policy Conditions ................................................................................................................... 1148
Configure the IDP......................................................................................................................... 1150
Configure AD FS .................................................................................................................... 1150
Configure SiteMinder ............................................................................................................ 1153
Configure Oracle .................................................................................................................... 1156
Configure Shibboleth............................................................................................................. 1159
Prevent Dropped Connections When Policy is Set to Deny................................................... 1162
Backing Up Configuration: Considerations for SAML ........................................................... 1163
Save Keyrings Before Backing up the Configuration ....................................................... 1163
Import Saved Keyrings After Restoring the Configuration............................................. 1163
Re-Import the Appliance Certificate to the Trust List (AD FS) ....................................... 1163
Chapter 54: Integrating the Appliance with Your Windows Domain
Integrate the ProxySG Appliance into the Windows Domain............................................... 1166
Join the ProxySG Appliance to the Windows Domain..................................................... 1167
Edit a Windows Domain....................................................................................................... 1168
Configure SNMP Traps for the Windows Domain ................................................................. 1170

Chapter 55: Integrating ProxySG Authentication with Active Directory Using IWA
About IWA Challenge Protocols.......................................................................................... 1172
About IWA Failover .............................................................................................................. 1172
Preparing for a Kerberos Deployment ...................................................................................... 1174
Enabling Kerberos in an IWA Direct Deployment............................................................ 1174
Enabling Kerberos in a BCAAA Deployment.................................................................... 1175
Configuring IWA on the ProxySG Appliance .......................................................................... 1176
Creating an IWA Realm ........................................................................................................ 1176
Configuring IWA Servers ..................................................................................................... 1178
Defining IWA Realm General Properties ........................................................................... 1183
Creating the IWA Authentication and Authorization Policies.............................................. 1185
Creating an IWA Authentication Policy ............................................................................. 1186
Creating a Guest Authentication Policy ............................................................................. 1188
Creating an IWA Authorization Policy .............................................................................. 1189
Configuring Client Systems for Single Sign-On....................................................................... 1191
Configure Internet Explorer for Single Sign-On................................................................ 1191
Configure Firefox for Single Sign-On.................................................................................. 1192
Using IWA Direct in an Explicit Kerberos Load Balancing/Failover Scenario................... 1192

Chapter 56: Kerberos Constrained Delegation

Chapter 57: LDAP Realm Authentication and Authorization


Creating an LDAP Realm on the ProxySG Appliance ............................................................ 1204
About LDAP Realms ............................................................................................................. 1204
Creating an LDAP Realm...................................................................................................... 1205
Configuring LDAP Properties on the ProxySG Appliance .................................................... 1206
Configuring LDAP Servers................................................................................................... 1206
Defining LDAP Base Distinguished Names....................................................................... 1208
Defining LDAP Search & Group Properties ...................................................................... 1210
Customizing LDAP Objectclass Attribute Values ............................................................ 1214
Defining LDAP General Realm Properties......................................................................... 1215

Chapter 58: Novell Single Sign-on Authentication and Authorization


Creating a Novell SSO Realm .................................................................................................... 1226
Novell SSO Agents ....................................................................................................................... 1227
Adding LDAP Servers to Search and Monitor for Novell SSO ............................................. 1229

Querying the LDAP Novell SSO Search Realm ....................................................................... 1231
Configuring Authorization ......................................................................................................... 1232
Defining Novell SSO Realm General Properties...................................................................... 1233

Chapter 59: Policy Substitution Realm


Creating a Policy Substitution Realm ........................................................................................ 1243
Configuring User Information.................................................................................................... 1244
Creating a List of Users to Ignore............................................................................................... 1246
Configuring Authorization ......................................................................................................... 1247
Defining Policy Substitution Realm General Properties......................................................... 1248
Creating the Policy Substitution Policy..................................................................................... 1251

Chapter 60: RADIUS Realm Authentication and Authorization


Creating a RADIUS Realm .......................................................................................................... 1255
Defining RADIUS Realm Properties.......................................................................................... 1256
Defining RADIUS Realm General Properties........................................................................... 1258

Chapter 61: Configuring the ProxySG Appliance as a Session Monitor

Chapter 62: Sequence Realm Authentication


Creating a Sequence Realm ......................................................................................................... 1275
Adding Realms to a Sequence Realm ........................................................................................ 1276
Defining Sequence Realm General Properties ......................................................................... 1278

Chapter 63: Managing X.509 Certificates


Section A: PKI Concepts
Certificate Chains ................................................................................................................... 1283
Section B: Using Keyrings and SSL Certificates
Creating a Keyring ....................................................................................................................... 1291
Deleting an Existing Keyring and Certificate .................................................................... 1294
Providing Client Certificates in Policy ...................................................................................... 1295
Add Certificates to the ProxySG Appliance ............................................................................. 1296
Create a Keydata File............................................................................................................. 1296
Import Certificates onto the ProxySG Appliance.............................................................. 1297
Group Related Client Keyrings into a Keylist .......................................................................... 1298
Specify the Client Certificates to be Used in Policy................................................................. 1300
Specify the Client Certificates to be Used in Policy in the VPM ..................................... 1300
Specify the Client Certificates to be Used in Policy in CPL ............................................. 1301
Section C: Managing Certificates
Managing SSL Certificates .......................................................................................................... 1306
Creating Self-Signed SSL Certificates.................................................................................. 1306
Importing a Server Certificate .............................................................................................. 1307

Using Certificate Revocation Lists ............................................................................................ 1309
Section D: Using External Certificates
Section E: Advanced Configuration
Managing CA Certificate Lists.................................................................................................... 1318
Creating a CA Certificate List .............................................................................................. 1318
Updating a CA Certificate List............................................................................................. 1320
Configuring Download of CCL Updates from Blue Coat................................................ 1320
Managing Cached Intermediate Certificates ............................................................................ 1323
Turn off Intermediate Certificate Caching ......................................................................... 1323
View Cached Intermediate Certificates .............................................................................. 1323
Clear Cached Intermediate Certificates .............................................................................. 1325
Section F: Checking Certificate Revocation Status in Real Time (OCSP)
Creating and Configuring an OCSP Responder ...................................................................... 1331

Chapter 64: Managing SSL Traffic


Section A: SSL Client Profiles
Editing an SSL Client ................................................................................................................... 1341
Associating a Keyring, Protocol, and CCL with the SSL Client ...................................... 1341
Changing the Cipher Suite of the SSL Client ..................................................................... 1342
Section B: SSL Device Profiles
Section C: Notes and Troubleshooting

Chapter 65: Windows Single Sign-on Authentication


Creating a Windows SSO Realm ............................................................................................... 1353
Configuring Windows SSO Agents ........................................................................................... 1354
Configuring Windows SSO Authorization............................................................................... 1356
Defining Windows SSO Realm General Properties................................................................. 1358

Chapter 66: Using XML Realms


Creating an XML Realm .............................................................................................................. 1367
Configuring XML Servers ........................................................................................................... 1368
Configuring XML Options .......................................................................................................... 1370
Configuring XML Realm Authorization ................................................................................... 1371
Configuring XML General Realm Properties ........................................................................... 1373

Chapter 67: Forms-Based Authentication and Validation


Creating and Editing a Form ...................................................................................................... 1383
Setting Storage Options ............................................................................................................... 1384
About CAPTCHA Validation ..................................................................................................... 1388
Before Implementing CAPTCHA Validation .................................................................... 1388
Configure CAPTCHA Validation .............................................................................................. 1388

Special Considerations .......................................................................................................... 1390
Sample CAPTCHA Validation Form .................................................................................. 1391

Chapter 68: Authentication and Authorization Errors

Chapter 69: Configuring Adapters and Virtual LANs


Changing the Default Adapter and Interface Settings ............................................................ 1422
About Multiple IP Addresses............................................................................................... 1422
Configuring a Network Adapter ......................................................................................... 1422
Improve Resiliency or Create a Bigger Pipe with an Aggregate Interface .................... 1428
Viewing Interface Statistics ......................................................................................................... 1433

Chapter 70: Software and Hardware Bridges


Configuring a Software Bridge ................................................................................................... 1439

Chapter 71: Configuring Management Services


Creating a Management Service................................................................................................. 1451
Creating a Notice and Consent Banner for the Management Console .......................... 1455
Managing the SSH Console......................................................................................................... 1456
Managing the SSH Host Key Pairs ...................................................................................... 1456
Creating a Notice and Consent Banner for SSH ................................................................ 1457
Managing SSH Client Keys................................................................................................... 1458
Managing the Telnet Console ..................................................................................................... 1460

Chapter 72: Preventing Denial of Service Attacks


Creating the CPL........................................................................................................................... 1470

Chapter 73: Authenticating a ProxySG Appliance


Obtaining a ProxySG Appliance Certificate ............................................................................. 1477
Automatically Obtaining an Appliance Certificate........................................................... 1477
Manually Obtaining an Appliance Certificate................................................................... 1477
Creating an SSL Device Profile for Device Authentication .................................................... 1482

Chapter 74: Monitoring the ProxySG Appliance


Section A: Using Director to Manage ProxySG Appliances
Automatically Registering the ProxySG Appliance with Director ....................................... 1487
Registration Requirements ................................................................................................... 1488
Registering the ProxySG Appliance with Director ........................................................... 1488
Section B: Monitoring the System and Disks
System Configuration Summary ................................................................................................ 1492
Viewing System Environment Sensors...................................................................................... 1493
Viewing Disk Status and Taking Disks Offline........................................................................ 1494
Viewing SSL Accelerator Card Information ............................................................................. 1495

Section C: Configuring Event Logging and Notification
Selecting Which Events to Log ................................................................................................... 1497
Setting Event Log Size.................................................................................................................. 1498
Enabling Event Notification........................................................................................................ 1499
Syslog Event Monitoring....................................................................................................... 1500
Securely Retrieving Event Logs from the Appliance........................................................ 1502
Viewing Event Log Configuration and Content ...................................................................... 1505
Section D: Monitoring Network Devices (SNMP)
Configuring SNMP Communities.............................................................................................. 1513
Configuring SNMP for SNMPv1 and SNMPv2c ..................................................................... 1515
Adding Community Strings for SNMPv1 and SNMPv2c................................................ 1515
Configuring SNMP Traps for SNMPv1 and SNMPv2c.................................................... 1516
Configuring SNMP for SNMPv3................................................................................................ 1519
About Passphrases and Localized Keys ............................................................................. 1519
Configuring SNMP Users for SNMPv3 .............................................................................. 1519
Configuring SNMP Traps and Informs for SNMPv3 ....................................................... 1521
Section E: Configuring Health Monitoring
About the Health Monitoring Metric Types ............................................................................. 1527
Thresholds and Notifications for General Metrics............................................................ 1528
Thresholds and Notifications for Licensing Metrics......................................................... 1529
Notifications for Status Metrics............................................................................................ 1531
Thresholds and Notifications for Subscription Metrics.................................................... 1533
Quick Reference: Default Threshold Values and States ................................................... 1534
Changing Threshold and Notification Settings ................................................................. 1536
Viewing Health Monitoring Statistics................................................................................. 1538

Chapter 75: Verifying the Health of Services Configured on the ProxySG


Section A: Overview
Background DNS Resolution ...................................................................................................... 1544
Section B: About Blue Coat Health Check Components
Health Check Tests ....................................................................................................................... 1547
Section C: Configuring Global Defaults
Changing Health Check Default Settings ................................................................................. 1555
Configuring Health Check Notifications .................................................................................. 1559
Section D: Forwarding Host and SOCKS Gateways Health Checks
Section E: DNS Server Health Checks
Section F: Authentication Health Checks
Section G: Virus Scanning and Content Filtering Health Checks
Section H: Managing User-Defined Health Checks

Section I: Health Check Topics
About Health Check Statistics .................................................................................................... 1583
Section J: Using Policy

Chapter 76: Maintaining the ProxySG Appliance


Performing Maintenance Tasks .................................................................................................. 1588
Upgrading the ProxySG Appliance ........................................................................................... 1593
Managing ProxySG Appliance Systems.................................................................................... 1594
Setting the Default Boot System........................................................................................... 1594
Locking and Unlocking ProxySG Appliance Systems...................................................... 1595
Replacing a ProxySG Appliance System ............................................................................ 1595
Deleting a ProxySG Appliance System............................................................................... 1595

Chapter 77: Diagnostics


Diagnostic Reporting (Service Information)............................................................................. 1601
Sending Service Information Automatically...................................................................... 1601
Managing the Bandwidth for Service Information ........................................................... 1602
Configure Service Information Settings.............................................................................. 1602
Creating and Editing Snapshot Jobs.................................................................................... 1605
Packet Capturing (PCAP—the Job Utility) ............................................................................... 1608
PCAP File Size ........................................................................................................................ 1608
PCAP File Name Format....................................................................................................... 1609
Common PCAP Filter Expressions...................................................................................... 1609
Configuring Packet Capturing ............................................................................................. 1610
Core Image Restart Options ........................................................................................................ 1616
Diagnostics: Blue Coat Customer Experience Program and Monitoring............................. 1617

Chapter 78: XML Protocol


Section A: Authenticate Request
Section B: Authenticate Response
Section C: Authorize Request
Section D: Authorize Response

Chapter 1: Introduction

The audience for this document is network administrators who are responsible
for managing Symantec Advanced Secure Gateway® appliances. This
document provides reference information and procedures to configure
Advanced Secure Gateway.
The information in this document supersedes information in the appliance’s
Management Console online help.

Supporting Documentation
Supporting documentation for Advanced Secure Gateway is available on
BlueTouch Online (BTO):
https://bto.bluecoat.com/documentation/All-Documents/

Note: Release Notes are available on BTO on the Downloads page. Log in to BTO
with your username and password to access the release image and release
notes.

Advanced Secure Gateway Administration Guide

Section 1 Document Conventions


The following table lists the typographical and Command Line Interface (CLI)
syntax conventions used in this manual.

Table 1–1 Document Conventions

Convention        Definition
Italics           The first use of a new or Blue Coat-proprietary term.
Courier font      Screen output. For example, command line text, file names,
                  and Blue Coat Content Policy Language (CPL).
Courier Italics   A command line variable that is to be substituted with a
                  literal name or value pertaining to the appropriate facet of
                  your network system.
Courier Boldface  A Blue Coat literal to be entered as shown.
Arial Boldface    Screen elements in the Management Console.
{ }               One of the parameters enclosed within the braces must be
                  supplied.
[ ]               An optional parameter or parameters.
|                 Either the parameter before or after the pipe character can or
                  must be selected, but not both.

Section 2 Notes and Warnings
The following is provided for your information and to caution you against actions
that can result in data loss or personal injury:

Note: Supplemental information that requires extra attention.

Important: Critical information that is not related to equipment damage or
personal injury (for example, data loss).

WARNING! Used only to inform you of danger of personal injury or physical
damage to equipment. An example is a warning against electrostatic discharge
(ESD) when installing equipment.


Section 3 About Procedures


Many of the procedures in this guide begin:
❐ Select Configuration > TabName, if you are working in the Management Console,
or
❐ From the (config) prompt, if you are working in the command line interface (CLI).

Blue Coat assumes that you are logged into the first page of the Management
Console or entered into configuration mode in the CLI.
In most cases, procedures in this guide tell you how to perform a task in the
Management Console, even if there is a CLI equivalent.

Chapter 2: Accessing the Appliance

This section provides procedures for accessing the Advanced Secure Gateway
so that you can perform administrative tasks using the Management Console
and/or the command-line interface. It assumes that you have performed the
first-time setup using the Serial Console or the front panel and that you have
minimally specified an IP address, IP subnet mask, IP gateway, and DNS
server, and that you have tested the appliance and know that it is up and
running on the network. If you have not yet done this, refer to the hardware
guides for your appliance model.
This section includes the following topics:
❐ "Accessing the Advanced Secure Gateway Appliance Using the
Management Console" on page 26
❐ "Accessing the Advanced Secure Gateway Using the CLI" on page 41
❐ "Configuring Basic Settings" on page 43
❐ "Required Ports" on page 54


Section 1 Accessing the Advanced Secure Gateway Appliance Using the
Management Console
The Management Console is a graphical web interface that allows you to manage,
configure, monitor, and upgrade the appliance from any location. To determine
the browser and Java requirements for the Management Console, refer to KB
article 000031300:
http://bluecoat.force.com/knowledgebase/articles/Solution/000031300
Figure 2–1 ProxySG appliance Management Console

Note: When you access the Management Console home page, if you see a host
mismatch or an invalid certificate message, you must recreate the security
certificate used by the HTTPS-Console. For information on changing the security
certificate, see "Managing the HTTPS Console (Secure Console)" on page 1452.
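The host-mismatch and invalid-certificate messages described in the note above come from the browser comparing the host typed in the address bar (a DNS name or, as in the procedures in this chapter, a management IP address such as 192.168.0.6) against the names in the HTTPS-Console certificate's subjectAltName, and from the certificate being outside its validity period or self-signed. The Python script below is an added example, not part of this guide or of the appliance software: it reproduces those checks offline against a constructed certificate record in the dict shape returned by Python's ssl.SSLSocket.getpeercert(), and includes an optional live helper that fetches the console certificate from port 8082 so an administrator can see which check fails before deciding to recreate the certificate. The sample certificate values, the function names and the port default are assumptions made for illustration; the name-matching rules are the standard ones (an IP literal must appear as an IP Address entry; a DNS name may be covered by a single-label wildcard).

```python
import ipaddress
import socket
import ssl
import time

# Constructed sample, in the dict shape ssl.SSLSocket.getpeercert() returns.
# It stands in for an appliance's default HTTPS-Console certificate: self-signed
# (issuer == subject) and naming only a DNS name, not the management IP address.
SAMPLE_CONSOLE_CERT = {
    "subject": ((("commonName", "proxysg.example.internal"),),),
    "issuer": ((("commonName", "proxysg.example.internal"),),),
    "notBefore": "Mar 12 00:00:00 2025 GMT",
    "notAfter": "Mar 12 23:59:59 2027 GMT",
    "subjectAltName": (("DNS", "proxysg.example.internal"),),
}


def dns_name_matches(host, pattern):
    """RFC 6125-style comparison: case-insensitive, with one leading '*.'
    wildcard that covers exactly one label (so *.example.com matches
    a.example.com but neither example.com nor a.b.example.com)."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]              # ".example.com"
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return host == pattern


def host_matches_san(host, san):
    """True if the address-bar host is covered by the certificate's
    subjectAltName, given as (type, value) pairs as getpeercert() returns them."""
    try:
        wanted_ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        wanted_ip = None                  # a DNS name, not an IP literal
    for kind, value in san:
        if wanted_ip is not None:
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == wanted_ip:
                        return True
                except ValueError:
                    pass
        elif kind == "DNS" and dns_name_matches(host, value):
            return True
    return False


def console_certificate_findings(host, cert, now=None):
    """Return the reasons a browser would warn when the console is opened as
    https://<host>:8082 with this certificate. An empty list means the
    certificate names the host, is within its validity period and is CA-issued."""
    now = time.time() if now is None else now
    findings = []
    san = cert.get("subjectAltName", ())
    if not host_matches_san(host, san):
        findings.append("host mismatch: %r is not listed in subjectAltName %r" % (host, san))
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("expired: notAfter is %s" % cert["notAfter"])
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        findings.append("not yet valid: notBefore is %s" % cert["notBefore"])
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed: issuer equals subject, so no trusted CA vouches for it")
    return findings


def fetch_console_certificate(host, port=8082, timeout=5.0):
    """Live helper (not exercised offline): fetch the HTTPS-Console certificate
    and return it in getpeercert() form. The certificate is first downloaded
    without verification, then the connection is repeated trusting exactly that
    copy, so the handshake verifies and getpeercert() yields the parsed fields.
    This suits the appliance's self-signed default certificate; a CA-issued leaf
    additionally needs the partial-chain flag set below (Python 3.10+)."""
    pem = ssl.get_server_certificate((host, port), timeout=timeout)
    ctx = ssl.create_default_context(cadata=pem)
    ctx.check_hostname = False            # we report the mismatch instead of aborting
    if hasattr(ssl, "VERIFY_X509_PARTIAL_CHAIN"):
        ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Opening the sample certificate by management IP, as in this chapter's procedures.
    for finding in console_certificate_findings("192.168.0.6", SAMPLE_CONSOLE_CERT):
        print(finding)
```

Run stand-alone, the script reports both a host mismatch (the sample certificate names only a DNS name, while the console was opened by IP) and that the certificate is self-signed; replace SAMPLE_CONSOLE_CERT with the result of fetch_console_certificate("192.168.0.6") to check a real appliance.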

Ways to Access the Management Console


The methods available to you for accessing the Management Console depend on
what you want to achieve—for example, you might want to manage multiple
Management Console instances—and environmental factors specific to your
deployment. See Table 2–1 for details.

Note: To determine if you have a minimum supported Java version installed,
refer to Knowledge Base article 000031300:
http://bluecoat.force.com/knowledgebase/articles/Solution/000031300

Table 2–1 Ways to Access the Management Console

Use Case(s): You want to run the Management Console directly in a browser.
Environmental Requirements: Your deployment must have all of the following:
• Any Advanced Secure Gateway version.
• A browser with NPAPI support.
• Browsers enabled with the minimum supported version of Java to run the
Management Console.
How to access the Management Console: See "Load the Management Console
Directly in a Browser" on page 27.

Use Case(s): You require an alternative to running the Management Console
directly in a browser because:
• You know that the browser does not support NPAPI.
• Your browser is not configured to run Java or JavaScript.
Environmental Requirements: Your deployment must have workstations with the
minimum supported version of Java to run the Management Console (browsers need
not be Java-enabled), and at least one of the following:
• Advanced Secure Gateway 6.6.5.x and later and a browser without NPAPI
support.
• Any Advanced Secure Gateway version and any browser version, provided you
can access the Internet or can host the Launcher applet internally.
How to access the Management Console: See "Run the Management Console using
Java Web Start" on page 28.

Use Case(s): You want to launch multiple appliances.
Environmental Requirements: Your deployment has all of the following:
• Any browser version.
• Workstations with the minimum supported version of Java to run Java Web
Start; browsers need not be Java-enabled.
• Access to the Internet.
How to access the Management Console: See "Launch Multiple Management
Consoles" on page 30.

Load the Management Console Directly in a Browser


Loading the Management Console in a browser is the legacy way to access the
management interface of an appliance. Accessing any Advanced Secure Gateway
version through a browser that supports NPAPI loads the legacy Management
Console directly in the browser by default.

Note: (Version 6.6.5.x and later) If the browser does not load the content
immediately, you can use Java Web Start instead (as described in "Run the
Management Console using Java Web Start" on page 28). A “Click here if your
browser does not support embedded applets” link appears at the bottom of the
Management Console; if you click the link, you are prompted to open or save a
Java Network Launch Protocol (JNLP) file. Otherwise, refresh the browser or wait
for the console to load the legacy Management Console.


Load the Management Console in a browser:


1. In the browser’s address bar, enter https://appliance_IP_address:port
The default management port is 8082.
For example, if the IP address configured during initial configuration is
192.168.0.6, type https://192.168.0.6:8082 in the address bar.

2. Enter the user name and password that you created during initial
configuration. Upon successful login, the browser displays the Proxy tab of
the Advanced Secure Gateway Management Console.

Note: The event log records all successful and failed login attempts.

Run the Management Console using Java Web Start


Using Java Web Start simulates the experience of running the Management
Console in a browser. In Advanced Secure Gateway 6.6.5.x and later, if you access
the Management Console using a browser that does not support NPAPI, the
browser presents a message including a link for you to download a JNLP file.
Alternatively—provided you can access the Internet—you can download the
JNLP file from BlueTouch Online (BTO).

Run the Management Console using Java Web Start:


1. (Optional; applicable if you can connect to the Internet) Download the JNLP
file from BTO, and then proceed to step 5.

2. In the browser’s address bar, enter https://appliance_IP_address:port
The default management port is 8082.
For example, if the IP address configured during initial configuration is
192.168.0.6, type https://192.168.0.6:8082 in the address bar.
The browser prompts you to enter your user name and password.

3. Enter the user name and password that you created during initial
configuration.
The browser displays a message stating that NPAPI is not supported.

4. In the message, click the link to download the JNLP file (mc.jnlp).
Alternatively, in the Management Console footer, click the “Click here if your
browser does not support embedded applets” link to download the file.
If you have already downloaded the JNLP file, you can run it instead of
downloading a copy; go to step 5.
Save the file to a convenient location on disk. To avoid downloading copies of
the JNLP file, note the location for future use.


5. Open the JNLP file. When prompted, enter your user name and password
again.

Upon successful login, the applet loads the Management Console.

Note: The event log records all successful and failed login attempts.

Launch Multiple Management Consoles


The Management Console Launcher allows you to manage and launch multiple
Management Console instances from a single interface.

Note: If none of the appliances in your deployment run version 6.6.5.x or later,
you must have access to the internet to download the launcher.JNLP file from
BTO.

Launch multiple Management Consoles:


1. If you have already downloaded the JNLP file, you can run it instead of
downloading a copy; go to step 4.
2. Perform the appropriate step for your deployment:
• If none of the appliances in your deployment run version 6.6.5.x or later,
use a workstation with access to the internet. Then, go to Blue Coat
Knowledge Base article 000032374 to download the JNLP file:
https://bluecoat.secure.force.com/knowledgebase/articles/Solution/
000032374
• Designate an appliance running Advanced Secure Gateway 6.6.5.x or later
as the one you will use to launch multiple consoles.
Log in to this appliance using steps 2 and 3 in "Run the Management
Console using Java Web Start" on page 28. When you are logged in, the
browser displays the Management Console banner. In the banner, click the
Launcher link.

3. Download the JNLP file (loader.jnlp) to a convenient location on disk. To
avoid downloading copies of the JNLP file, note the location for future use.

4. Run the JNLP file. The Management Console Launcher opens.
Figure 2–2 Management Console Launcher - Main dialog

5. Select an appliance in the list and click Launch.
When prompted, enter your console user name and password. After a few
moments, Java Web Start launches the Management Console.
To manage the list of appliances, see "Use the Management Console Launcher" on
page 31.

Use the Management Console Launcher


Use the Management Console Launcher to manage multiple Management
Console instances from a single interface. On the main Launcher dialog, click the
Manage Devices link to display the Device Connection Manager dialog. See
Figure 2–3.
Figure 2–3 Management Console Launcher - Device Connection Manager dialog


Manage multiple instances through the Management Console Launcher:


1. Perform the following tasks as required:
• Add or remove an appliance using Launcher - See "Add or Remove a Device"
on page 32.
• Change an appliance’s network properties or description - See "Modify a
Device’s Properties" on page 33.
• Back up or restore the list of managed appliances - See "Import or Export a
List of Devices" on page 33.
• Change the order in which the appliances appear in the list - See "Re-order
the List of Devices" on page 34.
2. Launch a Management Console. On the main Launcher dialog, select the
instance and click Launch.

Add or Remove a Device


Use Launcher to add or remove appliances for convenient management of
multiple appliances across your organization.

Add or remove a device:


1. On the Launcher dialog, click the Manage Devices link. The dialog displays a
“Device Connection Manager” list. See Figure 2–3.
2. To add an appliance, specify the device properties:

Note: If you ran Launcher using the Launcher link in the Management
Console banner, the IP address and port fields are pre-populated with the
appliance’s console IP address and port.

a. Select the protocol (HTTP or HTTPS) and type the IP address in the
field.
b. In the Port field, type the port number of the appliance’s Management
Console.
c. (Recommended) In the Description field, enter a description for the
appliance to help identify it.
d. Click Add as New. The appliance you added appears in the list of
devices.
e. (Recommended) Test connectivity to the appliance you added. Select
the appliance in the list and click Test.
If the test is successful, a green checkmark appears beside the Test button.
If the test is unsuccessful, a red “X” appears beside the Test button. Check
the settings you entered and modify them if needed (see "Modify a
Device’s Properties" on page 33). Then, test the connection again.

3. To remove an appliance, select it in the list and click Delete. The appliance is
deleted from the list.
4. Click Done. Return to Launcher. The dialog displays the updated list of devices.

Note: You can also add appliances from the main Launcher dialog. The steps are
similar to the ones outlined previously.

Modify a Device’s Properties


If a managed appliance has changed network settings or other details, update its
details in the Launcher.

Modify a device’s properties:


1. On the Launcher dialog, click the Manage Devices link. The dialog displays a
“Device Connection Manager” list. See Figure 2–3 on page 31.
2. Select a device.
3. Change or edit the protocol, IP address, port, or description as needed.
4. Click Update.
5. (If applicable) Modify other devices as needed.
6. Click Done. Return to Launcher. The dialog displays the list of devices.

Import or Export a List of Devices


The import/export function in the Launcher allows you to:
❐ Create a list of devices in comma-separated values (CSV) format outside of
Launcher, and then import it through the Launcher.
❐ Back up (export) the list of managed appliances.
❐ Restore (import) a list of appliances.

Note: Deleting installed applications and applets in the Java Control Panel
removes the list of appliances from Launcher; thus, to prevent inadvertent
deletion, export the list periodically or when you make significant changes to
it.

Prepare a list of devices for import:


1. Create/modify a CSV file. Enter one device per row with the following
properties:
• First cell: Type “TRUE” for HTTPS and “FALSE” for HTTP (not including
the quotation marks).
• Second cell: Enter the device IP address.
• Third cell: Enter the port number for the device’s HTTP/S console.


• Fourth cell: Enter a description for the device.


2. Save the file to a convenient location on disk. Note the location for when you
are ready to import the file.

Import/export devices:
1. On the Launcher dialog, click the Manage Devices link. The dialog displays a
“Device Connection Manager” list.
2. To import a list of devices:
a. Click the Import link at the top right of the dialog. See Figure 2–3 on
page 31.
b. In the dialog that opens, browse to the location of the CSV file to
import and select the file.
c. Specify what to do if devices already exist in the Launcher list:
• Merge with current list - This is selected by default. If devices exist in
Launcher already, they are combined with the list of devices you
import.
• Replace the current list - If devices exist in Launcher already, the list of
devices you import replaces the existing list.
d. Click Done. Return to Launcher. The list of devices is imported.
3. To export the list of devices:
a. Click the Export link at the top right of the dialog. See Figure 2–3 on
page 31.
b. In the dialog that opens, browse to the location where you want to
save the CSV file. Enter a name for the file and save it.
4. Click Done. Return to Launcher. The list of devices is exported.
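As an added example that is not part of this guide or of the Launcher itself, the following Python builds and validates a device list in the four-cell CSV layout described above and models the "merge with current list" and "replace the current list" import choices; how duplicate rows are treated during a merge (a console with the same protocol, IP address and port is kept once) and every sample value are assumptions.

```python
"""Device-list CSV handling for the Management Console Launcher.
Added example; not code from the SGOS guide or the Launcher. Rows follow the
guide's layout: TRUE/FALSE (HTTPS/HTTP), IP address, console port, description.
Merge duplicate handling and all sample values are assumptions."""
import csv
import io
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    https: bool          # first cell: TRUE for HTTPS, FALSE for HTTP
    ip: str              # second cell: console IP address (IPv4 or IPv6)
    port: int            # third cell: Management Console port
    description: str     # fourth cell: free-text description

    def key(self):
        # Assumption: same protocol, IP and port means the same console.
        return (self.https, self.ip, self.port)


def parse_device_csv(text):
    """Return (devices, errors): malformed rows are reported with their line
    number instead of being silently imported."""
    devices, errors = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(cell.strip() == "" for cell in row):
            continue  # blank line
        if len(row) < 3:
            errors.append(f"line {lineno}: expected protocol, IP and port cells")
            continue
        flag = row[0].strip().upper()
        if flag not in ("TRUE", "FALSE"):
            errors.append(f"line {lineno}: first cell must be TRUE or FALSE")
            continue
        ip = row[1].strip()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"line {lineno}: invalid IP address {ip!r}")
            continue
        try:
            port = int(row[2].strip())
        except ValueError:
            port = -1
        if not 1 <= port <= 65535:
            errors.append(f"line {lineno}: invalid port {row[2]!r}")
            continue
        description = row[3].strip() if len(row) > 3 else ""
        devices.append(Device(flag == "TRUE", ip, port, description))
    return devices, errors


def write_device_csv(devices):
    """Serialise devices back to the four-cell layout (export / backup)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for d in devices:
        writer.writerow(["TRUE" if d.https else "FALSE", d.ip, d.port, d.description])
    return buf.getvalue()


def import_devices(current, imported, mode="merge"):
    """Apply the Launcher's import choice: "replace" supersedes the current
    list; "merge" keeps current entries and appends consoles not already
    present (assumed duplicate rule, see Device.key)."""
    if mode == "replace":
        return list(imported)
    if mode != "merge":
        raise ValueError(f"unknown import mode {mode!r}")
    seen = {d.key() for d in current}
    result = list(current)
    for d in imported:
        if d.key() not in seen:
            result.append(d)
            seen.add(d.key())
    return result


def cleartext_consoles(devices):
    """Consoles reached over HTTP: console credentials would cross the network unencrypted."""
    return [d for d in devices if not d.https]


# Constructed sample list; 8082/8081 are the console ports from the guide's port table.
SAMPLE_CSV = """TRUE,10.0.0.10,8082,HQ proxy (constructed sample)
FALSE,10.0.0.11,8081,Branch proxy (constructed sample)
TRUE,2001:db8::10,8082,"Lab proxy, second rack (constructed sample)"
YES,10.0.0.12,8082,bad protocol flag
TRUE,10.0.0.13,99999,bad port
"""

if __name__ == "__main__":
    devices, errors = parse_device_csv(SAMPLE_CSV)
    print("\n".join(f"rejected: {e}" for e in errors))
    print("\n".join(f"warning: HTTP console {d.ip}:{d.port}" for d in cleartext_consoles(devices)))
    print(write_device_csv(devices), end="")
```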

Re-order the List of Devices


You can change the order of devices of the list to make it easier to manage. For
example, if you are managing a large list of devices, you might want to move the
ones you monitor more frequently to the top of the list.

Change the order of the devices on the list:


1. On the Launcher dialog, click the Manage Devices link. The dialog displays a
“Device Connection Manager” list. See Figure 2–3 on page 31.
2. Select a device and use the arrows to move it up or down in the list.
3. (If applicable) Move other devices as needed.
4. Click Done. Return to Launcher. The dialog displays the list of devices.

About the Management Console Banner
After you log in to the Advanced Secure Gateway appliance, the Management
Console displays a banner at the top of the page.

This guide covers the functions of the Advanced Secure Gateway Proxy tab.
The Proxy Management Console banner provides the following information:
❐ Appliance identification— the appliance name, hardware serial number, and
the software version.
❐ Appliance health status— Visible when the Proxy tab is selected. The health
state is represented by a text box and a color that corresponds to the health of
the system (OK - green, Warning - yellow, or Critical - red). The system health
changes when one or more of the health metrics reaches a specified threshold
or returns to normal. The health state indicator is polled and updated every 10
seconds on the Advanced Secure Gateway.
To obtain more information about the health state, click the Health: status link
— OK, Warning, Critical. The Statistics > Health page displays; it lists the
current condition of the system’s health monitoring metrics. See "Verifying the
Health of Services Configured on the ProxySG" on page 1541 for more
information about the health monitoring metrics.
❐ License status and version— Your Advanced Secure Gateway license includes
all the component licenses for the Proxy and Content Analysis features that
you have purchased. To view a list of the license components and their
expiration date, go to the Maintenance > Licensing > View tab.
❐ Blue Coat product documentation and customer support links. You must have
a Blue Touch Online account to access documentation and to request support.
To log out of the Management Console, click the Log Out link.
❐ Proxy and Content Analysis tabs. Advanced Secure Gateway appliances
include both a Proxy module and a Content Analysis module. Use the tabs to switch
from one to the other. For information on configuring ICAP services to use the
internal Content Analysis service, see Chapter 24: "Malicious Content
Scanning Services" or the help icon (?) in the Content Analysis module.

Viewing the Benefits of Deploying the Advanced Secure Gateway Appliance

In addition to the Overview tab, which focuses on threat activities of the
Advanced Secure Gateway appliance as a whole, the Statistics > Summary page
displays the role of the Advanced Secure Gateway appliance in boosting the


performance of traffic within your network using its optimization, policy control,
and caching techniques. The Summary page visually demonstrates the overall
performance and efficiency of your network.
If you have just completed initial setup and have not configured the Advanced
Secure Gateway to intercept any traffic, the Summary page will not display much
information. For example, you cannot view bandwidth efficiency for traffic being
intercepted by the Advanced Secure Gateway.

Note: To view performance statistics, retrieve your license and create/enable
services on the Advanced Secure Gateway. For information on enabling
services, see Chapter 7: "Managing Proxy Services" on page 129. For licensing
details, see Chapter 3: "Licensing" on page 57.

When the Advanced Secure Gateway appliance is deployed and configured to
meet your business needs, the Summary page monitors and reports information on
your network traffic and applications. The on-screen information is automatically
refreshed every 60 seconds.

Viewing Efficiency and Performance Metrics


The Statistics > Summary > Efficiency tab displays the bandwidth gain achieved
within your network in the Savings panel, and the performance of each interface
in the Interface Utilization panel on the Advanced Secure Gateway. These metrics
represent the last hour of traffic, and are updated every 60 seconds.
The Savings panel displays the top 5 services that are intercepted by the
Advanced Secure Gateway, in your network. For detailed information on each
service, click the service and view the details in the Statistics > Traffic History page.

❐ Service: A service represents the type of traffic that is being intercepted; the top
5 services are ranked in descending order of bytes saved.
❐ Bytes Saved Last Hour: Bytes saved displays the bandwidth savings in the last 60
minutes. It represents data that did not traverse the WAN because of object
and byte caching, protocol optimization, and compression. It is calculated as:
Client Bytes - Server Bytes,
where Client Bytes is the data rate calculated to and from the client on the
client-side connection, and Server Bytes is the data rate calculated to and
from the server on the server-side connection.

❐ Percent Savings: A percentage value of bytes saved, calculated as:
{(Client Bytes - Server Bytes)/ Client Bytes} * 100

In the Savings panel shown above, the Percent Savings for FTP is 50% and
bandwidth savings is 2x, which is calculated as Client Bytes/Server Bytes.

Note: The graph in the percent savings column represents savings over the
last hour, while the label reflects the percent savings in the last minute. For
more information on bandwidth savings, click on any row and navigate to the
Statistics > Traffic History page. By default, the traffic history page displays
bandwidth usage and bandwidth gain statistics for the corresponding service
over the last hour.

The Interface Utilization panel displays statistics on interface use, reveals network
performance issues, if any, and helps determine the need to expand your network.

❐ Interface: The interfaces are labeled with an adapter number followed by an
interface number. For example, on 2-port bridge cards, the interface number is
0 for WAN and 1 for LAN connections; 4-port bridge cards have 0 and 2 for
WAN and 1 and 3 for LAN.
❐ Link state: Indicates whether the interface is in use and functioning. It also
displays the duplex settings and includes the following information:
• Up or Down: Up indicates that the link is enabled and can receive and
transmit traffic. Down indicates that the link is disabled and cannot pass
traffic.
• Auto or Manual: Indicates whether the link is auto-negotiated or manually
set.
• 10Mbps, 100 Mbps or 1Gbps: Displays the capacity of the link.
• FDX or HDX: Indicates whether the interface uses full duplex or half duplex
connection, respectively. In some cases, if a duplex mismatch occurs when
the interface is auto-negotiated and the connection is set to half-duplex,
the display icon changes to a yellow warning triangle. If you view a
duplex mismatch, you can adjust the interface settings in the Configuration
> Network > Adapters tab.


❐ Transmit Rate and Receive Rate: Displays number of bits processed per second,
on each interface.
The graphs in the transmit rate and receive rate columns represent interface
activity over the last hour, while the value in the label represents interface
activity over the last minute.
❐ Errors: Displays the number of transmission errors, if any, in the last hour.
Interfaces with input or output errors are displayed in red.
For more information on an interface, click on any row; the Statistics > Network >
Interface History page displays.

Monitoring System Resources and Connectivity Metrics


The Statistics > Summary > Device tab displays a snapshot of the key system
resources, identification specifics, and the status of external devices that are
connected to the Advanced Secure Gateway appliance.
The identification panel provides information on the name of the Advanced
Secure Gateway, IP address, hardware serial number, software version and the
build (release) ID. You can copy and paste the information on this panel, into an
email for example, when communicating with Blue Coat Support.

This information is also displayed on the Management Console banner and under
Configuration > General > Identification. To assign a name to your Advanced Secure
Gateway, see "Configuring the Advanced Secure Gateway Appliance Name" on
page 44.

The Statistics area displays the current percentages of CPU usage and memory
utilization, and the number of concurrent users. Concurrent users represents the
number of unique IP addresses that are being intercepted by the Advanced Secure
Gateway. For more information on these key resources, click the link; the
corresponding panel under Statistics > System > Resources displays.
❐ The Statistics panel also displays whether the Advanced Secure Gateway is
enabled to act as Client Manager for ProxyClient and Unified Agent users.
The status information displayed for the remote clients include the following
options:

Feature: ProxyClient and Unified Agent
Status: Client Manager Enabled; <number> Active Clients
Description: This Advanced Secure Gateway serves as a Client Manager. Also
displayed is the number of active clients that are connected to this Client
Manager.
Status: Disabled
Description: This Advanced Secure Gateway is not configured as a Client
Manager.

The Connectivity area displays the status of external devices and services that the
Advanced Secure Gateway appliance relies on, for effective performance. The
status indicates whether the appliance is able to communicate with the external
devices and services that are configured on it.

The external devices or services, that can be configured on the Advanced Secure
Gateway, include:
❐ WCCP capable routers/switches
❐ External ICAP devices (such as Blue Coat ProxyAV or Content Analysis
appliances)
❐ DNS Servers
❐ Authentication realms
Only those external devices or services that are configured on the Advanced
Secure Gateway are displayed on this panel. If, for example, ICAP is not yet
enabled on the Advanced Secure Gateway, ICAP is not listed in the connectivity
panel.
The connectivity status for these external devices is represented with an icon —
Ok, Warning, or Critical. The icon and the text portray the most severe health
status, after considering all the health checks configured, for the device or service.


With the exception of WCCP, click on any row to view the health status details in
the Statistics > Health Checks tab. The Statistics > Health Checks tab provides
information on the general health of the Content Analysis services configured on
the Advanced Secure Gateway, allows you to perform routine maintenance tasks
and to diagnose potential problems. For more information on health checks, see
"Verifying the Health of Services Configured on the ProxySG" on page 1541.
To view details on the status of WCCP capable devices in your network, click
the WCCP service row; the Statistics > Network > WCCP tab displays. The Statistics >
Network > WCCP tab provides information on the configured service groups and
their operational status. For more information on how to configure WCCP on the
Advanced Secure Gateway, see Chapter 33: "WCCP Configuration" on page 813.
For more detailed information about WCCP, refer to the WCCP Reference Guide.

Logging Out of the Management Console


To exit the current session, click the Log out link on the Management Console
banner.
You may be logged out of the Advanced Secure Gateway automatically when a
session timeout occurs. This security feature logs the user out when the
Management Console is not actively being used. For more information, see
"Changing the Advanced Secure Gateway Timeout" on page 47.
Thirty seconds before the session times out, the console displays a warning
dialog. Click the Keep Working button or the X in the upper-right corner of the
dialog box to keep the session alive.

If you do not respond within the 30-second period, you are logged out and lose all
unsaved changes. To log in again, click the You need to log in again to use the console
hyperlink in the browser (legacy Management Console only). To log out
completely, close the browser window.

Section 2 Accessing the Advanced Secure Gateway Using the CLI
You can connect to the Advanced Secure Gateway command-line interface via
Secure Shell (SSH) using the IP address, username, and password that you defined
during initial configuration. An SSH management console service is configured
and enabled by default, using SSHv2 and a default SSH host key, so you can
access the CLI over SSHv2 without additional configuration. SSHv1 and Telnet
cannot be used without additional configuration.

Note: You can also access the CLI using Telnet or SSH v1. However, these
management services are not configured by default. For instructions on
configuring management services, see Chapter 71: "Configuring
Management Services" on page 1449.

To log in to the CLI, you must have:


❐ the account name that has been established on the Advanced Secure Gateway
❐ the IP address of the Advanced Secure Gateway
❐ the port number (22 is the default port number)
Advanced Secure Gateway supports different levels of command security:
❐ Standard, or unprivileged, mode is read-only. You can see but not change
system settings and configurations. This is the level you enter when you first
access the CLI.
❐ Enabled, or privileged, mode is read-write. You can make immediate but not
permanent changes to the Advanced Secure Gateway, such as restarting or
shutting down the system. This is the level you enter when you first access the
Management Console.
❐ Configuration mode allows you to make permanent changes to the Advanced
Secure Gateway configuration. To access Configuration mode, you must be in
Enabled mode.
When you log in to the Management Console using your username and
password, you are directly in configuration mode.
However, if you use the CLI, you must enter each level separately:
Username: admin
Password:
> enable
Enable Password:
# configure terminal
Enter configuration commands, one per line. End with CTRL-Z.
#(config)
For detailed information about the CLI and the CLI commands, refer to the
Command Line Interface Reference.


Note: Most tasks can be performed in both the Management Console and the
CLI. This guide covers procedures for the Management Console; refer to the
Command Line Interface Reference for related CLI tasks. Tasks that are available only
in the Management Console or only in the CLI are noted as such.

Section 3 Configuring Basic Settings
This section describes how to configure basic settings, such as the Advanced
Secure Gateway appliance name, time settings, and login parameters. It includes
the following topics:
❐ "How Do I...?" on page 43
❐ "Configuring the Advanced Secure Gateway Appliance Name" on page 44
❐ "Changing the Login Parameters" on page 45
❐ "Viewing the Appliance Serial Number" on page 48
❐ "Configuring the System Time" on page 49
❐ "Synchronizing to the Network Time Protocol" on page 52

How Do I...?
To navigate this section, identify the task to perform and click the link:

How do I...? See...
Assign a name to identify the Advanced Secure Gateway? "Configuring the Advanced Secure Gateway Appliance Name" on page 44
Change the logon parameters? "Changing the Login Parameters" on page 45
Locate the Appliance Serial Number? "Viewing the Appliance Serial Number" on page 48
Configure the local time on the Advanced Secure Gateway? "Configuring the System Time" on page 49
Synchronize the Advanced Secure Gateway to use the Network Time Protocol (NTP)? "Synchronizing to the Network Time Protocol" on page 52
Change the log-in username and password? "Changing the Administrator Account Credentials" on page 45
Configure a console realm name to identify the Advanced Secure Gateway that I am accessing (before I log in to the Management Console)? "Changing the Advanced Secure Gateway Realm Name" on page 46
Configure the time for console log out on the Advanced Secure Gateway? "Changing the Advanced Secure Gateway Timeout" on page 47


Section 4 Configuring the Advanced Secure Gateway Appliance Name


You can assign any name to an Advanced Secure Gateway. A descriptive name
helps identify the system.

To set the Advanced Secure Gateway name:


1. Select Configuration > General > Identification.
2. In the Appliance name field, enter a unique name for the appliance.
3. Click Apply.

Section 5 Changing the Login Parameters
You can change the console username and password, the console realm name
which displays when you log in to the appliance, and the auto-logout time. The
default value is 900 seconds.
The Management Console requires a valid administrator username and password
to have full read-write access; you do not need to enter a privileged-mode
password as you do when using the CLI. A privileged-mode password, however,
must already be set.

Note: To prevent unauthorized access to the Advanced Secure Gateway, only
give the console username and password to those who administer the system.

Changing the Administrator Account Credentials


During the initial configuration of your Advanced Secure Gateway appliance, a
console administrator username and password was created. This is a special
account that can always be used to administer the appliance from either the web-
based Management Console or the Command Line Interface. You can change the
username and the password of this administrator account.

Note: Changing the console account’s username or password causes the
Management Console to refresh, requiring you to log in again using the new
credentials. Each parameter must be changed and individually refreshed. You
cannot change both parameters at the same time.

To change the username:


1. Select Configuration > Authentication > Console Access > Console Account.

2. Edit the username of the administrator that is authorized to view and revise
console properties. Only one console account exists on the Advanced Secure
Gateway. If you change the console account username, that username
overwrites the existing console account username. The console account
username can be changed to anything that is not null and contains no more
than 64 characters.


3. Click Apply. After clicking Apply, an Unable to Update configuration error is
displayed. This is expected: although the username change was successfully
applied, the configuration could not be fetched from the Advanced Secure
Gateway appliance because the old username was offered in the fetch request.
4. Refresh the screen. You are challenged for the new username.

To change the password:


The console password and privileged-mode password were defined during initial
configuration of the system. The console password can be changed at any time.
The privileged-mode, or enabled-mode, password can only be changed through
the CLI or the serial console.
1. Select Configuration > Authentication > Console Access > Console Account.
2. Click Change Password.
3. Enter and re-enter the console password that is used to view and edit
configuration information. The password must be from 1 to 64 characters
long. As you enter the new password, it is obscured with asterisks. Click OK.

Note: This does not change the enabled-mode password. You can only
change the enabled-mode password through the CLI.

4. Refresh the screen, which forces the SGOS software to re-evaluate current
settings. When challenged, enter the new password.
5. (Optional) Restrict access by creating an access control list or by creating a
policy file containing <Admin> layer rules. For more information, see
"Limiting Access to the ProxySG" on page 75.

Changing the Advanced Secure Gateway Realm Name


When you have multiple Advanced Secure Gateway appliances in your network,
you can configure a console realm name to identify the appliance that you are
accessing.
When you log in to the Management Console, using a browser, the browser’s
pop-up dialog displays. This dialog identifies the Advanced Secure Gateway that
is requesting the username and password.
If configured, the realm name displays on the pop-up dialog. The default realm
name is usually the IP address of the Advanced Secure Gateway. You can,
however, change the display string to reflect your description of the Advanced
Secure Gateway.

To change the realm name:


1. Select Configuration > Authentication > Console Access > Console Account.
2. Enter a new realm name in Console realm name.
3. Click Apply.
The next time you log in to the Management Console, the new realm name
displays on the browser’s pop-up dialog.


Changing the Advanced Secure Gateway Timeout


The timeout is the length of time a Web or CLI session persists before you are
logged out. The default timeout for these options is as follows:
❐ Enforce Web auto-logout—15 minutes
❐ Enforce CLI auto-logout—5 minutes

To change the timeout:


1. Select Configuration > Authentication > Console Access > Console Account.
2. Configure the timeout by doing one of the following:
• Set values for the Web or CLI auto-logout. Acceptable values are between
1 and 1440 minutes.

• Deselect the auto-timeout to disable it.


3. Click Apply.


Section 1 Viewing the Appliance Serial Number


The Advanced Secure Gateway serial number assists Blue Coat Systems
Customer Support when analyzing configuration information, including
heartbeat reports. The appliance serial number is visible on the Management
Console banner.

Section 2 Configuring the System Time
To manage objects, the Advanced Secure Gateway must know the current
Coordinated Universal Time (UTC), which is the international time standard and
is based on a 24-hour clock. The Advanced Secure Gateway accesses the Network
Time Protocol (NTP) servers to obtain accurate UTC time and synchronizes its
time clock.
By default, the Advanced Secure Gateway connects to an NTP server in the order
they are listed on the NTP tab and acquires the UTC time. You can view UTC time
under UTC in the Configuration > General > Clock > Clock tab. If the appliance cannot
access any of the listed NTP servers, you must manually set the UTC time.
You can, however, also record time stamps in local time. To record time stamps in
local time, you must set the local time based on your time zone. The Advanced
Secure Gateway appliance ships with a limited list of time zones. If a specific time
zone is missing from the included list, you can update the list at your discretion.
The list can be updated by downloading the full time zone database from
http://download.bluecoat.com/release/timezones.tar. Also, the time zone database
might need to be updated if the Daylight Saving rules change in your area.


To set local time:


1. Select Configuration > General > Clock > Clock.

2. Click Set Time zone. The Time Zone Selection dialog displays.

3. Select the time zone that represents your local time. After you select the local
time zone, event logs record the local time instead of GMT. To add additional
time zones to the list, update the appliance's time zone database, as described
in the following procedure.
4. Click OK to close the dialog.
5. Click Apply.

To update the database:
1. Select Configuration > General > Clock > Clock.
2. Enter the URL from which the database will be downloaded or click Set to
default.

3. Click Install.

To acquire the UTC:


1. Ensure that Enable NTP is selected.
2. Click Acquire UTC Time.


Section 3 Synchronizing to the Network Time Protocol


The Network Time Protocol (NTP) is used to synchronize the time of a computer
client or server to another server or reference time source, such as a radio or
satellite receiver or modem. There are more than 230 primary time servers,
synchronized by radio, satellite and modem.
The Advanced Secure Gateway ships with a list of NTP servers available on the
Internet, and attempts to connect to them in the order they appear in the NTP
server list on the NTP tab. You can add others, delete NTP servers, and reorder the
NTP server list to give a specific NTP server priority over others.
The Advanced Secure Gateway appliance uses NTP and the Coordinated
Universal Time (UTC) to keep the system time accurate.
You can add and reorder the list of NTP servers the appliance uses for acquiring
the time. (The reorder feature is not available through the CLI.)

To add an NTP server:
1. Select Configuration > General > Clock > NTP.

2. Click New. The Add List Item dialog displays.


3. Choose one of the following:
• Domain name: Enter a domain name of an NTP server that resolves to an
IPv4 or IPv6 address.
• IP address: Enter an IPv4 or IPv6 address of an NTP server.
4. Click OK to close the dialog.
5. Click Apply.

To change the access order:


NTP servers are accessed in the order displayed. You can organize the list of
servers so the preferred server appears at the top of the list. This feature is not
available through the CLI.
1. Select Configuration > General > Clock > NTP.
2. Select an NTP server to promote or demote.
3. Click Promote entry or Demote entry as appropriate.
4. Click Apply.


Section 4 Required Ports


Depending on your appliance configuration, you must open certain ports and
protocols on your firewalls for the appliance to function as intended, or to allow
connectivity to various components and data centers. The following tables
present basic configurations, and some commonly used options.

Basic Ports
This table presents the non-configurable ports which must be available.

Port Protocol Direction Description
123 UDP Out NTP*
53 TCP/UDP Out DNS
443 TCP Out Heartbeats, Service information uploading, Licensing check
444 TCP Out Appliance certificate update
* NTP may be disabled; in that case, the port is not required.

Management and Administration Ports


This table presents ports required for management and administrative functions,
when the listed features are enabled.

Port Protocol Direction Description
22 TCP Out Director registration
514 UDP Out Syslog
161 UDP In SNMP
162 UDP Out SNMP traps
25 TCP Out SMTP for email alerts
8082 TCP Out HTTPS Java Management Console
8081 TCP Out HTTP Console

Networking Ports
This table presents ports required for networking, when the listed features are
enabled.

Port Protocol Direction Description
520 UDP In/Out Routing Information Protocols (RIP)
2048 UDP Out WCCP

IWA Direct Ports


This table presents ports required for IWA Direct authentication realms.

Port Protocol Direction Description
88 TCP/UDP Out Kerberos, used in IWA Direct authentication realms
445 TCP Out SMB, used in IWA Direct authentication realms
389 TCP Out LDAP, used in IWA Direct authentication realms

Application Data Network (ADN) and Proxy Client Ports


This table presents ports required for ADNs and Proxy Client, when the listed
features are enabled.

Port Protocol Direction Description
3030 TCP In/Out Connection Forwarding
3034 TCP In/Out ADN Management
3035 TCP In/Out ADN Data Tunnel
3036 TCP In/Out ADN Management (Secure)
3037 TCP In/Out ADN Data Tunnel (Secure)
8084 TCP In Proxy Client

Other Ports
This table presents other ports which are required when the indicated feature is in
use.

Port Protocol Direction Description
16101 TCP Out IWA-BCAAA authentication
1812 TCP Out Radius authentication
8443 TCP In/Out SafeNet Java HSM

Chapter 3: Licensing

This section describes ProxySG licensing behavior and includes the following
topics:
❐ "About Licensing" on page 57
❐ "Disabling the Components Running in Trial Period" on page 63
❐ "Registering and Licensing the Appliance" on page 63
❐ "Enabling Automatic License Updates" on page 71
❐ "Viewing the Current License Status" on page 72

About Licensing
Each ProxySG requires a license to function. The license is associated with an
individual serial number and determines what software features are available
and the number of concurrent users that are supported.
When you configure a new hardware appliance, the Blue Coat configuration
wizard automatically installs a trial license that allows you to use all software
features with support for an unlimited number of concurrent users for 60 days.
(Trial periods are not applicable to virtual or
The following sections describe the licensing options:
❐ "License Editions" on page 57
❐ "License Types" on page 60
❐ "License Expiration" on page 62

Note: The information in this chapter does not apply to the Secure Web
Gateway Virtual Appliance (SWG VA). For licensing and upgrade information
specific to the SWG VA, refer to the Secure Web Gateway Initial Configuration
Guide.

License Editions
The license edition determines what features are available. ProxySG supports
two license editions:
❐ Proxy Edition License—Supports all security and acceleration features. The
Proxy Edition allows you to secure Web communications and accelerate the
delivery of business applications.
❐ MACH5 Edition License—Supports acceleration features and Blue Coat
Cloud Service; on-box security features are not included in this edition. The
MACH5 base license allows acceleration of HTTP, FTP, CIFS, DNS, MAPI,
and streaming protocols.

During the setup process, you indicate how you will deploy the appliance, which
determines which trial license edition is installed. If you indicate that you will be
using the appliance as an acceleration node, a MACH5 trial license is installed. For
other deployment types, the wizard prompts you to select the Proxy Edition.
Both the Proxy Edition and the MACH5 Edition licenses can run on any platform.
The only differences are the supported software features and the default
configuration settings. These differences are described in the following sections:
❐ "Differences in Default Configuration Settings"
❐ "MACH5 Feature Set" on page 59
❐ "Switching Between the License Editions" on page 60

Differences in Default Configuration Settings


Because the different license editions are intended for different deployments,
some of the default configuration settings differ between license editions.
The Proxy Edition is meant to provide security and is thus more restrictive in
allowing traffic through, whereas the MACH5 Edition is geared for application
acceleration and is therefore more permissive. The differences in the defaults are
as follows:
❐ Default policy on the ProxySG: This setting determines whether, by default,
all traffic is allowed access or denied access to requested content.
• MACH5 Edition: Allow
• Proxy Edition: Deny
❐ Trust destination IP provided by the client: (only applicable for transparent
proxy deployments) This setting determines whether or not the ProxySG will
perform a DNS lookup for the destination IP address that the client provides.
• MACH5 Edition: Enabled. The proxy trusts the destination IP included in
the client request and forwards the request to the OCS or services it from
cache.
• Proxy Edition: Disabled
❐ HTTP tolerant request parsing: The tolerant HTTP request parsing flag causes
certain types of malformed requests to be processed instead of being rejected.
• MACH5 Edition: Enabled. Malformed HTTP requests are not blocked.
• Proxy Edition: Disabled
❐ Transparent WAN intercept on bridge cards: This setting indicates whether
the proxy should intercept or bypass packets on the WAN interface.
• MACH5 Edition: Bypass transparent interception
• Proxy Edition: Allow transparent interception
❐ Resource overflow action: This setting indicates whether the proxy should
bypass or drop new connections when resources are scarce.
• MACH5 Edition: Bypass
• Proxy Edition: Drop

MACH5 Feature Set
The MACH5 license edition provides a subset of the full feature set provided by
the Proxy Edition license. The following table describes feature support on an
appliance running a MACH5 license:

Table 3–1 MACH5 Feature Support

Feature                     MACH5 Support
Access Logging              Supported; CIFS, Endpoint Mapper, FTP, HTTP, TCP Tunnel,
                            Windows Media, Real Media/QuickTime, SSL, HTTPS Forward
                            Proxy, MAPI and Flash
ADN                         Supported
Authentication              On-box authentication supported for administrative access
                            (IWA, LDAP, RADIUS, SiteMinder, COREid, and local realms
                            only). User authentication is not supported on-box except
                            when combined with Blue Coat Cloud Service. When using the
                            Web Security Module of the Blue Coat Cloud Service, LDAP
                            and IWA are supported to provide user authentication
                            details for cloud-based policy enforcement.
Bandwidth Management        Supported
Content Filtering           Not supported on-box; use Blue Coat Cloud Security
                            Services for Content Filtering.
Content Analysis (ICAP)     Not supported
Forwarding                  Forwarding hosts: Supported
                            SOCKS: Not supported
HTTP Compression            Supported
Instant Messaging           Not supported
Peer-to-Peer                Not supported
Policy Controls             Acceleration-based policy controls: Supported
                            Exception pages: Not supported
ProxyClient                 Acceleration: Supported
                            Content Filtering: Not supported
Proxy Services              CIFS, FTP, HTTP, MAPI and Streaming (Windows Media, Real
                            Media and QuickTime) are supported. Flash proxy is also
                            supported; however, you must purchase and install an
                            add-on license to use this service. SSL Termination is
                            also supported. Some appliance models include an SSL
                            license; other models require that you purchase and
                            install an add-on license.
Threat Protection Services  Not supported
Unified Agent               Not supported

Switching Between the License Editions


This section describes the effects of switching between the license editions.
❐ Upgrading from the MACH5 Edition to the Proxy Edition—You can upgrade
from the MACH5 Edition license to the Proxy Edition license at any time, as
long as you use the same hardware. Upon upgrade, the entire license file is
regenerated. This is because the defaults must be readjusted to reflect the
change in functionality, and must include some proxy-specific configurations,
such as advanced services and access logging logs and formats, which are
added during the upgrade.

Note: The existing configuration is not changed during the upgrade.

All the MACH5 Edition functionality is supported in the Proxy Edition, so an
upgrade does not affect CLI or policy commands.
❐ Downgrading from a Proxy Edition to a MACH5 Edition—You must install a
new license to switch from a Proxy Edition license to a MACH5 Edition
license. This license downgrade can be performed only by restoring the
appliance to its factory defaults; as a result, your existing configuration will be
deleted and you will have to reconfigure the appliance.

License Types
The following license types are available:
❐ Trial—The 60-day license that ships with new physical appliances. All
licensable components for the trial edition are active and available to use. In
addition, the Base SGOS user limit is unlimited. When a full license is
installed, any user limits imposed by that license are enforced, even if the trial
period is still valid.
❐ Demo—A temporary license that can be requested from Blue Coat to extend
the evaluation period.

❐ Permanent—A license for hardware platforms that permanently unlocks the
software features you have purchased. When a permanent license is installed,
any user limits imposed by that license are enforced, even if the trial period is
still valid.
❐ Subscription-based—A license that is valid for a set period of time. After you
have installed the license, the ProxySG appliance will have full functionality,
and you will have access to software upgrades and product support for the
subscription period.

Note: When a full license (permanent or subscription-based) or demo license is
installed during the trial period, components previously available in the trial
period, but not part of that license, remain available and active for the remainder
of the trial period. However, if the license edition is different than the trial edition
you selected, only functionality available in the edition specified in the license
remains available for trial. If you do not want the trial components to be available
after you install a full license, you can disable them. See "Disabling the
Components Running in Trial Period" on page 63 for instructions.

Licensing Terms
ProxySG Appliances
Within sixty (60) days of the date from which the user powers up the ProxySG
(“Activation Period”), the Administrator must complete the ProxySG licensing
requirements as instructed by the ProxySG appliance to continue to use all of the
features. Prior to the expiration of the Activation Period, the ProxySG software
will deliver notices to install the license each time the Administrator logs in to
manage the product. Failure to install the license prior to the expiration of the
Activation Period may result in some ProxySG features becoming inoperable until
the Administrator has completed licensing.

ProxyClient/Unified Agent
The Administrator may install ProxyClient or Unified Agent only on the number
of personal computers licensed to them. Each personal computer shall count as
one “user” or “seat.” The ProxyClient or Unified Agent software may only be
used with Blue Coat ProxySG appliances. The Administrator shall require each
user of the Blue Coat ProxyClient software to agree to a license agreement that is
at least as protective of Blue Coat and the Blue Coat ProxyClient or Unified Agent
software as the Blue Coat EULA.

Virtual Appliances, MACH5 or Secure Web Gateway (SWG) Edition


The Virtual Appliances (MACH5 or Secure Web Gateway edition) are licensed on
either a perpetual or subscription basis for a maximum number of concurrent
users. Support for the Virtual Appliances will be subject to the separate support
agreement entered into by the parties if the Administrator licenses the Virtual
Appliances on a perpetual basis. The Virtual Appliances will (a) not function
upon expiration of the subscription if the Administrator licenses the Virtual
Appliances on a subscription basis; or (b) if the traffic exceeds the maximum

number of concurrent users/connections, features may not function beyond the
maximum number of concurrent users/connections. This means that, in these
cases, the network traffic will only be affected by the default policy set by the
Administrator (either pass or deny). Such cessation of functionality is by design,
and is not a defect in the Virtual Appliances. The Administrator may not install
the same license key or serial number on more than one instance of the Virtual
Appliance. The Administrator may move the Virtual Appliance along with its
license key and serial number to a different server, provided that server is also
owned by the Administrator and the Administrator permanently deletes the prior
instance of the Virtual Appliance on the server on which it was prior installed.
The Virtual Appliances require a third party environment that includes software
and/or hardware not provided by Blue Coat, which the Administrator will
purchase or license separately. Blue Coat has no liability for such third party
products.

License Expiration
When the base license expires, the appliance stops processing requests and a
license expiration notification message is logged in the Event Log (see "Viewing
Event Log Configuration and Content" on page 1505 for details on how to view
the event log).
In addition, for services set to Intercept:
❐ In a transparent deployment, if the default policy is set to Allow, the appliance
acts as if all services are set to Bypass, passing traffic through without
examining it. If the default policy is set to Deny, traffic to these services is
denied with an exception. For details, see "Exceptions Due to Base License
Expiration".
❐ In an explicit deployment, regardless of the default policy setting, traffic to
these services is denied with an exception. For details, see "Exceptions Due to
Base License Expiration".

Exceptions Due to Base License Expiration


In some cases, the following exceptions occur when the base license expires:
❐ HTTP (Web browsers)—An HTML page is displayed stating the license has
expired.
❐ SSL—An exception page appears when an HTTPS connection is attempted,
but only if the appliance is deployed explicitly or in the case of transparent
proxy deployments, SSL interception is configured.
❐ FTP clients—If the FTP client supports it, a message is displayed stating the
license has expired.
❐ Streaming media clients—If the Windows Media Player, RealPlayer, or
QuickTime player version supports it, a message is displayed stating the
license has expired.
❐ Unified Agent/ProxyClient—After the license has expired, remote clients
cannot connect to the Internet or ADN network. (Unified Agents do not
support the ADN network.)

You can still perform configuration tasks through the CLI, SSH console, serial
console, or Telnet connection. Although a component is disabled, feature
configurations are not altered. Also, policy restrictions remain independent of
component availability.

Disabling the Components Running in Trial Period


You have the option to disable access to features that are running in trial period;
however, you cannot selectively disable trial period features. You must either
enable all of them or disable all of them.

Note: Because licensing trial periods are not offered on the VA, this option is not
available on virtual appliances.

To disable trial period components:


1. Select Maintenance > Licensing > View.
2. Select the Trial Components are enabled option.
3. Click Apply.
4. Click Refresh Data. All licenses that are in trial period switch from Yes to No.
Users cannot use these features, and no dialogs warning of license expiration
are sent.
Also notice that this option text changes to Trial Components are disabled: Enabled.
Repeat this process to re-enable trial licenses.

Registering and Licensing the Appliance


Before you can register and license your appliance, you must have the following:
❐ The serial number of your appliance. See "Locating the System Serial
Number" on page 64.
❐ A BlueTouch Online account. See "Obtaining a BlueTouch Online Account" on
page 64.
You can then register the appliance and install the license key. The following
sections describe the available options for completing the licensing process:
❐ If you have not manually registered the appliance, you can automatically
register the appliance and install the software license in one step. See
"Registering and Licensing Blue Coat Appliance and Software" on page 64.
❐ If you have a new appliance that previously has been registered, the license is
already associated with the appliance. In this case you just need to retrieve the
license. See "Installing a License on a Registered System" on page 65.
❐ If you have older hardware that previously has been registered or if the
ProxySG does not have Internet access, you must install the license manually.
See "Manually Installing the License" on page 66.

❐ After the initial license installation, you might decide to use another feature
that requires a license. The license must be updated to support the new
feature.

Locating the System Serial Number


Each ProxySG serial number is the appliance identifier used to assign a license
key file. The ProxySG contains an EEPROM with the serial number encoded. The
appliance recognizes the serial number upon system boot-up. The appliance serial
number is located in the information bar at the top of the Management Console.
Serial numbers are not pre-assigned on the Virtual Appliance. You retrieve the
serial number from the Blue Coat Licensing Portal, and enter the serial number
during initial configuration. Refer to the MACH5 or Secure Web Gateway Virtual
Appliance Initial Configuration Guide for more information.

Obtaining a BlueTouch Online Account


Before you can register your ProxySG and retrieve the license key, you must have
a Blue Coat BlueTouch Online user account.
If you do not have a BlueTouch Online account or have forgotten your account
information, perform the following procedure.

To obtain a BlueTouch Online account:


1. Select the Maintenance > Licensing > Install tab.
2. In the License Administration field, click Register/Manage. The License
Configuration and Management System Web page displays.
3. Perform one of the following:
• To obtain a new account, click the link for Need a BlueTouch Online User ID.
Under Login Assistance (BlueTouch Online), click Request Login User ID/Password.
Fill out the Web form; BlueTouch Online information will be sent to you.
• To obtain your current information for an existing account, click the Forgot
your password link.

Registering and Licensing Blue Coat Appliance and Software


If you have not manually registered the appliance, you can automatically register
the appliance and install the software license in one step as described in the
following procedure.

To register the appliance and software:


1. In a browser, go to the following URL to launch the Management Console:
https://appliance_IP_Address:8082

2. Enter the access credentials specified during initial setup.
3. Click Management Console. The License Warning tab is displayed.
4. Make sure the Register hardware with Blue Coat automatically option is selected.

5. Enter your BlueTouch Online credentials and click Register Now. This opens a
new browser page where you complete the registration process. When the
hardware is successfully registered, the Registration Status field on the License
Warning tab will display the Hardware auto-registration successful
message. You can close the new browser tab or window that displays the
License Self-service page.
6. Click Continue.

Installing a License on a Registered System


If the ProxySG is a new system and the appliance has been registered, retrieve the
associated license by completing this procedure.

To retrieve the software license:


1. Select the Maintenance > Licensing > Install tab.
2. Click Retrieve. The Request License Key dialog is displayed.

3. Enter information:
a. Enter your BlueTouch Online account login information.
b. Click Request License. The console displays the Confirm License Install
dialog.
c. Click OK to begin license retrieval (the dialog closes).
4. (Optional) Click Show results to verify a successful retrieval. If any errors occur,
verify that the appliance can connect to the Internet.
5. Click Close to close the Request License Key dialog.
6. To validate the license, restart the appliance.
In the Management Console, select Maintenance > Tasks.
• Click Hardware and Software.
• Click Restart now.

Manually Installing the License
Perform manual license installation if:
❐ The ProxySG serial number is not associated with a software license (you have
registered the hardware separately)
❐ The ProxySG appliance is unable to access the licensing portal.
Beyond the initial setup, you must ensure that your Advanced Secure
Gateway appliance has access to the licensing server, as the Content Analysis
subscription services constantly validate the licenses you’ve purchased.

Note: Locate the email from Blue Coat that contains the activation code(s) for
your software. You require these activation codes, as well as your appliance serial
number, to complete the licensing process on the Blue Coat Licensing Portal.

Manually retrieve and install the license:


1. In the Management Console, select Maintenance > Licensing > Install.
2. Click Register/Manage. The licensing portal opens in a browser window and
prompts you for your BlueTouch Online login information.
3. Enter your login credentials and click Login. The Licensing Portal prompts you
to enter your activation code.
4. Enter the activation code and follow the prompts to complete the process.
When prompted to accept the license agreement, read and accept the terms.
The software license is now associated with the appliance.
5. (If necessary) Repeat the previous steps for your other activation codes.
6. To validate the license, restart the appliance.
In the Management Console, select Maintenance > Tasks.
• Click Hardware and Software.
• Click Restart now.

Download and manually install the license:
Tip: Follow these steps if the appliance does not have access to the Internet. In the
activation email, click the link to the Licensing Portal. The browser opens the
portal on the main page.
1. Select > License Download. The portal prompts you for your appliance serial
number.

2. Follow the prompts to enter your serial number and download the license file.

3. Save the license file to a location that your appliance can access.
4. In the Management Console, select Maintenance > Licensing > Install, and then
select the appropriate option from the License Key Manual Installation drop-down
list:

Note: A message is written to the event log when you install a license through
the ProxySG.

• Remote URL—Choose this option if the file resides on a Web server;
then click Continue. The console displays the Install License Key dialog.
Enter the URL path and click Install. When installation is complete,
click OK.
• Local File—Choose this option if the file resides in a local directory;
then click Continue. The Open window displays.
Navigate to the license file and click Open. When installation is
complete, click OK.
5. To validate the license, restart the appliance.
In the Management Console, select Maintenance > Tasks.
• Click Hardware and Software.
• Click Restart now.

Section 1 Adding an Add-on License
If you purchased a supplemental license to enable add-on features, you must
update the license by logging into the Blue Coat Licensing Portal and
generating the license activation code. To do this, you must have the code for
your ordered add-on feature that was sent in the e-mail from Blue Coat and
the hardware serial number of the appliance that is to run the add-on feature.

To add a supplemental license:


1. Obtain the e-mail sent by Blue Coat that contains the license activation code(s)
for the add-on license.
2. Log on to the Blue Coat Licensing Portal through BTO:
https://bto.bluecoat.com/
3. Click Licensing.
4. Click the License Your Blue Coat Products link. The browser opens the licensing
portal. If the portal prompts you to use your BTO credentials again, enter
them. The browser displays the portal home page.
5. In the Enter Activation Code field, enter the add-on product code from the e-
mail; click Next. The Licensing Portal displays the Software Add-On
Activation page.
6. In the Appliance Serial Number field, enter the serial number. Click Submit.
7. The portal displays the license agreement; read and accept the agreement.

The portal displays a screen with license details for the software add-on. You
can click Back and proceed to the next section.

Adding the Add-on License to the Appliance


You must retrieve the updated license to the appliance.

To update the license:


1. From the Management Console, select the Maintenance > Licensing > Install tab.
2. Click Retrieve. The appliance retrieves the license.
3. To verify a successful license update, select the Licensing > View tab; the console
displays the new license in the General License Information section.

Section 2 Enabling Automatic License Updates
The license automatic update feature allows the ProxySG to contact the Blue Coat
licensing Web page 31 days before the license is to expire. If a new license has
been purchased and authorized, the license is automatically downloaded. If a new
license is not available on the Web site, the ProxySG continues to contact the Web
site daily for a new license until the current license expires. Outside the above
license expiration window, the ProxySG performs this connection once every 30
days to check for new license authorizations. This feature is enabled by default.

To configure the license auto-update:


1. Select the Maintenance > Licensing > Install tab.
2. Select Use Auto-Update.
3. Select Apply.
4. You must log in to your License Management account:
https://services.bluecoat.com/eservice_enu/licensing/mgr.cgi

5. Click Update License Key.

Section 3 Viewing the Current License Status
You can view the license status in the Management Console in the following
ways:
❐ Select Statistics > Configuration > Maintenance. The license status displays as a link
in the upper right hand-corner. Hovering over the license link displays
information, such as the expiration date of the trial period. Click the link to
switch to the View license tab.
❐ Select Maintenance > Licensing > View. The tab displays the license components
with expiration dates.
❐ Select Maintenance > Health Monitoring. The tab displays thresholds for license
expiration dates.

Figure: the Maintenance > Licensing > View tab. The upper section shows the
current high-level license data; for more details, select a license component and
click View Details. If you have the license, the lower section displays
Intelligence Services bundles.

Each licensable component is listed, along with its validity and its expiration
date.
• To view the most current information, click Refresh Data.
• Highlight a license component and click View Details. A dialog displays
more detailed information about that component.
• If the trial period is enabled and you click Maintenance > Licensing > View, the
Management Console displays an option to disable the trial components.
If the trial period is disabled, the Management Console displays an option
to enable the trial components.

See Also
❐ "About Licensing" on page 57
❐ "Disabling the Components Running in Trial Period" on page 63
❐ "Locating the System Serial Number" on page 64
❐ "Obtaining a BlueTouch Online Account" on page 64
❐ "Registering and Licensing Blue Coat Appliance and Software" on page 64

Chapter 4: Controlling Access to the ProxySG

This section describes how to control user access to the ProxySG. It includes the
following topics:
❐ "Limiting Access to the ProxySG" on page 75
❐ "About Password Security" on page 76
❐ "Limiting User Access to the ProxySG—Overview" on page 77
❐ "Moderate Security: Restricting Management Console Access Through the
Console Access Control List (ACL)" on page 80
❐ "Maximum Security: Administrative Authentication and Authorization
Policy" on page 81

Limiting Access to the ProxySG


You can limit access to the ProxySG by:
❐ Restricting physical access to the system and by requiring a PIN to access
the front panel.
❐ Restricting the IP addresses that are permitted to connect to the ProxySG
CLI.
❐ Requiring a password to secure the Setup Console.
These safeguards are in addition to the restrictions placed on the console
account (a console account user password) and the Enable password.
By using every possible method (physically limiting access, limiting
workstation IP addresses, and using passwords), the ProxySG is very secure.
This section discusses:
❐ "Requiring a PIN for the Front Panel"
❐ "Limiting Workstation Access" on page 76
❐ "Securing the Serial Port" on page 76

Requiring a PIN for the Front Panel


On systems that have a front panel display, you can create a four-digit PIN to
protect the system from unauthorized use. The PIN is hashed and stored. You
can only create a PIN from the command line.
To create a front panel PIN after initial configuration is complete, enter the
following from the (config) prompt:
SGOS#(config) security front-panel-pin PIN
where PIN is a four-digit number.

To clear the front-panel PIN, enter:
SGOS#(config) security front-panel-pin 0000

Limiting Workstation Access


During initial configuration, you have the option of preventing workstations with
unauthorized IP addresses from accessing the ProxySG for administrative
purposes. This covers all access methods: Telnet, SNMP, HTTP, HTTPS, and SSH.
If this option is not enabled, all workstations are allowed to access the ProxySG
administration points. You can also add allowed workstations later to the access
control list (ACL). (For more information on limiting workstation access, see
"Moderate Security: Restricting Management Console Access Through the
Console Access Control List (ACL)" on page 80.)
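
To make the evaluation concrete, here is an added example (my own code, not SGOS code or anything from the guide) of how such a console ACL is evaluated: entries are workstations given as IP address plus subnet mask, the ACL applies to every administrative access method, and when it is not enforced every workstation is allowed, as described above. The class and function names, the sample entries and the client addresses are all constructed.

```python
"""
Evaluate a management-access ACL of the kind described above: a list of
permitted workstations given as IP address plus subnet mask, enforced for
all administrative access methods.

Added example, not SGOS code. The entry format (address/mask, CIDR also
accepted) and the "enforced" flag mirror the behaviour the text describes,
but the class and function names are my own, and the sample entries and
client addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ConsoleACL:
    enforced: bool = False   # not enabled: every workstation is allowed, as the text says
    entries: List[ipaddress.IPv4Network] = field(default_factory=list)

    def add(self, entry: str) -> None:
        """Accept 'addr/mask' with a dotted mask (as the ACL is described) or CIDR."""
        net = ipaddress.ip_network(entry, strict=False)
        if not isinstance(net, ipaddress.IPv4Network):
            raise ValueError(f"only IPv4 ACL entries are handled here: {entry}")
        self.entries.append(net)

    def check(self, client: str, method: str) -> Tuple[bool, str]:
        """Return (allowed, reason); the reason is meant for the audit log."""
        addr = ipaddress.ip_address(client)
        if not self.enforced:
            return True, f"{method} from {client}: ACL not enforced, allowed"
        for net in self.entries:
            if addr in net:
                return True, f"{method} from {client}: matched {net.with_netmask}, allowed"
        return False, f"{method} from {client}: no ACL match, denied"


# The access methods the text says the ACL covers.
ADMIN_METHODS = ("Telnet", "SNMP", "HTTP", "HTTPS", "SSH")


def audit_attempts(acl: ConsoleACL, attempts: List[Tuple[str, str]]) -> List[str]:
    """Run (method, client) attempts through the ACL and collect only the denials."""
    denied = []
    for method, client in attempts:
        if method not in ADMIN_METHODS:
            raise ValueError(f"not an administrative access method: {method}")
        allowed, reason = acl.check(client, method)
        if not allowed:
            denied.append(reason)
    return denied


if __name__ == "__main__":
    acl = ConsoleACL(enforced=True)
    acl.add("10.1.1.0/255.255.255.0")   # constructed: the admin VLAN
    acl.add("10.9.0.5/32")              # constructed: a single jump host
    attempts = [("SSH", "10.1.1.20"), ("HTTPS", "10.9.0.5"), ("SNMP", "172.16.4.4")]
    for line in audit_attempts(acl, attempts):
        print(line)
```

The denials are what you want forwarded to syslog (UDP 514 in the port tables above); a burst of "no ACL match, denied" lines from one address is an early sign that someone is probing the management interface from outside the approved workstations.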

Securing the Serial Port


If you choose to secure the serial port, you must provide a Setup Console
password that is required to access the Setup Console in the future.
Once the secure serial port is enabled:
❐ The Setup Console password is required to access the Setup Console.
❐ An authentication challenge (username and password) is issued to access the
CLI through the serial port.
To recover from a lost Setup Console password, you can:
❐ Use the Front Panel display to either disable the secure serial port or enter a
new Setup Console password.
❐ Use the CLI restore-defaults factory-defaults command to delete all
system settings. For information on using the restore-defaults factory-
defaults command, see "Factory-Defaults" on page 1591.

❐ Use the reset button (if the appliance has a reset button) to delete all system
settings. Otherwise, reset the appliance to its factory settings by holding down the
left arrow key on the front panel for 5 seconds. The appliance will be reinitialized.
To reconfigure the appliance or secure the serial port, refer to the hardware guides
for your appliance.

About Password Security


In the ProxySG, the console administrator password, the Setup Console
password, and Enable (privileged-mode) password are hashed and stored. It is
not possible to reverse the hash to recover the plain text passwords.
In addition, the show config and show security CLI commands display these
passwords in their hashed form. The length of the hashed password depends on
the hash algorithm used so it is not a fixed length.
Passwords that the ProxySG uses to authenticate itself to outside services are
encrypted using triple-DES on the appliance, and using RSA public key
encryption for output with the show config CLI command. You can use a third-
party encryption application to create encrypted passwords and copy them into
the ProxySG using an encrypted-password command (which is available in
several modes and described in those modes). If you use a third-party encryption
application, verify that it supports RSA encryption, OAEP padding, and Base64
encoding with no new lines.
These passwords, set up during configuration of the external service, include:
❐ Access log FTP client passwords (primary, alternate)—For configuration
information, see "Editing the FTP client" on page 700.
❐ Archive configuration FTP password—For configuration information, see
Chapter 5: "Backing Up the Configuration" on page 85.
❐ RADIUS primary and alternate secret—For configuration information, see
Chapter 60: "RADIUS Realm Authentication and Authorization" on page
1253.
❐ LDAP search password—For configuration information, see "Defining LDAP
Search & Group Properties" on page 1210.
❐ Content filter download passwords—For configuration information, see
"Downloading the Content Filter Database" on page 427.
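
The format requirements stated above (RSA, OAEP padding, Base64 on one line) are easy to get subtly wrong with a general-purpose tool, so the following is an added example, not SGOS code or anything taken from the guide, of producing and sanity-checking such a value. It uses the third-party Python cryptography package and a freshly generated key pair as a stand-in for the appliance's public key; how you obtain the real public key and the exact encrypted-password commands are covered elsewhere in the guide. The OAEP digest (SHA-1, the OpenSSL default for OAEP) is an assumption to confirm against the appliance before relying on the output.

```python
"""
Create an encrypted-password value of the form described above: RSA
public-key encryption with OAEP padding, Base64 encoded on a single line.

Added example, not SGOS code. It uses the third-party 'cryptography'
package and a freshly generated key pair as a stand-in for the appliance's
public key. The OAEP digest (SHA-1, the OpenSSL default for OAEP) is an
assumption to confirm against the appliance before relying on the output.
"""
import base64
from typing import Tuple

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumption: SHA-1 for both the OAEP digest and MGF1, matching OpenSSL's default.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA1()),
                    algorithm=hashes.SHA1(), label=None)


def stand_in_keypair(bits: int = 2048) -> Tuple[rsa.RSAPrivateKey, rsa.RSAPublicKey]:
    """Throwaway key pair; in practice only the appliance's public key is needed."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    return priv, priv.public_key()


def max_secret_len(public_key: rsa.RSAPublicKey) -> int:
    """OAEP with a 20-byte SHA-1 digest leaves k - 2*hLen - 2 bytes for the secret."""
    return public_key.key_size // 8 - 2 * hashes.SHA1.digest_size - 2


def encrypt_password(secret: str, public_key: rsa.RSAPublicKey) -> str:
    """RSA-OAEP encrypt the secret and return it as single-line Base64."""
    data = secret.encode("utf-8")
    if len(data) > max_secret_len(public_key):
        raise ValueError(f"secret too long for RSA-OAEP with this key ({len(data)} bytes)")
    ciphertext = public_key.encrypt(data, OAEP)
    # b64encode emits one line with no embedded newlines, which is what the text requires.
    return base64.b64encode(ciphertext).decode("ascii")


def decrypt_password(blob: str, private_key: rsa.RSAPrivateKey) -> str:
    """Only the appliance can do this in practice; included so the round trip can be checked."""
    return private_key.decrypt(base64.b64decode(blob, validate=True), OAEP).decode("utf-8")


def looks_well_formed(blob: str) -> bool:
    """The checks to run before pasting the value into an encrypted-password command."""
    if "\n" in blob or "\r" in blob or " " in blob:
        return False
    try:
        base64.b64decode(blob, validate=True)
    except ValueError:   # binascii.Error is a subclass of ValueError
        return False
    return True


if __name__ == "__main__":
    priv, pub = stand_in_keypair()
    blob = encrypt_password("example-ftp-password", pub)   # constructed secret
    print(blob)
    print("well formed:", looks_well_formed(blob), "round trip:", decrypt_password(blob, priv))
```

Two points the checks enforce: OAEP bounds the plaintext size (214 bytes for a 2048-bit key with SHA-1), so an over-long secret is rejected rather than producing garbage, and a tool that wraps Base64 at 64 or 76 columns (many do by default) yields a value the appliance will not accept, which looks_well_formed catches.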

Limiting User Access to the ProxySG—Overview


When deciding how to give other users read-only or read-write access to the
ProxySG, sharing the basic console account settings is only one option. The
following summarizes all available options:

Note: If Telnet Console access is configured, Telnet can be used to manage the
ProxySG with behavior similar to SSH with password authentication.
SSL configuration is not allowed through Telnet, but is permissible through SSH.
Behavior in the following sections that applies to SSH with password
authentication also applies to Telnet. Use of Telnet is not recommended because it
is not a secure protocol.

❐ Console account—minimum security


The console account username and password are evaluated when the
ProxySG is accessed from the Management Console through a browser and
from the CLI through SSH with password authentication. The Enable
(privileged-mode) password is evaluated when the console account is used
through SSH with password authentication and when the CLI is accessed
through the serial console and through SSH with RSA authentication. The
simplest way to give access to others is sharing this basic console account
information, but it is the least secure and is not recommended.
To give read-only access to the CLI, do not give out the Enable (privileged-
mode) password.
❐ Console access control list—moderate security

Using the access control list (ACL) allows you to further restrict use of the
console account and SSH with RSA authentication to workstations identified
by their IP address and subnet mask. When the ACL is enforced, the console
account can only be used by workstations defined in the console ACL. Also,
SSH with RSA authentication connections are only valid from workstations
specified in the console ACL (provided it is enabled).
After setting the console account username, password, and Enable
(privileged-mode) password, use the CLI or the Management Console to
create a console ACL. See "Moderate Security: Restricting Management
Console Access Through the Console Access Control List (ACL)" on page 80.
❐ Per-user RSA public key authentication—moderate security
Each administrator’s public keys are stored on the appliance. When
connecting through SSH, the administrator logs in with no password
exchange. Authentication occurs by verifying knowledge of the
corresponding private key. This is secure because the passwords never go
over the network.
This is a less flexible option than CPL because you cannot control the level of
access with policy, but it is a better choice than sharing the console credentials.
❐ Blue Coat Content Policy Language (CPL)—maximum security
CPL allows you to control administrative access to the ProxySG through
policy. If the credentials supplied are not the console account username and
password, policy is evaluated when the ProxySG is accessed through SSH
with password authentication or the Management Console. Policy is never
evaluated on direct serial console connections or SSH connections using RSA
authentication.
• Using the CLI or the Management Console GUI, create an authentication
realm to be used for authorizing administrative access. For administrative
access, the realm must support BASIC credentials—for example, LDAP,
RADIUS, Local, or IWA with BASIC credentials enabled.
• Using the Visual Policy Manager, or by adding CPL rules to the Local or
Central policy file, specify policy rules that: (1) require administrators to
log in using credentials from the previously-created administrative realm,
and (2) specify the conditions under which administrators are either
denied all access, given read-only access, or given read-write access.
Authorization can be based on IP address, group membership, time of
day, and many other conditions. For more information, refer to the Visual
Policy Manager Reference.
• To prevent anyone from using the console credentials to manage the
ProxySG, set the console ACL to deny all access (unless you plan to use
SSH with RSA authentication). For more information, see "Moderate
Security: Restricting Management Console Access Through the Console
Access Control List (ACL)" on page 80. You can also restrict access to a
single IP address that can be used as the emergency recovery workstation.

The following chart details the various ways administrators can access the
ProxySG console and the authentication and authorization methods that apply to
each.

Table 4–1 ProxySG Console Access Methods/Available Security Measures

Access methods: Serial Console; SSH with Password Authentication; SSH with RSA
Authentication; Management Console. Each security measure below lists the
access methods to which it applies.

❐ Username and password evaluated (console-level credentials): SSH with
Password Authentication; Management Console.
❐ Console Access List evaluated: SSH with Password Authentication (if console
credentials are offered); SSH with RSA Authentication; Management Console (if
console credentials are offered).
❐ CPL <Admin> Layer evaluated: SSH with Password Authentication (see Note 1
below); Management Console (see Note 2 below).
❐ Enable password required to enter privileged mode (see Note 2 below): Serial
Console; SSH with Password Authentication; SSH with RSA Authentication.
❐ CLI line-vty timeout command applies: Serial Console; SSH with Password
Authentication; SSH with RSA Authentication.
❐ Management Console Login/Logout: Management Console.

Notes
1. When using SSH (with a password) and credentials other than the console
account, the enable password is actually the same as the login password. The
privileged mode password set during configuration is used only in the serial
console, SSH with RSA authentication, or when logging in with the console
account.
2. In this case, user credentials are evaluated against the policy before executing
each CLI command. If you log in using the console account, user credentials
are not evaluated against the policy.

Section 1 Moderate Security: Restricting Management Console Access
Through the Console Access Control List (ACL)
The ProxySG allows you to limit access to the Management Console and CLI
through the console ACL. An ACL, once set up, is enforced only when console
credentials are used to access either the CLI or the Management Console, or when
an SSH with RSA authentication connection is attempted. The following
procedure specifies an ACL that lists the IP addresses permitted access.

To create an ACL:
1. Select Configuration > Authentication > Console Access > Console Access.


2. (Optional) Add a new address to the ACL:


a. Click New. The Add List Item dialog displays.
b. In the IP/Subnet fields, enter a static IP address. In the Mask fields, enter
the subnet mask. To restrict access to an individual workstation, enter
255.255.255.255.

c. Click OK to add the workstation to the ACL and return to the Console
Access tab.

3. Repeat step 2 to add other IP addresses.


4. To impose the ACL defined in the list box, select Enforce ACL for built-in
administration. To allow access to the CLI or Management Console using
console account credentials from any workstation, clear the option. The ACL
is ignored.

Important: Before you enforce the ACL, verify the IP address for the
workstation you are using is included in the list. If you forget, or you find
that you mis-typed the IP address, you must correct the problem using the
serial console.

5. Click Apply.
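The following is an added example in Python, not code from the guide or from SGOS: it models the console ACL as a list of IP/Subnet and Mask entries and reproduces the decision described in this procedure (the list is consulted only when enforcement is on; a mask of 255.255.255.255 matches a single workstation), together with the pre-flight check the Important note calls for, so that you do not enforce a list that omits or mistypes your own address. The entry values are constructed, and the matching semantics are modelled from the text rather than taken from the appliance.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import List, NamedTuple


class AclEntry(NamedTuple):
    """One row of the console ACL: the IP/Subnet field and the Mask field."""
    address: str
    mask: str


def entry_network(entry: AclEntry) -> IPv4Network:
    # strict=False so an entry such as 192.168.10.7 / 255.255.255.0 is read as
    # its containing subnet rather than rejected for having host bits set.
    return IPv4Network((entry.address, entry.mask), strict=False)


def validate_acl(acl: List[AclEntry]) -> List[str]:
    """Return a description of every entry that is not a valid address/mask pair
    (a mistyped address or a non-contiguous mask)."""
    problems = []
    for entry in acl:
        try:
            entry_network(entry)
        except ValueError as exc:
            problems.append(f"{entry.address}/{entry.mask}: {exc}")
    return problems


def console_access_permitted(workstation: str, acl: List[AclEntry], enforce: bool) -> bool:
    """Decide whether console credentials (or SSH with RSA authentication) may be
    used from `workstation`. With enforcement off, the list is ignored entirely."""
    if not enforce:
        return True
    address = IPv4Address(workstation)
    return any(address in entry_network(entry) for entry in acl)


def safe_to_enforce(my_workstation: str, acl: List[AclEntry]) -> bool:
    """Pre-flight check before selecting 'Enforce ACL for built-in administration':
    if the workstation you are working from is absent or mistyped, enforcing the
    list locks you out of the Management Console and SSH, leaving only the
    serial console to correct it."""
    if validate_acl(acl):
        return False
    return console_access_permitted(my_workstation, acl, enforce=True)


# Constructed sample list: one single workstation (mask 255.255.255.255) and one subnet.
SAMPLE_ACL = [
    AclEntry("10.1.2.3", "255.255.255.255"),
    AclEntry("192.168.10.0", "255.255.255.0"),
]

if __name__ == "__main__":
    for ws in ("10.1.2.3", "10.1.2.4", "192.168.10.77"):
        verdict = "permitted" if console_access_permitted(ws, SAMPLE_ACL, True) else "denied"
        print(f"{ws}: {verdict}")
    print("safe to enforce from 172.16.0.9:", safe_to_enforce("172.16.0.9", SAMPLE_ACL))
```

Run `safe_to_enforce` with the address of the workstation you are actually using before ticking the enforcement option; a False result means you would be relying on the serial console to recover.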

Maximum Security: Administrative Authentication and Authorization Policy


The ProxySG permits you to define a rule-based administrative access policy. This
policy is enforced when accessing:
❐ the Management Console through HTTP or HTTPS
❐ the CLI through SSH when using password authentication
❐ the CLI through telnet
❐ the CLI through the serial port if the secure serial port is enabled
These policy rules can be specified either by using the VPM or by editing the
Local policy file. Using policy rules, you can deny access, allow access without
providing credentials, or require administrators to identify themselves by
entering a username and password. If access is allowed, you can specify whether
read-only or read-write access is given. You can make this policy contingent on IP
address, time of day, group membership (if credentials were required), and many
other conditions.
Serial-console access is not controlled by policy rules. For maximum security of
the serial console, limit physical access to it.
SSH with RSA authentication also is not controlled by policy rules. You can
configure several settings that control access: the enable password, the console
ACL, and per-user keys configured through the Configuration > Services > SSH > SSH
Client page. (If you use the CLI, SSH commands are under Configuration > Services >
SSH-Console.)

Defining Administrator Authentication and Authorization Policies


Administrative authentication uses policy (either the VPM or CPL in the local
policy file) to authenticate administrative users to the appliance. This is done with
two layers in policy: one to define the realm that is used to authenticate users
(Admin Authentication layer) and the other to define security rights for authenticated
users or groups (Admin Access layer).

Note: If you choose a realm that relies on an external server and that server is
unavailable, the appliance will not be able to authenticate against that realm.

For best security, the following authentication realms are recommended by Blue
Coat for administrative authentication to the appliance.
❐ IWA-BCAAA (with TLS -- not SSL) with basic credentials
❐ Local
❐ X.509 certificate-based (including certificate realms; refer to the Common Access
Card Solutions Guide for information)
❐ LDAP with TLS (not SSL)
❐ IWA-Direct with basic credentials

❐ RADIUS
The following realms can be configured for administrative authentication, but
pass administrative credentials in clear text. These realms should not be used for
administrative authentication:
❐ Windows SSO
❐ Novell SSO
❐ IWA-BCAAA without SSL or TLS
❐ LDAP without SSL or TLS

The following realms do not support administrative authentication:


❐ IWA-BCAAA/IWA-Direct realms that do not accept basic credentials
❐ SiteMinder
❐ COREid
❐ SAML (Policy Substitution)
❐ XML

Note: Other authentication realms can be used, but will result in administrative
credentials being sent in clear text.

Configure Administrative Authentication with a Local Realm


The process to provide read-only access for administrators includes the following
steps:
❐ Create a local authentication realm.
❐ Create a list that includes usernames and passwords for members whom you
wish to provide read-only access in the Management Console.
❐ Connect the list to the local realm.
❐ Create policy to enforce read-only access to members included in the list.
Use the steps below to complete the tasks detailed above.
1. Create a local realm:
a. Select the Configuration > Authentication > Local > Local Realms tab.
b. Click New to add a new realm. In this example the realm is named
MC_Access.

2. Using the Command Line Interface (CLI), create a list of users who need read-
only access. The list must include a username and password for each user.
a. Enter configuration mode in the CLI; this example creates a list called
Read_Access.
#(config)security local-user-list create Read_Access

b. Edit the list to add user(s) and to create usernames and passwords.
This example adds a user named Bob Kent.
#(config)security local-user-list edit Read_Access
#(config)user create Bob_Kent
#(config)user edit Bob_Kent
#(config)password 12345

3. Connect the user list (created in Step 2) to the local realm (created in Step 1).
a. In the Configuration > Authentication > Local > Local Main tab, select
MC_Access from the Realm name drop-down menu.

b. Select Read_Access from the Local user list drop-down menu.


4. Use the VPM to create policy that enforces read-only access for the users in your list:
a. Launch the VPM.
b. Create an Admin Authentication Layer (or add a new rule in an existing
layer). This layer determines the authentication realm that will be used
to authenticate users who access the Management Console of the
ProxySG.

c. In the Action column, right click and select Set. In the Set Action dialog
that displays, click New and select Authenticate. The Add Authentication
Object displays.

d. In the Add Authenticate Object dialog that displays, select the local realm
you created in Step 1.
e. Create an Admin Access Layer.
f. In the Source column, right click and select Set. In the Set Source Object
dialog that displays, click New and select User. The Add User Object
dialog displays.

g. Enter the name of the user for whom you want to provide read-only
access.
h. Click OK in both dialogs.

i. In the Action column, right click and select Allow Read-only Access.
5. Click Install Policy.
The user can now log in to the Management Console as a user with read-only
access. Repeat step 4 and use Allow Read/Write access to define user access
with read/write privileges.

Chapter 5: Backing Up the Configuration

This chapter describes how to back up your configuration and save it on a


remote system so that you can restore it in the unlikely event of system failure
or replacement. ProxySG appliance configuration backups are called archives.

Important: You should archive the system configuration before performing


any software or hardware upgrade or downgrade.

System archives can be used to


❐ Restore the appliance to its previous state in case of error.
❐ Restore the appliance to its previous state because you are performing
maintenance that requires a complete restoration of the system
configuration. For example, upgrading all the disk drives in a system.
❐ Save the system configuration so that it can be restored on a replacement
appliance. This type of configuration archive is called a transferable archive.
❐ Propagate configuration settings to newly-manufactured ProxySG
appliances. This process is called configuration sharing.

Topics in this Chapter


The following topics are covered in this chapter:
❐ Section A: "About Configuration Archives" on page 86
❐ Section B: "Archiving Quick Reference" on page 88
❐ Section C: "Creating and Saving a Standard Configuration Archive" on page
92
❐ Section D: "Creating and Saving a Secure (Signed) Archive" on page 94
❐ Section E: "Preparing Archives for Restoration on New Devices" on page 97
❐ Section F: "Uploading Archives to a Remote Server" on page 108
❐ Section G: "Restoring a Configuration Archive" on page 113
❐ Section H: "Sharing Configurations" on page 115
❐ Section I: "Troubleshooting" on page 117

Section A: About Configuration Archives
This section describes the archive types and explains archive security and
portability.
This section includes the following topics:
❐ "About the Archive Types and Saved Information" on page 86
❐ "About Archive Security" on page 86
❐ "About Archive Portability" on page 87
❐ "What is not Saved" on page 87

About the Archive Types and Saved Information


Three different archive types are available. Each archive type contains a different
set of configuration data:
❐ Configuration - post setup: This archive contains the configuration on the current
system—minus any configurations created through the setup console, such as
the IP address. It also includes the installable lists but does not include SSL
private key data. Use this archive type to share an appliance’s configuration
with another. See "Sharing Configurations" on page 115 for more information.
❐ Configuration - brief: This archive contains the configuration on the current
system and includes the setup console configuration data, but does not
include the installable lists or SSL private key and static route information.

Note: An installable list is a list of configuration parameters that can be


created through a text editor or through the CLI inline commands and
downloaded to the ProxySG appliance from an HTTP server or locally from
your PC.

❐ Configuration - expanded: This is the most complete archive of the system


configuration, but it contains system-specific settings that might not be
appropriate if pushed to a new system. It also does not include SSL private
key data. If you are trying to create the most comprehensive archive, Blue
Coat recommends that you use the configuration-expanded archive.
Options in the Management Console enable you to create standard, secure, and
transferable versions of the three archive types.

About Archive Security


The ProxySG appliance provides two methods for creating archives, signed and
unsigned. A signed archive is one that is cryptographically signed with a key
known only to the signing entity—the digital signature guarantees the integrity of
the content and the identity of the originating device.

To create signed archives, your appliance must have an SSL certificate guaranteed
by a CA. You can then use a trusted CA Certificate List (CCL) to verify the
authenticity of the archive.
Use signed archives only when security is high priority. Otherwise, use unsigned
archives. For information about creating secure archives, see "Creating and Saving
a Secure (Signed) Archive" on page 94.

About Archive Portability


If you want to retain the option to transfer the configuration from the source
appliance to another appliance, you must save the SSL keyrings, and the
configuration-passwords-key in particular; otherwise the configuration cannot be
restored on the other appliance.
The configuration-passwords-key keyring must be saved. This keyring is used to
encrypt and decrypt the passwords (login, enable, FTP, etc.) and the passwords
cannot be restored without it. This is because the purpose of public/private key
authentication is to disallow decryption by a device other than the device with the
private key. To restore any encrypted data from an archive, you must have the
corresponding SSL keyring.
See "Creating a Transferable Archive" on page 99 for more information about
creating transferable archives.

What is not Saved


Archiving saves the ProxySG appliance configuration only. Archives do not save
the following:
❐ Cache objects
❐ Access logs
❐ Event logs
❐ License data (you might need to reapply the licenses)
❐ Software image versions
❐ SSL key data
❐ Content-filtering databases
❐ Exception pages
❐ (If the data source is set to Intelligence Services) Blue Coat WebFilter (BCWF)
username and password. See "Specifying a Blue Coat Data Source" on page
426 for information on specifying the data source for content filtering and
application classification.
To archive the BCWF username and password, switch the data source to
Webfilter before saving the configuration file.

Section B: Archiving Quick Reference
This section provides a table of quick reference tasks and describes the high-level
archive creation and restoration tasks.
This section includes the following topics:
❐ "Archiving Quick Reference Table" on page 89
❐ "Overview of Archive Creation and Restoration" on page 90

Section 1 Archiving Quick Reference Table
The following table lists common archive management tasks and where to get
more information.

Table 5–1 Archiving Task Table

If You Want to... / Go To...
❐ Understand the archive and restoration process: "Overview of Archive Creation
and Restoration" on page 90
❐ Find out what is not archived: "What is not Saved" on page 87
❐ Learn about the archive types: "About the Archive Types and Saved
Information" on page 86
❐ Learn about secure archives: "About Archive Security" on page 86
❐ Learn about transferable archives: "About Archive Portability" on page 87. A
transferable archive is a configuration archive that can be imported to a new
device.
❐ Create a standard archive: "Creating and Saving a Standard Configuration
Archive" on page 92
❐ Create a secure archive: "Creating and Saving a Secure (Signed) Archive" on
page 94
❐ Create a transferable archive: "Creating a Transferable Archive" on page 99
❐ Upload an archive to a remote server: "Uploading Archives to a Remote Server"
on page 108
❐ Schedule archive creation: You cannot schedule archive creation from the
ProxySG appliance. To schedule archive creation, use Blue Coat Management
Center or Blue Coat Director. Refer to the documentation on BTO.
❐ Understand file name identifiers: "Adding Identifier Information to Archive
Filenames" on page 111
❐ Restore an archive: "To install the archived configuration:" on page 113
❐ Share Configurations: "Sharing Configurations" on page 115
❐ Troubleshoot archive configuration: "Troubleshooting" on page 117

Overview of Archive Creation and Restoration
The following list describes all of the possible steps required to create and restore
an unsigned, signed, or transferable configuration archive. You do not have to
perform all of these steps to complete a standard, unsigned archive. Non-
standard archiving steps are indicated by the word “Optional.”
1. Optional (for transferable archives only)—Record the configuration-
passwords-key data on the source ProxySG appliance, as described in "Option
1: Recording SSL Keyring and Key Pair Information" on page 99. If you need
to restore the archive onto a different appliance, you must have this data.
Do not lose the password used to encrypt the private key. If you do, you will
not be able to recover your private keys.
2. Optional (for transferable archives only)—Record any other SSL keyring data
you want to save.
3. Determine the type of archive to create—secure or standard. See "About
Archive Security" on page 86.
If you are creating a standard archive, go to Step 5. Otherwise, go to Step 4.
4. Optional (for secure archives only)—Verify that the source ProxySG appliance
has an appliance certificate, as described in "Using the Appliance Certificate to
Sign the Archive" on page 94. If it does not have an appliance certificate:
a. Create a keyring on the appliance.
A keyring contains a public/private key pair. It can also contain a
certificate signing request or a signed certificate.
b. Create a Certificate Signing Request (CSR) and send it to a Certificate
Signing Authority (CA).
c. Have the CA sign the CSR.
To get more information about appliance certificates, see "Managing X.509
Certificates" on page 1281.
5. Archive the configuration:
• Standard, unsigned archive—"Creating and Saving a Standard
Configuration Archive" on page 92.
• Secure archive—"Creating and Saving a Secure (Signed) Archive" on page
94
• Transferable archive—"Creating a Transferable Archive" on page 99.
6. Store the archive in a secure location.
7. If you are restoring the archive to another device, import the configuration-
passwords-key onto the target device, as described in "Restoring an Archived
Key Ring and Certificate" on page 105.
8. Restore the archive, as described in "Restoring a Configuration Archive" on
page 113.

Figure 5–1 on page 91 describes the archive creation process.

Figure 5–1 Flow Chart of Archive Creation Process

Section C: Creating and Saving a Standard Configuration Archive
Use the Management Console to create a standard archive of the system
configuration. This is the simplest method of archive creation. This type of archive
cannot be transferred to another appliance unless you save the SSL keyrings as
described in Section E: "Preparing Archives for Restoration on New Devices" on
page 97.

To create a standard configuration archive:


1. Access the Management Console of the ProxySG appliance you want to back
up:
https://Appliance_IP:8082

2. Select Configuration > General > Archive. The Archive Configuration tab displays.

3. Select a configuration type:


a. In the View Current Configuration section, select Configuration - expanded
from the View File drop-down list.
b. View the configuration you selected by clicking View.
A browser window opens and displays the configuration.

Note: You can also view the file by selecting Text Editor in the Install
Configuration panel and clicking Install.

4. Save the configuration.


You can save the file two ways:
• Use the browser Save As function to save the configuration as a text file on
your local system. This is advised if you want to re-use the file.
• Copy the contents of the configuration. (You will paste the file into the
Text Editor on the newly-manufactured system.)

To restore a standard archive:


1. Select Configuration > General > Archive.
2. Select Local File and click Install.

3. Browse to the location of the archive and click Open. The configuration is
installed, and the results screen displays.

Section D: Creating and Saving a Secure (Signed) Archive
This section describes how to use the Management Console to save a secure
(signed) archive of the system configuration. A signed archive is an archive
signed with a digital signature that can only be read by the device that created it,
thus guaranteeing the integrity and authenticity of the archive. To create signed
archives, your appliance must have an SSL certificate guaranteed by a CA.
Signed archives have a .bcsc extension and contain the following files:
❐ show configuration output
❐ PKCS#7 detached signature
This section includes the following topics:
❐ "Using the Appliance Certificate to Sign the Archive" on page 94
❐ "Creating Signed Configuration Archives" on page 95
❐ "Modifying Signed Archives" on page 96

Before Reading Further


If you are not familiar with SSL authentication, read the following before
proceeding:
❐ "About Archive Security" on page 86
❐ The device authentication information in "Authenticating a ProxySG
Appliance" on page 1473.
❐ The X.509, CCL, and SSL information in "Managing X.509 Certificates" on
page 1281.

Using the Appliance Certificate to Sign the Archive


If your appliance has a built-in appliance certificate, you can use it, and the
corresponding appliance-ccl CCL, to sign the archive.

To determine if your device has an appliance certificate:


1. Use an SSH client to establish a CLI session with the ProxySG appliance.
2. Enter enable mode:
# enable

3. Enter the following command:


# show ssl certificate appliance-key

The appliance certificate displays if the appliance has one. Otherwise, the
following error is displayed:
Certificate "appliance-key" not found

4. If the appliance does not have an appliance certificate, create one as follows:

a. Create a keyring on the appliance.
A keyring contains a public/private key pair. It can also contain a
certificate signing request or a signed certificate.
b. Create a Certificate Signing Request (CSR) and send it to a Certificate
Signing Authority (CA).
c. Have the CA sign the CSR (this process results in a digital certificate).
d. Import the keyring and certificate as described in "Restoring an
Archived Key Ring and Certificate" on page 105.
For more information about appliance certificates, see "Managing X.509
Certificates" on page 1281.

Creating Signed Configuration Archives


This section describes how to save a signed configuration archive to the computer
you are using to access the Management Console.

To create and save a signed configuration archive to your computer:

1. Access the Management Console of the ProxySG appliance you want to back
up:
https://Appliance_IP:8082

2. Select the Configuration > General > Archive > Archive Storage tab.

3. From the Sign archives with keyring drop-down list, select a signing keyring to
use or accept the default (appliance-key).
4. Click Apply.

Note: If you do not click Apply, a pop-up displays when you click Save that
indicates that all unsaved changes will be saved before storing the archive
configuration. The unsaved changes are the Sign archives with keyring option
changes you made in Step 3.

5. From the Save archive drop-down list, select the archive type (Blue Coat
recommends Configuration - expanded).
6. Click Save.

A new browser window displays, prompting you to open or save the
configuration to the local disk of the device you are using to access the
ProxySG appliance.

To restore a signed archive:


1. Connect to the Management Console of the target appliance (the ProxySG
appliance onto which you are installing the configuration):
https://Appliance_IP:8082

2. Go to the Management Console Home page and view the Software version:
information to verify that the appliance is running the same software version
that was used to create the archive. For example:
Software version: SGOS 6.6.2.2

You can also verify the version from the appliance CLI:
# enable
# show version

3. Select Configuration > General > Archive.


4. In the Install Configuration panel, check the setting of the Enforce installation of
signed archives option. If this option is selected, only signed archives can be
restored.
5. Select a CCL to use to verify the archive from the Verify signed archive with CCL
drop-down list. If you used the appliance-key keyring, select appliance-ccl.
6. Select Local File and click Install.

Modifying Signed Archives


If you modify a signed archive, you must subsequently restore it as an unsigned
archive.
If you created a signed archive and want to verify its authenticity before
modifying it, use OpenSSL or another tool to verify the signature before making
modifications. (The use of OpenSSL is beyond the scope of this document.)
Because a signed archive contains the output of the show configuration
command, you can extract the show configuration command output, modify it as
required, and treat the archive as unsigned thereafter.

Section E: Preparing Archives for Restoration on New Devices
While a configuration archive will back up the appliance configuration, that
configuration cannot be transferred to another device unless you save the SSL
keyrings on the appliance—especially the configuration-passwords-key keyring.
The process of creating the archive and saving the associated SSL keyrings is
called creating a transferable archive.

Note: You must also save the SSL keyrings if you plan to restore an encrypted
archive after a reinitialization. When you reinitialize the appliance, new keys get
created, and you will therefore not be able to restore the configuration unless you
first restore the configuration-passwords-key.

This section includes the following topics:


❐ "About the configuration-passwords-key" on page 97
❐ "Creating a Transferable Archive" on page 99
❐ "Option 1: Recording SSL Keyring and Key Pair Information" on page 99
❐ "Option 2: Changing Encrypted Passwords to Clear Text" on page 105
❐ "Restoring an Archived Key Ring and Certificate" on page 105

About the configuration-passwords-key


The configuration-passwords-key is an SSL keyring. SSL is a method of securing
communication between devices. SSL uses a public key to encrypt data and a
private key to decrypt data. These keys (stored in “keyrings”) are unique to the
device. This ensures that data encrypted with a device’s public key can only be
decrypted by the corresponding private key.
On ProxySG appliances, the configuration-passwords-key SSL keyring is used to
encrypt and decrypt the following passwords on the appliance:
❐ Administrator console passwords (not needed for shared configurations)
❐ Privileged-mode (enable) passwords (not needed for shared configurations)
❐ The front-panel PIN (recommended for limiting physical access to the system)
❐ Failover group secret
❐ Access log FTP client passwords (primary, alternate)
❐ Archive configuration FTP password
❐ RADIUS primary and alternate secret
❐ LDAP search password
❐ SNMP read, write, and trap community strings
❐ RADIUS and TACACS+ secrets for splash pages
Because every appliance has a different configuration-passwords-key, you will
receive a decryption error if you try to restore an archive to another device.

To ensure that the archive can be transferred to another appliance, you must do
one of the following:
❐ Restore the original configuration-passwords-key keyring
While it is possible to reset each of the passwords using the Management
Console, it is easier to save the original keyring so that you can import it to the
new appliance (before restoring the configuration). Restoring the keyring
allows all previously configured passwords to remain valid after archive
restoration.
❐ Change the encrypted passwords to clear text so that they can be regenerated.

Note: To save an SSL keyring, you must be able to view it. If the key is marked
no-show, you cannot save it.
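Added example in Python (not SGOS code) serving two passages: the encrypted-password input format described under password security earlier in this chapter (RSA encryption, OAEP padding, Base64 with no newlines, which a third-party tool must produce), and the decryption error described above that results when an archive is restored to an appliance whose configuration-passwords-key differs. It requires the cryptography package; the keys are generated within the example to stand in for two appliances' keyrings, and SHA-1 as the OAEP hash is an assumption (the guide names only OAEP).

```python
import base64
import binascii

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# OAEP with SHA-1 for both the hash and MGF1 (what OpenSSL's default OAEP mode
# uses). The guide specifies OAEP but not the hash, so this is an assumption.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA1()),
                    algorithm=hashes.SHA1(), label=None)


def generate_keyring(key_size: int = 2048) -> rsa.RSAPrivateKey:
    """Constructed stand-in for one appliance's configuration-passwords-key keyring."""
    return rsa.generate_private_key(public_exponent=65537, key_size=key_size)


def encrypt_password(plaintext: str, public_key: rsa.RSAPublicKey) -> str:
    """Produce the value an encrypted-password command expects: RSA-OAEP
    ciphertext, Base64 encoded on a single line."""
    ciphertext = public_key.encrypt(plaintext.encode("utf-8"), OAEP)
    # base64.b64encode never inserts line breaks (base64.encodebytes would,
    # every 76 characters, which is exactly what must be avoided here).
    return base64.b64encode(ciphertext).decode("ascii")


def check_encrypted_password_format(blob: str, key_size: int) -> bool:
    """Check a blob produced by a third-party tool before pasting it into the CLI:
    no line breaks, strictly valid Base64, and exactly one RSA block of ciphertext."""
    if "\n" in blob or "\r" in blob:
        return False
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == key_size // 8


def decrypt_password(blob: str, private_key: rsa.RSAPrivateKey) -> str:
    """Recover the password with the keyring that matches the public key used."""
    return private_key.decrypt(base64.b64decode(blob), OAEP).decode("utf-8")


def can_restore(blob: str, private_key: rsa.RSAPrivateKey) -> bool:
    """True if this keyring can recover the password. A different appliance's
    keyring cannot, which is the decryption error seen when restoring an
    archive without first importing the source configuration-passwords-key."""
    try:
        decrypt_password(blob, private_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    source = generate_keyring()
    blob = encrypt_password("ftp-client-secret", source.public_key())
    print(blob)
    print("format ok:", check_encrypted_password_format(blob, 2048))
    print("source keyring restores:", can_restore(blob, source))
    print("other keyring restores:", can_restore(blob, generate_keyring()))
```

The `can_restore` result for a second keyring is the reason Option 1 below keeps the original keyring rather than regenerating one: the ciphertext stored in the archive is bound to the public key of the appliance that wrote it.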

Section 1 Creating a Transferable Archive
This section describes the steps required to create a transferable archive.

To create a transferable archive:


1. Record the configuration-passwords-key data on the source ProxySG
appliance, as described in "Option 1: Recording SSL Keyring and Key Pair
Information" on page 99. If you need to restore the archive onto a different
appliance, you must have this data.
Do not lose the password used to encrypt the private key. If you do, you will
not be able to recover your private keys.
2. Record any other SSL keyring data you want to save.
3. Store the keyring data and archive in a secure location.
4. Create the archive as described in "Creating and Saving a Standard
Configuration Archive" on page 92.

To restore a transferable archive:

1. Connect to the appliance Management Console of the target appliance, that is
the ProxySG appliance that you are installing the configuration onto.
https://Appliance_IP:8082

2. Go to the Management Console Home page and view the Software version:
information to verify that the appliance is running the same software version
that was used to create the archive. For example:
Software version: SGOS 5.3.0.2 Proxy Edition

You can also verify the version from the appliance CLI:
# enable
# show version

3. Restore the configuration-passwords-key data and any other SSL key data.
Import the configuration-passwords-key keyring as described in "Restoring
an Archived Key Ring and Certificate" on page 105.
4. Select Configuration > General > Archive.
5. Select Local File and click Install.
6. Browse to the location of the archive and click Open. The configuration is
installed, and the results screen displays.

Option 1: Recording SSL Keyring and Key Pair Information

For security reasons, Blue Coat recommends that you do not change encrypted
passwords to clear text. Instead, preserve the configuration-passwords-key
keyring on the source device (the appliance that you created the archive from)
and import that keyring to the target device before you restore the archive.
You can also use the following procedure to save any other keyrings required to
reload SSL-related configuration that references those keyrings.

To record the configuration-passwords-key keyring on the source appliance:
1. Copy the following template to a text file and use it to record the certificate
information so that you can import and restore it later. This template allows
you to import a certificate chain containing multiple certificates, from the CLI.
Alternatively, you can simply copy the SSL data into a blank text file.

Note: The following example is shown in smaller text to preserve the
structure of the commands.

!
ssl ; switches from config mode to config ssl
!
inline keyring show configuration-passwords-key "end-inline"
!
end-inline
inline keyring show default "end-inline"
!
end-inline
!
inline certificate default "end-inline"
!
end-inline
!
! repeat this process for each keyring. Be sure to import the private
! key first, then the keyring's certificate
!
exit ; returns to config mode
!

Do not specify your passwords; the system will prompt you for them when
you restore the keys. You can modify the template to include other keyrings
and certificates.
2. From the CLI, access the config prompt (using the serial console or SSH):
# config terminal

3. Enter the following commands:

#(config) ssl
#(config ssl) view keyring

A listing of existing keyrings (and certificates) is displayed.
For example (your keyrings might be different):
#(config ssl) view keyring
Keyring ID: appliance-key
Private key showability: no-show
Signing request: present
Certificate: absent

Keyring ID: configuration-passwords-key
Private key showability: show
Signing request: absent
Certificate: absent

Keyring ID: default
Private key showability: show
Signing request: absent
Certificate: present
Certificate issuer: Blue Coat SG200 Series
Certificate valid from: Dec 04 20:11:04 2007 GMT
Certificate valid to: Dec 03 20:11:04 2009 GMT
Certificate thumbprint:
9D:B2:36:E5:3D:B7:88:21:CB:0A:08:39:2C:A1:4B:CB

Keyring ID: passive-attack-protection-only-key
Private key showability: show
Signing request: absent
Certificate: present
Certificate issuer: Blue Coat SG200 Series
Certificate valid from: Dec 04 20:11:07 2007 GMT
Certificate valid to: Dec 03 20:11:07 2009 GMT
Certificate thumbprint:
0B:AD:07:A7:CF:D9:58:03:89:5B:67:35:43:B9:F2:C9

4. Enter the following command:

#(config ssl) view keypair des3 configuration-passwords-key

Note: The aes128 and aes256 encryption options are also supported.

5. When prompted, enter an encryption key password:

Encryption key: *****
Confirm encryption key: *****

This password is used to encrypt the private-key before displaying it. After
confirming the password, the ProxySG appliance displays the encrypted
private-key associated with that keyring.

Important: Do not lose the password used to encrypt the private key. If you
do, you will not be able to recover your private keys.

For example:
#(config ssl)view keypair des3 configuration-passwords-key
Encryption password: *****
Confirm encryption password: *****
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,D542F10E3FFF899F

-----END RSA PRIVATE KEY-----

6. Copy the configuration-passwords-key and paste it into the template (copied
in step 1) beneath the line inline keyring show configuration-passwords-key
"end-inline".

7. If a certificate is associated with a keyring, enter the following command:

#(config ssl) view certificate keyring-name

For example:
#(config ssl)view certificate appliance-key
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

8. Copy the certificate and paste it into the template (copied in step 1) beneath
the inline certificate cert_name "end-inline" line.
9. Optional—For each named keyring that you want to restore, repeat steps 4
to 8.

Note: The appliance-key keyring's private key is not viewable, and cannot be
transferred to another ProxySG appliance. The default and passive-attack-
protection-only-key keys typically do not need to be restored either.

10. Save the template with the configuration-passwords-key and other SSL key
data on a secure server.
11. Save the password information (that you used to encrypt the keys) in a secure
place, for example, a restricted access cabinet or safe.
After saving this data, create a configuration archive as described in "Creating a
Transferable Archive" on page 99. When you are ready to restore the archive, you
must first restore the SSL data on the target appliance as described in "Restoring
an Archived Key Ring and Certificate" on page 105.

Example: Completed SSL Data Template

The following example shows how the template might look after completing the
procedure in "To record the configuration-passwords-key keyring on the source
appliance:" on page 100.
The template allows you to import a certificate chain containing multiple
certificates, from the CLI. When you restore the data to the appliance, you will be
prompted for the encryption password that you used to encrypt the keys.

Note: The commands in the following example are bounded by the document
text area and wrap to the next line. They are not shown here as they would
appear in the CLI. See Step 1 in "Option 1: Recording SSL Keyring and Key Pair
Information" on page 99 to view an example of how the commands should
appear.

!
ssl ; switches from config mode to config ssl
!
inline keyring show configuration-passwords-key "end-inline"
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2F6148C8A9902D7F
X11U2YgwwwH0gzJHBQPIfPhE9wJTedm1dhW268kPFonc1UY3dZTq0tiOLwtDfsyx
ForzG9JHhPmlUgLtujsiG5Cg8S183GSyJFqZs8VKxTyby7xa/rMkjtr/lpS++8Tz
GZ4PimFJM0bgcMsZq6DkOs5MmLSRCIlgd3clPSHjcfp+H4Vu0OPIPL98YYPvcV9h
0Io/zDb7MPjIT5gYPku86f7/INIimnVj2R0a0iPYlbKX7ggZEfWDPw==
-----END RSA PRIVATE KEY-----
end-inline
!
inline keyring show default "end-inline"
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2F6148C8A99AAAA
-----END RSA PRIVATE KEY-----
end-inline
!
inline certificate default "end-inline"
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
end-inline
!
! repeat this process for each keyring. Be sure to import the private
! key first, then the keyring's certificate
!
exit ; returns to config mode
!
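
A script to check a filled-in template before storing it, added here as an example and not part of the guide or of SGOS: it confirms that every keyring block holds a PEM private key exported in encrypted form (the Proc-Type: 4,ENCRYPTED and DEK-Info: headers shown in the output above) and that each certificate block follows a keyring block of the same name, which is the import order the guide requires. It assumes the template layout shown above; the sample template and its key and certificate bodies are constructed placeholders.

```javascript
// Added example (not part of the SGOS guide): sanity-check a saved SSL data
// template so that no private key is archived in clear text and certificates
// come after the keyring they belong to. Assumes the appliance exports keys as
// shown in the guide, with the PEM "Proc-Type: 4,ENCRYPTED" and "DEK-Info:"
// headers that "view keypair des3|aes128|aes256" produces.

const HEADER = /^inline (keyring show|certificate) (\S+) "end-inline"$/;

// Parse the template's inline blocks; returns { keyrings, certificates, problems }.
function checkSslTemplate(text) {
  const lines = text.split(/\r?\n/).map(l => l.trim());
  const keyrings = [];
  const certificates = [];
  const problems = [];
  let i = 0;
  while (i < lines.length) {
    const m = HEADER.exec(lines[i]);
    if (!m) { i++; continue; }
    const kind = m[1] === "keyring show" ? "keyring" : "certificate";
    const name = m[2];
    const body = [];
    for (i++; i < lines.length && lines[i] !== "end-inline"; i++) {
      body.push(lines[i]);
    }
    if (i >= lines.length) {
      problems.push(`${name}: ${kind} block has no end-inline terminator`);
      break;
    }
    i++; // step past end-inline
    // Blank lines and "!" comment lines carry no data.
    const data = body.filter(l => l !== "" && !l.startsWith("!"));
    if (data.length === 0) {
      problems.push(`${name}: ${kind} block is empty (nothing pasted yet)`);
      continue;
    }
    if (kind === "keyring") {
      keyrings.push(name);
      if (data[0] !== "-----BEGIN RSA PRIVATE KEY-----" ||
          data[data.length - 1] !== "-----END RSA PRIVATE KEY-----") {
        problems.push(`${name}: keyring block is not a PEM RSA private key`);
      }
      const encrypted = data.includes("Proc-Type: 4,ENCRYPTED") &&
                        data.some(l => l.startsWith("DEK-Info:"));
      if (!encrypted) {
        problems.push(`${name}: private key is not encrypted; export it with view keypair des3|aes128|aes256`);
      }
    } else {
      certificates.push(name);
      if (data[0] !== "-----BEGIN CERTIFICATE-----" ||
          data[data.length - 1] !== "-----END CERTIFICATE-----") {
        problems.push(`${name}: certificate block is not a PEM certificate`);
      }
      if (!keyrings.includes(name)) {
        problems.push(`${name}: certificate has no keyring block before it; import the private key first`);
      }
    }
  }
  return { keyrings, certificates, problems };
}

// Constructed template: the "default" key was pasted unencrypted, and the
// appliance-key certificate has no keyring block (its private key cannot be
// exported, as the guide notes), so both should be reported.
const SAMPLE_TEMPLATE = `!
ssl ; switches from config mode to config ssl
!
inline keyring show configuration-passwords-key "end-inline"
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF
placeholder-encrypted-key-body-constructed
-----END RSA PRIVATE KEY-----
end-inline
!
inline keyring show default "end-inline"
-----BEGIN RSA PRIVATE KEY-----
placeholder-clear-text-key-body-constructed
-----END RSA PRIVATE KEY-----
end-inline
!
inline certificate default "end-inline"
-----BEGIN CERTIFICATE-----
placeholder-certificate-body-constructed
-----END CERTIFICATE-----
end-inline
!
inline certificate appliance-key "end-inline"
-----BEGIN CERTIFICATE-----
placeholder-certificate-body-constructed
-----END CERTIFICATE-----
end-inline
!
exit ; returns to config mode
!`;

console.log(checkSslTemplate(SAMPLE_TEMPLATE));
```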

Option 2: Changing Encrypted Passwords to Clear Text

Important: Blue Coat strongly recommends recording your SSL keyring and
key pair data because changing encrypted passwords to clear text is highly
insecure. Use the following procedure at your own risk.

You can edit the configuration to change encrypted passwords to clear text if you
choose to keep the existing configuration-passwords-key keyring intact on the
new appliance. You do not need to change hashed passwords to clear text—when
you restore the archive, new hashed-passwords are automatically generated using
the target ProxySG appliance’s configuration-passwords-key keyring.

Important: This procedure is not valid for signed archives. Signing guarantees
that the archive has not been modified.

To change encrypted passwords to clear text:

Manually search for every instance of encrypted-password, remove the
encrypted- prefix, and change the encrypted password to clear text. For example:
security encrypted-password "$1$rWzR$BT5c6F/RHLPK7uU9Lx27J."
In the previous example, if the actual password is bluecoat, then you must edit
the entry as follows:
security password "bluecoat"

Note: Hashed passwords do not have to be changed to clear text. When you
restore the archive, they are restored as specified on the source device. The
difference between hashing and encryption is that encryption enables
information to be decrypted and read, while hashing is a mathematical
function used to verify the validity of data. For example, a system might not
need to know a user’s password to verify that password. The system can run a
hash function on the password and confirm that the mathematical result
matches that specified for the user.

Restoring an Archived Key Ring and Certificate

Use the following procedure to import key pair and certificate data (saved in
"Option 1: Recording SSL Keyring and Key Pair Information" on page 99) onto the
system you are restoring the archive to.

Note: You can also import a certificate chain containing multiple certificates.
Use the inline certificate command to import multiple certificates through
the CLI. See "Example: Completed SSL Data Template" on page 103 for more
information.

If you are importing a keyring and one or more certificates onto a ProxySG
appliance, first import the keyring, followed by its related certificate. The
certificate contains the public key from the keyring, and the keyring and
certificate are related.

Importing the configuration-passwords-key keyring:

1. Retrieve your saved configuration-passwords-key data.
2. Select Configuration > SSL > Keyrings > SSL Keyrings.
3. Examine the existing keyrings. If a configuration-passwords-key keyring
already exists, select the keyring and click Delete and Apply.
4. Click Create. The Create Keyring dialog displays.
5. Configure the keyring options:
a. In the Keyring Name field, enter configuration-passwords-key.
b. Select Show keypair.
c. Select Import Existing Private Key.
d. Paste the configuration-passwords-key data into the Private Key text
field.
e. Select Private Key Password and enter the configuration-passwords-key
password into the field. This is the password you saved when you
archived the keyring.
6. Click OK.

7. Click Apply.
The configuration-passwords-key does not have a certificate. However, if one or
more keyrings has a certificate, you must import it and associate it with a keyring.

To import a certificate and associate it with a keyring:

1. Copy the certificate onto the clipboard.
2. Select Configuration > SSL > Keyrings and click Edit/View.
3. From the drop-down list, select the keyring that you just imported.
4. Click Import in the Certificate field.
5. Paste the certificate into the Import Certificate dialog that appears. Be sure to
include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
lines.
6. Click OK.

Section F: Uploading Archives to a Remote Server
This section describes how to create an archive and upload it to a remote server.
Archives can be uploaded using HTTPS, HTTP, FTP, or TFTP. If you are concerned
about security, use HTTPS.
This section includes the following topics:
❐ "Creating and Uploading an Archive to a Remote Server" on page 109
❐ "Adding Identifier Information to Archive Filenames" on page 111

Section 2 Creating and Uploading an Archive to a Remote Server
Use the following procedure to create a signed or unsigned archive and upload it
to a secure, remote host.

To create and upload an archive to a remote server:

Note: This procedure creates only Configuration - expanded archives. You
cannot choose another type.

1. If you use HTTPS, you must specify an SSL device profile to use for the SSL
connection.
An SSL device profile, which can be edited, contains the information required
for device authentication, including the name of the keyring with the private
key and certificate this device uses to authenticate itself. The default keyring is
appliance-key. (For information on private keys, public keys, and SSL device
profiles, see "Managing X.509 Certificates" on page 1281.)
2. Obtain write permission to a directory on a secure, remote host. This is where
the archive will be stored.
3. Access the Management Console of the ProxySG appliance you want to back
up:
https://Appliance_IP:8082

4. Select Configuration > General > Archive.
5. Select the Archive Storage tab.

6. For signed archives, ensure that a keyring has been selected in the Sign archive
with keyring option.

7. In the Remote Upload section, configure the upload settings:

a. From the Protocol drop-down list, select an upload protocol.

Note: For maximum security, Blue Coat recommends using HTTPS.

b. Optional: Add filename prefixes to identify the archive.
The prefixes add unique, time-based variables to the filename. For
example:
%H%A

In the preceding example, the %H%A prefix adds the hour (in 24-hour
format) and the full weekday name. Various combinations can be used.
See "Adding Identifier Information to Archive Filenames" on page 111 for
a list of allowed substitution values.
c. Optional, for HTTPS—Select an SSL device profile to use for the SSL
connection.
See "Uploading Archives to a Remote Server" on page 108 for more
information about device profiles.
d. Enter the remote server host name or IP address and port number. The
remote server can have an IPv4 or IPv6 address, or be a domain name
that resolves to an IPv4 or IPv6 address.
e. Enter the remote server upload path (not required for TFTP).

f. Enter the user name associated with the remote host (not required for
TFTP).
g. Optional—Change the HTTP, HTTPS, or FTP password.
8. Click Upload.

Adding Identifier Information to Archive Filenames

Use the following prefix substitutions to add unique ID information to archive
filenames. Specify these prefixes when using the Remote Upload option.

Table 5–2 Filename Specifiers

Specifier  Description
%%         Percent sign.
%a         Abbreviated weekday name.
%A         Full weekday name.
%b         Abbreviated month name.
%B         Full month name.
%C         The ProxySG appliance name.
%d         Day of month as decimal number (01 – 31).
%H         Hour in 24-hour format (00 – 23).
%i         First IP address of the ProxySG appliance, displayed in x_x_x_x format, with leading zeros removed.
%I         Hour in 12-hour format (01 – 12).
%j         Day of year as decimal number (001 – 366).
%l         The fourth (last) octet in the ProxySG appliance IP address (for example, for the IP address 10.11.12.13, %l would be 13).
%m         Month as decimal number (01 – 12).
%M         Minute as decimal number (00 – 59).
%p         Current locale’s A.M./P.M. indicator for 12-hour clock.
%S         Second as decimal number (00 – 59).
%U         Week of year as decimal number, with Sunday as first day of week (00 – 53).
%w         Weekday as decimal number (0 – 6; Sunday is 0).
%W         Week of year as decimal number, with Monday as first day of week (00 – 53).
%y         Year without century, as decimal number (00 – 99).
%Y         Year with century, as decimal number.
%Z         Time-zone name or abbreviation; no characters if time zone is unknown.
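
As an added example that is not part of the guide, the following function expands these specifiers the way the table describes, so you can predict the archive name a prefix such as %H%A will produce (for instance, to script retention or integrity checks on the upload server). It assumes UTC clock fields (so %Z yields UTC) and AM/PM for %p, passes unknown specifiers through unchanged, and uses a constructed appliance name and IP address.

```javascript
// Added example (not from the SGOS guide): expand the Table 5-2 filename
// specifiers for a given clock reading, appliance name and IP address.
// Assumptions: clock fields are taken in UTC and %Z therefore expands to "UTC";
// %p uses "AM"/"PM"; an unknown specifier is left as written.

const DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"];
const MONTHS = ["January", "February", "March", "April", "May", "June", "July",
  "August", "September", "October", "November", "December"];

function pad(n, width) {
  return String(n).padStart(width, "0");
}

// 0-based day of the year (0 = January 1), computed from UTC fields.
function dayOfYear0(date) {
  const jan1 = Date.UTC(date.getUTCFullYear(), 0, 1);
  return Math.floor((date.getTime() - jan1) / 86400000);
}

// Expand one specifier character; ctx = { date, applianceName, ip }.
function expandSpecifier(ch, ctx) {
  const d = ctx.date;
  const yday = dayOfYear0(d);
  const wday = d.getUTCDay(); // 0 = Sunday
  const h = d.getUTCHours();
  switch (ch) {
    case "%": return "%";
    case "a": return DAYS[wday].slice(0, 3);
    case "A": return DAYS[wday];
    case "b": return MONTHS[d.getUTCMonth()].slice(0, 3);
    case "B": return MONTHS[d.getUTCMonth()];
    case "C": return ctx.applianceName;
    case "d": return pad(d.getUTCDate(), 2);
    case "H": return pad(h, 2);
    // first IP address, dots replaced by underscores, leading zeros dropped
    case "i": return ctx.ip.split(".").map(o => String(Number(o))).join("_");
    case "I": return pad(h % 12 === 0 ? 12 : h % 12, 2);
    case "j": return pad(yday + 1, 3);
    case "l": return String(Number(ctx.ip.split(".")[3]));
    case "m": return pad(d.getUTCMonth() + 1, 2);
    case "M": return pad(d.getUTCMinutes(), 2);
    case "p": return h < 12 ? "AM" : "PM";
    case "S": return pad(d.getUTCSeconds(), 2);
    // week of year with Sunday as the first day of the week (strftime %U)
    case "U": return pad(Math.floor((yday + 7 - wday) / 7), 2);
    case "w": return String(wday);
    // week of year with Monday as the first day of the week (strftime %W)
    case "W": return pad(Math.floor((yday + 7 - ((wday + 6) % 7)) / 7), 2);
    case "y": return pad(d.getUTCFullYear() % 100, 2);
    case "Y": return String(d.getUTCFullYear());
    case "Z": return "UTC";
    default: return "%" + ch; // unknown specifier: leave as written
  }
}

// Expand every %x sequence in an archive filename prefix.
function expandArchivePrefix(prefix, ctx) {
  return prefix.replace(/%(.)/g, (_, ch) => expandSpecifier(ch, ctx));
}

// Constructed context: 15 March 2017, 14:05:09 UTC, appliance "proxy01" at 10.11.12.13.
const SAMPLE_CONTEXT = {
  date: new Date(Date.UTC(2017, 2, 15, 14, 5, 9)),
  applianceName: "proxy01",
  ip: "10.11.12.13",
};

console.log(expandArchivePrefix("%H%A", SAMPLE_CONTEXT));                 // 14Wednesday
console.log(expandArchivePrefix("%C_%i_%Y%m%d-%H%M%S", SAMPLE_CONTEXT)); // proxy01_10_11_12_13_20170315-140509
```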

Section G: Restoring a Configuration Archive
To restore a configuration archive, you must:
❐ Perform pre-restoration tasks, for example, restoring the SSL configuration.
❐ For signed archives—Select a CCL to use to verify the archive.
❐ Restore the archive.

To install the archived configuration:

1. Download a content filter database, if you previously had one and it was lost.
If you restore the archive and it includes content filtering policy, the database
must exist so that categories referenced within policy can be matched with the
currently installed database.
2. Connect to the appliance Management Console of the target appliance, that is
the ProxySG appliance that you are installing the configuration onto.
https://Appliance_IP:8082

3. In the Management Console, click the Home link and look for the software
version in the banner to verify that the appliance is running the same software
version that was used to create the archive. The banner displays a version
such as:
SGOS 6.6.2.1 Proxy Edition

You can also verify the version from the appliance CLI:
# enable
# show version

4. Restore the configuration-passwords-key data and any other SSL key data.
Import the configuration-passwords-key keyring as described in "Restoring
an Archived Key Ring and Certificate" on page 105.
5. Select Configuration > General > Archive.

6. Optional, for signed archives—Select a CCL to use to verify the archive from
the Verify signed archive with CCL drop-down list. If you used the appliance-key
keyring, select appliance-ccl.

7. Optional, for signed archives—In the Install Configuration panel, check the
setting of the Enforce installation of signed archives option. If this option is
selected, only signed archives can be restored.

Note: Depending on the CA that was used to sign the certificate used for the
archive signature, you might have to import a CA certificate and create an
appropriate CCL. For details, see Chapter 63: "Managing X.509 Certificates"
on page 1281.

8. Install the configuration using one of the following methods:

• Local File: If you saved the file to your system, select Local File and click
Install. Browse to the location of the archive and click Open. The
configuration is installed, and the results screen displays.
• Text File: If you copied the contents of the file, select Text Editor and click
Install. Copy the contents of the text file into the Edit and Install the
Configuration dialog and click Install. The configuration is installed, and
the results screen displays.
• Remote Download: If you uploaded the archive to a remote URL, select
Remote URL and click Install. Enter the full path to the archive into the
Install Configuration dialog and click Install. The configuration is installed,
and the results screen displays.
The username and password used to connect to the server can be
embedded into the URL. For FTP, the format of the URL is:
ftp://username:password@ftp-server

where ftp-server is either the IP address or the DNS-resolvable hostname
of the FTP server.
If you do not specify a username and password, the ProxySG appliance
assumes that an anonymous FTP is desired and thus sends the following
as the credentials to connect to the FTP server:
username: anonymous
password: proxy@

Note: A message is written to the event log when you install a
configuration on the ProxySG appliance.

Section H: Sharing Configurations
To ease initial configuration, you can take a configuration from a running
appliance and use it to configure another appliance. This process is called
configuration sharing. You can take a post-setup configuration file (one that does not
include those configuration elements that are established in the setup console)
from an already-configured ProxySG appliance and push it to a newly-
manufactured or restored system that is to have the same or similar configuration.

Note: Blue Coat Director allows you to push a configuration from one
ProxySG appliance to multiple appliances at the same time. For more
information on using Director, refer to the Blue Coat Director Configuration
and Management Guide.

If you push a configuration archive to an appliance that is already configured, the
archive is applied to the existing configuration, changing any existing values. This
means, for instance, that if the new configuration creates a realm called RealmA
and the existing configuration has a realm called RealmB, the combined
configuration includes two realms, RealmA and RealmB.

Configuration Sharing Requirements

To share configurations, you must download a content filter database, if the
configuration includes content filtering.
You can use either the Management Console or the CLI to create a post-setup
configuration file on one ProxySG appliance and push it to another.

Note: You cannot push configuration settings to a newly-manufactured
system until you have completed initial setup of the system.

To create a configuration archive of the source device’s settings using the CLI:
1. Use an SSH client to establish a CLI session with the already configured
ProxySG appliance.
2. From the enable prompt (#), enter the following command:
show configuration post-setup

This displays the configuration on the current system, minus any
configurations created through the setup console, such as the hostname and IP
address. It also includes the installable lists.
3. Save the configuration. You can save the file two ways:
• Copy the contents of the configuration to the clipboard.
• Save it as a text file on an FTP server accessible to the ProxySG appliance.
This is advised if you want to re-use the file.

4. On the newly-manufactured ProxySG appliance, retrieve the configuration file
by doing one of the following:
• If you saved the configuration to the clipboard, go to the (config) prompt
and paste the configuration into the terminal.
• If you saved the configuration on a remote server:
At the enable command prompt, enter the following command:
# configure network "url"

See "Uploading Archives to a Remote Server" on page 108 for more
information about formatting the URL for FTP.

Section I: Troubleshooting
When pushing a shared configuration or restoring an archived configuration,
keep in mind the following issues:
❐ If the content-filtering database has not yet been downloaded, any policy that
references categories is not recognized.
❐ Unless you restore the SSL configuration-passwords-key keyring from the
source device, archives can only be restored onto the same device that was the
source of the archive. This is because the encrypted passwords in the
configuration (login, enable, FTP, etc.) cannot be decrypted by a device other
than that on which it was encrypted.
❐ Do not take an expanded archive from an operational ProxySG appliance and
install it onto another ProxySG appliance. Expanded archives contain system-
specific settings (for example, hostnames, IP addresses, and connection
forwarding settings) that will cause conflicts.
❐ To use signed archives, your appliance must have an SSL certificate
guaranteed by a CA. If your appliance has a built-in appliance certificate, you
can use it and the corresponding appliance-ccl CCL to sign the archive.
Devices manufactured before July 2006 do not support appliance certificates.
If your appliance does not have a built-in appliance certificate, you must do
the following:
• Create a keyring on the appliance.
A keyring contains a public/private key pair. It can also contain a
certificate signing request or a signed certificate.
• Create a Certificate Signing Request (CSR) and send it to a Certificate
Signing Authority (CA).
• Have the CA sign the CSR.
To determine if your appliance has a built-in certificate, see "Using the
Appliance Certificate to Sign the Archive" on page 94.

See Also
For more information about appliance certificates, see Chapter 63:
"Managing X.509 Certificates" on page 1281.

Chapter 6: Explicit and Transparent Proxy

Whether you select explicit or transparent proxy deployment is determined by
factors such as network configuration, number of desktops, desired user
experience, and desired authentication approach.

Note: While you must configure proxying to do authentication, verify the
proxy is configured correctly and is functioning before adding authentication to
the mix. Many network or other configuration problems can appear similar to
authentication errors.

Topics in this Section

❐ "About the Explicit Proxy" on page 119
❐ "About the Transparent Proxy" on page 125
❐ "Transparent Proxies" on page 126
❐ "Configuring IP Forwarding" on page 127

About the Explicit Proxy

In an explicit proxy configuration, every client system (user agent or browser)
must be explicitly configured to use a proxy server. You can either manually
configure each client with the IP address and port number of the proxy service
(the ProxySG) or you can configure the client to download the proxy settings
from a Web server. The proxy settings are contained in a file called a Proxy
Auto-Configuration (PAC) file.
After the client is configured for explicit proxy, all user requests are sent to the
ProxySG rather than to the OCS. The ProxySG appliance will then determine
whether to allow or deny the request based on proxy service and policy
configuration settings. For allowed transactions, the appliance will either
service the request locally (for example, by returning cached objects) or, if
necessary, it will send a request to the OCS on behalf of the client.

Note: Explicit proxy allows a redundant configuration using IP address
failover among a cluster of machines. For information on creating a redundant
configuration for failover, see Chapter 38: "Configuring Failover" on page 947.

To configure browsers for explicit proxy, see:

❐ "Manually Configure Client Browsers for Explicit Proxy" on page 120
❐ "Creating an Explicit Proxy Server with PAC Files" on page 120

Manually Configure Client Browsers for Explicit Proxy
If you are using an explicit proxy deployment, you must set up each client Web
browser to use the ProxySG as its proxy server. Typically, the browser proxy
configuration requires the IP address or hostname of the ProxySG appliance and
the port on which the ProxySG will listen for traffic. The default port is 8080. The
required hostname format (that is, whether you must provide a fully qualified
DNS hostname or a short hostname) depends on the DNS configuration on your
client systems.
Use the following table to help you locate the browser proxy settings:
Browser             Proxy Configuration Settings
Internet Explorer   Tools > Internet Options > Connections > LAN Settings
Firefox             Tools > Options > Advanced > Network > Settings > Manual Proxy Configuration
Chrome              Settings > Show advanced settings > Change proxy settings > LAN settings
Safari (Macintosh)  Apple menu > System Preferences > Internet & Wireless > Network > Advanced > Proxies
Safari (Windows)    Settings menu > Preferences > Advanced > Proxies > Change Settings > LAN settings

Creating an Explicit Proxy Server with PAC Files

If your network does not use transparent proxy, clients on the network must
configure their browsers to use either an explicit proxy server or a Proxy Auto-
Configuration (PAC) file.
Two PAC files ship with the ProxySG:
❐ default PAC file
❐ accelerated PAC file
They can be accessed using HTTP, port 80 or 8080. For example:
❐ http://Appliance_IP_Address:8080/proxy_pac_file for the default PAC file
❐ http://Appliance_IP_Address:8080/accelerated_pac_base.pac for the
accelerated PAC file.
As an alternative to port 8080, you can specify the port that is being
intercepted for the explicit HTTP proxy service. For example, if port 80 is
being intercepted and has the explicit attribute enabled, you can specify:
http://

Note: NEVER use the ProxySG management port (8081/8082) to host the PAC
file.

For additional information about PAC files, see the following:
http://www.proxypacfiles.com/proxypac/
Note: Only the accelerated_pac_base.pac file can be edited. Any text editor can
be used to edit and customize the accelerated PAC file to meet your needs. After
editing the file, you can load a PAC file only through the CLI:
#(config)inline accelerated-pac 123
-paste PAC file here-
123
Then set the browser to use the following URL as the automatic configuration
script: http://Appliance_IP_Address:8080/accelerated_pac_base.pac

Example of an Accelerated PAC File

function FindProxyForURL(url, host)
{
    // URLs in company.com.cn and three named internal hosts: use the proxy on
    // port 8080, falling back to a direct connection if the proxy is unreachable.
    if (shExpMatch(url, "*\.company\.com\.cn*") ||
        (host == "ftp.company.com") ||
        (host == "images.company.com") ||
        (host == "graphics.company.com"))
    {
        return "PROXY www.xxx.yyy.zzz:8080; DIRECT";
    }
    // Windows Media (mms://) streams go to the MMS proxy port.
    else if (url.substring(0, 4) == "mms:")
    {
        return "PROXY www.xxx.yyy.zzz:1755; DIRECT";
    }
    // RTSP streams go to the RTSP proxy port.
    else if (url.substring(0, 5) == "rtsp:")
    {
        return "PROXY www.xxx.yyy.zzz:554; DIRECT";
    }
    // Any URL containing streaming.company.com uses the HTTP proxy port.
    else if (shExpMatch(url, "*streaming\.company\.com*"))
    {
        return "PROXY www.xxx.yyy.zzz:8080; DIRECT";
    }
    // Unqualified names, internal company.com hosts and trouble-site.com
    // bypass the proxy entirely.
    else if (isPlainHostName(host) ||
             shExpMatch(host, "*\.company\.com") ||
             dnsDomainIs(host, ".trouble-site.com"))
    {
        return "DIRECT";
    }
    // Default rule: everything else goes through the proxy on port 8080.
    else
    {
        return "PROXY www.xxx.yyy.zzz:8080; DIRECT";
    }
}
This PAC file tells the browser to:
❐ Use the proxy over port 8080 for URLs containing:
• .company.com.cn anywhere within the URL
• ftp.company.com as the host
• images.company.com as the host
• graphics.company.com as the host
❐ Use the proxy over port 1755 for any URL using the scheme mms://
(Windows Media).
❐ Use the proxy over port 554 for any URL using the scheme rtsp:// (Windows
Media).
❐ Use the proxy over port 8080 for any URL containing
“streaming.company.com” anywhere within the URL.
❐ Go DIRECT (that is, not use a proxy) for any URL that:
• is a simple, one name host name (in other words, not fully qualified)
• is any internal, fully qualified host (for example, host.company.com)
• is any host in the trouble-site.com domain
❐ Otherwise, attempt to use the proxy on port 8080 (the default rule).
The “; DIRECT” after the proxy’s information means that any time the browser
cannot reach the ProxySG, the browser is allowed to fall-back and “go direct.”
This is helpful for laptop/mobile users who will not have to adjust their browser
connection settings manually, since (typically) they can not reach their company
ProxySG from a remote location (and therefore need their browser to “go direct”).
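
The following harness, an added example rather than code from the guide, reproduces the three PAC helper functions the browser supplies (shExpMatch as an anchored glob with * and ?, isPlainHostName, dnsDomainIs) and runs the PAC file above over a constructed set of requests, listing which destinations are proxied on which port and which go DIRECT, so the bypass list can be reviewed before the file is deployed. www.xxx.yyy.zzz is the guide's placeholder proxy address; the sample hosts are constructed.

```javascript
// Added example for evaluating the accelerated PAC file shown in the guide.
// The helpers below reproduce the PAC helper functions browsers provide;
// FindProxyForURL is the guide's PAC file, unchanged. The request list is
// constructed for this example; www.xxx.yyy.zzz is the guide's placeholder proxy.

// Shell-expression match: "*" matches any run of characters, "?" one character;
// the whole string must match.
function shExpMatch(str, shexp) {
  const re = shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// True when the host name contains no dot (a short, unqualified name).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// True when host ends with the given domain suffix (compare with ".example.com").
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// The guide's PAC file.
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "*\.company\.com\.cn*") ||
      (host == "ftp.company.com") ||
      (host == "images.company.com") ||
      (host == "graphics.company.com")) {
    return "PROXY www.xxx.yyy.zzz:8080; DIRECT";
  } else if (url.substring(0, 4) == "mms:") {
    return "PROXY www.xxx.yyy.zzz:1755; DIRECT";
  } else if (url.substring(0, 5) == "rtsp:") {
    return "PROXY www.xxx.yyy.zzz:554; DIRECT";
  } else if (shExpMatch(url, "*streaming\.company\.com*")) {
    return "PROXY www.xxx.yyy.zzz:8080; DIRECT";
  } else if (isPlainHostName(host) ||
             shExpMatch(host, "*\.company\.com") ||
             dnsDomainIs(host, ".trouble-site.com")) {
    return "DIRECT";
  } else {
    return "PROXY www.xxx.yyy.zzz:8080; DIRECT";
  }
}

// Constructed requests covering each branch, plus a look-alike host
// (company.com.evil.example) to confirm that "*.company.com" is anchored
// and does not let it bypass the proxy.
const SAMPLE_REQUESTS = [
  { url: "http://www.company.com.cn/index.html", host: "www.company.com.cn" },
  { url: "http://images.company.com/logo.png", host: "images.company.com" },
  { url: "mms://media.example.net/live", host: "media.example.net" },
  { url: "rtsp://media.example.net/stream", host: "media.example.net" },
  { url: "http://streaming.company.com/tv", host: "streaming.company.com" },
  { url: "http://intranet/", host: "intranet" },
  { url: "http://host.company.com/", host: "host.company.com" },
  { url: "http://www.trouble-site.com/", host: "www.trouble-site.com" },
  { url: "https://www.example.org/", host: "www.example.org" },
  { url: "http://company.com.evil.example/", host: "company.com.evil.example" },
];

// Group request URLs by the decision the browser would make.
function classifyRequests(requests) {
  const byDecision = {};
  for (const { url, host } of requests) {
    const decision = FindProxyForURL(url, host);
    (byDecision[decision] = byDecision[decision] || []).push(url);
  }
  return byDecision;
}

// Hosts the PAC file sends DIRECT, i.e. traffic the proxy's policy never sees.
function bypassingHosts(requests) {
  return requests
    .filter(({ url, host }) => FindProxyForURL(url, host) === "DIRECT")
    .map(({ host }) => host);
}

console.log(JSON.stringify(classifyRequests(SAMPLE_REQUESTS), null, 2));
console.log("Bypassing the proxy:", bypassingHosts(SAMPLE_REQUESTS).join(", "));
```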

Methods to Load or Install a PAC File on a ProxySG

You can either input the content of the PAC file directly on your appliance or you
can put the PAC file on an internal web server and reference the PAC file name on
your ProxySG.

To install the PAC file directly on the appliance:

1. Go to the ProxySG CLI.
2. From enable mode, enter:
inline accelerated-pac EOF
<enter your pac file contents here>
EOF

To reference a PAC file on an internal web server:

1. Ensure the read permissions are set on the web server so the ProxySG can read
the text PAC file.
2. From the ProxySG command line, enter:
config t
#(config)accelerated-pac <path to the PAC file including file name>
#load accelerated-pac

To configure the browser to use the PAC script:
It’s common for modern browsers to have a field where the PAC URL can be
entered. Some browsers (Internet Explorer is one example) have an additional
option to retrieve a PAC URL via DHCP option 252 (which may need to be added
to some DHCP servers). Internet Explorer calls this “Automatically detect
settings."
A PAC URL is typically in the form:
http://mycompany.com/accelerated_pac_base.pac
For this to work, your ProxySG TCP port 80 must be configured to accept explicit
connections. Internet Explorer can retrieve this URL via DHCP option 252 if your
DHCP server is configured to send option 252, and the host is using DHCP (as
opposed to a host configured with a static IP address.)
The default name of the accelerated PAC file (as served by the ProxySG) is
accelerated_pac_base.pac.
If you prefer, you can use policy to have the ProxySG return the PAC file when an
alternate name is requested. For example, suppose you configure your browsers
with the PAC URL http://proxy.company.com/mypacfile. You need to add policy
to your ProxySG that redirects this request to accelerated_pac_base.pac, as
follows:
<Proxy>
url.path.exact="/mypacfile" action.redirect_pac(yes)
define action redirect_pac
request_redirect(307, ".*", "http://<proxy_IP_address>/accelerated_pac_base.pac")
end
You also need to have the HTTP port 80 defined as “explicit” on your ProxySG.
You can avoid this policy, and the second request the redirect costs each
browser, by naming the file accelerated_pac_base.pac in the first place.

To configure PAC files to be sent when using the "WPAD" method:


Another approach is to add the hostname “wpad” to your internal DNS. When
browsers open and attempt to “detect proxy settings,” they issue an HTTP GET
request to the host named wpad.yourcompanydomain.com. In DNS, if you point
wpad.company.com to the IP address of your ProxySG, and add local policy, the
browser will successfully install the PAC file.
1. Your DNS deployment: Add a DNS record to resolve the WPAD hostname
with the local domain to the ProxySG IP address. For example, if the local
domain is example.com, add a record resolving wpad.example.com to the
ProxySG IP address.
2. To receive the wpad.example.com requests, enable an explicit HTTP proxy
service for port 80 on the ProxySG (Configuration > Services > Proxy Services).

Note: You can also use port 8080, but port 80 is preferred because it doesn’t
require that you specify a port for the PAC-URL in the users’ browsers.

3. Configure a redirect policy to convert the client’s
http://wpad.example.com/wpad.dat request into a request for
http://Proxy_IP_Address_or_hostname/accelerated_pac_base.pac on the proxy.
Example policy:
<Proxy>
ALLOW url.path.exact="/wpad.dat" action.ReturnRedirect1(yes)

define action ReturnRedirect1
request_redirect(302, ".*", "http://wpad.example.com/accelerated_pac_base.pac")
end

Additional PAC File Tips and Information


❐ Not all applications know how to parse PAC files correctly. Internet Explorer,
Firefox, Chrome, and most other browsers can use PAC files, but other
applications don’t always know what to do.
❐ Using TCPView.exe from http://www.sysinternals.com will show you where
the browser is connecting. For example, you may expect the PAC file to tell the
browser to connect via the ProxySG, but TCPView shows that the browser is
connecting “direct.” This utility can help you troubleshoot your PAC file.
❐ Typically, if there's a problem with the PAC script syntax, a typo, or if the PAC
script cannot be found, browsers will just go “direct.” This is where TCPView
can come in handy as well.
❐ Browsers cache the PAC file, so changes to it are not picked up until you clear
the browser’s cache and close all open browser windows. In practice a browser
re-reads the PAC file only when a new browser session starts and the file is
not already cached.
❐ PAC file syntax is JavaScript. The PAC helper for pattern matching,
shExpMatch(), takes shell-style wildcard expressions, not regular
expressions. Internet Explorer allows you to use the alert() JavaScript
function to pop up an alert, which can be handy when troubleshooting PAC-file
logic.
❐ Although it is perfectly valid to use the hostname of the proxy server within
the PAC file’s PROXY directive, using an IP address removes the need for the
browser to resolve that name. Clients with a small DNS cache or a low timeout
value may see a performance boost if only the proxy’s IP address is used
within the PAC file’s PROXY string.
❐ The browser evaluates the PAC file’s FindProxyForURL() function for EVERY
URL it finds within the HTML page you have browsed.
❐ For a web page that contains a large number of URLs, a poorly written PAC
file can therefore cause browser performance problems.

❐ It’s best to write your PAC files as small and efficiently as possible. Fast and
efficient Javascript will perform better within the browser, especially on
“busy” web pages.
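The following PAC script is an added example for this guide, not a file shipped with the ProxySG. It implements the rule set described earlier in this section (plain hostnames, internal fully qualified hosts and the trouble-site.com domain go DIRECT; everything else uses the proxy on port 8080 with a DIRECT fallback) and applies the tips above: an IP address in the PROXY string, cheap checks first, and shExpMatch() with shell-style wildcards. The proxy address 10.1.1.10 and the company.com domain are assumptions. Because Node provides none of the PAC helper functions, the example includes small stand-ins for them so it can be run and tested outside a browser.

```javascript
// Added example for this guide, not a PAC file shipped with the ProxySG.
// The proxy address 10.1.1.10 and the company.com domain are assumptions.

// --- Stand-ins for the helpers a browser's PAC engine provides (Node has none) ---
function isPlainHostName(host) {
  return host.indexOf(".") === -1;                        // e.g. "intranet"
}
function dnsDomainIs(host, domain) {
  // Suffix match, as in browsers: dnsDomainIs("www.x.com", ".x.com") -> true
  return host.length >= domain.length &&
    host.slice(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}
function shExpMatch(str, shexp) {
  // Shell-style wildcards: "*" matches any run, "?" one character. Not a regex.
  const re = "^" + shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")                 // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// --- The PAC script itself ---
// An IP address in the PROXY string saves the browser a DNS lookup per URL;
// "; DIRECT" lets the browser go direct (and unpoliced) when the ProxySG is down.
var PROXY_STRING = "PROXY 10.1.1.10:8080; DIRECT";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Cheapest checks first: this function runs for every URL on every page.
  if (isPlainHostName(host)) return "DIRECT";              // e.g. http://intranet/
  if (dnsDomainIs(host, ".company.com")) return "DIRECT";  // internal FQDNs
  if (host === "trouble-site.com" || shExpMatch(host, "*.trouble-site.com")) {
    return "DIRECT";                                       // site that breaks via proxy
  }
  return PROXY_STRING;                                     // the default rule
}
```

Drop the helper stand-ins when you deploy the file; the browser supplies the real isPlainHostName(), dnsDomainIs() and shExpMatch().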

Serving Multiple PAC files


For steps to configure your ProxySG to serve multiple PAC files, refer to Blue Coat
Knowledge Base Articles 000010223 and 000010223.

About the Transparent Proxy


When transparent proxy is enabled, the client (browser) does not know the traffic
is being processed by a machine other than the OCS. The browser believes it is
talking to the OCS, so the request is formatted for the OCS and the proxy
determines for itself the destination server based on information in the request,
such as the destination IP address in the packet, or the Host: header in the
request.
To enable the ProxySG to intercept traffic sent to it, you must create a service and
define it as transparent. The service is configured to intercept traffic for a specified
port, or for all IP addresses on that port. A transparent HTTP proxy, for example,
typically intercepts all traffic on port 80 (all IP addresses).
To ensure that the appropriate traffic is directed to the ProxySG, deploy hardware
(such as a Layer-4 switch or a WCCP router) or a ProxySG software bridge that
redirects selected traffic to the appliance. Traffic redirection is managed through
policies you create on the redirection device.
For detailed information on transparent proxies, continue with "Transparent
Proxies" on page 126.

Transparent Proxies
Configure transparent proxy in the following ways:
❐ Through hardware: See "Configuring Transparent Proxy Hardware" on page
126.
❐ Through bridging: "Bridging" on page 126.
❐ Through using the ProxySG as a gateway: See "Configuring IP Forwarding"
on page 127.
In addition to the transparent proxy configuration, you must create a proxy
service for the transparent proxy and enable the service. At this time, you can also
set other attributes for the service, including the destination IP address and port
range. For information on creating or editing a proxy service for transparent
configuration, see Chapter 7: "Managing Proxy Services" on page 129.

Configuring Transparent Proxy Hardware


For transparent proxy to work, you must use one of the following:
❐ A bridge, either hardware or software
❐ Layer-4 switch
❐ WCCP

Bridging
Network bridging through the ProxySG provides transparent proxy pass-through
and failover support. This functionality allows ProxySGs to be deployed in
environments where L4 switches and WCCP-capable routers are not feasible
options.
The ProxySG provides bridging functionality by two methods:
❐ Software—A software, or dynamic, bridge is constructed using a set of
installed interfaces. Within each logical bridge, interfaces can be assigned or
removed. Note that the adapters must be of the same type. Although the
software does not prevent you from configuring bridges with adapters of
different types (10/100 or GigE), the resulting behavior is unpredictable.
For instructions on setting up a software bridge, see "Configuring a Software
Bridge" on page 1439.
❐ Hardware—The Blue Coat Pass-Through card is a 10/100 dual-interface
Ethernet device that enables a bridge, using its two adapters, so that packets
can be forwarded across it. If the system crashes, the Pass-Through card fails
open: its two Ethernet ports are connected to each other so that traffic
continues to pass, but without interception or policy, until the appliance
recovers.
When the Pass-Through card is installed on the ProxySG, a bridge is
automatically created and traffic going through the bridge is intercepted
according to the proxy-service settings. Note that:
• Forwarding traffic behavior: By default, the bridge forwards packets that
are not to be intercepted.

• Proxy request behavior: Requests arriving on either adapter are proxied, so
if you connect one side of the bridge directly to your Internet connection,
requests from outside can be proxied as well. Keep both sides of the bridge
inside your network.

Configuring a Layer-4 Switch


In transparent proxy acceleration, as traffic is sent to the origin content server, any
traffic sent on port 80 is redirected to the ProxySG by the Layer 4 switch. The
benefits to using a Layer 4 switch include:
❐ Built-in failover protection. In a multi-ProxySG setup, if one fails, the Layer 4
switch can route to the next ProxySG.
❐ Request partitioning based on IP address instead of on HTTP transparent
proxying. (This feature is not available on all Layer 4 switches.)
❐ ProxySG bypass prevention. You can configure a Layer 4 device to always go
through the ProxySG even for requests to a specific IP address.
❐ ProxySG bypass enabling. You can configure a Layer 4 device to never go
through the ProxySG.
For information on configuring a layer-4 switch, refer to the manufacturer’s
documentation.

Configuring a WCCP-Capable Router


WCCP is a Cisco®-developed protocol that allows you to establish redirection of
the traffic that flows through routers.
The main benefits of using WCCP are:
❐ Scalability—With no reconfiguration overhead, redirected traffic can be
automatically distributed to up to 32 ProxySGs.
❐ Redirection safeguards—If no ProxySGs are available, redirection stops and
the router forwards traffic to the original destination address.
For information on using WCCP with a ProxySG, see "WCCP Configuration" on
page 913.

Configuring IP Forwarding
IP Forwarding is a special type of transparent proxy. The ProxySG is configured to
act as a gateway and is configured so that if a packet is addressed to the ProxySG
adapter, but not its IP address, the packet is forwarded toward the final
destination. If IP forwarding is disabled, the packet is rejected as being mis-
addressed.
By default, IP forwarding is disabled to maintain a secure network.

Important: When IP forwarding is enabled, the ProxySG forwards traffic arriving
on any port toward its destination, and that forwarded traffic is not subjected
to policy. Only traffic that matches a port (listener) explicitly defined on the
Configuration > Services > Proxy Services tab is intercepted and policy-checked.

To enable IP forwarding:
1. Select the Configuration > Network > Routing > Gateways tab.
2. Select the Enable IP forwarding option at the bottom of the pane.
3. Click OK; click Apply.

Chapter 7: Managing Proxy Services

This chapter discusses proxy services and service groups and their roles in
intercepting traffic.

Topics in this Chapter


This chapter includes information about the following topics:
❐ Section A: "Proxy Services Concepts" on page 130
❐ Section B: "Configuring a Service to Intercept Traffic" on page 137
❐ Section C: "Creating Custom Proxy Services" on page 140
❐ Section D: "Proxy Service Maintenance Tasks" on page 146
❐ Section E: "Global Options for Proxy Services" on page 150
❐ Section F: "Exempting Requests From Specific Clients" on page 164
❐ Section G: "Trial or Troubleshooting: Restricting Interception From Clients
or To Servers" on page 169
❐ Section H: "Reference: Proxy Services, Proxy Configurations, and Policy" on
page 172

Section A: Proxy Services Concepts
This section describes the purposes of Blue Coat ProxySG proxy services.
❐ "About Proxy Services"
❐ "About Proxy Service Groups" on page 131
❐ "About the Default Listener" on page 132
❐ "About Multiple Listeners" on page 133
❐ "About Proxy Attributes in the Services" on page 134

About Proxy Services


In Blue Coat terminology, a proxy service defines:
❐ The combinations of IP addresses and ports that the proxy matches against.
❐ Whether to intercept or bypass matched traffic and, if intercepted, which proxy
to use to process the traffic.
• When a service is set to Intercept, the ProxySG appliance listens on the port
for traffic and, upon detection, terminates the connection, performs an
action (such as a policy check), and initiates a new connection to the traffic
destination.
• When a service is set to Bypass, the traffic passes through the ProxySG
appliance. Proxy Edition: By default, services are set to Bypass.
❐ A collection of attributes that control what type of processing the ProxySG
appliance performs on the intercepted traffic.

Important: Upon an upgrade to SGOS 6.x, all services existing before the
upgrade are preserved.

❐ For a ProxySG appliance running an Acceleration Edition license:


• A transparent TCP tunnel connection listening on port 23 is created in
place of the default Telnet service.
• Instant messaging, HTTPS reverse proxy, SOCKS, and Telnet services are
not created and are not included in trend data.
• All defined services are set to Intercept by default.
A proxy service listener specifies where a ProxySG service listens for traffic. Four
attributes comprise the listener:
❐ Source address—Most of the time, this attribute is set to all source addresses,
which means any IPv4 or IPv6 address that originates the request. You can
also specify specific IP addresses and subnets. For example, to exclude a
network segment, you specify its subnet and set the action to Bypass.

❐ Destination address—one of the following:
• All addresses, which means any IPv4 or IPv6 destination.
• Transparent—Acts on connections without awareness from the client or
server. Only connections to IPv4 or IPv6 destination addresses that do not
belong to the ProxySG appliance are intercepted. This setting requires a
bridge, such as that available in the ProxySG appliance, a Layer-4 switch,
or a WCCP-compliant router. You can also transparently redirect requests
through a ProxySG appliance by setting the workstation’s gateway to the
appliance IP address.
• Explicit—Requires Web browser and service configuration. The browser
sends requests explicitly to the proxy instead of to the origin content
servers. Only destination addresses that match one of the IPv4 or IPv6
addresses on the ProxySG appliance are intercepted.
• Destination IP address or subnet/prefix length—This listener type ensures
that only destination addresses matching the IPv4/IPv6 address or
subnet/prefix length are intercepted.
❐ Port—A specific port or port range. All default ProxySG services are configured
to their industry-standard ports. For example, the explicit HTTP service is
configured to listen on ports 80 and 8080.
❐ Action—The aforementioned action to take on traffic detected by this service:
Intercept or Bypass.

Note: For a complete list of supported proxy services and listeners, see
"Reference: Proxy Services, Proxy Configurations, and Policy" on page 172.

About Proxy Service Groups


The ProxySG appliance groups services into predefined service groups based on
the type of traffic that service carries. Service groups enable you to:
❐ Quickly locate a specific service and view its attributes.
❐ Create a custom service group and add custom services or existing services to
that group.

Predefined Service Groups and Services


Table 7–1, "Service Groups and Services" lists all service groups and their
associated services.

Note: This list applies to new installations and to appliances restored to factory
defaults after being upgraded from a lower version. Upon upgrading to the
current version, the Services tab retains existing services, service group
names, and policies.

Table 7–1 Service Groups and Services

Standard
Services Group Description: The most commonly intercepted services.
Predefined Service Types (or Examples):
• HTTP/HTTPS—external (transparent and explicit) and internal
• Endpoint Mapper (for MAPI protocol—Microsoft Exchange)
• CIFS (file sharing)
• Streaming (MMS, RTSP)
• Instant Messaging (AOL, MSN, Yahoo)
• FTP
• DNS
• SOCKS

Bypass Recommended
Services Group Description: Services that contain encrypted data and are
therefore recommended not to be ADN-optimized; also includes other
interactive services.
Predefined Service Types (or Examples):
• Cisco VPN
• Blue Coat ADN/WanOp
• Blue Coat management
• Oracle over SSL
• Other encrypted services

Tunnel Recommended
Services Group Description: Services that employ the TCP Tunnel proxy to
provide basic application-independent acceleration.
Predefined Service Types (or Examples):
• Citrix, IMAP, LDAP, Lotus Notes, and various other common business
applications

Default
See "About the Default Listener".

Note: The HTTPS Reverse Proxy service is also available but not created by
default. For information about configuring the HTTPS Reverse Proxy, see
Chapter 17: "Configuring and Managing an HTTPS Reverse Proxy" on page 365.

About the Default Listener


The Default listener detects any traffic that does not match any other listeners on
any of the services.
Upon upgrading to SGOS 6.x from SGOS 5.5.x or an earlier release, the Default
listener displays under the Custom service group; if SGOS 6.x was installed on a
new ProxySG appliance, the Default listener resides in the Standard service group.

About Multiple Listeners
A listener identifies network traffic based on a source IP address or range,
destination IP address or range, or both. Multiple listeners can be defined for a
proxy service or console service. Each service has a set of default actions to apply
to the traffic identified by the listeners it owns.
The destination IP address of a connection can match multiple proxy service
listeners. Multiple matches are resolved using the most-specific match algorithm
used by routing devices. A listener is more specific if it has a larger Destination IP
subnet prefix. For example, the subnet 10.0.0.0/24 is more specific than
10.0.0.0/16, which is more specific than 10.0.0.0/8.
When a new connection is established, the ProxySG appliance first finds the most
specific listener destination IP. If a match is found, and the destination port also
matches, the connection is then handled by that listener. If the destination port of
the listener with the most specific destination IP does not match, the next most-
specific destination IP is found; this process continues until either a complete
match is found or no more matching addresses are found. If a destination IP
address is not specified, the closest matching explicit proxy service listener has
priority over a subnet match. In that instance, the explicit proxy service listener
handles the connection instead of the subnet listener. Explicit port 80 listeners
with a destination host IP identical to the ProxySG appliance have priority over
other explicit listeners.
For example, assume the following services were defined as given in the
following table.

Table 7–2 Example Configuration for Most Specific Match Algorithm
(Source IP Address, Destination IP Address and Port Range together form the
proxy service listener.)

Service Name          Proxy  Source IP Address  Destination IP Address  Port Range
New York Data Center  HTTP   192.168.20.22      10.167.10.0/24          80
New York CRM          HTTP                      10.167.10.2             80
HTTP Service          HTTP                      <Transparent>           80

An HTTP connection initiated to server 10.167.10.2 could match any of the three
listeners in the above table. The most specific match algorithm finds that a listener
in the New York CRM service is the most specific and since the destination port of
the connection and the listener match, the connection is handled by this service.
The advantage of the most specific match algorithm becomes evident when at
some later point another server is added in the New York Data Center subnet. If
that server needs to be handled by a different service than the New York Data
Center service, a new service with a listener specific to the new server would be
added. The administrator does not need to be concerned about rule order in order
to intercept traffic to this particular server using the new, most specific service
listener.

As another example, assume the following service and listeners were defined:
Table 7–3 Second Example Configuration for Most Specific Match Algorithm

Listener Name  Proxy  Destination IP Address  Port Range
L1             HTTP   Explicit                80
L2             HTTP   10.0.0.0/8              80

Consider the following scenario: an HTTP connection to a ProxySG appliance
matches both listeners in the above table. L2 is a subnet match that covers the
ProxySG appliance’s address, but no specific destination IP address is given in
that listener. When the only matches are a subnet listener and an explicit proxy
service listener, the explicit listener (L1) is the better match. Among explicit
listener matches, a port 80 listener whose destination is the appliance’s own IP
address has priority. Only listeners with a specific destination IP address are
considered a better match than explicit listeners.
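To make the selection rules concrete, the following is an added example that models the most-specific-match algorithm described in this section; it is not SGOS code and the exact ordering inside the appliance is not published here. It follows the wording above: a longer destination prefix is more specific, a /32 host address beats an explicit listener, an explicit listener beats any wider subnet, transparent and all-address listeners rank last, and when the most specific destination match fails on port the search falls through to the next one. Listener shapes, the IPv4-only parsing, the appliance address 10.10.10.10 and the extra L3 listener are assumptions; the rest of the sample data is Tables 7–2 and 7–3.

```javascript
// Added example, not SGOS code: a model of the most-specific-match listener
// selection described in this section (IPv4 only). Listener shape:
//   { service, source, dest, port }
// source: CIDR or undefined (any); dest: "all" | "explicit" | "transparent" | CIDR;
// port: a number or [low, high]. The appliance address and listener L3 are assumed.

function ipToInt(ip) {
  const o = ip.split(".").map(Number);
  if (o.length !== 4 || o.some(n => !Number.isInteger(n) || n < 0 || n > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function parseCidr(cidr) {
  const [net, len = "32"] = cidr.split("/");          // "10.0.0.1" means /32
  const prefix = Number(len);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error("bad prefix: " + cidr);
  return { net: ipToInt(net), prefix };
}

function inCidr(ip, cidr) {
  const { net, prefix } = parseCidr(cidr);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((net & mask) >>> 0);
}

// Higher is more specific: /32 host > explicit > subnet (by prefix length) > transparent > all.
function specificity(dest) {
  if (dest === "all") return -2;
  if (dest === "transparent") return -1;
  if (dest === "explicit") return 35;                 // above any subnet, below a /32 host
  const { prefix } = parseCidr(dest);
  return prefix === 32 ? 40 : prefix;
}

function destMatches(listener, conn, applianceIps) {
  const toAppliance = applianceIps.includes(conn.dst);
  switch (listener.dest) {
    case "all": return true;
    case "explicit": return toAppliance;             // request addressed to the proxy itself
    case "transparent": return !toAppliance;         // request addressed to the origin server
    default: return inCidr(conn.dst, listener.dest);
  }
}

function portMatches(port, p) {
  return Array.isArray(port) ? p >= port[0] && p <= port[1] : p === port;
}

// Returns the listener that handles conn = { src, dst, port }, or null when none
// matches (the Default listener then applies).
function selectListener(listeners, conn, applianceIps) {
  const candidates = listeners
    .filter(l => (!l.source || inCidr(conn.src, l.source)) && destMatches(l, conn, applianceIps))
    .sort((a, b) => specificity(b.dest) - specificity(a.dest));
  // Walk from the most specific destination down; a port mismatch falls through.
  for (const l of candidates) if (portMatches(l.port, conn.port)) return l;
  return null;
}

// Sample data constructed from Table 7-2 and Table 7-3 on this page.
const TABLE_7_2 = [
  { service: "New York Data Center", source: "192.168.20.22", dest: "10.167.10.0/24", port: 80 },
  { service: "New York CRM", dest: "10.167.10.2", port: 80 },
  { service: "HTTP Service", dest: "transparent", port: 80 },
];
const TABLE_7_3 = [
  { service: "L1", dest: "explicit", port: 80 },
  { service: "L2", dest: "10.0.0.0/8", port: 80 },
  { service: "L3 (added)", dest: "10.10.10.10/32", port: 443 },  // assumed, shows port fall-through
];
const APPLIANCE_IPS = ["10.10.10.10"];                           // assumed ProxySG address

function whichService(listeners, conn, applianceIps = APPLIANCE_IPS) {
  const l = selectListener(listeners, conn, applianceIps);
  return l ? l.service : "Default";
}
```

In Table 7–3 a connection to the appliance on port 80 is matched by L3 (most specific) first, but L3 listens on 443, so the search falls through to L1 rather than to the wider L2 subnet.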

About Proxy Attributes in the Services


In addition to the listener information, each service contains one or more settings
that affect how the ProxySG appliance proxies the traffic. The following sections
provide an overview of those settings. The proxy configuration topics provide
more information about these attributes.

About Authenticate-401
Available on the Explicit HTTP and External HTTP services.
When this option is selected, all transparent and explicit requests received on the
port always use transparent authentication (cookie or IP, depending on the policy
configuration).
If you have deployed authentication in the way recommended by Blue Coat,
where only the ProxySG appliance nearest the user performs the authentication
tasks, configuring Authenticate-401 is not necessary. However, when multiple
explicitly configured ProxySG appliances in a proxy chain all attempt to perform
authentication, browsers can have trouble. By forcing one of the proxies
(recommended: the one furthest from the client) to use 401-style authentication
instead of the standard proxy 407-style authentication, the browser can better
handle the multiple authentication challenges.

About Protocol Detection


Applies to the HTTP, HTTPS, SOCKS, and TCP Tunnel services.
Protocol detection identifies HTTP, SOCKS CONNECT requests, and TCP
tunnels. You can enable protocol detection on the aforementioned services or
implement it using policy. Policy can further be used to negate protocol detection
for SSL requests. Defining a policy for protocol detection enhances granularity by
matching on a richer set of conditions rather than the specific service; policy
always overrides manual settings.

If protocol detection is enabled, the appliance inspects the first bytes sent from
the client and determines if a corresponding application proxy is available to
hand off the connection. For example, an HTTP request identified on a TCP
tunnel has full HTTP policy applied to it, rather than just simple TCP tunnel
policy. In particular, this means that:
❐ The request arrives with client protocol HTTP rather than TCP Tunnel.
❐ The URL used while evaluating policy is the http:// URL of the tunneled
HTTP request, not the tcp:// URL to which the tunnel was connecting.
❐ Forwarding policy is applied based on the new HTTP request; therefore, the
selected forwarding host must support HTTP. A forwarding host of type
TCP cannot handle the request, which forces the request to be blocked.
Enabling protocol detection helps accelerate the flow of traffic. However, the TCP
session must be fully established with the client before either the application
proxy or the TCP tunnel proxy contacts the origin server. In some cases, like in the
active-mode FTP data connections, enabling protocol detection might cause a
delay in setting up the connection.
To avoid this connection delay, either use a protocol specific proxy, such as the
FTP proxy, or disable protocol detection.
If protocol detection is disabled, traffic flows over a TCP tunnel without
acceleration provided by a protocol-specific proxy.

Note: Protocol detection is disabled by default.

About ADN Optimizations


Applies to the HTTP, HTTPS, CIFS, Endpoint Mapper, FTP, SSL, and TCP Tunnel proxies.
Controls whether ADN optimizations—byte caching and/or compression—are
enabled on a specific service. Note that enabling these ADN optimizations does
not guarantee accelerated connections. It depends on ADN routing (for explicit
deployments) and network configuration (for transparent deployments).
Byte caching is an optimization that replaces byte sequences in traffic flows with
reference tokens. The byte sequences and the token are stored in a byte cache on a
pair of ProxySG appliances (for example, one at the branch, the other at the data
center). When a matching byte sequence is requested or saved, the ProxySG
appliance transmits the token instead of the byte sequence.
GZIP compression removes extraneous/predictable information from traffic before
it is transmitted. The information is decompressed at the destination’s ProxySG
appliance.

About Early Intercept


Opening a TCP connection involves a three-way handshake involving packets: the
client contacts the server, the server acknowledges the client, and the client
acknowledges the server.

❐ With early intercept, the ProxySG appliance returns a server acknowledgement
back to the client and waits for the client acknowledgement, which completes
the TCP three-way handshake, before the appliance connects upstream to the
server. Furthermore, for proxies that support object caching (such as HTTP),
the appliance can serve the request from its cache, so a server connection is
not necessary.
❐ With delayed intercept, the ProxySG appliance attempts to connect upstream
immediately after receiving the client's initial connection request, but waits to
return the server acknowledgement until determining whether or not the
upstream connection succeeds. This provides greater transparency, as the
client receives either an RST or no response, which mirrors what is sent from a
server when connections fail.
For every proxy listener except CIFS and TCP Tunnel services, early intercept is
hard-coded to enabled.
❐ For CIFS, the listener is hard-coded as delayed intercept because of a specific
issue with the way clients attempt to connect to ports 139 and 445
simultaneously. Without a full transparency in our response to the TCP three-
way handshakes, client connections might break.
❐ For TCP Tunnel, the Early Intercept option is selectable and disabled by
default. When this option is disabled, the proxy delays responding to the
client until after it has attempted to contact the server. For maximum
transparency, leave it disabled; if reduced latency is more important, enable
it.

Section B: Configuring a Service to Intercept Traffic
This section describes:
❐ "Changing the State of a Service (Bypass/Intercept)" on page 138
❐ "Moving a Service" on page 146
❐ "Deleting a Service or Service Group" on page 147
❐ "Bypassing All Proxy Services (Troubleshooting)" on page 147
❐ "Importing a Service from the Service Library" on page 148
To learn more details about Blue Coat services, see "Proxy Services Concepts" on
page 130.

Section 1 Changing the State of a Service (Bypass/Intercept)
There are two service states:
❐ Bypass—Traffic for this service passes through the ProxySG appliance without
receiving an optimization or policy checking (as applicable).
❐ Intercept—The ProxySG appliance intercepts traffic for this service and applies
optimization or policy checks (as applicable).
Depending on the type of installation performed on the ProxySG appliance, the
state of existing services varies.
❐ Upgrade from a previous SGOS release—Supported services remain in their
original service groups and retain their bypass/intercept states.
❐ New installation or re-initialization—All services are set to Bypass, unless
the person performing the installation set some services, such as External
HTTP, to Intercept during the installation process.
You cannot change the state of an entire predefined group; you must set each
service required for your deployment to Intercept.
Changing the state of a service to Intercept is only the first step in configuring a
protocol proxy. To achieve your corporate deployment goals, you must also
configure the proxy settings and define policy, both of which determine how the
ProxySG appliance processes the intercepted traffic. These aspects are discussed in
each proxy section later in this guide.
For more conceptual information about services, see "About Proxy Services" on
page 130.

To change the state of a service:


1. In the Management Console, select the Configuration > Services > Proxy Services >
Proxy Services tab.


2. Click the group name to expand the group. For example, you want to
intercept the CIFS services.
3. Optional: Select the Default Action for traffic that does not match any current
service.


4. From the drop-down for the service or an individual service port, select to
Bypass or Intercept.

5. Repeat for other services, as required.


6. Click Apply.

Next Tasks
As previously mentioned, setting a service to Intercept is one step in controlling
specific traffic types. There are other options for the services themselves, plus
proxy configurations and policy definitions. You can also create custom services
and service groups.

Proxy Configuration/Policy Definitions


"Reference: Service/Proxy Matrices" on page 174

Other Service Options


❐ "Moving a Service" on page 146
❐ "Deleting a Service or Service Group" on page 147
❐ "Bypassing All Proxy Services (Troubleshooting)" on page 147
❐ Section C: "Creating Custom Proxy Services" on page 140
❐ Section E: "Global Options for Proxy Services" on page 150

Section C: Creating Custom Proxy Services
This section describes how to create a new proxy service. Follow this procedure if
you need to create a proxy service for a custom application.
You can also create custom proxy service groups and populate them with custom
services or move default services to them. For example, this ProxySG appliance
serves a specific purpose and you want a custom group that contains only those
services. This procedure discusses creating a service group, creating a new
service, and placing that service in the custom group.

Note: If you only need to change the state of the proxy service (Bypass/Intercept),
you can do so from the main Proxy Services tab. You do not need to enter New/
Edit mode to change this setting.

Before you begin, you must understand the goal of your deployment, how the
application proxy operates, and the IP addresses (source and/or destination) and
ports to intercept. Some proxy services, such as DNS, are simple—comprised only
of IP addresses and ports. Others, such as HTTP, have more attributes to consider.
For a high-level description of these options, see "About Proxy Attributes in the
Services" on page 134.
For specific proxy descriptions, see

To create a new proxy service:


1. From the Management Console, select the Configuration > Services > Proxy
Services tab.


2. At the bottom of the tab, click New Service Group. The New Service Group dialog
displays.
3. In the Service Group field, name the custom service group.

4. Click OK. The new service group displays under Custom Service Groups.

5. Click New Service. The New Service dialog displays.


6. Configure service attributes, including applicable proxy settings:


a. In the Name field, enter a name that describes the service.
b. From the Service Group drop-down list, select which group displays the
service on the main page. You can add the service to a default group or
any already-created custom group.
c. Proxy settings—From the Proxy drop-down list, select the supported
proxy that is compatible with the application protocol.
The Proxy settings sub-options are dynamic (including TCP/IP Settings),
based on the selected proxy. See "About Proxy Attributes in the Services"
on page 134 for overviews of these options; for more detailed information,
see the chapter that explains each proxy in more detail.

Note: The Detect Protocol setting is disabled by default. You must select
this check box for protocol detection to take place on this service.

d. Application Delivery Network Settings—(Not available for all proxies).


Enable ADN—This setting does not guarantee acceleration for this service—
it also depends on ADN routing (for explicit deployments) or network
setup (for transparent deployments).
Enable byte caching —This acceleration technique replaces byte sequences
in traffic flows with reference tokens and stores them in a byte cache on a
pair of ProxySG appliances at each end of the WAN. When a matching
byte sequence is requested again, the ProxySG appliance transmits a token
instead of the byte sequence.
Enable compression—Uses a variety of algorithms to remove extraneous/
predictable information from the traffic before it is transmitted. The
information is reconstituted at the destination based on the same
algorithms.

Note: To get the maximum benefit of ADN, both byte caching and
compression should be enabled. In cases where byte caching may be
causing issues for an ADN deployment, you can turn off the Enable byte
caching option and just use compression (or vice versa). If you know the
traffic for this proxy is already compressed or encrypted, you can conserve
resources by clearing the Enable byte caching and Enable compression
options. For additional information about byte caching and compression,
see "ADN Acceleration Techniques" on page 839.

Enable thin client processing—Applies special treatment to application traffic
from thin client applications (such as RDP, VNC, and Citrix). This
processing improves responsiveness of thin client actions. For example,
end-users will notice that the desktop displays significantly faster. In
addition, thin client data is not retained in the byte cache as long as other
types of data because this data is more temporal in nature; the byte
cache, therefore, can be used more efficiently for other types of traffic that
can better leverage it.
This option is available for TCP Tunnel proxies only, and is only available
when ADN is enabled and byte caching and/or compression is enabled.
Retention priority and thin client processing are mutually exclusive
settings; you cannot enable both options for a service.

Note: For thin client processing to be most effective, you must deactivate
the thin client’s software-based encryption and compression.

Retention priority—You can control how long data is stored in the byte cache
dictionary by assigning a retention priority to a particular service. If you
want to keep certain types of data in the dictionary for as long as possible,
set a high retention priority for the service. Or for data that isn’t likely to
get much benefit from byte caching, you can set a low retention priority for
the related service. Most services are set to normal priority by default. This
option is available only if byte caching is enabled for the service.
You can use this option to preserve the most relevant content in the byte
cache in the face of continually incoming, competing byte cache data. For
example, when an application is being used for backup, you may want to
set the retention priority to high so that competing traffic doesn’t evict the
backup data. However, if an application is being used for data replication,
you may want to set the service’s retention priority to low as the data most
likely will only be hit in the next short duration.

7. Create a listener, or the IP address(es) and ports that this application protocol
uses. In the Listeners area, click New. The New Listener dialog displays.

8. Configure the new listener attributes:


a. In the Source address area, the most common selection is All, which
means the service applies to requests from any client (IPv4 and IPv6).
You can also restrict this listener to a specific IP address (IPv4 or IPv6)
or user subnet (for IPv4) or prefix length (for IPv6).
b. Select a Destination address from the options. The correct selection
might depend on network configuration. For overviews of the options,
see "About Proxy Services" on page 130.
c. In the Port Range field, enter a single port number or a port range on
which this application protocol broadcasts. For a port range, enter a
dash between the start and end ports. For example: 8080-8085
d. In the Action area, select the default action for the service: Bypass
configures the service to ignore any traffic matching this listener.
Intercept configures the service to intercept and proxy the associated
traffic.
e. Click OK to close the dialog. The new listener displays in the Listeners
area.
9. Click OK to add the new service to the selected service group.
10. Click Apply.

See Also
❐ "Moving a Service"
❐ "Importing a Service from the Service Library"

Section D: Proxy Service Maintenance Tasks
This section provides various tasks for managing existing services.
❐ "Moving a Service"
❐ "Deleting a Service or Service Group" on page 147
❐ "Bypassing All Proxy Services (Troubleshooting)" on page 147
❐ "Importing a Service from the Service Library" on page 148

Moving a Service
The predefined services are not anchored to their default groups. You can move a
service to any other predefined or custom group.

Note: You must move the entire service; that is, you cannot move individual
service listeners.

To move a service to another service group:


1. From the Management Console, select the Configuration > Services > Proxy
Services tab.

2. Move the service:


a. Select a service.
b. Click Move Service. The Move Service dialog displays.
c. From the drop-down list, select an existing service group (custom or
pre-defined).
d. Click OK.

3. Click Apply.

Deleting a Service or Service Group


You can delete a service within a predefined service group but you cannot delete
an empty predefined service group itself. However, you can delete a custom
service group if it is empty.
You can add back a default service you deleted from the service library by using
the Import Service feature. See "Importing a Service from the Service Library" on
page 148.

To delete a service:
1. From the Management Console, select the Configuration > Services > Proxy
Services tab.

2. Select the service or custom service group to delete.


3. Click Delete. A confirmation prompt displays.
4. Click Yes. The selected service or custom service group is deleted.
5. Click Apply.

Bypassing All Proxy Services (Troubleshooting)


The Bypass All Proxies feature is intended as an interim solution while
application-breaking problems are repaired. When Force Bypass is invoked,
transparent proxy connections are bypassed and explicit proxy connections are
rejected.

Note: Downgrading to a version that does not support force bypass while
running in bypass mode will result in restoration of proxy services.

To bypass all proxy services:


1. From the Management Console, select the Configuration > Services > Proxy
Services tab.

2. In the Force Bypass area, select the Temporarily bypass all proxy services option.
The bypass statement changes to red.
3. Click Apply.

Importing a Service from the Service Library
Importing a service procedure is required if you delete a default service and want
to re-add it. If you import an existing service, you are prompted to confirm the
replacement of a service. Existing service settings are overwritten with the default
settings.
In addition, after upgrading the software, any new services added to the service
library must be imported if you want to use them.

To import a service from the service library:


1. From the Management Console, select the Configuration > Services > Proxy
Services > Proxy Services tab.

2. Click Import Service. The Import Service dialog displays.

3. Configure the import service options:


a. From the Name drop-down list, select the service to import.
b. All other settings adjust automatically to the service’s default values.
Perform changes if required.
c. Click New to configure a new listener or Edit to modify existing listener
settings.

d. Click OK.
4. Click Apply.

Section E: Global Options for Proxy Services
This section describes features that apply to all proxies and services. See "Proxy
Service Global Options" for details.

Section 2 Proxy Service Global Options
Blue Coat provides optional settings that apply to all proxy services when
configured:
❐ "Ensuring Application Availability (Tunnel on Protocol Error)"
❐ "Using the Client IP Address for Server Connections" on page 153
❐ "Improving Performance by Not Performing a DNS Lookup" on page 154
❐ "Managing Licensed User Connection Limits (ProxySG to Server)" on page
158

Note: You can subscribe to the CachePulse service to optimize HTTP traffic. For
information, see "Enabling CachePulse" on page 208.

Ensuring Application Availability (Tunnel on Protocol Error)


HTTP Proxy
In many networks, business-critical applications send traffic over port 80—the
default HTTP port—because it is used as a generic route through the firewall.
However, the ProxySG HTTP proxy encounters problems when it receives non-
HTTP requests from clients or browsers. The client receives an exception page and
the connection closes. The following deployment operations create this situation:
❐ The client request from an application or browser is not HTTP.
❐ The request is HTTP but also contains components that are not HTTP.
❐ The request contains an unexpected formatting error in a line or header.
The ProxySG appliance provides an option that enables the HTTP proxy to tunnel
the connection when it receives non-HTTP traffic or a broken HTTP request. This
allows application traffic to continue and employee production to continue. The
transactions remain labeled as HTTP; therefore, the access logs and the Traffic Mix
and Active Sessions statistics display TCP_TUNNELED to indicate when a connection
passed through the HTTP proxy. The HTTP proxy cannot apply security policies;
however, benefits provided by ADN configurations might occur.
The TCP Tunnel on Error option is viable with the following deployments:
❐ Applies only to HTTP traffic; HTTPS is not supported in either forward or
reverse proxy modes.
❐ Applies only to errors in requests from the client browser or application to the
appliance. Any issues that arise from server responses are not accommodated
by this feature.
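The following Python model is added here as an illustration; it is not SGOS code and not part of this guide. It shows the decision described above: a request head that does not parse as HTTP/1.x is either tunneled (labeled TCP_TUNNELED, with no policy applied) or answered with an exception page, depending on whether the option is enabled. The reduced parser, the function names, and the sample byte strings are constructed for the example; the proxy's real parser is more permissive and is not reproduced here.

```python
import re

# Minimal HTTP/1.x request-head grammar: enough to separate well-formed HTTP
# from the three situations the text lists (non-HTTP bytes, HTTP mixed with
# non-HTTP components, and a formatting error in a line or header).
_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")
_HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[^\r\n]*$")


def classify_request(data: bytes) -> str:
    """Return 'http' when the request head is well-formed HTTP/1.x,
    otherwise 'protocol-error'. Only the head (up to the blank line) is read."""
    head = data.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not _REQUEST_LINE.match(lines[0]):
        return "protocol-error"          # not HTTP at all, or malformed request line
    for line in lines[1:]:
        if not _HEADER_LINE.match(line):
            return "protocol-error"      # formatting error in a header line
    return "http"


def handle_connection(data: bytes, tunnel_on_error: bool) -> dict:
    """Model of the HTTP proxy's decision for the first bytes of a connection.

    Returns the action taken, whether security policy is applied to the
    transaction, and the label the access log carries for a tunneled
    connection (TCP_TUNNELED, as the text states)."""
    if classify_request(data) == "http":
        return {"action": "proxy", "policy_applied": True, "log_label": None}
    if tunnel_on_error:
        # Tunneled bytes pass through unexamined: the application keeps
        # working, but no HTTP policy can be evaluated on this connection.
        return {"action": "tunnel", "policy_applied": False, "log_label": "TCP_TUNNELED"}
    # Default behaviour: the client gets an exception page and the connection closes.
    return {"action": "exception", "policy_applied": False, "log_label": None}


# Constructed sample inputs (not captured traffic).
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
NON_HTTP = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b"                  # binary protocol on port 80
BROKEN_HEADER = b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n"   # header line missing its colon


def count_unpoliced(samples, tunnel_on_error: bool) -> int:
    """How many of the sample connections would pass through with no policy applied."""
    results = [handle_connection(s, tunnel_on_error) for s in samples]
    return sum(1 for r in results if r["action"] == "tunnel")


if __name__ == "__main__":
    for name, sample in [("good", GOOD_REQUEST), ("non-http", NON_HTTP), ("broken", BROKEN_HEADER)]:
        print(name, handle_connection(sample, tunnel_on_error=True))
```

The count function is the figure an administrator wants before enabling the option: every tunneled connection is one on which the HTTP proxy applies no security policy, which is why the access log label matters for later review.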

SSL Proxy
For the SSL proxy, the Tunnel on Protocol Error option applies when non-SSL
traffic arrives at the SSL port (443 by default). A common scenario that causes this
is having peer-to-peer applications (viz., Skype, BitTorrent, Gnutella, older AOL
IM and eMule) configured to enable port 443 for peer-to-peer traffic without SSL
set as the transport protocol. A ProxySG appliance transparently intercepting all
443 traffic cannot process these connections, rendering the application unusable.
With an explicit proxy deployment, SSL errors during the initial handshake
cause the same issue. The following example illustrates this:
❐ The ProxySG appliance is configured to have an explicit HTTP service on port
8080.

❐ The HTTP service is configured with detect protocol enabled, which hands off
SSL traffic to the SSL proxy from an HTTP CONNECT request. Detect Protocol is
set to OFF by default.

Note: The same applies to an explicit SOCKS proxy deployment with protocol
detection enabled or an explicit TCP listener.

Forwarding Note
Enabling the TCP Tunnel on Error option might cause issues if the ProxySG
appliance has forwarding rules that direct traffic to upstream proxies or other
devices:
❐ Forwarding hosts are not viewed as HTTP proxies (even if they are). The
initial ProxySG HTTP proxy connects with a TCP tunnel to the forwarding
host. If the appliance has a policy to forward and tunnels on error, the
forwarding rule might not match if the forwarding rule has a condition based
on information that is not present—any HTTP conditions, such as:
• Request method
• Request URL
• Request headers
❐ In the case of tunnel on error with explicit proxy, HTTP must match a
forwarding host for the connection of a successful TCP tunnel to occur. If no
forwarding host matches, HTTP will not tunnel on error.

To enable TCP tunnel on HTTP protocol errors:


1. Select the Configuration > Proxy Settings > General > General tab.

2. In the Tunnel on Protocol Error area, select TCP tunnel requests when a protocol error
is detected.

3. Click Apply.

Related Policy
The Visual Policy Manager (VPM) provides the Client Certificate Requested object in
the SSL Intercept Layer > Service column (the equivalent CPL is
client.certificate.requested={yes|no}). Use this policy in conjunction with an
SSL.Intercept(no) action, or a Do Not Intercept SSL action in the VPM, to minimize
traffic disruption when the SSL proxy intercepts secure traffic where the OCS
requests a client certificate.
When Tunnel on Error is enabled, the first detection of a client certificate request
from an OCS causes the connection to fail. The appliance adds the details for that
exchange to an internal list of connections for which SSL interception should be
negated. Subsequent requests function as expected.

Using the Client IP Address for Server Connections


This section discusses configuring the ProxySG appliance to use the IP address of
the client to connect to destination servers rather than use the ProxySG address.

About Reflecting the Client Source IP when Connecting to Servers


By default, the ProxySG appliance uses its own IP address as the source IP
address for requests (when connecting to servers). If Reflect Client IP is enabled,
the ProxySG appliance uses the client IP address for all requests. Enabling this
option is not an arbitrary decision; it depends on the deployment and role of the
ProxySG appliance. For example, if this ProxySG

Note: The Reflect Client IP option is only supported in transparent ProxySG
deployments.

You can globally enable the Reflect Client IP option for all services that will be
intercepted. To apply Reflect Client IP option to only a few services, first enable
this option globally and then create policy to disable the Reflect Client IP option
for the exceptions. Or, disable the option globally and create policy to enable it.

Enabling Reflect Client Source IP


To configure the ProxySG appliance to connect to servers using client source
IP addresses:
1. Select the Configuration > Proxy Settings > General > General tab.

2. In the Reflect Client IP area, select Reflect client’s source IP when connecting to
servers.

3. Click Apply.

Important: If you enable Reflect Client IP and want the ProxySG appliance to
preserve persistent client connections, you must also add policy.
VPM object: Web Access Layer > Action > Support Persistent Client Requests (static)
CPL:
<proxy>
http.client.persistence(preserve)

Improving Performance by Not Performing a DNS Lookup


This section describes how to improve performance by configuring the ProxySG
appliance to trust the destination IP address provided by the client.

About Trusting the Destination IP Address Provided by the Client


If, in your environment, a client sometimes provides a destination IP address that
the ProxySG appliance cannot identify, you have the option to configure the
appliance to not perform a DNS lookup and allow that IP address. This can
improve performance, but potentially presents a security issue.
You can configure the ProxySG appliance to trust a client-provided destination IP
address in transparent proxy deployments where:
❐ DNS configuration on the client is correct, but is not correct on the appliance.
❐ The client obtains the destination IP address using Windows Internet Name
Service (WINS) for NetBIOS name resolution.
❐ DNS imputing on the ProxySG appliance is not configured correctly. On the
ProxySG appliance, you can configure a list of suffixes to help with DNS
resolution. In the event that the host name is not found, these suffixes are
appended to the host name provided by the client. For information on DNS
imputing, see "Resolving Hostnames Using Name Imputing Suffixes" on page
961.
In each of the cases above, the ProxySG appliance cannot obtain the destination IP
address to serve client requests. When you enable the ProxySG appliance to trust
a client-provided destination IP address, the ProxySG appliance uses the IP
address provided by the client and does not perform a DNS lookup.

Figure 7–1 No DNS lookup occurs; the transaction goes straight to the OCS.

Figure 7–2 The ProxySG appliance initiates a DNS lookup and initiates a new connection to the
server.
The ProxySG appliance cannot trust the client-provided destination IP address in
the following situations:
❐ The ProxySG appliance receives the client requests in an explicit proxy
deployment.
❐ The ProxySG appliance has a forwarding rule configured for the request.
❐ The ProxySG appliance has a SOCKS gateway rule configured for the request.
❐ The ProxySG appliance has policy that rewrites the server URL.
A transproxy deployment is one where a client is configured to contact a ProxySG
appliance explicitly, and a new ProxySG appliance is deployed between the client
and its explicit proxy. The new ProxySG appliance, now transparently intercepts
the traffic between the client and its explicit proxy. In a transproxy deployment,
the destination IP address used by the client does not match the host header in the
HTTP request, since the client is configured to use the explicit proxy. The path that
the client request takes in a transproxy deployment depends on whether or not
Trust Destination IP is enabled on the transparently deployed ProxySG appliance.

❐ When Trust Destination IP is enabled on the transparent ProxySG appliance, the
transparent proxy trusts the destination IP included in the request and
forwards the request to the explicit proxy which is serviced either from cache
or from the Origin Content Server (OCS).
❐ When Trust Destination IP is disabled on the transparent ProxySG appliance, the
transparent proxy performs a DNS resolution on the host header in the
request. The request is then completed based on the configured policy—
forwarding rules, SOCKS gateway policy, and server URL rewrite policy.

Note: If a client gives the destination address of a blocked site but the host name
of a non-blocked site, with Trust Destination IP enabled, the ProxySG appliance
connects to the destination address. This might allow clients to bypass the
configured security policy for your environment.
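The following Python model is an added example, not SGOS code and not part of this guide. It works through the two paths described above (trusting the client-provided IP versus resolving the Host header), the four situations in which the appliance cannot trust the client IP, and the mismatch the preceding note warns about. The dataclass, the function names, and the DNS table with its IP addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Request:
    """What the appliance knows about one intercepted client request."""
    host_header: str                # host name from the HTTP Host header
    client_dst_ip: str              # destination IP of the intercepted TCP flow
    explicit: bool = False          # received in an explicit proxy deployment
    forwarding_rule: bool = False   # a forwarding rule is configured for the request
    socks_gateway: bool = False     # a SOCKS gateway rule is configured for the request
    url_rewritten: bool = False     # policy rewrites the server URL


# Constructed stand-in for the appliance's own DNS view (documentation addresses).
DNS_TABLE: Dict[str, str] = {
    "allowed.example": "203.0.113.10",
    "blocked.example": "198.51.100.7",
}


def resolve(host: str, dns_table: Dict[str, str]) -> Optional[str]:
    """Appliance-side name resolution; None models a lookup the appliance cannot complete
    (for example a name the client resolved through WINS)."""
    return dns_table.get(host.lower())


def can_trust_client_ip(req: Request, trust_destination_ip: bool) -> bool:
    """Trust Destination IP applies only when none of the excluding conditions hold."""
    if not trust_destination_ip:
        return False
    return not (req.explicit or req.forwarding_rule or req.socks_gateway or req.url_rewritten)


def choose_server_ip(req: Request, trust_destination_ip: bool,
                     dns_table: Dict[str, str] = DNS_TABLE) -> Optional[str]:
    """IP the appliance connects to, or None when it must resolve the name but cannot."""
    if can_trust_client_ip(req, trust_destination_ip):
        return req.client_dst_ip     # no DNS lookup; the transaction goes straight to that IP
    return resolve(req.host_header, dns_table)


def destination_mismatch(req: Request, dns_table: Dict[str, str] = DNS_TABLE) -> bool:
    """Defender's check: the client-chosen IP differs from what the Host header resolves to.
    With Trust Destination IP enabled, this is exactly the case where host-based policy
    is evaluated against one site while the connection goes to another."""
    resolved = resolve(req.host_header, dns_table)
    return resolved is not None and resolved != req.client_dst_ip


def audit(requests, trust_destination_ip: bool, dns_table: Dict[str, str] = DNS_TABLE):
    """(host, ip) pairs that would be connected by trusting a client IP that does not
    match the appliance's own resolution of the host name."""
    return [
        (r.host_header, r.client_dst_ip)
        for r in requests
        if can_trust_client_ip(r, trust_destination_ip) and destination_mismatch(r, dns_table)
    ]


if __name__ == "__main__":
    suspicious = Request("allowed.example", "198.51.100.7")   # host says one site, IP is another
    print(choose_server_ip(suspicious, True), choose_server_ip(suspicious, False))
    print(audit([suspicious], True))
```

Running the audit over a sample of intercepted requests before enabling Trust Destination IP shows how often the client-chosen address disagrees with the appliance's own resolution; a non-empty result is the situation in which the setting lets a request reach an address that host-based policy never examined.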

About the Default Settings


During the initial configuration tasks, the administrator determined the default
Trust Destination IP setting. In most deployments, the role of the appliance
determines the setting:
❐ Acceleration role: enabled.
❐ Most other proxy deployments: disabled for tighter security.
You can change these defaults through the Management Console, the CLI, or
through policy. If you use policy, however, be aware that it overrides the setting in
the Management Console.
For information about using the trust_destination_ip(yes|no) CPL property,
refer to the Content Policy Language Guide.

Configuring the ProxySG Appliance to Trust or Not Trust the
Destination IP Address
To change the current trust destination default setting:
1. Select the Configuration > Proxy Settings > General tab.

2. Select or clear the Trust client-provided destination IP when connecting to servers
option.
3. Click Apply.

Section 3 Managing Licensed User Connection Limits (ProxySG to
Server)
This section describes how to enable license-enforced user limits on the ProxySG
appliance, how to monitor user numbers, and how to configure the appliance to
behave when a limit is breached.

About User Limits


If you have more users connecting through the system than is coded by the model
license, you have an option to configure the overflow behavior (after a permanent
model license has been applied to the system). The enforcement options are to
queue the connections or to bypass the appliance and proceed directly to the
server.
Only unique IP addresses of connections intercepted by proxy services are
counted toward the user limit; furthermore, the number of users depends on the
hardware model and whether or not ADN is enabled.
License-enforced user connection limits are advisory and are based on optimal
performance for each appliance. The default setting is to not enforce user limits;
however, when a user connection limit is breached, the appliance logs the event
and the license health indicator changes to Critical.
For WAN optimization deployments, Blue Coat recommends purchasing a
ProxySG model based on the maximum number of client connections it needs to
support, not the maximum number of users, since the connection limit is likely to
be reached first; your channel partner SE or local Blue Coat SE can assist you with
WAN optimization connection counts and sizing for your specific needs.
The following tables provide the user connection limits hard-coded into the
license per hardware or virtual appliance model.

Table 7–4 Hardware Models and Licensed Users

Number of Licensed Users (Concurrent Source IP Addresses)

Hardware Model   Without ADN   With ADN (SGOS only)
S200-10          Unlimited     Unlimited
S200-20          Unlimited     Unlimited
S200-30          Unlimited     Unlimited
S200-40          Unlimited     Unlimited
S400-20          Unlimited     Unlimited
S400-30          Unlimited     Unlimited
S400-40          Unlimited     Unlimited
S500-10          Unlimited     Unlimited
S500-20          Unlimited     Unlimited
300-5            30            10
300-10           150           150
300-25           Unlimited     Unlimited
600-10           500           500
600-20           1000          1000
600-35           Unlimited     Unlimited
900-10           3500          3500
900-10B          3500          3500
900-20           6000          6000
900-30           Unlimited     Unlimited
900-45           Unlimited     Unlimited
900-55           Unlimited     Unlimited
9000-5           Unlimited     Unlimited
9000-10          Unlimited     Unlimited
9000-20          Unlimited     Unlimited
9000-20B         Unlimited     Unlimited
9000-30          Unlimited     Unlimited
9000-40          Unlimited     Unlimited

Table 7–5 Virtual Appliance Models and Licensed Users

Virtual Appliance Model Number of Licensed Users

VA-5 10

VA-10 50

VA-15 125

VA-20 300

V-100 Up to 2500

Tasks for Managing User Limits


To learn more about user limits, see "About User Limits" on page 158.
Monitoring and managing user limits requires the following tasks:

❐ "Modifying User Limits Notifications" on page 160—Configure the
ProxySG appliance to monitor and alert you when a user limit is near.
❐ "Determining Behavior When User Limits are Exceeded" on page 161—
Determine what happens when more user connections occur than the
license allows.

Note: If your platform and license support unlimited user connections, you do
not have to configure user limit notifications because the thresholds cannot be
exceeded. Refer to Table 7–4, "Hardware Models and Licensed Users" on page 158
and Table 7–5, "Virtual Appliance Models and Licensed Users" on page 159 to
determine the limits for your hardware or virtual appliance model.

Modifying User Limits Notifications


You can set and monitor user limit thresholds of the model license. A threshold
breach triggers a notification and/or event log entry. Frequent breaches indicate
that constant user connections to this particular ProxySG model are exceeding the
optimal design.

Note: You can access the Statistics > Health Monitoring > Licensing tab to view
licensing status, but you cannot make changes to the threshold values from that
tab.

To view licensing metrics and set user limits notifications:


1. Click Maintenance > Health Monitoring > Licensing.

2. Select User License Utilization.


3. Click Edit. The Edit Health Monitor Settings dialog displays.


4. (Optional) Modify the threshold and interval values to your satisfaction. The
thresholds represent the percentage of license use.
a. Modify the Critical and/or Warning Threshold settings. These values are
the percentages of maximums. For example, if the appliance is an
SG810-20 and ADN is enabled, the maximum number of unique user
connections is 1000. With a Warning Threshold value of 80 (percent) and
Critical Threshold value of 90, the notification triggers when user
connectivity reaches 800 and 900, respectively.
b. Modify the Critical and/or Warning Interval settings. These values are the
number of seconds that elapse between user limit checks. By default,
both critical and warning interval checks occur every 120 seconds.
5. Select the notification settings:
• Log adds an entry to the Event Log.
• Trap sends an SNMP trap to all configured management stations.
• Email sends an e-mail to the addresses listed in the Event Logging
properties (Maintenance > Event Logging > Mail).
6. Click OK to close the dialog.
7. Click Apply.
For information about licensing, see Chapter 3: "Licensing" on page 57.

Determining Behavior When User Limits are Exceeded


You can specify what happens when more users simultaneously connect through
the ProxySG appliance (overflow connections) than is allowed by the model license:
❐ Bypass the system: All connections exceeding the maximum are passed
through the system without processing.

❐ Queue connections: All connections exceeding the maximum are queued,
waiting for another connection to drop off.
❐ Do not enforce the licensed user limit: This is the default option for hardware
appliances. This allows for unlimited connections; however, exceeding the
license limit triggers a health monitoring event. This option is not available for
virtual appliances because the ProxySG VA always enforces the licensed user
limit.

To specify what happens when overflow connections occur:


1. Select Configuration > Proxy Settings > General.

2. In the User Overflow Action area, select an action that occurs when the licensed
user limits are exceeded:
• Do not enforce licensed user limit is the default. Unlimited user connections
are possible. If the limit is exceeded, the appliance health changes to
CRITICAL. This option is not available on the ProxySG VA because licensed
user limits are always enforced.
• Bypass connections from users over license limit—Any transaction from a user
whose connection exceeds the licensed limit is not susceptible to policy
checks or any other ProxySG benefit, such as acceleration. This option
provides the best user experience (with the caveat of potentially slower
performance), but presents a Web security risk. This is the default option
for the ProxySG VA.
• Queue connections from users over license limit—Any transaction from a user
whose connection exceeds the licensed limit must wait (in order) for an
available ProxySG connection. This option provides the lowest user
experience (and users might become frustrated and, perceiving a hang,
might attempt request refreshes), but preserves Web security policies.
3. Click Apply.

Viewing Concurrent Users


View a snapshot of intercepted, concurrent users by selecting the Statistics > System
> Resources > Concurrent Users tab. The tab shows user connections going through
the ProxySG appliance for the last 60 minutes, day, week, month, and year. Only
unique IP addresses of connections intercepted by proxy services are counted
toward the user limit.

See Also
❐ "Global Options for Proxy Services"
❐ "Enabling Reflect Client Source IP"
❐ "About Trusting the Destination IP Address Provided by the Client"
❐ "Managing Licensed User Connection Limits (ProxySG to Server)"

Section F: Exempting Requests From Specific Clients
The bypass list contains IP addresses/subnet masks of client and server
workstations. Used only in a transparent proxy environment, the bypass list
allows the ProxySG appliance to skip processing requests sent from specific
clients to specific servers. The list allows traffic between protocol incompliant
clients and servers to pass through the ProxySG appliance without a disruption in
service.

Note: This prevents the appliance from enforcing any policy on these requests
and disables any caching of the corresponding responses. Because bypass entries
bypass Blue Coat policy, use bypass sparingly and only for specific situations.

This section covers the following topics:


❐ "Adding Static Bypass Entries"
❐ "Using Policy to Configure Dynamic Bypass" on page 165

Section 4 Adding Static Bypass Entries
You can add entries to prevent the ProxySG appliance from intercepting requests
from specified systems.

Note: Dynamic bypass cannot be configured through the Management
Console. You must define policy or use the CLI. For more information, see
"Using Policy to Configure Dynamic Bypass" on page 165.

To add static bypass entries:


1. Click the Configuration > Services > Proxy Services > Static Bypass List tab.

2. Click New to create a new list entry (or click Edit to modify a list entry). The
New Bypass List Entry dialog displays.
3. Create a Client Address or Server Address entry. The IP address can be IPv4 or
IPv6. If you enter an IPv4 address, you can specify a subnet mask. For IPv6
addresses, you can specify a prefix length.
4. (Optional) Add a Comment that indicates why you are creating the static
bypass rule for the specific source/destination combination. This is useful if
another administrator needs to tune the settings later.
5. Click OK to close the dialog.
6. Click Apply.

Using Policy to Configure Dynamic Bypass


Dynamic bypass, available through policy, can automatically compile a list of
response URLs that return various types of errors.

Note: Because bypass entries bypass Blue Coat policy, the feature should be used
sparingly and only for specific situations.

About Dynamic Bypass


Dynamic bypass keeps its own (dynamic) list of which connections to bypass,
where connections are identified by both source and destination. Dynamic bypass
can be based on any combination of policy triggers. In addition, some global
settings can be used to selectively enable dynamic bypass based on specific HTTP
response codes. After an entry exists in the dynamic bypass table for a specific
source/destination IP pair, all connections from that source IP to that destination
IP are bypassed in the same way as connections that match against the static
bypass list.
For a configured period of time, further requests for the error-causing URLs are
sent immediately to the origin content server (OCS), bypassing the ProxySG
appliance. The amount of time a dynamic bypass entry stays in the list and the
types of errors that cause the ProxySG appliance to add a site to the list, as well as
several other settings, are configurable from the CLI.
After the dynamic bypass timeout for a client and server IP address entry ends,
the ProxySG appliance removes the entry from the bypass list. On the next client
request for the client and server IP address, the ProxySG appliance attempts to
contact the OCS. If the OCS still returns an error, the entry is again added to the
local bypass list for the configured dynamic bypass timeout. If the entry does not
return an error, entries are again added to the dynamic list and not the local list.

Notes
❐ Dynamic bypass entries are lost when the ProxySG appliance is restarted.
❐ No policy enforcement occurs on client requests that match entries in the
dynamic or static bypass list.
❐ If a site that requires forwarding policy to reach its destination is entered into
the bypass list, the site is inaccessible.

Configuring Dynamic Bypass


Dynamic bypass is disabled by default. Enabling and fine-tuning dynamic bypass
is a two-step process:
❐ Set the desired dynamic bypass timeout and threshold parameters.
❐ Use policy (recommended) or the CLI to enable dynamic bypass and set the
types of errors that cause dynamic bypass to add an entry to the bypass list.

Adding Dynamic Bypass Parameters to the Local Bypass List


The first step in configuring dynamic bypass is to set the server-threshold,
max-entries, or timeout values in the CLI.

Note: This step is optional because the ProxySG appliance uses default
configurations if you do not specify them. Use the default values unless you have
specific reasons for changing them. Contact Blue Coat Technical Support for
detailed advice on customizing these settings.

❐ The server-threshold value defines the maximum number of client entries
before the ProxySG appliance consolidates client–server pair entries into a
single server entry that then applies to all clients connecting to that server. The
range is 1 to 256. The default is 16. When a consolidation occurs, the lifetime of
the consolidated entry is set to the value of timeout.
❐ The max-entries defines the maximum number of total dynamic bypass
entries. The range is 100 to 50,000. The default value is 10,000. When the
number of entries exceeds the max-entries value, the oldest entry is replaced
by the newest entry.
❐ The timeout value defines the number of minutes a dynamic bypass entry can
remain unreferenced before it is deleted from the bypass list. The range is 1 to
86400. The default value is 60.
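The consolidation, eviction and expiry rules described for these three parameters, modelled in Python as an added illustration (this is not SGOS code; the DynamicBypassList class, its method names, the minute-based clock and the sample IP addresses are constructed for the example):

```python
from collections import OrderedDict


class DynamicBypassList:
    """Simplified model of the dynamic bypass list (constructed illustration,
    not SGOS code). Times are minutes, supplied by the caller as numbers."""

    def __init__(self, server_threshold=16, max_entries=10000, timeout=60):
        # Ranges and defaults as documented for the three CLI parameters.
        assert 1 <= server_threshold <= 256
        assert 100 <= max_entries <= 50000
        assert 1 <= timeout <= 86400
        self.server_threshold = server_threshold
        self.max_entries = max_entries
        self.timeout = timeout
        # key -> minute of last reference; insertion order doubles as age.
        # key is (client_ip, server_ip) for a pair entry, or
        # (None, server_ip) for a consolidated server-wide entry.
        self._entries = OrderedDict()

    def _touch(self, key, now):
        """Refresh an entry's last-referenced time and mark it newest."""
        self._entries[key] = now
        self._entries.move_to_end(key)

    def _expire(self, now):
        """Delete entries left unreferenced for `timeout` minutes or more."""
        for key, last in list(self._entries.items()):
            if now - last >= self.timeout:
                del self._entries[key]

    def add(self, client_ip, server_ip, now):
        """Record a trigger (for example a 503 or a connect-error) for a
        client/server pair, then apply consolidation and the size limit."""
        self._expire(now)
        server_key = (None, server_ip)
        if server_key in self._entries:
            self._touch(server_key, now)      # already covered server-wide
            return
        self._touch((client_ip, server_ip), now)
        # server-threshold: once more than this many clients hold entries
        # for one server, collapse them into a single server entry whose
        # lifetime restarts at `timeout`.
        pairs = [k for k in self._entries
                 if k[1] == server_ip and k[0] is not None]
        if len(pairs) > self.server_threshold:
            for k in pairs:
                del self._entries[k]
            self._touch(server_key, now)
        # max-entries: the oldest entry is replaced by the newest.
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)

    def bypassed(self, client_ip, server_ip, now):
        """True if a request from client_ip to server_ip goes straight to
        the OCS (no policy, no caching). A match refreshes the entry."""
        self._expire(now)
        for key in ((None, server_ip), (client_ip, server_ip)):
            if key in self._entries:
                self._touch(key, now)
                return True
        return False

    def __len__(self):
        return len(self._entries)


def demo():
    """Walk through consolidation and expiry with a low threshold."""
    bl = DynamicBypassList(server_threshold=2, max_entries=100, timeout=60)
    bl.add("10.0.0.1", "203.0.113.5", now=0)
    bl.add("10.0.0.2", "203.0.113.5", now=1)
    before = bl.bypassed("10.0.0.9", "203.0.113.5", now=2)    # pair only
    bl.add("10.0.0.3", "203.0.113.5", now=3)   # third client: consolidate
    after = bl.bypassed("10.0.0.9", "203.0.113.5", now=4)     # server-wide
    expired = bl.bypassed("10.0.0.9", "203.0.113.5", now=64)  # 60 min idle
    return before, after, expired, len(bl)
```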

Enabling Dynamic Bypass and Specifying Triggers

Enabling dynamic bypass and specifying the types of errors that cause a URL to
be added to the local bypass list are done with the CLI. You cannot use the
Management Console.
Using policy to enable dynamic bypass and specify trigger events is better than
using the CLI, because the CLI has only a limited set of responses. For
information about available CLI triggers, refer to the Blue Coat Content Policy
Language Guide. For information about using policy to configure dynamic
bypass, refer to the Visual Policy Manager Reference.

Bypassing Connection and Receiving Errors


In addition to setting HTTP code triggers, you can enable connection and receive
errors for dynamic bypass.
If connect-error is enabled, any connection failure to the origin content server
(OCS), including timeouts, inserts the OCS destination IP address into the
dynamic bypass list.
If receive-error is enabled, when the cache does not receive an HTTP response
on a successful TCP connection to the OCS, the OCS destination IP address is
inserted into the dynamic bypass list. Server timeouts can also trigger
receive-error. The default timeout value is 180 seconds, which can be changed.

CLI Syntax to Enable Dynamic Bypass and Trigger Events

❐ To enter configuration mode for the service:
#(config) proxy-services
#(config proxy-services) dynamic-bypass

❐ The following subcommands are available:
#(config dynamic-bypass) {enable | disable}
#(config dynamic-bypass) max-entries number
#(config dynamic-bypass) server-threshold number
#(config dynamic-bypass) trigger {all | connect-error | non-http |
receive-error | 400 | 401 | 403 | 405 | 406 | 500 | 502 | 503 | 504}
#(config dynamic-bypass) timeout minutes
#(config dynamic-bypass) no trigger {all | connect-error | non-http |
receive-error | 400 | 401 | 403 | 405 | 406 | 500 | 502 | 503 | 504}
#(config dynamic-bypass) clear
#(config dynamic-bypass) view

Section G: Trial or Troubleshooting: Restricting Interception From
Clients or To Servers
This section discusses Restricted Intercept topics. See "Restricted Intercept Topics"
for details.

Section 5 Restricted Intercept Topics
❐ "About Restricted Intercept Lists"
❐ "Creating a Restricted Intercept List" on page 170

About Restricted Intercept Lists


By default, all clients and servers evaluate the entries in Proxy Services where the
decision is made to intercept or bypass a connection. To restrict or reduce the
clients and servers that can be intercepted by proxy services, create restricted
intercept lists. A restricted intercept list is useful in a rollout, before entering full
production—you only want to intercept a subset of the clients. After the ProxySG
appliance is in full production mode, you can disable the restricted intercept list.
A restricted intercept list is also useful when troubleshooting an issue because
you can reduce the set of systems that are intercepted.

Notes
❐ Restricted intercept lists are only applicable to transparent connections.
❐ An entry can exist in both the Static Bypass List and the Restricted Intercept List.
However, the Static Bypass List overrides the entries in the Restricted Intercept
List.

Creating a Restricted Intercept List


To create a Restricted Intercept List:
1. From the Management Console, select the Configuration > Services > Proxy
Services > Restricted Intercept List tab.

2. Select Restrict Interception to the servers and clients listed below-- all other
connections are bypassed.

3. Create a new entry:


a. Click New; the New Restricted Intercept Entry dialog displays.
b. Restrict interception from specific clients: In the Client Address area,
select Client host or subnet. Enter an IPv4 or IPv6 address in the IP
Address field and enter the subnet mask (for IPv4 addresses) or prefix
length (IPv6) in the Prefix/Subnet field.
c. Restrict interception to specific servers: In the Server Address area,
select Server host or subnet. Enter an IPv4 or IPv6 address in the IP
Address field and enter the subnet mask (for IPv4 addresses) or prefix
length (IPv6) in the Prefix/Subnet field.
d. Click OK to close the dialog.
4. Click Apply.

Section H: Reference: Proxy Services, Proxy Configurations, and
Policy
This section provides reference material.
❐ "Reference: Proxy Types"
❐ "Reference: Service/Proxy Matrices" on page 174
❐ "Reference: Access Log Fields" on page 175

Reference: Proxy Types


This section provides descriptions of the available proxies.

Table 7–6 Proxy Types

AOL-IM (AOL Instant Messaging)
  • Controls AOL instant messaging actions by allowing or denying IM
    communications and file sharing based on users (both employee identities
    and IM handles), groups, file types and names, and other triggers.
  • All IM communications can be logged and archived for review.

CIFS (Common Internet File System)
  • Optimizes/accelerates file sharing across the WAN to users in branch offices.

DNS (Domain Name Service)
  • Speeds up domain name resolution by looking up domain names in the ProxySG
    appliance's DNS cache. If the name isn't found in the cache, the appliance
    forwards the request to the configured DNS server list.
  • Ability to rewrite DNS requests and responses.

Flash (Adobe Flash Real Time Messaging Protocol)
  • Live streaming—The ProxySG appliance fetches the live Flash stream once from
    the OCS and serves it to all users behind the appliance.
  • Video-on-demand—As Flash clients stream pre-recorded content from the OCS
    through the ProxySG appliance, the content is cached on the appliance. After
    content gets cached on the ProxySG appliance, subsequent requests for the
    cached portions are served from the appliance; uncached portions are fetched
    from the OCS.

FTP (File Transfer Protocol)
  • Controls, secures, and accelerates file transfer requests.
  • Caches FTP objects.

HTTP (Hyper Text Transfer Protocol)
  • Controls, secures, and accelerates Web traffic.
  • Caches copies of frequently requested web pages and objects.

HTTPS Reverse Proxy (a proxy positioned in front of an HTTPS server that answers
secure web requests from clients, using the ProxySG appliance's local cache when
possible)
  • Accelerates secure web requests, improving the response time to clients.
  • Because the Reverse Proxy is processing the requests, it allows the HTTPS
    server to handle a heavier traffic load.

MAPI (Messaging Application Programming Interface; protocol used by Microsoft
Outlook (client) to communicate with Microsoft Exchange (server))
  • Accelerates the following Outlook processes: sending/receiving e-mail,
    accessing message folders, changing calendar elements.

MMS (Microsoft Media Services; streaming protocol)
  • Monitors, controls, limits, or blocks streaming media traffic that uses
    Microsoft's proprietary streaming protocol.
  • Reduces stutter and improves the quality of streaming media.
  • Logs streaming connections.

MSN-IM (MSN Instant Messaging)
  • Controls MSN instant messaging actions by allowing or denying IM
    communications and file sharing based on users, groups, file types and
    names, and other triggers.
  • Logs all IM communications for review.

RTSP (Real Time Streaming Protocol)
  • Monitors, controls, limits, or blocks streaming media traffic that uses the
    Internet standard RTSP protocol.
  • Reduces stutter and improves the quality of streaming media.
  • Logs streaming connections.

Shell (a proxy that allows a client to connect to other destinations via Telnet,
after the client has created an authenticated Telnet connection to the ProxySG
appliance)
  • Monitors, controls, limits, or blocks outbound Telnet connections.
  • Enforces access control to a group of users and destinations via policy.
  • Logs all connections.

SOCKS (a proxy that allows a client to connect to other destination servers/ports
in a SOCKS tunnel, after the client's connection to the SOCKS proxy is
authenticated)
  • Monitors, controls, limits, or blocks outbound client connections requested
    using the SOCKS protocol.
  • Through policy, enforces access control to a group of users and destinations.
  • SOCKS traffic can be passed to other proxies (such as HTTP or AOL-IM) for
    acceleration.
  • Logs all connections.

SSL (Secure Socket Layer)
  • Allows authentication, virus scanning and URL filtering of encrypted HTTPS
    content.
  • Accelerates performance of HTTPS content, using HTTP caching.
  • Validates server certificates presented by various secure websites at the
    gateway.

TCP-Tunnel (a tunnel for any TCP-based protocol for which a more specific proxy
is not available)
  • Compresses and accelerates tunneled traffic.

Yahoo-IM (Yahoo Instant Messaging)
  • Controls Yahoo instant messaging actions by allowing or denying IM
    communications and file sharing based on users, groups, file types and
    names, and other triggers.
  • Logs all unencrypted IM communications for review.

Reference: Service/Proxy Matrices


Expanding on the service port listing at the beginning of this chapter, the table
below provides a list of the pre-defined proxy services and listeners that the Proxy
can accelerate and interpret. Links to the related proxy configuration sections are
included.

Table 7–7 Proxy Name and Listeners (alphabetical order)

Each entry lists: service name; proxy; destination IP address; port range;
where the configuration is discussed.

AOL-IM; proxy AOL-IM; All; 5190.
CIFS; proxy CIFS; Transparent; 445, 139; Chapter 11: "Accelerating File
  Sharing" on page 297.
DNS; proxy DNS; All; 53; Chapter 14: "Managing the Domain Name Service (DNS)
  Proxy" on page 347.
Endpoint Mapper; proxy Endpoint Mapper; All; 135; Chapter 12: "Managing
  Microsoft Outlook E-mail Traffic" on page 313.
Explicit HTTP; proxy HTTP; Explicit; 8080, 80; Chapter 8: "Intercepting and
  Optimizing HTTP Traffic" on page 177.
External HTTP; proxy HTTP; Transparent; 80.
FTP; proxy FTP; All; 21; Chapter 13: "Managing the File Transport Protocol
  (FTP) Proxy" on page 337.
HTTPS; proxy SSL; All; 443; Chapter 9: "Managing the SSL Proxy" on page 243.
Internal HTTP; proxy TCP-Tunnel; 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/16,
  169.254.0.0/16, 192.0.2.0/24; 80; Chapter 8: "Intercepting and Optimizing
  HTTP Traffic" on page 177.
MMS; proxy MMS; All; 1755; Chapter 26: "Managing Streaming Media" on page 587.
MSN-IM; proxy MSN-IM; All; 1863, 6891.
MS Terminal Services; proxy TCP-Tunnel; Transparent; 3389; Chapter 26:
  "Managing Streaming Media" on page 587.
SOCKS; proxy SOCKS; Explicit; 1080; Chapter 43: "SOCKS Gateway Configuration"
  on page 981.
Yahoo-IM; proxy Yahoo-IM; All; 5050, 5101.

Reference: Access Log Fields


The access log has two fields: service name and service group name.
❐ Name of the service used to intercept this connection:
• x-service-name (ELFF token) service.name (CPL token)

Note: The x-service-name field replaces the s-sitename field. The s-sitename
field can still be used for backward compatibility with squid log formats, but it
has no CPL equivalent.

❐ Service group name:
• x-service-group (ELFF token) service.group (CPL token)

Note: See Chapter 31: "Creating Custom Access Log Formats" on page 717 and
Chapter 32: "Access Log Formats" on page 727 for detailed information about
creating and editing log formats.

Chapter 8: Intercepting and Optimizing HTTP Traffic

This chapter describes how to configure the HTTP proxy to manage traffic and
accelerate performance in your environment.

Topics in this Chapter


This chapter includes information about the following topics:
❐ Section A: "About the HTTP Proxy" on page 179
❐ Section B: "Changing the External HTTP (Transparent) Proxy Service to
Intercept All IP Addresses on Port 80" on page 181
❐ Section C: "Managing the HTTP Proxy Performance" on page 182
❐ Section D: "Selecting an HTTP Proxy Acceleration Profile" on page 198
❐ Section E: "Using a Caching Service" on page 207
❐ Section F: "Fine-Tuning Bandwidth Gain" on page 210
❐ Section G: "Caching Authenticated Data (CAD) and Caching Proxy
Authenticated Data (CPAD)" on page 218
❐ Section H: "Viewing HTTP/FTP Statistics" on page 229
❐ Section I: "Supporting IWA Authentication in an Explicit HTTP Proxy" on
page 235
❐ Section J: "Supporting Authentication on an Upstream Explicit Proxy" on
page 237
❐ Section K: "Detect and Handle WebSocket Traffic" on page 238

How Do I...?
To navigate this chapter, identify the task to perform and click the link:

How do I...? / See...

Intercept traffic on the HTTP Proxy?
  "Changing the External HTTP (Transparent) Proxy Service to Intercept All IP
  Addresses on Port 80" on page 181

Create a new HTTP Proxy service?
  Section C: "Creating Custom Proxy Services" on page 140

Configure the HTTP Proxy for object freshness?
  "Allocating Bandwidth to Refresh Objects in Cache" on page 211
  Step 4 in "To set HTTP default object caching policy:" on page 196

Bypass the cache or not cache content using policy?
  Refer to the Visual Policy Manager Reference and the Content Policy Language
  Guide. Use either the VPM or CPL to create policy that allows for bypassing
  the cache or for prohibiting caching based on your needs.

Choose a proxy acceleration profile?
  "Selecting an HTTP Proxy Acceleration Profile" on page 198

Cache content without having to use policy?
  "Using a Caching Service" on page 207

Configure the HTTP proxy to be a server accelerator or reverse proxy?
  "About the Normal Profile" on page 198

Configure the HTTP proxy to be a forward proxy?
  "About the Portal Profile" on page 198

Configure the HTTP proxy to be a server-side bandwidth accelerator?
  "About the Bandwidth Gain Profile" on page 199

Fine-tune the HTTP Proxy for bandwidth gain?
  "Using a Caching Service" on page 207
  "Using Byte-Range Support" on page 212

Configure Internet Explorer to explicitly proxy HTTP traffic?
  "Supporting IWA Authentication in an Explicit HTTP Proxy" on page 235

Configure the ProxySG appliance to detect and handle WebSocket traffic?
  "Detect and Handle WebSocket Traffic" on page 238

Section A: About the HTTP Proxy
Before Reading Further
Before reading this section, Blue Coat recommends that you be familiar with the
concepts in these sections:
❐ "About Proxy Services" on page 130.
❐ Chapter 34: "Configuring an Application Delivery Network" on page 837
(optimize ADN performance on the HTTP Proxy).
The HTTP proxy is designed to manage Web traffic across the WAN or from the
Internet, providing:
❐ Security
❐ Authentication
❐ Virus Scanning and Patience Pages
❐ Performance, achieved through Object Caching and Object Pipelining
❐ Transition functionality between IPv4-only and IPv6-only networks
The proxy can serve requests without contacting the Origin Content Server (OCS)
by retrieving content saved from a previous request made by the same client or
another client. This is called caching. The HTTP proxy caches copies of frequently
requested resources on its local hard disk. This significantly reduces upstream
bandwidth usage and cost and significantly increases performance.
Proxy services define the ports and addresses where a ProxySG listens for
incoming requests. The ProxySG has three default HTTP proxy services: External
HTTP, Explicit HTTP, and Internal HTTP. Explicit HTTP and External HTTP use the HTTP
proxy, while Internal HTTP uses TCP tunnel.
❐ The Explicit HTTP proxy service listens on ports 80 and 8080 for explicit
connections.
❐ The Internal HTTP proxy service listens on port 80 and transparently intercepts
HTTP traffic from clients to internal network hosts.
❐ The External HTTP proxy service listens on port 80 for all other transparent
connections to the ProxySG. Typically, these requests are for access to Internet
resources.
Although you can intercept SSL traffic on either port, for the ProxySG to
detect the presence of SSL traffic you must enable Detect Protocol on the explicit
HTTP service so that the SSL traffic is handed off to the SSL Proxy. The default
is OFF. For more information on SSL proxy functionality, see Chapter 9: "Managing
the SSL Proxy" on page 243.
Furthermore, you can create a bypass list on the ProxySG to exclude the
interception of requests sent from specific clients to specific servers and disable
caching of the corresponding responses. The static bypass list also turns off all
policy control and acceleration for each matching request. For example, for all
clients visiting www.bluecoat.com you might exclude interception and caching of

all requests, the corresponding responses, acceleration and policy control. To
create a static bypass list, used only in a transparent proxy environment, see
"Adding Static Bypass Entries" on page 165.
When accessing internal IP addresses, Blue Coat recommends using the TCP
tunnel proxy instead of the HTTP proxy. Some applications deployed within
enterprise networks are not fully compatible with the HTTP specifications or are
poorly designed, and using them through the HTTP proxy can cause connection
disruptions. For this reason, internal sites and servers use the Internal HTTP
service, which employs the TCP tunnel proxy.

Important: The TCP tunnel does not support HTTP proxy service functionality.
That is, only the TCP header of a request (containing source and destination port
and IP) is visible to the ProxySG for policy evaluation. To ensure you get the
most from the appliance, you must edit the External (transparent) HTTP service
to use the HTTP proxy instead of the default TCP tunnel.

IPv6 Support
The HTTP proxy is able to communicate using either IPv4 or IPv6, either
explicitly or transparently.
In addition, for any service that uses the HTTP proxy, you can create listeners that
bypass or intercept connections for IPv6 sources or destinations.

About Web FTP

Web FTP is used when a client uses the HTTP protocol to access an FTP server.
Web FTP allows you to connect to an FTP server with an ftp:// URL. The
ProxySG translates the HTTP request into an FTP request for the origin content
server (OCS), if the content is not already cached. It then translates the FTP
response carrying the file contents into an HTTP response for the client.
To manage Web FTP connection requests on the ProxySG, the HTTP service on
port 80 (or 8080 in explicit deployments) must be set to Intercept.
For information on using an FTP client to communicate via the FTP protocol, see
Chapter 13: "Managing the File Transport Protocol (FTP) Proxy" on page 337.

Configuring Internet Explorer for Web FTP with an Explicit HTTP Proxy
Because a Web FTP client uses HTTP to connect to the ProxySG, the HTTP proxy
manages this Web FTP traffic. For an explicitly configured HTTP proxy, Internet
Explorer version 10.0 users accessing FTP sites over HTTP must clear the Enable
folder view for FTP sites browser setting.

To disable Web FTP in Internet Explorer v10.0:
1. In Internet Explorer, select Tools > Internet Options.
2. Click the Advanced tab.
3. Clear the Enable FTP folder view option and click OK.

Section B: Changing the External HTTP (Transparent) Proxy Service
to Intercept All IP Addresses on Port 80
By default, the External HTTP service includes an HTTP proxy service listener
configured on port 80. During the initial ProxySG configuration, if it hasn’t
already been set, you can set External HTTP to Intercept.
The following procedure describes how to set the service to Intercept mode.

To intercept traffic using the External HTTP proxy service:


1. From the Management Console, select Configuration > Services > Proxy Services.
2. Intercept External HTTP traffic:
a. Scroll the list of service groups, click Standard, and select External HTTP.
b. Select Intercept from the drop-down list.
3. Click Apply.
Now that the ProxySG is intercepting HTTP traffic, configure the HTTP proxy
options. The following sections provide detailed information and procedures:
❐ Section C: "Managing the HTTP Proxy Performance" on page 182
❐ Section D: "Selecting an HTTP Proxy Acceleration Profile" on page 198
❐ Section E: "Using a Caching Service" on page 207
❐ Section G: "Caching Authenticated Data (CAD) and Caching Proxy
Authenticated Data (CPAD)" on page 218

Section C: Managing the HTTP Proxy Performance
This section describes the methods you can use to configure the HTTP proxy to
optimize performance in your network.
❐ "HTTP Optimization"
❐ "Customizing the HTTP Object Caching Policy"
❐ "About the HTTP Object Caching Policy Global Defaults" on page 192
❐ "About Clientless Requests Limits" on page 193
❐ "Preventing Exception Pages From Upstream Connection Errors" on page 195
❐ "Setting the HTTP Default Object Caching Policy" on page 196

HTTP Optimization
The HTTP proxy alleviates the latency in data retrieval and optimizes the delivery
of HTTP traffic through object caching and object pipelining. Caching minimizes
the transmission of data over the Internet and over the distributed enterprise,
thereby improving bandwidth use. Pipelining allows the ProxySG to open several
connections to a server, speeding up the delivery of content into the cache.
Pre-fetching is another method the ProxySG uses to improve the user experience.
Content on a requested web page several levels deep is requested and cached for
fast delivery to users.
For objects in cache, an intelligent caching mechanism in the ProxySG maintains
object freshness. This is achieved by periodically refreshing the contents of the
cache, while maintaining the performance within your network.
The method of storing objects on disk is critical for performance and scalability.
SGOS, the operating system on the ProxySG, uses an object store system which
hashes object lookups based on the entire URL. This hashing allows access to
objects with far fewer lookups, as compared to a directory-based file system
found in traditional operating systems. While other file systems run poorly when
they are full, the ProxySG’s cache system achieves its highest performance when
it is full.

Customizing the HTTP Object Caching Policy


Object caching is the saving of an application object locally so that it can be served
for future requests without requiring retrieval from the OCS. Objects can, for
example, be documents, videos, or images on a Web page. When objects are
cached, the only traffic that crosses the WAN is permission checks (when
required) and verification checks that ensure that the copy of the object in cache is
still fresh. By allowing objects to be shared across requests and users, object
caching greatly reduces the bandwidth required to retrieve content and the
latency associated with user requests.
For more information on how the ProxySG executes permission checks to ensure
authentication over HTTP, see Section G: "Caching Authenticated Data (CAD)
and Caching Proxy Authenticated Data (CPAD)" on page 218.

In case of a reverse proxy, object caching reduces the load on the OCS and
improves scalability of the OCS.

Figure 8–1 Object Caching on the ProxySG


Before you begin customizing your HTTP Proxy policy, read the following
concepts:
❐ "About Object Pipelining" on page 183
❐ "About HTTP Object Freshness" on page 184
❐ "About Meta Tags" on page 185
❐ "About Tolerant HTTP Request Parsing" on page 185
❐ "About HTTP Compression" on page 186
❐ "About the HTTP Object Caching Policy Global Defaults" on page 192

About Object Pipelining


A Web page is typically composed of dozens of objects. When a client requests a
Web page, all the objects must be retrieved to display the Web page. This object
retrieval process presents a delay for the end user — for example, serial retrieval
of the content would create a significant time lag.
Although current browsers open multiple connections with the OCS to retrieve
objects in parallel, the ProxySG further accelerates the process with its Object
Pipelining algorithm which supports nested pipelines that are up to three levels
deep.

❐ The Object Pipelining algorithm allows the ProxySG to open as many
simultaneous TCP connections as the origin server allows, and retrieves
objects in parallel. The proxy also pre-fetches objects based on pipelined
requests. For example, if a pipelined HTML object has other embedded
objects, the HTTP proxy will pre-fetch those embedded objects from the Web
server without a request from the client. The objects are then ready to be
delivered from the cache straight to the user, as fast as the client can request
them.
While object pipelining enhances the user experience by minimizing latency and
improving response times for first-time Web page requests, it could increase
bandwidth utilization. Therefore by default, to avoid an increase in bandwidth
utilization, object pipelining is disabled for the reverse proxy and bandwidth gain
profiles. It is enabled, by default, only on the forward proxy — Normal profile,
where enhancing the response time for clients is vital.

About HTTP Object Freshness


HTTP proxy categorizes HTTP objects into three types:
❐ Type-T: The OCS specifies explicit expiration time.
❐ Type-M: Expiration time is not specified; however, the last modified time is
specified by the OCS.
❐ Type-N: Neither expiration nor last modified time has been specified.
The ProxySG Asynchronous Adaptive Refresh (AAR) algorithm was designed to
maintain the freshness for all three types of cached HTTP objects in environments
where the Internet was characterized by larger, static pages and relatively low
Internet connection speeds. With AAR enabled, the ProxySG performs freshness
checks with the OCS to expunge old content from cache and to replace it with
updated content. To maximize the freshness of the next access to objects in the
cache, the ProxySG appliance uses the AAR algorithm to perform asynchronous
revalidations on those objects based on their relative popularity and the amount
of time remaining before their estimated time of expiration.
However, with the advent of Web 2.0, the nature of the Internet has changed. With
the general adoption of Web 2.0, which is characterized by dynamic content with
many small objects coupled with increasing bandwidth to the Internet, the
methods for caching are also evolving. In SGOS 6.2 the object cache model was
changed to support more objects per disk to allow for better support for Web 2.0
content. With the addition of this object model, the value of the original adaptive
refresh model has diminished markedly, and can in many instances actually
increase the latency due to system load.
Therefore, AAR is now disabled by default on systems running SGOS 6.2.6 and
later. However, if you upgrade from a pre-SGOS 6.2.6 release, AAR may still be
enabled. For information on how to configure this feature to best serve your
environment, see "Allocating Bandwidth to Refresh Objects in Cache" on page 211.

About Meta Tags
A meta tag is a hidden tag that is placed in the <head> of an HTML document. It
provides descriptions and keywords for search engines and can contain the
attributes content, http-equiv, and name. Meta tags with an http-equiv
attribute are equivalent to HTTP headers.
The ProxySG does not parse HTTP meta tag headers if:
❐ The meta tag does not appear within the first 256 bytes of the HTTP object
body. To be parsed, relevant HTTP meta tags must appear within the first 256
bytes of the HTTP object body.
❐ The Blue Coat AV that is connected to your ProxySG adds or modifies the
meta tags in its response to the ProxySG. The response body modified by the
Blue Coat AV is not parsed.

Planning Considerations
You can use CPL properties in the <Cache> layer to control meta tag processing.
The CPL commands can be used in lieu of the check boxes for parsing meta tags
through the Management Console. For details on the meta-tags, see Step 7 in "To
set HTTP default object caching policy:" on page 196.
The following CPL commands are applicable for HTTP proxy, HTTP refresh, and
HTTP pipeline transactions:
http.response.parse_meta_tag.Cache-Control(yes|no)
http.response.parse_meta_tag.Expires(yes|no)
http.response.parse_meta_tag.Pragma.no-cache(yes|no)
VPM support to control the processing of meta tags is not available.

Related CLI Syntax to Parse Meta Tags


#(config) http [no] parse meta-tag cache-control
#(config) http [no] parse meta-tag expires
#(config) http [no] parse meta-tag pragma-no-cache
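As an added illustration of the meta tag rules above (not the appliance's parser or any SGOS code), the following Python applies the 256-byte window and the three parse switches to a response body. The function and regex names are constructed, and the rule that an explicit HTTP header beats a meta tag of the same name is an assumption of this example, not something the page states.

```python
import re

META_TAG_WINDOW = 256  # only tags that start within the first 256 body bytes

# Tag and attribute scanners (constructed for this example).
_META_RE = re.compile(rb"<meta\b([^>]*)>", re.IGNORECASE)
_ATTR_RE = re.compile(
    rb"""([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")

# Canonical header names for the three http-equiv values that have a switch.
_CANONICAL = {"cache-control": "Cache-Control",
              "expires": "Expires",
              "pragma": "Pragma"}


def _attributes(tag_body):
    """Map lower-cased attribute names to string values for one <meta> tag."""
    attrs = {}
    for m in _ATTR_RE.finditer(tag_body):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).decode("latin-1").lower()] = value.decode("latin-1")
    return attrs


def effective_headers(http_headers, body, parse_cache_control=True,
                      parse_expires=True, parse_pragma_no_cache=True):
    """Return a copy of http_headers with the qualifying meta-tag
    equivalents added.

    http_headers: dict of the response's real HTTP headers.
    body: the HTTP object body as bytes.
    The three flags mirror `http [no] parse meta-tag ...`.
    Assumption: a real header of the same name is left untouched.
    """
    enabled = {"cache-control": parse_cache_control,
               "expires": parse_expires,
               "pragma": parse_pragma_no_cache}
    headers = dict(http_headers)
    present = {name.lower() for name in headers}
    for m in _META_RE.finditer(body):
        if m.start() >= META_TAG_WINDOW:
            break                       # beyond the window: not parsed
        attrs = _attributes(m.group(1))
        name = attrs.get("http-equiv", "").lower()
        if name not in _CANONICAL or not enabled[name]:
            continue                    # no http-equiv, or switch is off
        value = attrs.get("content", "").strip()
        if name == "pragma" and value.lower() != "no-cache":
            continue                    # only Pragma: no-cache is recognised
        if name in present:
            continue                    # explicit HTTP header wins (assumed)
        headers[_CANONICAL[name]] = value
        present.add(name)
    return headers


# Constructed sample body: two tags inside the window, one pushed past it
# by a long comment.
SAMPLE_BODY = (
    b"<html><head>"
    b'<meta http-equiv="Cache-Control" content="no-store">'
    b'<meta http-equiv="Pragma" content="no-cache">'
    b'<meta name="keywords" content="proxy">'
    + b"<!-- " + b"x" * 300 + b" -->"
    + b'<meta http-equiv="Expires" content="0">'
    b"</head></html>"
)
```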

About Tolerant HTTP Request Parsing

The tolerant HTTP request parsing flag causes certain types of malformed
requests to be processed instead of being rejected. The defaults are:
❐ Proxy Edition: The HTTP tolerant request parsing flag is not set by default.
The ProxySG blocks malformed HTTP requests, returning a 400 Invalid Request
error.
❐ MACH5 Edition: The HTTP tolerant request parsing flag is set by default.
Malformed HTTP requests are not blocked.

Implementation of HTTP Tolerant Request Parsing


By default, a header line that does not begin with a <Tab> or space character must
consist of a header name (which contains no <Tab> or space characters), followed
by a colon and an optional value.

When the tolerant HTTP request parsing flag is either not set or is disabled, if the
header name and required details are missing, the ProxySG blocks malformed
HTTP requests and returns a 400 Invalid Request error.
With tolerant request parsing enabled, a request header name is allowed to
contain <Tab> or space characters, and if the request header line does not contain
a colon, then the entire line is taken as the header name.
A header containing only one or more <Tab> or space characters is considered
ambiguous. The ProxySG cannot discern if this is a blank continuation line or if it
is a blank line that signals the end of the header section. By default, an ambiguous
blank line is illegal, and an error is reported. With tolerant request parsing
enabled, an ambiguous blank line is treated as the blank line that ends the header
section.

To enable the HTTP tolerant request parsing flag:

Note: This feature is only available through the CLI.

From the (config) prompt, enter the following command to enable tolerant HTTP
request parsing (the default is disabled):
#(config) http tolerant-request-parsing
To disable HTTP tolerant request parsing:
#(config) http no tolerant-request-parsing
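The strict and tolerant header-line rules described above, as an added illustration in Python (a constructed example, not SGOS code; the function parse_request_headers, the InvalidRequest exception and the sample requests are assumptions made for this example):

```python
import re


class InvalidRequest(Exception):
    """Raised where the ProxySG would return 400 Invalid Request."""


def parse_request_headers(raw, tolerant=False):
    """Parse an HTTP request head and return (request_line, headers).

    raw: bytes of the request head, CRLF-separated, ending in a blank line.
    Strict mode (flag not set): a header name may contain no tab or space
    and must be followed by a colon; a line of only tabs/spaces is
    ambiguous (continuation or end of headers?) and is rejected.
    Tolerant mode: tabs/spaces are allowed in the name, a line with no
    colon becomes a header name with an empty value, and an ambiguous
    blank line ends the header section.
    """
    lines = raw.decode("latin-1").split("\r\n")
    request_line, lines = lines[0], lines[1:]
    headers = []
    for line in lines:
        if line == "":
            break                                  # end of header section
        if line.strip(" \t") == "":
            if not tolerant:
                raise InvalidRequest("ambiguous blank line")
            break                                  # treated as end of headers
        if line[0] in " \t":
            # Continuation line: append to the previous header's value.
            if not headers:
                raise InvalidRequest("continuation line with no header")
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip(" \t"))
            continue
        name, colon, value = line.partition(":")
        if not tolerant:
            if not colon or name == "" or re.search(r"[ \t]", name):
                raise InvalidRequest("malformed header line: %r" % line)
        elif not colon:
            name, value = line, ""                 # whole line is the name
        headers.append((name, value.strip(" \t")))
    return request_line, headers


# Constructed sample requests used below and in the checks.
GOOD = b"GET / HTTP/1.1\r\nHost: example.com\r\nX-Long: a\r\n b\r\n\r\n"
NO_COLON = b"GET / HTTP/1.1\r\nHost: example.com\r\nBroken Header\r\n\r\n"
AMBIGUOUS = b"GET / HTTP/1.1\r\nHost: example.com\r\n \r\nX: y\r\n\r\n"


def outcome(raw, tolerant=False):
    """Return the parsed headers, or the string '400' where strict parsing
    would reject the request."""
    try:
        return parse_request_headers(raw, tolerant)[1]
    except InvalidRequest:
        return "400"
```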

About HTTP Compression


Compression reduces a file size but does not lose any data. Whether you should use
compression depends upon three resources: server-side bandwidth, client-side
bandwidth, and ProxySG CPU. If server-side bandwidth is more expensive in your
environment than CPU, always request compressed content from the origin content server
(OCS). However, if CPU is comparatively expensive, the ProxySG appliance should
instead be configured to ask the OCS for the same compressions that the client requested
and to forward whatever the server returns.
The default configuration assumes that CPU is costlier than bandwidth. If this is not the
case, you can change the ProxySG appliance behavior.

Note: Decompression, content transformation, and recompression increase response
time by a small amount because of the CPU overhead. (The overhead is negligible in most
cases.) RAM usage also increases if compression is enabled.
Compression might also appear to adversely affect bandwidth gain. Because compression
results in a smaller file being served to the client than was retrieved by the ProxySG
appliance from the origin content server, bandwidth gain statistics reflect such requests/
responses as negative bandwidth gain.

Compression is disabled by default. If compression is enabled, the HTTP proxy forwards
the supported compression algorithms (gzip and deflate) from the client's request
(Accept-Encoding: request header) to the server as is, and attempts to send compressed
content to the client whenever possible. This allows the ProxySG appliance to send the
response as is when the server sends compressed data, including non-cacheable
responses. Any unsolicited encoded response is forwarded to the client as is.

Note: If compression is not enabled, the ProxySG appliance does not compress the
content if the server sends uncompressed content. However, the appliance continues to
uncompress content if necessary to apply transformations.
Any unsolicited encoded response is forwarded to the client as is.

Compression is controlled by policy only.


You can view compression statistics by going to Statistics > Protocol Details > HTTP/FTP
History > Client Comp. Gain and Server Comp. Gain.
For information on these statistics, see "Viewing HTTP/FTP Statistics" on page 229.

Understand Compression Behavior


The ProxySG compression behavior is detailed in the tables below. Compression
increases the overall percentage of cacheable content, increasing the hit rate in terms of
number of objects served from the cache.

Note: A variant is the available form of the object in the cache—compressed or
uncompressed. The Content-Encoding: header Identity refers to the uncompressed form
of the content.

For cache-hit compression behavior, see Table 8-1 below. For cache-miss compression
behavior, see Table 8-2.

Table 8-1. Cache-Hit Compression Behavior

Accept-Encoding: in client request | Variant available when the request arrived | Variant stored as a result of the request | Content-Encoding: in ProxySG response
Identity | Uncompressed object | None | Identity
Identity | No uncompressed object; gzip compressed | Uncompressed | Identity
gzip, deflate | Uncompressed object | gzip compressed | gzip
gzip, deflate | Uncompressed object; gzip compressed | None | gzip
gzip, deflate | Uncompressed object; deflate compressed | None | deflate
deflate | No uncompressed object; gzip compressed | deflate compressed | deflate (This is effectively a cache miss. The appliance does not convert from gzip to deflate.)

Table 8-2. Cache-Miss Compression Behavior

Accept-Encoding: in client request | Accept-Encoding: in ProxySG request | Content-Encoding: in server response | Generated variants | Content-Encoding: in ProxySG response
Identity | Identity | Identity | uncompressed object | Identity
gzip, deflate | gzip, deflate | Identity | uncompressed object; gzip-compressed | gzip
gzip, deflate | gzip, deflate | gzip | No uncompressed object; gzip-compressed | gzip
gzip, deflate, compress | gzip, deflate | gzip | No uncompressed object; gzip-compressed | gzip
gzip, deflate | gzip, deflate | compress (illegal response) | compress | compress

Compression Exceptions
❐ The ProxySG appliance issues a transformation_error exception (HTTP response
code 403), when the server sends an unknown encoding and the appliance is
configured to do content transformation.
❐ The ProxySG appliance issues an unsupported_encoding exception (HTTP response
code 415 - Unsupported Media Type) when the appliance is unable to deliver content
due to configured policy.
The messages in the exception pages can be customized. For information on using
exception pages, refer to “Advanced Policy Tasks” in the Visual Policy Manager Reference.

Configuring Compression
Compression behavior can only be configured through policy—VPM or CPL.

Using VPM to Configure Compression Behavior


Three objects can be used to configure compression and compression levels through VPM:
❐ Client HTTP compression object: Allows you to determine the behavior when the
client wants the content in a different form than is in the cache.
❐ Server HTTP compression object: Allows you to enable or disable compression and to
set options.
❐ HTTP compression level object: Allows you to set a compression level of low,
medium, or high.
Refer to the Visual Policy Manager Reference to configure these HTTP compression
options.

Using Policy to Configure Compression Behavior
Compression and decompression are allowed if compression is enabled. If compression is
not enabled, neither compression nor decompression are allowed.
Policy controls the compression or decompression of content on the ProxySG appliance. If
compression is turned off, uncompressed content is served to the client if a compressed
variant is not available. If decompression is disabled, an uncompressed version is fetched
from the OCS if the variant does not exist and the client requested uncompressed content.

Note: The ProxySG appliance decompresses the content if transformation is to be
applied, even if compression is not enabled.

You can use server-side or client-side controls to manage compression through policy, as
described in the following table.

Table 8-3. Compression Properties

Compression Property
    Description

http.allow_compression(yes | no)
    Allow the ProxySG appliance to compress content on demand if needed.

http.allow_decompression(yes | no)
    Allow the ProxySG appliance to decompress content on demand if needed.

http.compression_level(low | medium | high)
    Set the compression level to be low (1), medium (6), or high (9). Low is the default.

http.server.accept_encoding(client)
    Turn on only client encodings.

http.server.accept_encoding(identity)
    Turn off all encodings.

http.server.accept_encoding(all)
    Turn on all supported encodings, including the client's encodings.

http.server.accept_encoding(gzip, deflate)
    Send specific encodings (order sensitive).

http.server.accept_encoding(gzip, client)
    Send specific encodings (order sensitive).

http.server.accept_encoding.gzip(yes | no)
    Add/remove an encoding.

http.server.accept_encoding[gzip, deflate, identity](yes | no)
    Add/remove a list of encodings.

http.server.accept_encoding.allow_unknown(yes | no)
    Allow/disallow unknown encodings.

http.client.allow_encoding(identity);
    Allow no encodings (send uncompressed).

http.client.allow_encoding(client);
    Allow all client encodings. This is the default.

http.client.allow_encoding(gzip, deflate);
    Allow a fixed set of encodings.

http.client.allow_encoding(gzip, client);
    Allow a fixed set of encodings.

http.client.allow_encoding.gzip(yes | no);
    Add/remove one encoding.

http.client.allow_encoding[gzip, deflate, identity](yes | no);
    Add/remove a list of encodings.


Default Behavior
By default, Blue Coat sends the client’s list of the accept encoding algorithms, except for
unknown encodings. If compression is not enabled, the default overrides any configured
CPL policy.
If Accept-Encoding request header modification is used, it is overridden by the
compression related policy settings shown in Table 8-3. The Accept-Encoding header
modification can continue to be used if no compression policies are applied, or if
compression is not enabled. Otherwise, the compression-related policies override any
Accept-Encoding header modification, even if the Accept-Encoding header
modification appears later in the policy file.
Whether adding encoding settings with client-side controls has an effect depends on
whether the client originally listed that encoding in its Accept-Encoding header. If so,
these encodings are added to the list of candidates to be delivered to the client. The first
cache object with an Accept-Encoding match to the client-side list is the one that is
delivered.

Suggested Settings for Compression

❐ If client-side bandwidth is expensive in your environment, use the following policy:
  <proxy>
  http.client.allow_encoding(client)
  http.allow_compression(yes)
❐ If server-side bandwidth is expensive in your environment, compared to client-side
  bandwidth and CPU:
  http.server.accept_encoding(all)
  http.server.accept_encoding.allow_unknown(no); default
  http.allow_compression(yes)
  http.allow_decompression(yes)
❐ If CPU is expensive in your environment, compared to server-side and client-side
  bandwidth:
  http.server.accept_encoding(client); If no content transformation policy is configured
  http.server.accept_encoding(identity); If some content transformation policy is configured
  http.allow_compression(no); default
  http.allow_decompression(no); default

Notes
❐ Policy-based content transformations are not stored as variant objects. If content
transformation is configured, it is applied on all cache-hits, and objects might be
compressed all the time at the end of such transformation if they are so configured.
❐ The variant that is available in the cache is served, even if the client requests a
compression choice with a higher qvalue. For example, if a client requests
Accept-Encoding: gzip;q=1, deflate;q=0.1, and only a deflate-compressed object is
available in the cache, the deflate-compressed object is served.
❐ The HTTP proxy ignores the Cache-Control: no-transform directive of the OCS. To
change this, write policy to disallow compression or decompression if the
Cache-Control: no-transform response header is present.
❐ The ProxySG appliance treats multiple content encodings (gzip, deflate or gzip, gzip)
as an unknown encoding. (These strings indicate the content has been compressed
twice.)
❐ The gzip and deflate formats are treated as completely separate and are not converted
from one to the other.
❐ Blue Coat recommends using gzip encoding (or allowing both gzip and deflate)
when using the HTTP compression feature.
❐ If the ProxySG appliance receives unknown content encoding and if content
transformation is configured (such as popup blocking), an error results.
❐ If the origin server provides compressed content with a different compression level
than that specified in policy, the content is not re-compressed.
❐ If the ProxySG appliance compressed and cached content at a different compression
level than the level specified in a later transaction, the content is not re-compressed.
❐ Parsing of container HTML pages occurs on the server side, so pipelining
(prefetching) does not work when the server provides compressed content.
❐ Compressing a zip file breaks some browser versions, and compressing images does
not provide added performance.
❐ All responses from the server can be compressed, but requests to the server, such as
POST requests, cannot.
❐ Only 200 OK responses can be compressed.
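The cache-hit rules of Table 8-1, together with the qvalue and gzip/deflate notes above, as an added example that is not SGOS code: a Python function written here that takes the client's Accept-Encoding value and the set of variants already in the cache and returns which encoding is served, which new variant (if any) is stored, and whether the hit is effectively a miss. The function names and sample inputs are constructed for illustration; qvalues are discarded because the notes state that the variant present in the cache is served regardless of them.

```python
"""Cache-hit variant selection modelled on Table 8-1 and the Notes above.
Added illustration, not SGOS code; the function names and the sample inputs
in the tests are constructed here."""

SUPPORTED = ("gzip", "deflate")  # the two encodings the text says are supported


def parse_accept_encoding(header):
    """Return the encodings in an Accept-Encoding value, in the order the
    client listed them, with qvalues and whitespace discarded (the notes say
    the cached variant wins regardless of qvalue, so order is all that matters).
    An empty header is treated as a request for the uncompressed form."""
    names = []
    for item in header.split(","):
        name = item.split(";", 1)[0].strip().lower()
        if name:
            names.append(name)
    return names or ["identity"]


def select_cache_hit(accept_encoding, variants):
    """Decide how a cache hit is served.

    variants: set of encodings already cached for the object; "identity"
              stands for the uncompressed form.
    Returns (served_encoding, variant_created, effectively_miss).
    """
    wanted = parse_accept_encoding(accept_encoding)
    cached = {v.lower() for v in variants}
    # 1. A cached variant that matches the client's list, in the client's
    #    order, is served as is (rows 1, 4 and 5 of Table 8-1; qvalue note).
    for enc in wanted:
        if enc in cached:
            return enc, None, False
    # 2. The client accepts a supported compression and the uncompressed form
    #    is cached: compress on demand and store the new variant (row 3).
    for enc in wanted:
        if enc in SUPPORTED and "identity" in cached:
            return enc, enc, False
    # 3. The client wants only the uncompressed form and just a compressed copy
    #    is cached: decompress on demand and store the uncompressed variant (row 2).
    if "identity" in wanted and cached & set(SUPPORTED):
        return "identity", "identity", False
    # 4. Otherwise (e.g. deflate requested, only gzip cached): gzip and deflate
    #    are never converted into each other, so this is effectively a cache
    #    miss and the requested form is fetched from the OCS (row 6).
    return wanted[0], wanted[0], True


if __name__ == "__main__":
    # Constructed sample from the qvalue note: gzip preferred, only deflate cached.
    print(select_cache_hit("gzip;q=1, deflate;q=0.1", {"deflate"}))
```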

Section 1 About the HTTP Object Caching Policy Global Defaults
The ProxySG offers multiple configuration options that allow you to treat cached
objects in a way that best suits your business model.
The following table lists the options that you can configure.
Table 8–1 Settings for Configuring the Object Caching Policy

Setting to Configure: Setting the maximum object cache size
Notes: The default is 10000 MB for new installations of version 6.6.4.3 and later. If
you are using a version prior to 6.6.4.3 or have upgraded to 6.6.4.3 or later, the
default is 4096 MB.

Setting to Configure: Setting the TTL for negative responses in cache
Notes: Determines the number of minutes the SGOS stores negative responses for
requests that could not be served to the client.
The OCS might send a client error code (4xx response) or a server error code (5xx
response) as a response to some requests. If you configure the ProxySG to cache
negative responses for a specified number of minutes, it returns the negative
response in subsequent requests for the same page or image for the specified length
of time. The ProxySG will not attempt to fetch the request from the OCS. Therefore,
while server-side bandwidth is saved, you could receive negative responses to
requests that might otherwise have been served by accessing the OCS.
By default, the ProxySG does not cache negative responses. It always attempts to
retrieve the object from the OCS, if it is not already in cache.
Default: 0 minutes

Setting to Configure: Forcing freshness validation before serving an object from cache
Notes: Verifies that each object is fresh upon access. Enabling this setting has a
significant impact on performance because the HTTP proxy revalidates requested
cached objects with the OCS before serving them to the client. This results in a
negative impact on bandwidth gain. Therefore, do not enable this configuration
unless absolutely required.
To enable it, select the Always check with source before serving object check box.
Default: Disabled

Setting to Configure: Parsing HTTP meta tag headers
Notes: Determines how HTTP meta tag headers are parsed in HTML documents. The
meta tags that can be enabled for parsing are:
• Cache-control meta tag
The sub-headers that are parsed when this check box is selected are:
private, no-store, no-cache, max-age, s-maxage, must-revalidate, proxy-revalidate
• Expires meta tag
This directive parses for the date and time after which the document should be
considered expired.
• Pragma-no-cache meta tag
This directive indicates that cached information should not be used and instead
requests should be forwarded to the OCS.
Default: Disabled

Setting to Configure: Allocating bandwidth on the HTTP proxy for maintaining
freshness of the objects in cache
Notes: Allows you to specify a limit to the amount of bandwidth the ProxySG uses to
achieve the desired freshness. For more information, see "Allocating Bandwidth to
Refresh Objects in Cache" on page 211.
Default: Disable refreshing


The above settings serve as defaults on the proxy. If you want a more granular
caching policy, for example, setting the TTL for an object, use Blue Coat Content
Policy Language (CPL). You can also use the VPM or CPL to bypass the cache or
to prohibit caching for a specific domain or server. Refer to the Content Policy
Language Guide for more information.

About Clientless Requests Limits


When certain HTTP proxy configurations are enabled, the ProxySG employs
various server-side connections to the OCS that are essential to caching and
optimizing HTTP traffic. The ProxySG automatically sends requests, called
clientless requests, over these connections. Poor performance and a poor user
experience might result, however, when an unlimited number of clientless requests
are allowed. As clientless requests increase and overwhelm the OCS, users might
experience slow downloads in their Web browsers. Furthermore, these excessive
requests might trigger defensive measures if the corporate firewall determines
that the ProxySG is a security threat.
The following sub-sections describe the HTTP proxy functionality involved.

HTTP Content Pre-population


Configuration: Blue Coat Director distributes content management commands;
ProxySG connects to the OCS.

Symptom: The OCS becomes overwhelmed.

Figure 8–2 No Clientless Request Limits and HTTP Content Pre-population


The OCS becomes overwhelmed from content requests and content management
commands. In this deployment, a global limit is not sufficient; a per-server limit is
required.

Caching/Optimization (Pipelining)
Configuration: Blue Coat ProxySG pipelining options enabled (Configuration >
Proxy Settings > HTTP Proxy > Acceleration Profile).
Symptom: The OCS becomes overwhelmed; users report slow access times in
their Web browsers.

Figure 8–3 No Clientless Request Limits and Pipelining Enabled


Responses to clients might contain embedded links that the ProxySG converts to
pipeline requests. As each link request results in a request to the OCS,
performance might be impacted; if the firewall in front of the OCS determines that
the request storm from the ProxySG represents a threat, requests are not allowed
through. In this scenario, a per-page limit prevents the problem.

Bandwidth Gain
Configuration: Blue Coat ProxySG Enable Bandwidth Gain Mode option enabled
(Configuration > Proxy Settings > HTTP Proxy > Acceleration Profile).
Symptom: The OCS becomes overwhelmed.

Figure 8–4 No Clientless Request Limits and Bandwidth Gain is Enabled

The ProxySG determines that objects in the cache require refreshing. This
operation itself is not costly, but the additional requests to the OCS add load to
the WAN link. A global and per-server limit prevents the problem.
For new installations (or following a restoration to factory defaults), clientless
limits are enforced by default; the ProxySG capacity per model determines the
upper default limit. For systems upgraded to SGOS 6.x from versions previous to
5.x, clientless limits are not enforced and you must manually configure the
Continue with "Setting the HTTP Default Object Caching Policy" on page 196.

Preventing Exception Pages From Upstream Connection Errors


The ProxySG provides an option that prevents the ProxySG from returning TCP
error exception pages to clients when upstream connection errors or connection
timeouts occur.
These types of connection issues might be common when enterprises employ
custom applications. Though the connection issues are related to the server,
administrators might mistakenly conclude that the ProxySG is the source of the
problem because of the exception page from the proxy.
When the option is enabled, the ProxySG essentially closes connections to clients
upon a server connection error or timeout. To the user, the experience is a lost
connection, but not an indication that something in between (such as a proxy) is at
fault.
This feature is enabled (send exceptions on error) by default:
❐ After upgrading to SGOS 6.x from previous versions that have an
Acceleration License
❐ On systems that have the acceleration profile selected during initial
configuration (see Section D: "Selecting an HTTP Proxy Acceleration Profile"
on page 198).
This option can only be enabled/disabled through the CLI:
#(config) http exception-on-network-error
#(config) http no exception-on-network-error

Section 2 Setting the HTTP Default Object Caching Policy
This section describes how to set the HTTP default object caching policy. For more
information, see "HTTP Optimization" on page 182.

To set HTTP default object caching policy:


1. Verify that the ProxySG is intercepting HTTP traffic (Configuration > Proxy Services;
Standard service group (by default)).

2. From the Management Console, select Configuration > Proxy Settings > HTTP
Proxy > Policies.

3. Configure default proxy policies (HTTP Proxy Policy area; see "About the HTTP
Object Caching Policy Global Defaults" on page 192):
a. In the Do not cache objects larger than field, enter the maximum object
size to cache. The default is 10000 MB for new installations of version
6.6.4.3 and later. If you are using a version prior to 6.6.4.3 or have
upgraded to 6.6.4.3 or later, the default is 4096 MB.
b. In the Cache negative responses for field, enter the number of minutes
that SGOS stores negative responses. The default is 0.
c. Force freshness validation. To always verify that each object is fresh
upon access, select the Always check with source before serving object
option. Enabling this setting has a significant impact on performance,
do not enable this configuration unless absolutely required.
d. Disable meta-tag parsing. The default is to parse HTTP meta tag
headers in HTML documents if the MIME type of the object is text/
html.
To disable meta-tag parsing, clear the option for:
• Parse cache-control meta tag
The following sub-headers are parsed when this check box is selected:
private, no-store, no-cache, max-age, s-maxage, must-revalidate, proxy-revalidate.
• Parse expires meta tag
This directive parses for the date and time after which the document
should be considered expired.
• Parse pragma-no-cache meta tag
This directive indicates that cached information should not be used
and instead requests should be forwarded to the OCS.
4. Configure Clientless Request Limits (see "About Clientless Requests Limits" on
page 193):
a. Global Limit—Limits the number of concurrent clientless connections
from the ProxySG to any OCS. Strongly recommended if Pipeline
options or the Enable Bandwidth Gain Mode option is enabled on the
Configuration > Proxy Settings > HTTP Proxy > Acceleration Profile tab.

b. Per-server Limit—Limits the number of concurrent clientless
connections from the ProxySG to a specific OCS, as determined by the
hostname of the OCS. Strongly recommended if Pipeline options or the
Enable Bandwidth Gain Mode option is enabled on the Configuration > Proxy
Settings > HTTP Proxy > Acceleration Profile tab.

c. Per-page Limit—Limits the number of requests that are created as a
result of embedded objects.
5. Click OK; click Apply.

See Also
❐ "Customizing the HTTP Object Caching Policy" on page 182.
❐ "Clearing the Object Cache" on page 1592
❐ "Selecting an HTTP Proxy Acceleration Profile" on page 198.

Section D: Selecting an HTTP Proxy Acceleration Profile
This section discusses caching, pipelining behavior, and bandwidth gain.

Acceleration Profile Tasks


A proxy profile offers a collection of attributes that determine object caching and
object pipelining behavior. The attributes are pre-selected to meet a specific
objective — reduce response time for clients, reduce load on the OCS, reduce
server-side bandwidth usage.
Based on your needs, you can select any of the three profiles offered or you can
create a customized profile by selecting or clearing the options available within a
profile.
The available proxy profiles are:
❐ Normal (the default setting) acts as a client accelerator, and is used for
enterprise deployments.
❐ Portal acts as a server accelerator (reverse proxy), and is used for Web hosting.
❐ Bandwidth Gain is used for Internet Service Provider (ISP) deployments.

Topic Links
❐ "About the Normal Profile"
❐ "About the Portal Profile"
❐ "About the Bandwidth Gain Profile" on page 199
❐ "About HTTP Proxy Profile Configuration Components" on page 199

About the Normal Profile


Normal is the default profile and can be used wherever the ProxySG is used as a
normal forward proxy. This profile is typically used in enterprise environments,
where the freshness of objects is more important than controlling the use of
server-side bandwidth. The Normal profile is the profile that most follows the
HTTP standards concerning object revalidation and staleness. Additionally, pre-
fetching (pipelining) of embedded objects and redirects is enabled, which reduces
response time for clients.

About the Portal Profile


When configured as a server accelerator or reverse proxy, the ProxySG improves
object response time to client requests, scalability of the origin content server
(OCS) site, and overall Web performance at the OCS. A server accelerator services
requests meant for an OCS, as if it is the OCS itself.

About the Bandwidth Gain Profile
The Bandwidth Gain profile is useful wherever server-side bandwidth is an
important resource. This profile is typically used in Internet Service Provider (ISP)
deployments. In such deployments, minimizing server-side bandwidth is most
important. Therefore, maintaining the freshness of an object in cache is less
important than controlling the use of server-side bandwidth. The Bandwidth-
Gain profile enables various HTTP configurations that can increase page response
times and the likelihood that stale objects are served, but it reduces the amount of
server-side bandwidth required.

About HTTP Proxy Profile Configuration Components


The following table describes each HTTP proxy acceleration profile option
(Management Console and CLI).

Table 8–2 Description of Profile Configuration Components

Management Console check box: Pipeline embedded objects in client request
CLI (config) command: http [no] pipeline client requests
Definition: This configuration item applies only to HTML responses. When this
setting is enabled, and the object associated with an embedded object reference in
the HTML is not already cached, HTTP proxy acquires the object's content before
the client requests the object. This improves response time dramatically.
If this setting is disabled, HTTP proxy does not acquire embedded objects until the
client requests them.

Management Console check box: Pipeline redirects for client request
CLI (config) command: http [no] pipeline client redirects
Definition: When this setting is enabled, and the response of a client request is one
of the redirection responses (such as 301, 302, or 307 HTTP response code), then
HTTP proxy pipelines the object specified by the Location header of that response,
provided that the redirection location is an HTML object. This feature improves
response time for redirected URLs.
If this setting is disabled, HTTP proxy does not pipeline redirect responses
resulting from client requests.

Management Console check box: Pipeline embedded objects in prefetch request
CLI (config) command: http [no] pipeline prefetch requests
Definition: This configuration item applies only to HTML responses resulting from
pipelined objects. When this setting is enabled, and a pipelined object's content is
also an HTML object, and that HTML object has embedded objects, then HTTP
proxy also pipelines those embedded objects. This nested pipelining behavior can
occur three levels deep at most.
If this setting is disabled, the HTTP proxy does not perform nested pipelining.

Management Console check box: Pipeline redirects for prefetch request
CLI (config) command: http [no] pipeline prefetch redirects
Definition: When this setting is enabled, HTTP proxy pipelines the object specified
by a redirect location returned by a pipelined response.
If this setting is disabled, HTTP proxy does not try to pipeline redirect locations
resulting from a pipelined response.

Management Console check box: Substitute Get for IMS
CLI (config) command: http [no] substitute if-modified-since
Definition: If the time specified by the If-Modified-Since: header in the client's
conditional request is greater than the last modified time of the object in the cache,
it indicates that the copy in cache is stale. If so, HTTP proxy does a conditional GET
to the OCS, based on the last modified time of the cached object.
To change this aspect of the If-Modified-Since: header on the ProxySG, enable the
Substitute Get for IMS setting.
When this setting is enabled, a client time condition greater than the last modified
time of the object in the cache does not trigger revalidation of the object.
Note: Not all objects have a last-modified time specified by the OCS.

Management Console check box: Substitute Get for HTTP 1.1 conditionals
CLI (config) command: http [no] substitute conditional
Definition: HTTP 1.1 provides additional controls to the client over the behavior of
caches concerning the staleness of the object. Depending on various Cache-Control:
headers, the ProxySG can be forced to consult the OCS before serving the object
from the cache. For more information about the behavior of various Cache-Control:
header values, refer to RFC 2616.
If the Substitute Get for HTTP 1.1 Conditionals setting is enabled, HTTP proxy
ignores the following Cache-Control: conditions from the client request:
• "max-stale" [ "=" delta-seconds ]
• "max-age" "=" delta-seconds
• "min-fresh" "=" delta-seconds
• "must-revalidate"
• "proxy-revalidate"

Management Console check box: Substitute Get for PNC
CLI (config) command: http [no] substitute pragma-no-cache
Definition: Typically, if a client sends an HTTP GET request with a Pragma: no-cache
or Cache-Control: no-cache header (for convenience, both are hereby referred to as
PNC), a cache must consult the OCS before serving the content. This means that
HTTP proxy always re-fetches the entire object from the OCS, even if the cached
copy of the object is fresh. Because of this, PNC requests can degrade proxy
performance and increase server-side bandwidth utilization.
However, if the Substitute Get for PNC setting is enabled, then the PNC header
from the client request is ignored (HTTP proxy treats the request as if the PNC
header is not present at all).

Management Console check box: Substitute Get for IE reload
CLI (config) command: http [no] substitute ie-reload
Definition: Some versions of Internet Explorer issue the Accept: */* header instead
of the Pragma: no-cache header when you click Refresh. When an Accept header has
only the */* value, HTTP proxy treats it as a PNC header if it is a type-N object. You
can control this behavior of HTTP proxy with the Substitute GET for IE Reload
setting. When this setting is enabled, the HTTP proxy ignores the PNC interpretation
of the Accept: */* header.

Management Console check box: Never refresh before expiration
CLI (config) command: http [no] strict-expiration refresh
Definition: Applies only to cached type-T objects. For information on HTTP object
types, see "About HTTP Object Freshness" on page 184.
When this setting is enabled, SGOS does not asynchronously revalidate such objects
before their specified expiration time.
When this setting is disabled, such objects, if they have sufficient relative
popularity, can be asynchronously revalidated and can, after a sufficient number of
observations of changes, have their estimates of expiration time adjusted
accordingly.

Management Console check box: Never serve after expiration
CLI (config) command: http [no] strict-expiration serve
Definition: Applies only to cached type-T objects.
If this setting is enabled, an object is synchronously revalidated before being served
to a client, if the client accesses the object after its expiration time.
If this setting is disabled, the object is served to the client and, depending on its
relative popularity, may be asynchronously revalidated before it is accessed again.

Management Console check box: Cache expired objects
CLI (config) command: http [no] cache expired
Definition: Applies only to type-T objects.
When this setting is enabled, type-T objects that are already expired at the time of
acquisition are cached (if all other conditions make the object cacheable).
When this setting is disabled, already expired type-T objects become non-cacheable
at the time of acquisition.

Management Console check box: Enable Bandwidth Gain Mode
CLI (config) command: bandwidth-gain {disable | enable}
Definition: This setting controls both HTTP-object acquisition after client-side
abandonment and AAR (asynchronous adaptive refresh) revalidation frequency.
• HTTP-Object Acquisition
When Bandwidth Gain mode is enabled, if a client requesting a given object
abandons its request, then HTTP proxy immediately abandons the acquisition of the
object from the OCS, if such an acquisition is still in progress. When bandwidth gain
mode is disabled, the HTTP proxy continues to acquire the object from the OCS for
possible future requests for that object.
• AAR Revalidation Frequency
Under enabled bandwidth gain mode, objects that are asynchronously refreshable
are revalidated at most twice during their estimated time of freshness. With
bandwidth gain mode disabled, they are revalidated at most three times. Not all
asynchronously refreshable objects are guaranteed to be revalidated.

When a ProxySG is first manufactured, it is set to a Normal profile. Depending on
your needs, you can use the Bandwidth Gain profile or the Portal profile. You can
also combine elements of all three profiles, as needed for your environment.
The following table provides the default configuration for each profile.

Table 8–3 Normal, Portal, and Bandwidth Gain Profiles

Configuration | Normal Profile | Portal Profile | Bandwidth Gain
Pipeline embedded objects in client requests | Enabled | Disabled | Disabled
Pipeline embedded objects in prefetch requests | Enabled | Disabled | Disabled
Pipeline redirects for client requests | Enabled | Disabled | Disabled
Pipeline redirects for prefetch requests | Enabled | Disabled | Disabled
Cache expired objects | Enabled | Disabled | Enabled
Bandwidth Gain Mode | Disabled | Disabled | Enabled
Substitute GET for IMS (if modified since) | Disabled | Enabled | Enabled
Substitute GET for PNC (Pragma no cache) | Disabled | Enabled | Disabled
Substitute GET for HTTP 1.1 conditionals | Disabled | Enabled | Enabled
Substitute GET for IE (Internet Explorer) reload | Disabled | Enabled | Disabled
Never refresh before expiration | Disabled | Enabled | Enabled
Never serve after expiration | Enabled | Enabled | Disabled


Section 3 Configuring the HTTP Proxy Profile
Configure the profile by selecting any of the components discussed in "About
HTTP Proxy Profile Configuration Components" on page 199.

To configure the HTTP proxy profile:

1. Review the description of the components for each profile; see Table 8–2 on
page 199.
2. From the Management Console, select Configuration > Proxy Settings > HTTP
Proxy > Acceleration Profile.

Text displays at the bottom of this tab indicating which profile is selected.
Normal is the default profile. If you have a customized profile, this text does
not display.

Important: If you have a customized profile and you click one of the Use
Profile buttons, no record of your customized settings remains. However,
after the ProxySG is set to a specific profile, the profile is maintained in the
event the ProxySG is upgraded.
Also, if you select any Pipeline option or the Enable Bandwidth Gain Mode
option, Blue Coat strongly recommends limiting clientless requests. See
"About Clientless Requests Limits" on page 193.

3. To select a profile, click one of the three profile buttons (Use Normal Profile, Use
Bandwidth Gain Profile, or Use Portal Profile).

The text at the bottom of the Acceleration Profile tab changes to reflect the new
profile.

Note: You can customize the settings, no matter which profile button you
select.

4. (Optional) To customize the profile settings, select or clear any of the check
boxes (see Table 8–2, "Description of Profile Configuration Components" on
page 199 for information about each setting).

5. Click OK; click Apply.

See Also
❐ "Selecting an HTTP Proxy Acceleration Profile" on page 198.
❐ "About HTTP Proxy Profile Configuration Components" on page 199.
❐ "About HTTP Object Freshness" on page 184.
❐ "Using a Caching Service" on page 207.

Section E: Using a Caching Service
CachePulse is a caching service that provides you with optimal bandwidth gains
for popular or high-bandwidth websites. Utilizing highly effective Web caching
technology, CachePulse saves bandwidth on expensive international links and
backhaul traffic, thereby improving Web experience for users.
CachePulse accelerates the delivery of rich Web 2.0 content, video, and large files
such as:
• YouTube videos
• Netflix streaming media
• Microsoft Windows updates
Subscribing to the CachePulse service eliminates the need to maintain caching
policy; when you first enable the service, it downloads the latest version of the
caching policy database. CachePulse periodically updates the database as long as
the service is enabled and an Internet connection exists.

Prerequisite for Using CachePulse

Before you can use CachePulse, you must have a valid license for the feature.
Refer to your Blue Coat Sales point of contact for more information.
If you do not have a valid license, the Management Console might display Health
Monitoring errors. The event log might also contain error messages about the
subscription.

Section 4 Enabling CachePulse
To enable CachePulse:
1. In the Management Console, select Configuration > Proxy Settings > General.
2. In the CachePulse section, select Enable.
3. Click Apply.
The appliance attempts to download the database.

What if the Initial Download is Not Successful?

If you receive a download error and the Management Console banner displays
Critical shortly after you click Apply, the CachePulse database download might
have failed. Check your network configuration and make sure that the appliance
can connect to the Internet. Because the appliance attempts to communicate with
the Blue Coat server over a secured connection on port 443, you might also have
to allow outbound connections from the appliance on port 443 in the firewall.
To check if there was a download problem, select Statistics > Health Monitoring >
Status and look for the status “CachePulse failed on initial download” for
Subscription Communication Status.

See Also
❐ "Downloading the CachePulse Database"
❐ "Notifications for Status Metrics" on page 1531

Downloading the CachePulse Database

You can download the CachePulse database at any time if the feature is enabled. If
the initial download failed, and you resolved the issue that caused the failure, you
can use this method to download database updates.
To download the CachePulse database:
1. In the Management Console, select Configuration > Proxy Settings > General.
2. In the CachePulse section, click Download Now.

The License and Download Status field shows statistics about the previous
successful and unsuccessful downloads. If the last download was
unsuccessful, the field contains an error.

If you receive a download error, check your network configuration and make
sure that the appliance can connect to the Internet.

Section F: Fine-Tuning Bandwidth Gain
In addition to the components related to top-level profiles, other configurable
items affect bandwidth gain. You can set the top-level profile (see "Selecting an
HTTP Proxy Acceleration Profile" on page 198) and adjust the following
configuration items to fine tune the ProxySG for your environment:
❐ Allocating bandwidth to refresh objects in cache
❐ Using Byte-range support
❐ Enabling the Revalidate pragma-no-cache (PNC)

Section 5 Allocating Bandwidth to Refresh Objects in Cache
The Refresh bandwidth options control the server-side bandwidth used for all forms
of asynchronous adaptive refresh activity. On systems with increased object store
capacity, the value of asynchronous adaptive refresh has diminished markedly,
and can in many instances actually increase latency due to system load. Therefore,
this feature is disabled by default. You can select from the following options:
❐ Disable refreshing—Disables adaptive refresh. This setting is recommended on
systems that use an increased object capacity disk model. This is the default
setting for fresh installations of SGOS 6.2.6 and later.
❐ Let the SG appliance manage refresh bandwidth—The appliance will automatically
use whatever bandwidth is available in its efforts to maintain 99.9% estimated
freshness of the next access. You can also enable this from the CLI using the
#(config caching) refresh bandwidth automatic command. This setting is
recommended only on systems that are not using the increased object capacity
disk model (that is, systems that were manufactured with an SGOS version
prior to 6.2).
❐ Limit refresh bandwidth to x kilobits/sec—If you want to use adaptive refresh but
you want to limit the amount of bandwidth used, select this option and
specify a limit to the amount of bandwidth the ProxySG uses to achieve the
desired freshness. Before making adjustments, review the logged statistics and
examine the current bandwidth used as displayed in the Refresh bandwidth
field. It is not unusual for bandwidth usage to spike occasionally, depending
on access patterns at the time. Entering a value of zero disables adaptive
refresh.

To set refresh bandwidth:
1. From the Management Console, select Configuration > Proxy Settings > HTTP
Proxy > Freshness.

The Refresh bandwidth field displays the refresh bandwidth options. The
default setting is to Disable refreshing.

Important: Blue Coat strongly recommends that you not change the setting
from the default if you have a system with an increased object store capacity.

2. To enable adaptive refresh, select one of the following options:
• Select Limit refresh bandwidth to and enter a bandwidth limit to use in the
kilobits/sec field.
• To allow the appliance to automatically determine the amount of
bandwidth to use for adaptive refresh, select Let the SG Appliance manage
refresh bandwidth (recommended).

3. Click OK; click Apply.

Using Byte-Range Support

Byte-range support is an HTTP feature that allows a client to use the Range: HTTP
header to request a portion of an object rather than the whole object. The HTTP
proxy supports byte-range requests, and this support is enabled by default.

When Byte-Range Support is Disabled

If byte-range support is disabled, HTTP treats all byte-range requests as
non-cacheable. Such requests are never served from the cache, even if the object
exists in the cache. The client’s request is sent unaltered to the OCS and the
response is not cached. Thus, a byte-range request has no effect on the cache if
byte-range support is disabled.

When Byte-Range Support is Enabled

If the object is already in cache, the ProxySG serves the byte-range request from
the cache itself. However, if the client’s request contains a PNC header, the
ProxySG always bypasses the cache and serves the request from the OCS.

If the object is not in cache, the ProxySG always attempts to minimize delay for
the client.
❐ If the byte-range requested is near the beginning of the object, that is, the start
byte of the request is within 0 to 14336 bytes, then the ProxySG fetches the
entire object from the OCS and caches it. However, the client is served the
requested byte-range only.
❐ If the byte-range requested is not near the beginning of the object, that is, the
start byte of the request is greater than 14336 bytes, then the ProxySG fetches
only the requested byte-range from the OCS and serves it to the client. The
response is not cached.

Note: The HTTP proxy never caches partial objects, even if byte-range
support is enabled.

Since the ProxySG never caches partial objects, bandwidth gain is significantly
affected when byte-range requests are used heavily. If, for example, several clients
request an object where the start byte offset is greater than 14336 bytes, the object
is never cached. The ProxySG fetches the same object from the OCS for each
client, thereby causing negative bandwidth gain.
Further, download managers like NetAnts® typically use byte-range requests
with PNC headers. To improve bandwidth gain by serving such requests from
cache, enable the revalidate pragma-no-cache option along with byte-range support.
See "Enabling Revalidate Pragma-No-Cache" on page 214.
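The byte-range rules above, written out as a small model so the cache and bandwidth consequences can be traced request by request. This is an added example, not code from the guide or from the ProxySG itself: the 14336-byte threshold is the one stated in the text, while the origin content, the cache and the per-request byte accounting are constructed stand-ins.

```python
"""Added example (not ProxySG code): models the byte-range handling rules
described in the guide. The 14336-byte threshold comes from the text; the
origin content, the cache and the byte accounting are constructed stand-ins."""
import re
from dataclasses import dataclass

NEAR_START_LIMIT = 14336  # a start offset at or below this triggers a whole-object fetch


@dataclass
class Outcome:
    source: str          # "cache", "ocs-full", "ocs-range" or "ocs-passthrough"
    cached_after: bool   # is a whole copy of the object in cache once the request completes?
    client_bytes: int    # bytes returned to the client for this request
    server_bytes: int    # bytes pulled from the OCS for this request


def parse_range(header):
    """Parse 'bytes=start-end' or the open-ended 'bytes=start-'; returns (start, end|None)."""
    m = re.fullmatch(r"bytes=(\d+)-(\d*)", header.strip())
    if not m:
        raise ValueError("unsupported Range syntax: %r" % header)
    return int(m.group(1)), (int(m.group(2)) if m.group(2) else None)


def slice_range(body, start, end):
    return body[start:(end + 1 if end is not None else None)]


class ByteRangeProxy:
    def __init__(self, ocs_objects, byte_ranges=True):
        self.ocs = ocs_objects        # url -> full body (constructed origin)
        self.cache = {}               # url -> full body; partial objects are never stored
        self.byte_ranges = byte_ranges
        self.total_server_bytes = 0   # cumulative server-side traffic

    def handle(self, url, range_header, pnc=False):
        start, end = parse_range(range_header)
        body = self.ocs[url]
        wanted = slice_range(body, start, end)
        if not self.byte_ranges or pnc:
            # Support disabled, or a Pragma: no-cache request: the request goes to the
            # OCS unaltered, the response is not cached and the cache is not consulted.
            self.total_server_bytes += len(wanted)
            return Outcome("ocs-passthrough", url in self.cache, len(wanted), len(wanted))
        if url in self.cache:
            return Outcome("cache", True, len(slice_range(self.cache[url], start, end)), 0)
        if start <= NEAR_START_LIMIT:
            # Range starts near the beginning: fetch and cache the whole object,
            # but serve the client only the requested range.
            self.cache[url] = body
            self.total_server_bytes += len(body)
            return Outcome("ocs-full", True, len(wanted), len(body))
        # Range starts deep into the object: fetch only the range; nothing is cached,
        # so every further client asking for this range costs the same server bytes again.
        self.total_server_bytes += len(wanted)
        return Outcome("ocs-range", False, len(wanted), len(wanted))


if __name__ == "__main__":
    proxy = ByteRangeProxy({"/iso": b"x" * 100_000})
    for _ in range(3):                       # three download-manager clients, same deep range
        print(proxy.handle("/iso", "bytes=20000-29999"))
    print("server bytes so far:", proxy.total_server_bytes)   # nothing was cached
    print(proxy.handle("/iso", "bytes=0-1023"))                # whole object fetched and cached
    print(proxy.handle("/iso", "bytes=20000-"))                # now served from cache
```

Running the block shows the negative-gain case from the text directly: three clients fetching the same deep range cost 30000 server-side bytes and leave nothing in cache, whereas one request starting near byte 0 caches the whole object and turns later range requests into cache hits.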

To configure byte-range support:

Note: Enabling or disabling byte-range support can only be configured through
the CLI.

To enable or disable byte-range support, enter one of the following commands at
the (config) command prompt:
#(config) http byte-ranges
-or-
#(config) http no byte-ranges

Enabling Revalidate Pragma-No-Cache

The pragma-no-cache (PNC) header in a client’s request causes the HTTP proxy to
re-fetch the entire object from the OCS, even if the cached copy of the object is
fresh. This roundtrip for PNC requests can degrade proxy performance and
increase server-side bandwidth utilization.
While the Substitute GET for PNC configuration completely ignores PNC in client
requests and potentially serves stale content, the revalidate-pragma-no-cache
setting allows you to implement PNC selectively.
When the revalidate-pragma-no-cache setting is enabled, a client’s non-
conditional PNC GET request results in a conditional GET request sent to the
OCS if the object is already in cache. The conditional request allows the OCS to
return a 304 Not Modified response if the content in cache is still fresh, so less
server-side bandwidth is consumed because the full content is not retrieved again
from the OCS.
By default, the revalidate PNC configuration is disabled and is not affected by
changes in the top-level profile. When the Substitute GET for PNC configuration is
enabled (see Table 8–2, "Description of Profile Configuration Components" on
page 199 for details), the revalidate PNC configuration has no effect.

To configure the revalidate PNC setting:

Note: The revalidate pragma-no-cache setting can only be configured through
the CLI.

To enable or disable the revalidate PNC setting, enter one of the following
commands at the (config) command prompt:
#(config) http revalidate-pragma-no-cache
-or-
#(config) http no revalidate-pragma-no-cache
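To make the trade-off between the three PNC behaviours concrete, here is an added example (not code from the guide or from ProxySG) that replays the same three client requests against a constructed origin under each behaviour: the default full re-fetch, Substitute GET for PNC, and revalidate-pragma-no-cache. It also computes the client bytes / server bytes ratio that the next subsection uses as the bandwidth gain figure. The 100-byte header cost, the 5000-byte object and the version stamp standing in for Last-Modified are assumptions of the example.

```python
"""Added example (not ProxySG code): models how a GET carrying Pragma: no-cache is
handled under the three behaviours described in the guide. The origin, the cache
and the byte accounting are constructed stand-ins; header overhead is fixed at
100 bytes and Last-Modified is modelled as an integer version stamp."""
from dataclasses import dataclass

HEADER_BYTES = 100  # constructed cost of an HTTP message that carries no body


@dataclass
class Origin:
    body: bytes
    version: int  # constructed Last-Modified stamp

    def get(self, if_modified_since=None):
        """Return (status, body, bytes on the wire); 304 answers a satisfied conditional GET."""
        if if_modified_since is not None and self.version <= if_modified_since:
            return 304, b"", HEADER_BYTES
        return 200, self.body, HEADER_BYTES + len(self.body)


class PncProxy:
    MODES = ("refetch", "substitute", "revalidate")

    def __init__(self, origin, mode):
        if mode not in self.MODES:
            raise ValueError(mode)
        self.origin, self.mode = origin, mode
        self.cached = None          # (body, version) once the object is stored
        self.server_bytes = 0
        self.client_bytes = 0

    def _fetch_full(self):
        _, body, cost = self.origin.get()
        self.server_bytes += cost
        self.cached = (body, self.origin.version)
        return body, "ocs"

    def get(self, pragma_no_cache=False):
        """Serve one client GET; returns (body, where it came from)."""
        if self.cached is None:
            body, src = self._fetch_full()
        elif not pragma_no_cache or self.mode == "substitute":
            # Ordinary hit, or PNC ignored outright (may serve stale content).
            body, src = self.cached[0], "cache"
        elif self.mode == "revalidate":
            # PNC turned into a conditional GET; a 304 lets the cached copy be served.
            status, body, cost = self.origin.get(if_modified_since=self.cached[1])
            self.server_bytes += cost
            if status == 304:
                body, src = self.cached[0], "cache-revalidated"
            else:
                self.cached = (body, self.origin.version)
                src = "ocs"
        else:
            # Default: PNC forces a full re-fetch even though the cached copy is fresh.
            body, src = self._fetch_full()
        self.client_bytes += len(body)
        return body, src


def run_scenario(mode):
    """Three GETs: a plain one, a PNC GET while unchanged, a PNC GET after the OCS changed.
    Returns server bytes, whether stale content was served, and the client/server ratio."""
    origin = Origin(b"A" * 5000, version=1)
    proxy = PncProxy(origin, mode)
    proxy.get()
    proxy.get(pragma_no_cache=True)
    origin.body, origin.version = b"B" * 5000, 2          # content changes on the OCS
    second_pnc, _ = proxy.get(pragma_no_cache=True)
    return {"server_bytes": proxy.server_bytes,
            "stale_served": second_pnc != origin.body,
            "gain": proxy.client_bytes / proxy.server_bytes}


if __name__ == "__main__":
    for m in PncProxy.MODES:
        print(m, run_scenario(m))
```

The numbers line up with the prose: the default re-fetch spends more on the server side than it delivers to clients (a gain below 1), Substitute GET for PNC is cheapest but hands out the stale "A" body after the origin changed, and revalidate-pragma-no-cache pays only a header-sized round trip while the content is unchanged and still picks up the new body afterwards.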

Interpreting Negative Bandwidth Gain Statistics

Bandwidth gain represents the overall bandwidth benefit achieved by object
caching, byte caching, compression, and protocol optimization.
Occasionally, you might notice negative bandwidth gain when using the
bandwidth gain profile. This negative bandwidth gain is observed because the
client-side cumulative bytes of traffic is lower than the server-side cumulative
bytes of traffic for a given period of time. It is represented as a unit-less
multiplication factor and is computed by the ratio:
client bytes / server bytes
Some factors that contribute to negative bandwidth gain are:
❐ Abandoned downloads (delete_on_abandonment (no))
When a client cancels a download, the ProxySG continues to download the
requested file to cache it for future requests. Since the client has cancelled the
download, server-side traffic persists while the client-side traffic is halted.
This continued flow of traffic on the server-side causes negative bandwidth
gain.
Further with (delete_on_abandonment (yes)), when a client cancels a
download, the ProxySG terminates the connection and stops sending traffic to
the client. However, the server may have sent additional traffic to the ProxySG
before it received the TCP RESET from the ProxySG. This surplus also causes
negative bandwidth gain.
❐ Refreshing of the cache
Bandwidth used to refresh contents in the cache contributes to server-side
traffic. Since this traffic is not sent to the client until requested, it might cause
negative bandwidth gain.
❐ Byte-range downloads
When download managers use an open-ended byte-range, such as Range:
bytes=10000-, and reset the connection after downloading the requested byte-
range, the packets received by the ProxySG from the server are greater than
those served to the client, causing negative bandwidth gain.
❐ Download of uncompressed content
If the ProxySG downloads uncompressed content, but compresses it before
serving the content to the client, server-side traffic will be greater than client-
side traffic. This scenario is typical in a reverse proxy deployment, where the
server offloads the task of gzipping the content to the ProxySG.
❐ Reduced client-side throughput
In the short term, you will notice negative bandwidth gain if the client-side
throughput is lower than the server-side throughput. If, for example, the
ProxySG takes five minutes to download a 100 Mb file but 10 minutes to serve
the file to the client, the ProxySG reflects negative bandwidth gain for the
first five minutes.
To view bandwidth usage and bandwidth gain statistics on the HTTP proxy, click
Statistics > Traffic History tab. Select the HTTP proxy service to view statistics over
the last hour, day, week, month, and year. See Chapter 33: "Statistics" on page 789
for information on the graphs.

Compression
Compression is disabled by default. If compression is enabled, the HTTP proxy
forwards the supported compression algorithm (either deflate or gzip) from the
client’s request (Accept-Encoding: request header) to the server as is, and
attempts to send compressed content to client whenever possible. This allows
SGOS to send the response as is when the server sends compressed data,
including non-cacheable responses. Any unsolicited encoded response is
forwarded as is to the client.
For more information on compression, see "Understanding HTTP Compression"
on page 220.

Related CLI Syntax to Configure HTTP

The following commands allow you to manage settings for an HTTP proxy.
Use the command below to enter the configuration mode.
# conf t
The following subcommands are available:
#(config) http [no] add-header client-ip
#(config) http [no] add-header front-end-https
#(config) http [no] add-header via
#(config) http [no] add-header x-forwarded-for
#(config) http [no] byte-ranges
#(config) http [no] cache authenticated-data
#(config) http [no] cache expired
#(config) http [no] cache personal-pages
#(config) http [no] force-ntlm
#(config) http ftp-proxy-url root-dir
#(config) http ftp-proxy-url user-dir
#(config) http [no] parse meta-tag {cache-control | expires | pragma-no-cache}
#(config) http [no] persistent client
#(config) http [no] persistent server
#(config) http [no] persistent-timeout client num_seconds
#(config) http [no] persistent-timeout server num_seconds
#(config) http [no] pipeline client {requests | redirects}
#(config) http [no] pipeline prefetch {requests | redirects}
#(config) http [no] proprietary-headers bluecoat
#(config) http receive-timeout client num_seconds
#(config) http receive-timeout refresh num_seconds
#(config) http receive-timeout server num_seconds
#(config) http [no] revalidate-pragma-no-cache
#(config) http [no] strict-expiration refresh
#(config) http [no] strict-expiration serve
#(config) http [no] strip-from-header
#(config) http [no] substitute conditional
#(config) http [no] substitute ie-reload
#(config) http [no] substitute if-modified-since
#(config) http [no] substitute pragma-no-cache
#(config) http [no] tolerant-request-parsing

#(config) http upload-with-pasv disable
#(config) http upload-with-pasv enable
#(config) http version {1.0 | 1.1}
#(config) http [no] www-redirect
#(config) http [no] xp-rewrite-redirect

Note: For detailed information about using these commands, refer to the
Command Line Interface Reference.

Section G: Caching Authenticated Data (CAD) and
Caching Proxy Authenticated Data (CPAD)
This section describes how the ProxySG caches authenticated content over HTTP.
Authentication over HTTP allows a user to prove their identity to a server or an
upstream proxy to gain access to a resource.
The ProxySG uses CAD and CPAD to facilitate object caching at the edge and to
help validate user credentials. Object caching in the ProxySG allows for lesser
bandwidth usage and faster response times between the client and the server or
proxy.
The deployment of the ProxySG determines whether it performs CAD or CPAD:
❐ When the Origin Content Server (OCS) performs authentication, the ProxySG
performs CAD.
❐ When the upstream HTTP Proxy performs authentication, the downstream
HTTP proxy or ProxySG executes CPAD.

About Caching Authenticated Data (CAD)

In the CAD scenario, when a user requests a resource that needs authentication,
the OCS sends an HTTP 401 error response to the user. The HTTP 401 response also
contains information on the authentication schemes that the OCS supports. To
prove their identity to the OCS, the user resubmits the initial request along with
the authentication details.

Figure 8–5 CAD: 200 response from the Origin Content Server.
The OCS then sends back one of the following responses:
❐ HTTP 200 response status, authentication is accepted. The user receives the
requested resource.
❐ HTTP 403 response status, user is not allowed to view the requested resource.
The user is authenticated but is not authorized to receive the content, hence
the user receives an error message.

When another user accesses the same URL, the ProxySG authenticates the user
with the OCS and verifies the freshness of the content using the Get If Modified
Since request. If the user is authorized and the content has not been modified, the
OCS returns an HTTP 304 response message to the ProxySG. The ProxySG then
serves the content from cache.
If the content has been modified, the OCS returns the HTTP 200 response along
with the modified content.

Figure 8–6 CAD: 403 and 304 response codes from the OCS

Note: CAD is applicable only for pure HTTP authentication; the ProxySG caches
authenticated data only when the OCS includes the WWW-Authenticate header in
the 401 response. If, for example, the client accesses an OCS that uses
forms-based authentication, the ProxySG does not perform CAD.
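The CAD exchange described above, replayed as an added message-level example (not code from the guide or from ProxySG): the origin challenges with a 401 carrying WWW-Authenticate, the proxy passes each user's credentials through unchanged, caches the 200 body, and revalidates it with a conditional request on behalf of every later user, so the OCS still decides per user between 200, 304, 403 and 401. The users, passwords, authorization list and the integer version stamp standing in for Last-Modified are constructed; forms-based login is deliberately not modelled, since the note says CAD does not apply to it.

```python
"""Added example (not ProxySG code): a message-level model of the CAD exchange
described in the guide. Users, passwords, the authorization list and the version
stamp standing in for Last-Modified are constructed for the illustration."""
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


class Ocs:
    """Origin content server: checks credentials, then authorization, then freshness."""

    def __init__(self, body, version, passwords, authorized):
        self.body, self.version = body, version
        self.passwords = dict(passwords)      # user -> password (constructed)
        self.authorized = set(authorized)     # users allowed to read the resource

    def get(self, headers):
        creds = headers.get("Authorization")
        if creds is None or self.passwords.get(creds[0]) != creds[1]:
            return Response(401, {"WWW-Authenticate": 'Basic realm="cad-example"'})
        if creds[0] not in self.authorized:
            return Response(403)                       # authenticated but not authorized
        ims = headers.get("If-Modified-Since")
        if ims is not None and self.version <= ims:
            return Response(304)                       # the cached copy is still current
        return Response(200, {"Last-Modified": self.version}, self.body)


class CadProxy:
    def __init__(self, ocs):
        self.ocs = ocs
        self.cache = None        # (body, version) of the authenticated object
        self.ocs_bodies = 0      # full bodies transferred from the OCS

    def get(self, user=None, password=None):
        headers = {}
        if user is not None:
            headers["Authorization"] = (user, password)   # passed through unchanged
        if self.cache is not None:
            headers["If-Modified-Since"] = self.cache[1]  # every user is re-checked by the OCS
        resp = self.ocs.get(headers)
        if resp.status == 304:
            return Response(200, {}, self.cache[0])       # authorized and fresh: serve from cache
        if resp.status == 200:
            self.ocs_bodies += 1
            self.cache = (resp.body, resp.headers["Last-Modified"])
        return resp                                       # 401 and 403 go back to the user as-is


def cad_scenario():
    """Walk the exchange for several users; returns what each saw and the OCS body count."""
    ocs = Ocs(b"report v1", version=1,
              passwords={"alice": "pw-a", "bob": "pw-b", "carol": "pw-c"},
              authorized={"alice", "bob"})
    proxy = CadProxy(ocs)
    seen = {}
    seen["anonymous"] = proxy.get()                        # 401 challenge from the OCS
    seen["alice"] = proxy.get("alice", "pw-a")             # 200, body now cached
    seen["bob"] = proxy.get("bob", "pw-b")                 # OCS answers 304, served from cache
    seen["carol"] = proxy.get("carol", "pw-c")             # 403, nothing served from cache
    seen["bob-badpw"] = proxy.get("bob", "wrong")          # 401 again, cache untouched
    ocs.body, ocs.version = b"report v2", 2                # content changes on the OCS
    seen["alice-again"] = proxy.get("alice", "pw-a")       # 200 with the new body
    return seen, proxy.ocs_bodies


if __name__ == "__main__":
    for who, resp in cad_scenario()[0].items():
        print(who, resp.status, resp.body)
```

The point to take from the run is that the cache never short-circuits the origin's decision: bob's copy comes out of the cache only because the OCS answered 304 to a request that carried bob's own credentials, carol is refused with a 403 even though the body is cached, and only two full bodies ever cross the server side.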

About Caching Proxy Authenticated Data (CPAD)

The CPAD deployment uses two ProxySG appliances — a local proxy and a
gateway proxy. Figure 8–7 on page 220 below depicts the ProxySG appliances in a
CPAD deployment.
When the user requests a resource, ProxySG1 forwards the request to ProxySG2.
ProxySG2 issues the authentication challenge back to the user (a 407 response
instead of the 401 response that the OCS serves). Upon successful authentication,
ProxySG2 forwards the request to the OCS and the resource is served to the user.

Figure 8–7 CPAD: 200 response from ProxySG 2
In Figure 8–8, ProxySG1 caches proxy authenticated data and ProxySG2 performs
authentication (instead of the OCS).

Figure 8–8 CPAD: 407 and 304 responses in a CPAD deployment

For subsequent users who access the same URL (see Figure 8-4), ProxySG1
forwards all requests to ProxySG2 with the Get If Modified Since request.
ProxySG2 issues the authentication challenge and provides one of the following
responses:
❐ HTTP 200 response status, the user is allowed access to the requested resource
but the content has changed.
❐ HTTP 304 response status, the user is authorized and the content can be served
from the cache.
❐ HTTP 403 response status, the user is not authorized to view the requested
resource.
❐ HTTP 407 response status, the user provided invalid credentials.

Understanding HTTP Compression

Compression reduces a file size but does not lose any data. Whether you should
use compression depends upon three resources: server-side bandwidth, client-side
bandwidth, and ProxySG CPU. If server-side bandwidth is more expensive
in your environment than CPU, always request compressed content from the
origin content server (OCS). However, if CPU is comparatively expensive, the
ProxySG appliance should instead be configured to ask the OCS for the same
compressions that the client asked for and to forward whatever the server returns.
The default configuration assumes that CPU is costlier than bandwidth. If this is
not the case, you can change the ProxySG appliance behavior.

Note: Decompression, content transformation, and recompression increase
response time by a small amount because of the CPU overhead. (The overhead is
negligible in most cases.) RAM usage also increases if compression is enabled.
Compression might also appear to adversely affect bandwidth gain. Because
compression results in a smaller file being served to the client than was retrieved
by the ProxySG appliance from the origin content server, bandwidth gain
statistics reflect such requests/responses as negative bandwidth gain.

Compression is disabled by default. If compression is enabled, the HTTP proxy
forwards the supported compression algorithm (gzip and deflate) from the
client’s request (Accept-Encoding: request header) to the server as is, and
attempts to send compressed content to client whenever possible. This allows the
ProxySG appliance to send the response as is when the server sends compressed
data, including non-cacheable responses. Any unsolicited encoded response is
forwarded to the client as is.

Note: If compression is not enabled, the ProxySG appliance does not compress
the content if the server sends uncompressed content. However, the appliance
continues to uncompress content if necessary to apply transformations.
Any unsolicited encoded response is forwarded to the client as is.

Compression is controlled by policy only.

You can view compression statistics by going to Statistics > Protocol Details > HTTP/
FTP History > Client Comp. Gain and Server Comp. Gain.
For information on these statistics, see "Viewing HTTP/FTP Statistics" on page
229.

Understand Compression Behavior

The ProxySG compression behavior is detailed in the tables below. Compression
increases the overall percentage of cacheable content, increasing the hit rate in
terms of number of objects served from the cache.

Note: A variant is the available form of the object in the cache, compressed or
uncompressed. The Content-Encoding: header value Identity refers to the
uncompressed form of the content.

For cache-hit compression behavior, see Table 8–4 below. For cache-miss
compression behavior, see Table 8–5.


Table 8–4 Cache-Hit Compression Behavior

Accept-Encoding: in   Variant Available when     Variant Stored as a          Content-Encoding in
client request        the Request Arrived        Result of the Request        ProxySG response
Identity              Uncompressed object        None                         Identity
Identity              No uncompressed object;    Uncompressed                 Identity
                      gzip compressed
gzip, deflate         Uncompressed object        gzip compressed              gzip
gzip, deflate         Uncompressed object;       None                         gzip
                      gzip compressed
gzip, deflate         Uncompressed object;       None                         deflate
                      deflate compressed
deflate               No uncompressed object;    deflate compressed (This is  deflate
                      gzip compressed            effectively a cache-miss.
                                                 The ProxySG appliance does
                                                 not convert from gzip to
                                                 deflate.)

Table 8–5 Cache-Miss Compression Behavior

Accept-Encoding:   Accept-Encoding:   Content-Encoding:   Generated variants       Content-Encoding:
in client request  in ProxySG         in server response  in ProxySG               in ProxySG
                   request                                                         response
Identity           Identity           Identity            uncompressed object      Identity
gzip, deflate      gzip, deflate      Identity            uncompressed object;     gzip
                                                          gzip-compressed
gzip, deflate      gzip, deflate      gzip                No uncompressed object;  gzip
                                                          gzip-compressed
gzip, deflate,     gzip, deflate      gzip                No uncompressed object;  gzip
compress                                                  gzip-compressed
gzip, deflate      gzip, deflate      compress (illegal   compress                 compress
                                      response)

Compression Exceptions
❐ The ProxySG appliance issues a transformation_error exception (HTTP
response code 403) when the server sends an unknown encoding and the
appliance is configured to do content transformation.
❐ The ProxySG appliance issues an unsupported_encoding exception (HTTP
response code 415 - Unsupported Media Type) when the appliance is unable
to deliver content due to configured policy.
The messages in the exception pages can be customized. For information on using
exception pages, refer to the Advanced Policy Tasks chapter, Section E, of the
Visual Policy Manager Reference.

Configuring Compression
Compression behavior can only be configured through policy—VPM or CPL.

Using VPM to Configure Compression Behavior

Three objects can be used to configure compression and compression levels
through VPM:
❐ Client HTTP compression object: Allows you to determine the behavior when
the client wants the content in a different form than is in the cache.
❐ Server HTTP compression object: Allows you to enable or disable
compression and to set options.
❐ HTTP compression level object: Allows you to set a compression level of low,
medium, or high.
Complete the following steps to manage server and client HTTP compression and
compression levels.

To add or edit client compression:

1. Create a Web Access Layer:
a. From the Management Console, select Configuration > Policy > Visual
Policy Manager; click Launch.

b. Select Policy > Add Web Access Layer from the menu of the Blue Coat
VPM window that appears.
c. Type a layer name into the dialog that appears and click OK.
2. Add an Action object:
a. Right click on the item in the Action column; select Set.
b. Click New in the Set Action Object dialog that appears; select Set Client
HTTP Compression.

c. Select the compression options you want to use; click OK.
d. Click OK again; close the VPM window and click Yes in the dialog to
save your changes.

To add or edit server compression:

1. Create a Web Access Layer:
a. From the Management Console, select Configuration > Policy > Visual
Policy Manager; click Launch.

b. Select Policy > Add Web Access Layer from the menu of the Blue Coat
VPM window that appears.
c. Type a layer name into the dialog that appears and click OK.
2. Add an Action object:
a. Right click on the item in the Action column; select Set.
b. Click New in the Set Action Object dialog that appears; select Set Server
HTTP Compression.

c. Select compression options; click OK.
d. Click OK again; close the VPM window and click Yes in the dialog to
save your changes.

Using VPM to Set HTTP Compression Levels

You can control the compression level based on any transaction condition (such as
the client IP address, the hostname, request/response headers, and the like).

To set compression levels:

1. Create a Web Access Layer:
• From the Management Console, select Configuration > Policy > Visual Policy
Manager; click Launch.

• Select Policy > Add Web Access Layer from the menu of the Blue Coat VPM
window that appears.
• Type a layer name into the dialog that appears and click OK.
2. Add an Action object:
• Right click on the item in the Action column; select Set.
• Click New in the Set Action Object dialog that appears; select Set HTTP
Compression Level.

• Select the compression level needed; click OK.
• Click OK again; close the VPM window and click Yes in the dialog to save your
changes.

Using Policy to Configure Compression Behavior

Compression and decompression are allowed if compression is enabled. If
compression is not enabled, neither compression nor decompression are allowed.
Policy controls the compression or decompression of content on the ProxySG
appliance. If compression is turned off, uncompressed content is served to the
client if a compressed variant is not available. If decompression is disabled, an
uncompressed version is fetched from the OCS if the variant does not exist and
the client requested uncompressed content.

Note: The ProxySG appliance decompresses the content if transformation is to be
applied, even if the compression is not enabled.

You can use server-side or client-side controls to manage compression through
policy, as described in the following table.

Table 8–6 Compression Properties

Compression Properties                                     Description
http.allow_compression(yes | no)                           Allow the ProxySG appliance to compress
                                                           content on demand if needed.
http.allow_decompression(yes | no)                         Allow the ProxySG appliance to
                                                           decompress content on demand if needed.
http.compression_level(low | medium | high)                Set the compression level to be low (1),
                                                           medium (6), or high (9). Low is the default.
http.server.accept_encoding(client)                        Turn on only client encodings.
http.server.accept_encoding(identity)                      Turn off all encodings.
http.server.accept_encoding(all)                           Turn on all supported encodings, including
                                                           the client’s encodings.
http.server.accept_encoding(gzip, deflate)                 Send specific encodings (order sensitive).
http.server.accept_encoding(gzip, client)                  Send specific encodings (order sensitive).
http.server.accept_encoding.gzip(yes | no)                 Add/remove an encoding.
http.server.accept_encoding[gzip, deflate, identity](yes | no)
                                                           Add/remove a list of encodings.
http.server.accept_encoding.allow_unknown(yes | no)        Allow/disallow unknown encodings.
http.client.allow_encoding(identity);                      Allow no encodings (send uncompressed).
http.client.allow_encoding(client);                        Allow all client encodings. This is the
                                                           default.
http.client.allow_encoding(gzip, deflate);                 Allow a fixed set of encodings.
http.client.allow_encoding(gzip, client);                  Allow a fixed set of encodings.
http.client.allow_encoding.gzip(yes | no);                 Add/remove one encoding.
http.client.allow_encoding[gzip, deflate, identity](yes | no);
                                                           Add/remove a list of encodings.

Default Behavior
By default, Blue Coat sends the client’s list of accept-encoding algorithms,
except for unknown encodings. If compression is not enabled, the default
overrides any configured CPL policy.
If Accept-Encoding request header modification is used, it is overridden by the
compression-related policy settings shown in Table 8–6. The Accept-Encoding
header modification can continue to be used if no compression policies are
applied, or if compression is not enabled. Otherwise, the compression-related
policies override any Accept-Encoding header modification, even if the
Accept-Encoding header modification appears later in the policy file.
Whether adding an encoding with client-side controls takes effect depends on
whether the client originally listed that encoding in its Accept-Encoding header.
If so, these encodings are added to the list of candidates to be delivered to the
client. The first cache object with an Accept-Encoding match to the client-side
list is the one that is delivered.

Suggested Settings for Compression


❐ If client-side bandwidth is expensive in your environment, use the following
policy:
<proxy>
http.client.allow_encoding(client)
http.allow_compression(yes)

❐ If server-side bandwidth is expensive in your environment, compared to
client-side bandwidth and CPU:
<proxy>
http.server.accept_encoding(all)
http.server.accept_encoding.allow_unknown(no) ; default
http.allow_compression(yes)
http.allow_decompression(yes)

❐ If CPU is expensive in your environment, compared to server-side and
client-side bandwidth, use one of the two accept_encoding settings below,
depending on whether content transformation policy is configured:
<proxy>
http.server.accept_encoding(client) ; if no content transformation policy is configured
http.server.accept_encoding(identity) ; if content transformation policy is configured
http.allow_compression(no) ; default
http.allow_decompression(no) ; default

Notes
❐ Policy-based content transformations are not stored as variant objects. If
content transformation is configured, it is applied on every cache hit, and the
transformed object is then compressed on each request if policy calls for
compression.
❐ The variant that is available in the cache is served, even if the client
requests a compression choice with a higher qvalue. For example, if a client
requests Accept-Encoding: gzip;q=1, deflate;q=0.1, and only a deflate-compressed
object is available in the cache, the deflate-compressed object is served.
❐ The HTTP proxy ignores the Cache-Control: no-transform directive from the OCS.
To honor it, write policy that disallows compression and decompression when the
Cache-Control: no-transform response header is present.
❐ The ProxySG appliance treats multiple content encodings (for example, gzip,
deflate or gzip, gzip) as an unknown encoding. (These values indicate that the
content has been compressed twice.)
❐ The gzip and deflate formats are treated as completely separate and are not
converted from one to the other.
❐ Blue Coat recommends using gzip encoding (or allowing both gzip and deflate)
when using the HTTP compression feature.
❐ If the ProxySG appliance receives content with an unknown content encoding
and content transformation is configured (such as popup blocking), an error
results.
❐ If the origin server provides compressed content at a different compression
level than the one specified in policy, the content is not re-compressed.
❐ If the ProxySG appliance compressed and cached content at a different
compression level than the level specified in a later transaction, the content
is not re-compressed.
❐ Parsing of container HTML pages occurs on the server side, so pipelining
(prefetching) does not work when the server provides compressed content.
❐ Compressing a zip file breaks some browser versions, and compressing images
provides no performance gain. For a current list of content types that are not
compressed, refer to the Release Notes.
❐ All responses from the server can be compressed, but requests to the server,
such as POST requests, cannot.
❐ Only 200 OK responses can be compressed.
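The following Python model, added here as an illustration and not taken from SGOS or its documentation, works through the Accept-Encoding semantics of Table 8–6 and the notes above: how the server-side accept_encoding modes (client, identity, all, and an ordered list with a client token) and allow_unknown shape the header sent upstream, why stacked Content-Encoding values count as unknown, and why a cached deflate variant is served to a client that prefers gzip. The function names, the SUPPORTED and KNOWN tuples and the exact ordering rules are assumptions made for the example; verify them against your appliance before relying on them.

```python
"""Model of the Accept-Encoding handling described above (illustration only, not SGOS code)."""
from __future__ import annotations

SUPPORTED = ("gzip", "deflate")        # codings the appliance can produce (assumption)
KNOWN = SUPPORTED + ("identity",)       # tokens that are not treated as "unknown"


def parse_accept_encoding(header: str) -> list[tuple[str, float]]:
    """Split 'gzip;q=1, deflate;q=0.1' into [('gzip', 1.0), ('deflate', 0.1)]."""
    result: list[tuple[str, float]] = []
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        coding, _, params = item.partition(";")
        q = 1.0
        for param in params.split(";"):
            name, _, value = param.strip().partition("=")
            if name.lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0          # malformed qvalue: treat the coding as not acceptable
        result.append((coding.strip().lower(), q))
    return result


def _dedupe(tokens: list[str]) -> list[str]:
    seen: set[str] = set()
    out: list[str] = []
    for token in tokens:
        if token not in seen:
            seen.add(token)
            out.append(token)
    return out


def server_accept_encoding(client_header: str, mode, allow_unknown: bool = False) -> str:
    """Build the Accept-Encoding header the proxy sends to the origin server.

    mode mirrors http.server.accept_encoding(...): 'client', 'identity', 'all',
    or an ordered list such as ['gzip', 'client'].  allow_unknown mirrors
    http.server.accept_encoding.allow_unknown(yes | no).
    """
    client = [c for c, q in parse_accept_encoding(client_header) if q > 0]
    if not allow_unknown:                      # drop codings the proxy does not understand
        client = [c for c in client if c in KNOWN]
    if mode == "identity":                     # turn off all encodings
        return "identity"
    if mode == "client":                       # only what the client asked for
        tokens = client
    elif mode == "all":                        # everything supported, plus the client's list
        tokens = list(SUPPORTED) + client
    else:                                      # explicit, order-sensitive list
        tokens = []
        for token in mode:
            tokens.extend(client if token == "client" else [token])
    return ", ".join(_dedupe(tokens)) or "identity"


def classify_content_encoding(header: str) -> str:
    """Classify a response Content-Encoding as the notes describe: one known
    coding, 'identity' when absent, or 'unknown' (including stacked codings
    such as 'gzip, deflate', which the proxy treats as unknown)."""
    codings = [c.strip().lower() for c in header.split(",") if c.strip()]
    if not codings:
        return "identity"
    if len(codings) > 1 or codings[0] not in KNOWN:
        return "unknown"
    return codings[0]


def select_cached_variant(client_header: str, cached: set[str]) -> str | None:
    """Return the variant to serve: the first coding in the client's list (in
    listed order; qvalues only matter when q=0) that exists in the cache."""
    for coding, q in parse_accept_encoding(client_header):
        if q > 0 and coding in cached:
            return coding
    return None


if __name__ == "__main__":
    print(server_accept_encoding("gzip, br", "client"))                    # gzip
    print(select_cached_variant("gzip;q=1, deflate;q=0.1", {"deflate"}))  # deflate
```

Run it with a client header of your own and the mode you intend to deploy; the returned string is what the origin server would see, which makes it easy to check a proposed policy against the "CPU is expensive" and "server-side bandwidth is expensive" recommendations before committing it.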

228
Section H: Viewing HTTP/FTP Statistics
This section discusses the following topics:
❐ "HTTP/FTP History Statistics"
❐ "Viewing the Number of HTTP/HTTPS/FTP Objects Served"
❐ "Viewing the Number of HTTP/HTTPS/FTP Bytes Served" on page 231
❐ "Viewing Active Client Connections" on page 232
❐ "Viewing HTTP/HTTPS/FTP Client and Server Compression Gain Statistics"
on page 233
❐ "Disabling the Proxy-Support Header" on page 235

HTTP/FTP History Statistics


The HTTP/FTP History tabs display bar graphs that illustrate the last 60 minutes, 24
hours, and 30 days for the number of objects served, bytes served, active clients,
and client and server compression gain statistics associated with the HTTP,
HTTPS, and FTP protocols. The overall client and server compression-gain
statistics are displayed under System Usage.

Note: You can view current HTTP statistics through the CLI using the show http-
stats command.

229
Section 1 Viewing the Number of HTTP/HTTPS/FTP Objects Served
The HTTP/HTTPS/FTP Objects tab illustrates the device activity over the last 60
minutes, 24 hours, and 30 days. These charts illustrate the total number of objects
served from either the cache or from the Web.
The maximum number of objects that can be stored on a ProxySG is affected by a
number of factors, including the SGOS version it is running and the hardware
platform series.

To view the number of HTTP/HTTPS/FTP objects served:


1. From the Management Console, select Statistics > Protocol Details > HTTP/FTP
History > HTTP/HTTPS/FTP Objects.

2. Select the Duration: from the drop-down list.

3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.

230
Section 2 Viewing the Number of HTTP/HTTPS/FTP Bytes Served
The HTTP/HTTPS/FTP Bytes tab shows the sum total of the number of bytes served
from the device over the last 60 minutes, 24 hours, and 30 days. The chart shows
the total number of bytes for objects served by the device, including both cache
hits and cache misses.

To view the number of HTTP/HTTPS/FTP bytes served:


1. From the Management Console, select Statistics > Protocol Details > HTTP/FTP
History > HTTP/HTTPS/FTP Bytes.

2. Select the Duration: from the drop-down list.

3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.

231
Section 3 Viewing Active Client Connections
The HTTP/HTTPS/FTP Clients tab shows the maximum number of clients with
requests processed over the last 60 minutes, 24 hours, and 30 days. This does not
include idle client connections (connections that are open but that have not made
a request). These charts allow you to monitor the maximum number of active
clients accessing the ProxySG at any one time. In conjunction with the HTTP/
HTTPS/FTP Objects and HTTP/HTTPS/FTP Bytes tabs, you can determine the
number of clients supported based on load, or load requirements for your site
based on a specific number of clients.

To view the number of active clients:


1. From the Management Console select Statistics > Protocol Details > HTTP/FTP
History > HTTP/HTTPS/FTP Clients.

2. Select the Duration: from the drop-down list.

3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.

232
Section 4 Viewing HTTP/HTTPS/FTP Client and Server Compression
Gain Statistics
Under HTTP/FTP History, you can view HTTP/FTP client and server
compression-gain statistics for the ProxySG over the last 60 minutes, 24 hours,
and 30 days in the Client Comp. Gain and the Server Comp. Gain tabs. Overall
client and server compression-gain statistics are displayed under System Usage.
These statistics are not available through the CLI.
The green display on the bar graph represents uncompressed data; the blue
display represents compressed data. Hover your cursor over the graph to see the
compressed gain data.
See one of the following sections for more information:
❐ "Viewing HTTP/FTP Client Compressed Gain Statistics"
❐ "Viewing HTTP/FTP Server Compressed Gain Statistics" on page 234

Viewing HTTP/FTP Client Compressed Gain Statistics


To view HTTP/FTP client compressed gain statistics:
1. From the Management Console, select Statistics > Protocol Details > HTTP/FTP
History > Client Comp. Gain.

2. Select the Duration: from the drop-down list.

3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.

See Also
"Viewing HTTP/HTTPS/FTP Client and Server Compression Gain Statistics" on
page 233

233
Viewing HTTP/FTP Server Compressed Gain Statistics
To view HTTP/FTP server compressed gain statistics:
1. From the Management Console, select Statistics > Protocol Details > HTTP/FTP
History > Server Comp. Gain.

2. Select the Duration: from the drop-down list.

3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.

See Also
"Viewing HTTP/HTTPS/FTP Client and Server Compression Gain Statistics" on
page 233

234
Section I: Supporting IWA Authentication in an Explicit HTTP Proxy
Internet Explorer does not allow IWA authentication through a ProxySG when
explicitly proxied. To facilitate this authentication, Blue Coat added a Proxy-
Support: Session-based-authentication header. By default, when the ProxySG
receives a 401 authentication challenge from upstream, it sends the Proxy-
Support: Session-based-authentication header in response.
The Proxy-Support header is not supported if:
❐ you are using an older browser (Refer to the SGOS Release Notes for supported
browser versions).
❐ both the ProxySG and the OCS perform IWA authentication.
In either case, Blue Coat recommends that you disable the header and enable
Force IWA for Server Authentication. The Force IWA for Server Authentication action
converts the 401-type server authentication challenge to a 407-type proxy
authentication challenge, which Internet Explorer supports. The ProxySG also
converts the resulting Proxy-Authorization headers in client requests to standard
server Authorization headers, which allows an IWA authentication challenge to
pass through when Internet Explorer is explicitly proxied through the appliance.

Disabling the Proxy-Support Header


The Proxy-Support header is sent by default when an explicitly configured
ProxySG receives a 401 authentication challenge from upstream.
The header modification policy allows you to suppress or modify the Proxy-
Support custom header, and prevents the ProxySG from sending this default
header. Use either the Visual Policy Manager (VPM) or CPL to disable the header
through policy. For complete information on using VPM, refer to Visual Policy
Manager Reference.

Note: To suppress the Proxy-Support header globally, use the http force-ntlm
command to change the option. To suppress the header only in certain situations,
continue with the procedures below.

To suppress the proxy-support header through the VPM:


1. In a Web Access Layer, right click in the Action field and select Set. The Set
Action dialog displays.
2. Click New to see the drop-down list; select Control Response Header.

235

3. Fill in the fields as follows:


a. Name: Enter a meaningful name.
b. Show: Select Custom from the drop-down list.
c. Header Name: Enter Proxy-Support.
d. Verify Suppress is selected.
4. Click OK.
5. Click Apply.

To suppress the proxy-support header through CPL:


Use CPL to define the Proxy-Support custom header object and to specify what
action to take. The example below uses Proxy-Support as the action name, but
you can choose any name meaningful to you. The result of this action is to
suppress the Proxy-Support header.
<Proxy>
action.Proxy-Support(yes)

define action Proxy-Support
delete(response.x_header.Proxy-Support)
end action Proxy-Support
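To make the header handling in this section concrete, here is a small Python model, written for this page and not taken from SGOS, of what happens to an upstream 401 and to the client's reply: by default the appliance adds Proxy-Support: Session-based-authentication to the 401 (unless you suppress it as above); with Force IWA for Server Authentication it instead turns the 401 into a 407 and later maps the client's Proxy-Authorization back to Authorization. The function names are assumptions, and so is the choice to apply the 401-to-407 conversion only to NTLM and Negotiate challenges; the page does not state how the appliance treats other schemes.

```python
"""Model of the IWA challenge handling described in Section I (illustration only, not SGOS code)."""
from __future__ import annotations

IWA_SCHEMES = ("ntlm", "negotiate")            # schemes used by Integrated Windows Authentication
PROXY_SUPPORT = "Session-based-authentication"  # value of the Proxy-Support header the page describes


def _get(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _is_iwa(value: str | None) -> bool:
    """True when a challenge or credential string uses an IWA scheme."""
    return bool(value) and value.split()[0].lower() in IWA_SCHEMES


def rewrite_server_response(status: int, headers: dict[str, str],
                            force_iwa: bool = False,
                            suppress_proxy_support: bool = False) -> tuple[int, dict[str, str]]:
    """Apply the default and optional handling to an origin server's response.

    Default: a 401 gains 'Proxy-Support: Session-based-authentication'.
    force_iwa (Force IWA for Server Authentication): an IWA 401 becomes a 407,
    with WWW-Authenticate moved to Proxy-Authenticate, so Internet Explorer
    answers the challenge through the explicit proxy.
    """
    if status != 401:
        return status, dict(headers)               # nothing to do for other responses
    challenge = _get(headers, "WWW-Authenticate")
    if force_iwa and _is_iwa(challenge):
        out = {k: v for k, v in headers.items() if k.lower() != "www-authenticate"}
        out["Proxy-Authenticate"] = challenge       # server challenge becomes a proxy challenge
        return 407, out
    out = dict(headers)
    if not suppress_proxy_support:                 # the policy action above suppresses this
        out["Proxy-Support"] = PROXY_SUPPORT
    return 401, out


def rewrite_client_request(headers: dict[str, str], force_iwa: bool) -> dict[str, str]:
    """With Force IWA enabled, turn the client's answer to the 407
    (Proxy-Authorization) back into the Authorization header the origin server expects."""
    creds = _get(headers, "Proxy-Authorization")
    if not force_iwa or not _is_iwa(creds):
        return dict(headers)
    out = {k: v for k, v in headers.items() if k.lower() != "proxy-authorization"}
    out["Authorization"] = creds
    return out


if __name__ == "__main__":
    # constructed sample exchange, not a captured one
    print(rewrite_server_response(401, {"WWW-Authenticate": "NTLM"}, force_iwa=True))
    print(rewrite_client_request({"Proxy-Authorization": "NTLM TlRMTVNTUAAB", "Host": "app"}, True))
```

When troubleshooting an explicit-proxy IWA failure, compare a packet capture of the real exchange against this model: a 401 reaching the browser with no Proxy-Support header and no 407 conversion is the symptom that neither mechanism is in effect.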

236
Section J: Supporting Authentication on an Upstream Explicit Proxy
Proxy chaining can cause problems in HTTPS configurations. When an upstream
proxy requires proxy authentication, a timeout can occur because, by the time
the proxy authentication challenge is issued in response to the HTTP CONNECT
request, the client has already established an unauthenticated connection to
the downstream proxy (which may or may not be a ProxySG).
To avoid this issue, use (command) when protocol detection (protocol_detect) is
enabled. The HTTP proxy then challenges the client for proxy credentials on
every CONNECT request. When the upstream proxy receives the client's
Proxy-Authorization header and authorizes the request, it returns 200 OK and
forwards the request to the server.
Encrypted Tap (see Section E, "Tapping Decrypted Data with Encrypted Tap", in
Chapter 9) also works with this configuration.

Deployment Scenarios
Use this configuration when the ProxySG is inserted between a client and an
explicit upstream proxy that is configured to require authentication. It can
also help in transparent deployments.
• Explicit downstream: The ProxySG supports authentication to the client
for SSL/HTTPS traffic, with an upstream proxy that is not under your
control performing the authentication.
• Transparent downstream: The ProxySG, deployed transparently, supports
authentication to the client for SSL/HTTPS traffic, with an upstream
proxy performing the authentication. For example, in a chain where two
proxies are configured transparently as accelerators and a third further
upstream functions explicitly, authentication requests may not reach their
destinations.

237
Section K: Detect and Handle WebSocket Traffic
The Internet Engineering Task Force (IETF) standardized the WebSocket protocol
in 2011 (RFC 6455). WebSocket provides a full-duplex (simultaneous two-way)
communication channel over a single TCP connection, and the protocol is designed
to work through HTTP proxy servers: a client configured to use a proxy opens the
connection with an HTTP CONNECT request and tunnels the WebSocket traffic
through the proxy.
To upgrade an HTTP connection to a newer HTTP version or use another protocol
such as WebSocket, a client sends a request with Upgrade, Connection, and other
relevant headers. Previous versions of SGOS did not allow WebSocket
handshakes to complete, but supported versions allow the handshake to complete
successfully. This version also detects WebSocket traffic and allows you to
perform specific policy actions.
When the appliance detects a WebSocket request in the HTTP/S request, the
Active Sessions tab in the Management Console indicates that the traffic is
WebSocket. Use the filter Protocol > WebSocket.
To differentiate WebSocket traffic in the access-log, use the TCP_WEBSOCKET value in
the s-action field. You can determine if the traffic was plain WebSocket or secure
WebSocket by looking at the scheme (HTTP or HTTPS).

238
Section 5 How the ProxySG Appliance Handles an Upgrade Request
Refer to the following overviews of how the ProxySG appliance handles a
WebSocket upgrade request in transparent proxy and in explicit proxy. For more
information on the policy condition mentioned in the following overviews, refer
to the Content Policy Language Reference and the Visual Policy Manager Reference.

Upgrade Request in Transparent Mode

a. The browser sends a protocol upgrade request to the proxy.
b. The HTTP proxy receives the upgrade request.
c. If the Upgrade header has the single value websocket, the HTTP proxy
begins a WebSocket handshake by forwarding the Upgrade and Connection
headers upstream to upgrade the connection protocol. In this case, the
tunneled=yes and http.websocket=yes conditions evaluate to true.
d. Policy runs and evaluates the request. If the request is allowed, the
proxy takes the next step depending on the response code:
• If the HTTP response code is 101 ("Switching Protocols"), the proxy
tunnels the connection.
• If the HTTP response code is any other successful (2xx) code, the proxy
returns a 400 Bad Request exception to indicate that the origin content
server (OCS) did not understand the upgrade request.
• In all other cases, the proxy returns the server's standard HTTP response
and does not tunnel the request.

Note: The appliance evaluates all policy that applies to a transaction
during the initial upgrade request.

Upgrade Request in Explicit Mode


a. The browser sends an HTTP CONNECT request to the proxy.
b. The HTTP proxy receives the HTTP CONNECT request.
c. If Detect Protocol is enabled on the HTTP proxy, the request is
forwarded to the HTTP proxy.
If Detect Protocol is disabled on the HTTP proxy and policy does not allow
HTTP CONNECT requests, the appliance treats the request as if
force_protocol(http) were set in policy. The request is thus forwarded to
the HTTP proxy, allowing the appliance to evaluate policy on (and possibly
allow) tunneled HTTP traffic, such as WebSocket requests, while blocking
non-HTTP protocols sent over HTTP CONNECT.
If Detect Protocol is disabled on the HTTP proxy and HTTP CONNECT is
allowed in policy, the request is TCP-tunneled.
d. (If the protocol is secure WebSocket) If Detect Protocol for SSL is
disabled, the request is TCP-tunneled. If Detect Protocol for SSL is
enabled, the request is forwarded to the SSL proxy.
(On the SSL proxy) If HTTPS interception is disabled, the request is SSL-
tunneled. If HTTPS interception is enabled, the request is forwarded to the
HTTPS proxy.
The proxy detects the Upgrade: websocket header and begins a WebSocket
handshake. The tunneled=yes and http.websocket=yes conditions evaluate to
true.

Note: The appliance evaluates all policy that applies to a transaction
during the initial upgrade request.
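The following Python example, added here and not part of SGOS or this guide, models the decision the overviews above describe (single-valued Upgrade: websocket triggers the handshake; 101 is tunneled, any other 2xx yields a 400 exception, everything else passes through) and goes one step beyond the page by verifying the Sec-WebSocket-Accept value of the 101 response against the client's Sec-WebSocket-Key as RFC 6455 specifies. The page does not say that the appliance performs that verification; it is included because it is the check you would run when confirming that a proxy in the path has tunneled a real WebSocket handshake rather than something that merely looks like one. Function names and the sample headers are constructed for the example; the key/accept pair is the worked example from RFC 6455.

```python
"""WebSocket upgrade handling modelled on Section K (illustration only, not SGOS code)."""
from __future__ import annotations

import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed GUID defined by RFC 6455


def _get(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _tokens(value: str | None) -> list[str]:
    return [t.strip().lower() for t in (value or "").split(",") if t.strip()]


def is_websocket_upgrade(request_headers: dict[str, str]) -> bool:
    """True when Upgrade has the single value 'websocket' and Connection lists
    'upgrade': the case in which tunneled=yes and http.websocket=yes hold."""
    return (_tokens(_get(request_headers, "Upgrade")) == ["websocket"]
            and "upgrade" in _tokens(_get(request_headers, "Connection")))


def expected_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(Sec-WebSocket-Key + GUID)) per RFC 6455."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def proxy_action(status: int, request_headers: dict[str, str],
                 response_headers: dict[str, str]) -> str:
    """Decide what the proxy does with the origin server's answer to an allowed
    upgrade request: 101 is tunneled (after the extra handshake check below),
    any other 2xx becomes a 400 Bad Request exception, everything else is the
    server's own response with no tunnel."""
    if status == 101:
        key = _get(request_headers, "Sec-WebSocket-Key") or ""
        if _get(response_headers, "Sec-WebSocket-Accept") != expected_accept(key):
            return "reject: Sec-WebSocket-Accept does not match the client key"
        return "tunnel"
    if 200 <= status < 300:
        return "400 Bad Request: OCS did not understand the upgrade request"
    return f"pass through {status}"


if __name__ == "__main__":
    # constructed sample handshake; key and accept values are the RFC 6455 example pair
    req = {"Upgrade": "websocket", "Connection": "Upgrade",
           "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==", "Sec-WebSocket-Version": "13"}
    resp = {"Upgrade": "websocket", "Connection": "Upgrade",
            "Sec-WebSocket-Accept": "s3pPLMBiTxaQ9kYGzzhZRbK+xOo="}
    print(is_websocket_upgrade(req), proxy_action(101, req, resp))   # True tunnel
```

Paired with the TCP_WEBSOCKET s-action value in the access log, this gives you both halves of a verification: the log shows that the appliance classified the transaction as WebSocket, and the accept-key check shows that the 101 it tunneled was a genuine handshake.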

240
Section 6 Feature Limitations
❐ The appliance does not perform ICAP scanning (either REQMOD or
RESPMOD) on transactions using the WebSocket protocol.
❐ You must import the appliance’s signing certificate authority (CA) certificate
into the browser to prevent a trust error from occurring when the appliance
intercepts HTTPS and detects WebSocket over HTTPS.

241
242
Chapter 9: Managing the SSL Proxy

This chapter discusses the ProxySG SSL proxy.

Topics in this Chapter


This chapter includes information about the following topics:
❐ Section A: "Intercepting HTTPS Traffic" on page 247
❐ Section B: "Configuring SSL Rules through Policy" on page 256
❐ Section C: "Viewing SSL Statistics" on page 261
❐ Section D: "Using STunnel" on page 264
❐ Section E: "Tapping Decrypted Data with Encrypted Tap" on page 270
❐ Section F: "Working with an HSM Appliance" on page 273
❐ Section G: "Advanced Topics" on page 278
For information on Certificate Authority (CA) certificates, keyrings, and key
pairs, see Chapter 73: "Authenticating a ProxySG Appliance" on page 1473.

About the SSL Proxy


HTTPS traffic poses a major security risk to enterprises. Because the SSL content is
encrypted, it cannot be monitored by normal means. This enables users to bring in
viruses, access forbidden sites, or leak confidential business information over the
HTTPS connection on port 443.
The SSL proxy intercepts, decrypts and re-encrypts HTTPS traffic (in explicit and
transparent modes) so that security measures such as authentication, virus
scanning, and URL filtering, and performance enhancements such as HTTP
caching can be applied to HTTPS content. Additionally, the SSL proxy validates
server certificates presented by various HTTPS sites at the gateway and offers
information about the HTTPS traffic in the access log.
The SSL proxy tunnels all HTTPS traffic by default unless there is an exception,
such as a certificate error or a policy denial. In such cases, the SSL proxy intercepts
the SSL connection and sends an error page to the user. The SSL proxy also
enables interception of HTTPS traffic for monitoring purposes.
The SSL proxy can perform the following operations while tunneling HTTPS
traffic.
❐ Validate server certificates, including revocation checks using Certificate
Revocation Lists (CRLs).
❐ Check various SSL parameters such as cipher and version.
❐ Log useful information about the HTTPS connection.
When the SSL proxy is used to intercept HTTPS traffic, it can also:

243
❐ Cache HTTPS content.
❐ Apply HTTP-based authentication mechanism.
❐ Send decrypted data to a configured ICAP Antivirus appliance for virus
scanning and URL filtering.
❐ Apply granular policy (such as validating mime type and filename extension).

IPv6 Support
The SSL proxy is able to communicate using either IPv4 or IPv6, either explicitly
or transparently.
In addition, for any service that uses the SSL proxy, you can create listeners that
bypass or intercept connections for IPv6 sources or destinations.

Validating the Server Certificate


The SSL proxy can perform the following checks on server certificates:
❐ Verification of issuer signature.
❐ Verification of certificate dates.
❐ Comparison of the host name in the URL with the host name in the certificate
(intercepted connections only).
Host names in server certificates are important because the SSL proxy can
identify a Web site from the server certificate alone if the host name is in
the certificate. Most HTTPS sites put the name of the site in the server
certificate, historically as the common name (CN) and, in current
certificates, in the subjectAltName (SAN) extension, which takes precedence
over the CN when both are present.
❐ Verification of revocation status.
To mimic the overrides supported by browsers, the SSL proxy can be
configured to ignore failures in issuer signature verification, certificate
date checks, and the comparison of the host name in the URL with the
certificate.
The ProxySG appliance trusts all root CA certificates that are trusted by Internet
Explorer and Firefox. This list is updated to stay in sync with the latest versions
of IE and Firefox.

Checking CRLs
An additional check on the server certificate is done through Certificate
Revocation Lists (CRLs). A CRL lists the certificates that its issuing
certificate authority (CA) has revoked before their expiry; CRLs are created and
maintained by the CAs that issued the original certificates.
Only CRLs that are issued by a trusted issuer can be used by the ProxySG
appliance. The CRL issuer certificate must exist as a CA certificate on the
ProxySG appliance before the CRL can be imported.
The ProxySG appliance allows:
❐ One local CRL per certificate issuing authority.
❐ Import of a CRL that has expired; a warning is displayed in the log.
❐ Import of a CRL whose effective date is in the future; a warning is
displayed in the log.
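As an added illustration of the checks listed in "Validating the Server Certificate" and "Checking CRLs" above (this is example code written for this page, not SGOS code), the following Python implements host-name matching with the usual wildcard rules (the wildcard must be the whole leftmost label, it matches exactly one label, names like *.com are refused, and IP addresses never wildcard-match), the validity-date check, a CRL lookup by issuer and serial number, and the override behaviour the page describes, in which signature, date and host-name failures can be ignored but a revocation failure cannot. Signature verification itself needs a cryptographic library, so membership of the issuer in a trusted list stands in for it here; that substitution, the CertInfo fields, the sample data and the function names are all assumptions of the example.

```python
"""Server-certificate checks modelled on the list above (illustration only, not SGOS code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CertInfo:
    """The parts of a server certificate the checks below look at (assumed shape)."""
    subject_cn: str
    not_before: datetime
    not_after: datetime
    issuer: str
    serial: int
    san_dns: list[str] = field(default_factory=list)


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Compare one certificate name with the host name taken from the URL."""
    cert = cert_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in cert:
        return cert == host
    if host.replace(".", "").isdigit():            # never wildcard-match an IP address
        return False
    cert_labels, host_labels = cert.split("."), host.split(".")
    if cert_labels[0] != "*" or len(cert_labels) < 3:  # wildcard must be the whole leftmost label
        return False                                    # and '*.com' style names are refused
    return len(cert_labels) == len(host_labels) and cert_labels[1:] == host_labels[1:]


def cert_hostnames(cert: CertInfo) -> list[str]:
    """SAN dNSName entries take precedence; the CN is used only without a SAN."""
    return list(cert.san_dns) if cert.san_dns else [cert.subject_cn]


IGNORABLE = frozenset({"issuer", "dates", "hostname"})   # the three overrides the page lists


def check_server_certificate(cert: CertInfo, url_host: str, trusted_issuers: set[str],
                             revoked: dict[str, set[int]], now: datetime,
                             ignore: frozenset[str] = frozenset()) -> list[str]:
    """Return the failed checks that remain after applying the configured overrides.
    'revoked' is never dropped, whatever 'ignore' contains."""
    failures: list[str] = []
    if cert.issuer not in trusted_issuers:            # stands in for signature verification
        failures.append("issuer")
    if not (cert.not_before <= now <= cert.not_after):
        failures.append("dates")
    if not any(hostname_matches(n, url_host) for n in cert_hostnames(cert)):
        failures.append("hostname")
    if cert.serial in revoked.get(cert.issuer, set()):  # CRL lookup: one CRL per issuer
        failures.append("revoked")
    return [f for f in failures if f not in (ignore & IGNORABLE)]


# constructed sample data for demonstrations; none of it is a real certificate
SAMPLE_NOW = datetime(2017, 3, 1, tzinfo=timezone.utc)


def sample_cert(cn: str, san: list[str] | None = None, *, expired: bool = False,
                issuer: str = "Example CA", serial: int = 4711) -> CertInfo:
    end = datetime(2016 if expired else 2018, 12, 31, tzinfo=timezone.utc)
    return CertInfo(cn, datetime(2016, 1, 1, tzinfo=timezone.utc), end, issuer, serial, san or [])


if __name__ == "__main__":
    cert = sample_cert("www.example.com", ["*.example.com"])
    print(check_server_certificate(cert, "shop.example.com", {"Example CA"}, {}, SAMPLE_NOW))  # []
    print(check_server_certificate(sample_cert("www.example.com", expired=True),
                                   "www.example.com", {"Example CA"}, {}, SAMPLE_NOW))       # ['dates']
```

The SAN-over-CN rule matters when you write intercept policy on the server certificate host name: a certificate whose CN says one thing and whose SAN says another is identified by the SAN, and a categorization or intercept rule keyed on the CN alone can miss it.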

Working with SSL Traffic


The STunnel (SSL interception and tunnel) configuration intercepts all SSL traffic,
handing HTTPS traffic off to the HTTPS forward proxy for compression and
acceleration. Traffic decrypted by STunnel can be tapped and read by a third-
party application such as Wireshark or Snort.
Recommendations for intercepting traffic include:
❐ Intercept non-HTTPS SSL traffic for acceleration.
❐ Intercept any SSL traffic for tapping when you do not know which application
protocol runs over SSL.
❐ The HTTPS information in the next section applies as well.

Determining What HTTPS Traffic to Intercept


The SSL proxy tunnels HTTPS traffic by default; it does not intercept HTTPS
traffic.
Many existing policy conditions, such as destination IP address and port number,
can be used to decide which HTTPS connections to intercept.
Additionally, the SSL proxy allows the host name in the server certificate to be
used to make the decision to intercept or tunnel the traffic. The server certificate
host name can be used as is to make intercept decisions for individual sites, or it
can be categorized using any of the various URL databases supported by Blue
Coat.
Categorization of server certificate host names can help place the intercept
decision for various sites into a single policy rule.
Recommendations for intercepting traffic include:
❐ Intercept intranet traffic.
❐ Intercept suspicious Internet sites, particularly those whose server
certificate host name is categorized as none.
Recommendations for traffic not to intercept include traffic carrying sensitive
information, such as personal financial information.

Managing Decrypted Traffic


After the HTTPS connection is intercepted, you can apply:
❐ Anti-virus scanning over ICAP.
❐ URL filtering.
❐ Filtering based on the server certificate host name.
❐ Caching.

245
HTTPS applications that require browsers to present client certificates to secure
Web servers do not work if you are intercepting traffic, because the appliance
terminates the client's TLS session and the origin server never sees the
browser's certificate. To address this, you can create a policy rule to prevent
the interception of such applications, or add client certificates to the ProxySG
appliance and write policy to present the correct certificate.
If you configure the ProxySG appliance to intercept HTTPS traffic, be aware that
local privacy laws might require you to notify users about interception or
obtain their consent before intercepting. You can use the HTML Notify User
object to notify users after interception, or you can use consent certificates to
obtain consent before interception. HTML Notify User is the easiest option;
however, the ProxySG appliance must decrypt the first request from the user
before it can issue an HTML notification page.

Using the SSL Proxy with ADN Optimization


The SSL proxy can also be used as a split proxy, which requires two SSL proxies,
one at the branch and one at the core, working together. A split proxy can be
configured (see below) to implement functionality that is not possible in a
standalone proxy.
In this configuration, the SSL proxy supports ADN optimization on WAN
networks, and SSL traffic performance can be increased through ADN byte
caching. The branch proxy, which makes the intercept decisions, is configured
with both ADN optimization and SSL proxy functionality.
The concentrator proxy (a ProxySG appliance that provides access to data center
resources) does not require any configuration related to the SSL proxy. It only
requires the ADN configuration needed to apply byte caching to intercepted SSL
content. Beyond this, no special SSL proxy configuration is required for the
split-proxy deployment.

Branch proxy system configuration: ADN Optimization; Device Authentication and
Authorization; SSL Proxy Configuration; ADN Secure Tunnel.
Concentrator proxy system configuration: ADN Optimization; Device Authentication
and Authorization; ADN Secure Tunnel.

246
Section A: Intercepting HTTPS Traffic
Intercepting HTTPS traffic (by decrypting SSL connections at the ProxySG
appliance) allows you to apply security measures like virus scanning and URL
filtering. See “Configuring STunnel” on page 264 to intercept HTTPS using
STunnel.
Configuration to intercept HTTPS traffic requires the following tasks:
❐ A ProxySG SSL license is required before you can use the SSL proxy for
interception. You can verify the license in the Management Console under
Maintenance > Licensing.
❐ Determine whether you are using transparent or explicit mode. For
information on explicit versus transparent proxies, see Chapter 6: "Explicit
and Transparent Proxy" on page 119.
❐ Create an SSL service or HTTP/SOCKS services with protocol detection
enabled, depending on whether you are using transparent or explicit mode.
The Detect Protocol setting is disabled by default. For more information on
creating an SSL service, skip to "Configuring the SSL Proxy in Transparent
Proxy Mode" on page 248.
❐ Create or import an issuer keyring, which is used to sign emulated server
certificates to clients on the fly, allowing the SSL proxy to examine SSL
content. For more information on creating an issuer keyring, see "Specifying
an Issuer Keyring and CCL Lists for SSL Interception" on page 250.
❐ (Optional) Use the Notify User object or client consent certificates to notify users
that their requests are being intercepted and monitored. Whether this is
required depends on local privacy laws. The ProxySG appliance has to
decrypt the first request from the user to issue an HTML notification page. If
this is not desirable, use client consent certificates instead. For more
information on configuring the Notify User policy, refer to the Visual Policy
Manager Reference. For information on managing client consent certificates, see
"Using Client Consent Certificates" on page 251.
❐ Download CA certificates to desktops to avoid a security warning from the
client browsers when the ProxySG appliance is intercepting HTTPS traffic. For
information, see "Downloading an Issuer Certificate" on page 251.
❐ Using policy (VPM or CPL), create rules to intercept SSL traffic and to control
validation of server certificates. By default, such traffic is tunneled and not
intercepted. You must create suitable policy before intercepting SSL traffic. For
more information on using policy to intercept SSL traffic, see Section B:
"Configuring SSL Rules through Policy" on page 256.
❐ Configure the Blue Coat AV or other third-party ICAP vendor, if you have not
already done this. For more information on ICAP-based virus scanning, see
Chapter 23: "Configuring Threat Protection" on page 505 (Blue Coat AV) and
Chapter 24: "Malicious Content Scanning Services" on page 517.
❐ Configure the Blue Coat Web Filter (BCWF) or a third-party URL-filtering
vendor, if you have not already done this. For more information on
configuring BCWF, see Chapter 20: "Filtering Web Content" on page 409.

247
❐ Configure Access Logging. For more information on configuring access
logging, see "Configuring Access Logging" on page 607.
❐ Customize Exception Pages: To customize exception pages (in case of server
certificate verification failure), refer to the Advanced Policy Tasks chapter, Section
E, of the Visual Policy Manager Reference.

Configuring the SSL Proxy in Transparent Proxy Mode


Proxy services are configured from the Management Console or the CLI. If using
the SSL proxy in transparent mode, continue with this section.
If you are using the SSL proxy in explicit mode, you might need an HTTP proxy
or a SOCKS proxy. For information on configuring an SSL proxy in explicit mode,
see "Configuring the SSL Proxy in Explicit Proxy Mode" on page 249.
You can use a TCP Tunnel service in transparent mode to get the same
functionality. A TCP tunnel service is useful when you have a combination of SSL
and non-SSL traffic going over port 443 and you do not want to break the non-SSL
traffic. The SSL service requires that all requests to its port be SSL.

To configure an SSL service in transparent proxy mode:


1. From the Management Console, select the Configuration > Services > Proxy
Services tab.

2. Click New. The Edit Service dialog displays.

3. In the Name field, enter a meaningful name for this SSL proxy service.
4. From the Service Group drop-down list, select to which service this
configuration applies. By default, Other is selected.

248
5. Select SSL from the Proxy settings drop-down list.
6. TCP/IP Settings option: The Early Intercept option cannot be changed for the SSL
proxy service.
7. Select ADN options:
• Enable ADN. Select this option to configure this service to use ADN.
Enabling ADN does not guarantee the connections are accelerated by
ADN. The actual enable decision is determined by ADN routing (for
explicit deployment) or network setup (for transparent deployment).
• The Optimize Bandwidth option is selected by default if you enabled WAN
optimization during initial configuration. Clear the option if you are not
configuring WAN optimization.
8. Create a new listener:
a. Click New; if you edit an existing listener, click Edit.
b. In the Source address area, the most common selection is All, which
means the service applies to requests from any client (IPv4 or IPv6).
You can, however, restrict this listener to a specific IPv4/IPv6 address
or user subnet/prefix length.
c. Select a Destination address from the options. The correct selection
might depend on network configuration. For overviews of the options,
see "About Proxy Services" on page 130.
d. In the Port Range field, enter a single port number or a port range on
which this application protocol listens. For a port range, enter a dash
between the start and end ports. For example: 8080-8085
e. In the Action area, select the default action for the service: Bypass tells
the service to ignore any traffic matching this listener. Intercept
configures the service to intercept and proxy the associated traffic.
f. Click OK to close the dialog. The new listener displays in the Listeners
area.
9. Click OK to close the Edit Service dialog.
10. Click Apply.
Continue with "Specifying an Issuer Keyring and CCL Lists for SSL Interception"
on page 250.

Configuring the SSL Proxy in Explicit Proxy Mode


The SSL proxy can be used in explicit mode in conjunction with the HTTP Proxy
or SOCKS Proxy. You must create an HTTP Proxy service or a SOCKS Proxy
service and use it as the explicit proxy from desktop browsers. You must also
ensure that the detect-protocol attribute is enabled for these services.
When requests for HTTPS content are sent to either a SOCKS proxy or an HTTP
proxy, the proxies can detect the use of the SSL protocol on such connections and
enable SSL proxy functionality.

Continue with "Specifying an Issuer Keyring and CCL Lists for SSL Interception"
on page 250.

Specifying an Issuer Keyring and CCL Lists for SSL Interception


The SSL proxy can emulate server certificates; that is, present a certificate that
appears to come from the origin content server. In actuality, Blue Coat has
emulated the certificate and signed it using the issuer keyring. By default only the
subjectName and the expiration date from the server certificate are copied to the
new certificate sent to the client. The ProxySG appliance will emulate RSA
certificates, matching the key size up to 2048 bits. DSA server certificates are
emulated with 1024 bit RSA certificates.

Note: Only keyrings with both a certificate and a keypair can be used as issuer
keyrings.

You can also change the CA Certificate Lists (CCLs) that contain the CAs to be
trusted during client and server certificate validation. The defaults are adequate
for the majority of situations. For more information about CCLs, see Chapter 73:
"Authenticating a ProxySG Appliance" on page 1473.

To specify the keyring and CCLs:


1. From the Management Console, select Configuration > Proxy Settings > SSL Proxy.

2. Issuer Keyring: From the drop-down menu, select the keyring to use as the
issuer keyring. Any keyring with both a certificate and a keypair in the
drop-down menu can be used.
3. CCL for Client Certificates: Choose which CAs are trusted when the SSL proxy
validates client certificates. The default is <All CA Certificates>.
4. CCL for Server Certificates: Choose which CAs are trusted when the SSL proxy
validates server certificates. The CCL for server certificates is relevant even
when SSL proxy is tunneling SSL traffic. The default is browser-trusted.
5. Click Apply.
To configure policy, see "Configuring SSL Rules through Policy" on page 256.

Using Client Consent Certificates
The SSL proxy, in forward proxy deployments, can specify whether a client
(typically a browser) certificate is required. These certificates are used for user
consent, not for user authentication. Whether they are needed depends upon local
privacy laws.
With client consent certificates, each user is issued a pair of certificates with the
corresponding private keys. Both certificates have a meaningful user-readable
string in the common name field. One certificate has a string that indicates grant of
consent something like: “Yes, I agree to SSL interception”. The other certificate has
a common name indicating denial of consent, something like: “No, I do not agree
to SSL interception”.
Policy is installed on the ProxySG appliance to look for these common names and
to allow or deny actions. For example, when the string “Yes, I agree to SSL
interception” is seen in the client certificate common name, the connection is
allowed; otherwise, it is denied.

To configure client consent certificates:


1. Install the issuer of the client consent certificates as a CA certificate.
2. In VPM, configure the Require Client Certificate object in the SSL Layer > Action
column.
3. Configure the Client Certificate object in the Source column to match common
names.

Downloading an Issuer Certificate


When the SSL proxy intercepts an SSL connection, it presents an emulated server
certificate to the client browser. The client browser issues a security pop-up to the
end-user because the browser does not trust the issuer used by the ProxySG
appliance. This pop-up does not occur if the issuer certificate used by SSL proxy is
imported as a trusted root in the client browser's certificate store.
The ProxySG appliance makes all configured certificates available for download
via its management console. You can ask end users to download the issuer
certificate through Internet Explorer or Firefox and install it as a trusted CA in
their browser of choice. This eliminates the certificate popup for emulated
certificates.
To download the certificate through Internet Explorer, see "To download a
certificate through Internet Explorer:" on page 251. To download a certificate
through Firefox, see "To download a certificate through Firefox:" on page 253.

To download a certificate through Internet Explorer:

Note: You can e-mail the console URL corresponding to the issuer certificate to
end users so that they can install the issuer certificate as a trusted CA.

1. Select the Statistics > Advanced tab.


2. Select SSL.

3. Click Download a Certificate as a CA Certificate; the list of certificates on the system
displays.
4. Click a certificate (it need not be associated with a keyring); the File Download
Security Warning displays asking what you want to do with the file.

5. Click Save. When the Save As dialog displays, click Save; the file downloads.
6. Click Open to view the Certificate properties; the Certificate window displays.

7. Click the Install Certificate button to launch the Certificate Import Wizard.
8. Ensure the Automatically select the certificate store based on the type of certificate
radio button is enabled before completing the wizard.
9. Click Finish; the wizard announces when the certificate is imported.
10. (Optional) To view the installed certificate, go to Internet Explorer, Select Tools
> Internet Options > Contents > Certificates, and open either the Intermediate
Certification Authorities tab or the Trusted Root Certification Authorities tab,
depending on the certificate you downloaded.

To download a certificate through Firefox:

Note: You can e-mail the console URL corresponding to the issuer certificate
to end users so that the end-user can install the issuer certificate as a trusted
CA.

1. Select the Statistics > Advanced tab.


2. Select SSL.
3. Click Download a ProxySG Certificate as a CA Certificate; the list of certificates on
the system displays.
4. Click a certificate (it need not be associated with a keyring); the Download
Certificate dialog displays.

5. Enable the options needed. View the certificate before trusting it for any
purpose.
6. Click OK; close the Advanced Statistics dialog.

Warn Users When Accessing Websites with Untrusted Certificates
Preserve Untrusted Certificate Issuer allows the ProxySG appliance to present the
browser with a certificate that is signed by its untrusted issuer keyring. The
browser displays certificate information to the user, and lets the user accept the
security risk of an untrusted certificate and proceed to the website.
The default-untrusted keyring has been added to the ProxySG appliance to use
with the Preserve Untrusted Certificate Issuer feature. The default-untrusted
keyring should not be added to any trusted CA lists.

Note: This only applies to SSL forward proxy transactions with HTTPS
interception enabled.

To display a warning to users about untrusted certificates on a website, you must
complete the following tasks.

Task # Reference
1 "Presenting Untrusted Certificates to a Browser" on page 254
2 "Set the Behavior when Encountering Untrusted Certificates" on page 254

Presenting Untrusted Certificates to a Browser


Configure the ProxySG appliance to act as a certificate authority and present a
certificate signed by a specific keyring for all traffic. The default is the
default-untrusted keyring.

1. From the Management Console, select Configuration > Proxy Settings > SSL Proxy.
2. To have the ProxySG appliance act as a Certificate Authority (CA) and present
the browser with an untrusted certificate, select Preserve untrusted certificate
issuer.

3. From the Untrusted Issuer Keyring drop-down, select, from the list of eligible
keyrings, the keyring that the ProxySG appliance uses to sign the untrusted
server certificates it presents.
4. Click Apply.

Set the Behavior when Encountering Untrusted Certificates


In the VPM or CPL, define what the ProxySG appliance should do for specific
traffic if the user tries to access a website with an untrusted certificate.

Define Behavior in the Visual Policy Manager (VPM)


Override the ProxySG Management Console settings for specific traffic, to specify
whether the users should be prompted when a certificate that has not been signed
by a trusted Certificate Authority is encountered.
In the SSL Intercept Layer, add one of the following Actions:
❐ Do not Preserve Untrusted Issuer
If an OCS presents a certificate to the ProxySG appliance that is not signed by
a trusted Certificate Authority (CA), the ProxySG appliance either sends an
error message to the browser, or ignores the error and processes the request,
based on the configuration of the Server Certificate Validation object.
❐ Preserve Untrusted Issuer
If an OCS presents a certificate to the ProxySG appliance that is not signed by
a trusted Certificate Authority (CA), the appliance acts as a CA and presents
the browser with an untrusted certificate. A warning message is displayed to
the user, and they can decide to ignore the warning and visit the website or
cancel the request.
❐ Use Default Setting for Preserve Untrusted Issuer
The Preserve untrusted certificate issuer configuration setting in the ProxySG
Management Console is used to determine whether or not the untrusted
certificate issuer should be preserved for a connection. This is the default
behavior.

Define Behavior in CPL


Include the following syntax in policy to specify the behavior of the ProxySG
appliance when users encounter a website with an untrusted certificate:
ssl.forward_proxy.preserve_untrusted(auto|yes|no)
where:
• auto - Uses the Preserve untrusted certificate issuer configuration setting in
the ProxySG Management Console to determine whether untrusted
certificate issuer should be preserved for a connection. This is the default.
• yes - Preserve untrusted certificate issuer is enabled for the connection.
• no - Preserve untrusted certificate issuer is disabled for the connection.
For example, to enable the preserve untrusted certificate issuer behavior for a
connection, use the following syntax:
<ssl-intercept>
ssl.forward_proxy.preserve_untrusted(yes)

Section B: Configuring SSL Rules through Policy
SSL interception and access rules, including server certificate validation, are
configured through policy—either the VPM or CPL. Use the SSL Intercept Layer to
configure SSL interception; use the SSL Access Layer to control other aspects of SSL
communication such as server certificate validation and SSL versions. To
configure SSL rules using CPL, refer to the Content Policy Language Reference. This
section covers the following topics:
❐ "Using the SSL Intercept Layer" on page 256.
❐ "Using the SSL Access Layer" on page 258
❐ "Using Client Consent Certificates" on page 251
The policy examples in this section are for in-path deployments of ProxySG
appliances.

Using the SSL Intercept Layer


The SSL intercept layer allows you to set intercept options:
❐ "To intercept HTTPS content through VPM:" on page 256
❐ "To intercept HTTPS requests to specific sites through the VPM:" on page 257
❐ "To customize server certificate validation through VPM:" on page 258
❐ "Configuring STunnel" on page 264

Note: For detailed instructions on using VPM, refer to the Visual Policy Manager
Reference.

To intercept HTTPS content through VPM:


1. Select the Configuration > Policy > Visual Policy Manager tab and launch the VPM.
2. From the Policy drop-down menu, select Add SSL Intercept Layer.
3. Right-click Set in the Action column; the Set Action object displays.
4. Click New and select Enable HTTPS Intercept object.
The options for Issuer Keyring, Hostname, Splash Text, and Splash URL all control
various aspects for certificate emulation. Fill in the fields as follows:
a. Issuer Keyring: If you selected an issuer keyring previously, that keyring
displays. If you did not select an issuer keyring previously, the default
keyring displays. To change the keyring that is used as the issuer
keyring, choose a different keyring from the drop-down menu.
b. Hostname: The host name you put here is the host name in the
emulated certificate.
c. Splash Text: You are limited to a maximum of 200 characters. The splash
text is added to the emulated certificate as a certificate extension.

d. Splash URL: The splash URL is added to the emulated certificate as a
certificate extension.
The STunnel options control various aspects of SSL interception.
a. Enable STunnel Interception: Establish a policy where configured STunnel
services (such as POP3S and SMTPS) are terminated and accelerated.
b. Enable SSL interception with automatic protocol detection: In addition to
STunnel interception as described above, discovered HTTPS is handed
off to the HTTPS proxy. Otherwise, SSL traffic continues in STunnel
mode.
5. Click OK to save the changes.
You can use the Disable SSL Intercept object to disable HTTPS Intercept.

To intercept HTTPS requests to specific sites through the VPM:


1. Select the Configuration > Policy > Visual Policy Manager tab and launch the VPM.
2. From the Policy drop-down menu, select Add SSL Intercept Layer.
3. In the Destination column, right-click Set; the Set Destination Object displays.
4. Click New and select Server Certificate.

5. Fill in the fields as described below. You can only select one field:
a. Hostname: This is the host name of the server whose traffic you want to
intercept. After entering the host name, use the drop-down menu to
specify Exact Match, Contains, At Beginning, At End, Domain, or Regex.
b. Subject: This is the subject field in the server's certificate. After you
enter the subject, use the drop-down menu to specify Exact Match,
Contains, At Beginning, At End, Domain, or Regex.

6. Click Add, then Close; click OK to add the object to the rule.

To categorize host names in server certificates through VPM:


1. While still in the Destination column of the SSL Intercept layer, right-click Set; the
Set Destination object displays.

2. Click New and select the Server Certificate Category object. The Add Server
Certificate Category Object displays. You can change the name in the top field if
needed.

3. Select the categories. The categories you selected display in the right-hand
column.
4. Click OK.

Using the SSL Access Layer


For a list of the conditions, properties, and actions that can be used in the SSL
Access Layer, refer to the Content Policy Language Reference.

Note: For detailed instructions on using VPM, refer to the Visual Policy Manager
Reference.

To customize server certificate validation through VPM:

Note: The policy property server.certificate.validate, if set, overrides the
ssl-verify-server command for either HTTP or for forwarding hosts.

1. Select the Configuration > Policy > Visual Policy Manager tab and launch the VPM.
2. From the Policy drop-down menu, select Add SSL Access Layer.
3. In the Action column, right-click Set; the Set Action object displays.
4. Click New and select Set Server Certificate Validation object.

5. By default, server certificate validation is enabled; to disable it, select Disable
server certificate validation at the bottom of the dialog.

If server certificate validation is enabled, you can determine behavior by
selecting the Ignore hostname mismatch, Ignore expiration, or Ignore untrusted issuer
options. These options mimic the overrides supported by most browsers.
6. Select an option for revocation checks:
• Select an Online Certificate Status Protocol (OCSP) option. For more
information, see Section F: "Checking Certificate Revocation Status in Real
Time (OCSP)" on page 1326.
• Use only local certificate revocation check: Uses the CRL configured on the
ProxySG appliance to perform the revocation check for a server certificate.
• Do not check certificate revocation: Does not check the revocation status of the
server certificate; however it still carries out the other certificate validation
checks.
7. Click OK; click OK again to add the object.

Notes

❐ Pipelining configuration for HTTP is ignored for HTTPS requests
intercepted by the SSL proxy. When the SSL proxy intercepts an HTTPS request,
and the response is an HTML page with embedded images, the embedded
images are not pre-fetched by the ProxySG appliance.

❐ If the ProxySG appliance and the origin content server cannot agree on a
common cipher suite for intercepted connections, the connection is aborted.

❐ Server-Gated Cryptography and step-up certificates are treated just as regular
certificates; special extensions present in these certificates are not copied
into the emulated certificate. Clients relying on SGC/step-up certificates
continue using weaker ciphers between the client and the ProxySG appliance
when the SSL proxy intercepts the traffic.

Section C: Viewing SSL Statistics
The following sections discuss how to analyze various statistics generated by SSL
transactions.

Viewing SSL History Statistics


The Statistics > Protocol details > SSL History tabs (SSL Data, SSL Clients, SSL Bytes)
provide various useful statistics for unintercepted SSL traffic.

Note: Some SSL statistics (SSL client connections and total bytes sent and
received over a period of time) can only be viewed through the Management
Console (see "Unintercepted SSL Data" on page 261 and "Unintercepted SSL
Clients" on page 262).

Unintercepted SSL Data


The SSL Data tab on the Management Console displays SSL statistics.
The following table details the statistics provided through the SSL Data tab for the
Unintercepted SSL protocol.

Table 9–1 Unintercepted SSL Data Statistics

Status                                 Description
Current unintercepted SSL connections  The current number of unintercepted SSL client connections.
Total unintercepted SSL connections    The cumulative number of unintercepted SSL client connections since the ProxySG appliance was last rebooted.
Total bytes sent                       The total number of unintercepted bytes sent.
Total bytes received                   The total number of unintercepted bytes received.

To view unintercepted SSL data statistics:


From the Management Console, select the Statistics > Protocol Details > SSL History >
SSL Data tab; make sure Unintercepted SSL is selected for the Protocol.
The default view shows all unintercepted SSL data.

Unintercepted SSL Clients
The SSL Clients tab displays dynamic graphical statistics for connections received
in the last 60-minute, 24-hour, or 30-day period.

To view SSL client unintercepted statistics:


1. From the Management Console, select the Statistics > Protocol Details > SSL
History > SSL Clients tab.

2. Make sure Unintercepted SSL is selected for the Protocol.

3. Select a time period for the graph from the Duration: drop-down list. The
default is Last Hour.
4. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.

Unintercepted SSL Bytes


The SSL Bytes tab displays dynamic graphical statistics for bytes received in the
last 60-minute, 24-hour, or 30-day period.

To view unintercepted SSL byte statistics:


1. From the Management Console, select the Statistics > Protocol Details > SSL
History > SSL Bytes tab.

2. Make sure Unintercepted SSL is selected for the Protocol.

3. Select the Duration: for the graph from the drop-down list. The default is Last
Hour.

4. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.

Section D: Using STunnel
STunnel intercepts SSL traffic regardless of the application protocol over it. HTTPS
traffic may be identified and handed off to the HTTPS proxy, and you may create
services to inspect and accelerate other SSL protocols, such as SMTPS. The
decrypted data may be tapped; see "Tapping Decrypted Data with Encrypted
Tap" on page 270.
STunnel integrates with secure ADN. When secure ADN is enabled, SSL traffic is
accelerated using byte-caching and/or compression. An STunnel service will
intercept traffic based on the configuration and policy. For intercepted SSL
sessions, the STunnel proxy acts as a man-in-the-middle.
The STunnel sub-proxy can perform the following actions:
❐ Intercept SSL traffic and hand off HTTPS content to the HTTPS proxy when it
is detected.
❐ Intercept non-HTTPS traffic.
❐ With ADN, accelerate intercepted SSL traffic.
If you are familiar with configuring an inline or explicit HTTPS proxy, STunnel
works the same way. STunnel is configured with the following policy rule:
ssl.forward_proxy(yes)
or
ssl.forward_proxy(stunnel)
Traffic is handled by STunnel, and tunneled through or processed as appropriate.
STunnel supports SSLv2, SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2.

Configuring STunnel
You can configure STunnel using the Visual Policy Manager (VPM) or the
Management Console.

Configure STunnel Policy using VPM


STunnel, which lets you intercept SSL traffic regardless of the application protocol
over it, is configured on the interception layer. To configure STunnel policy using
the VPM, follow these steps.
1. On the Configuration tab, select Policy > Visual Policy Manager, then click Launch.
2. Select Policy > Add SSL Intercept Layer.
3. Right-click in the Action column.
4. Choose Set > New > Enable SSL Interception.
5. On the Add SSL Interception Object window, choose one of the following:
• Enable STunnel Interception: Establish a policy where configured STunnel
services (such as POP3S and SMTPS) are terminated and accelerated.
Make sure to configure the related services if you choose this option.
• Enable SSL interception with automatic protocol detection: In addition to
STunnel interception as described above, discovered HTTPS is handed off
to the HTTPS proxy. Otherwise, SSL traffic continues in STunnel mode.

6. Click OK. The window closes.


7. Click OK on the Set Action Object Window; it closes.
8. To examine the policy, press View.
9. Click Install policy on the VPM window.

Configure STunnel via the Management Console


Accelerate SSL Traffic
To provide acceleration to SSL using byte caching, enable a secure ADN. See
"Using the SSL Proxy with ADN Optimization" for details.
Intercept the traffic as described in "Intercept SSL Based Traffic".
For an inline or explicit forward proxy, use the policy rule
ssl.forward_proxy(stunnel) or ssl.forward_proxy(yes).

Note: If an unsuccessful SSL interception occurs (the SSL handshake fails), the
traffic is tunneled.

Intercept SSL Based Traffic


Use STunnel to intercept SSL traffic, such as POP3S, SMTPS, and HTTPS.

Configure a Forward Proxy with an STunnel Service


1. Set up a Secure ADN between the concentrator and branch peer. See "Verify
Secure ADN" on page 327.

2. On the branch peer, edit or create POP3S or SMTPS services (create a new
service at Configuration > Services > Proxy Services > New Service).
3. Click Apply on the Configuration tab.

Example POP3S Setup:

POP3S is located in the Bypass-Recommended group by default.
Name: POP3S
Service Group: Standard
Proxy Settings/Proxy: SSL
Detect Protocol: Check; identified HTTPS traffic will be handed to the HTTPS
forward proxy for processing
TCP/IP: N/A
Application Delivery Network Settings: Click Enable ADN; Retention priority is
set to normal.
Listeners: Set Action to Intercept.

For an SMTPS setup, follow the same configuration, except choose the
appropriate port and enter SMTPS as the Name.
Make sure your SSL policy is configured correctly for STunnel. See the next
section.

Viewing STunnel Results


Traffic and Service results are available for STunnel. See Chapter 33: "Statistics"
on page 789 for additional details on understanding the presentation of statistics.
• STunnel is part of the SSL proxy, but is broken out under STunnel in the
Proxy statistics, so you may easily find the results.
• The SSL proxy controls the tunneled (unintercepted) SSL traffic—there is
no need to look at the Bandwidth Savings report for the SSL proxy since
this traffic is not accelerated.
• For a typical setup, where you have HTTPS traffic identified and handed
off to its proxy, make sure to look at the HTTPS proxy statistics and
bandwidth savings as well as STunnel reports in order to get the best
understanding of STunnel results.

Viewing Traffic Statistics


To see traffic statistics, go to Statistics > Traffic Details. View the Traffic Mix and Traffic
History tab statistics. STunnel sessions are listed under Active and Errored sessions,
as well.

Traffic Mix
On the Traffic Mix > Service tab, view traffic distribution and bandwidth statistics
for SSL service traffic running through the ProxySG appliance.

Traffic History
STunnel sessions are listed under Traffic Mix and Traffic History:
1. Select the Statistics > Traffic Details > Traffic Mix/Traffic History.
2. On the Traffic Mix tab, select Proxy.
• The BW Usage and BW Gain tabs are available.
• The pie chart visually represents the bandwidth percentage for each proxy,
including STunnel.
• Scroll down in the table to view the STunnel (and HTTPS) information.
3. On the Traffic History tab, select Proxy.
• View STunnel on the BW Usage, BW Gain, Client Bytes and Server Bytes tabs.

Application Mix
The ProxySG appliance can classify SSL-tunneled traffic without full HTTPS
interception. The Statistics > Application Details > Application Mix and Statistics >
Application Details > Application History reports display the applications detected in
SSL-tunneled traffic. In the Proxy Type column in Application Mix report, look for
STunnel.

Viewing Session Statistics


To see STunnel accelerated session statistics such as duration, bandwidth savings
using ADN functionality, and caching for current active and historical errored
sessions, view the Sessions statistics on the Statistics tab.
1. On the Concentrator peer, log in to the Management Console.
2. Select the Statistics > Sessions > Active Sessions/Errored Sessions > Proxied Sessions
tab.
3. From the Filter drop-down list, select Protocol.
4. Select STunnel from the corresponding drop-down list.
5. Press Show.

See "Active Sessions—Viewing Per-Connection Statistics" on page 815 for details
on using these windows.

Viewing Protocol Details


Go to Protocol Details > SSL Data tab to view client connection and data transfer
bytes information for STunnel.
At Protocol, select STunnel.

Access Logging
View the SSL log to see the STunnel sessions; the cs-protocol value is set to stunnel.

Section E: Tapping Decrypted Data with Encrypted Tap
Encrypted tap streams decrypted data from intercepted HTTPS or STunnel SSL
transactions on client connections. The tap is performed simultaneously and on
the same ProxySG appliance which is performing the Secure Web Gateway
function. The data is presented in a format that can be understood by common
network traffic analysis tools like Wireshark, common network intrusion
detection systems such as Snort, and so on.
• Encrypted Tap does not support VLAN.
• MTU is fixed at 1500 bytes.
• SSL protocol headers/records/details are not preserved.
• Encrypted Tap is supported for forward proxy for STunnel and HTTPS,
and for reverse proxy for HTTPS.
• Encrypted tap also taps WebSocket.

Before you start


• Ensure your SGOS license is up to date and includes a valid Encrypted
Tap component
• Configure HTTPS (see “Intercepting HTTPS Traffic” on page 247) or
STunnel (see “Using STunnel” on page 264) interception on the ProxySG
appliance.
• Ensure the ProxySG has at least one open Ethernet port.
• Have a computer with a spare, unassigned Ethernet interface and a
third-party analysis application installed available to receive the tapped
data.

Follow these steps


On the ProxySG appliance:
1. Enable Proxy Services for HTTPS/HTTP:
a. From the Management Console, select Configuration tab > Services >
Proxy-Services.

b. On the Proxy Services tab, select Predefined Service Group >Standard >
HTTPS, and press Edit Service.

c. On the Edit Service pop up, under Listeners, set Action=Intercept.


d. Press OK. The Edit Service pop up closes.
2. On the Configuration tab > Proxy Settings > General > General tab, check
Reflect Client IP to reflect the client IP.
3. From the Management Console, select Configuration tab > Policy > Policy Options >
Default Proxy Policy: Allow to set the Default Policy to Allow.

4. Create the Encrypted Tap policy.

a. From the Management Console, on the Configuration tab, select Policy >
Visual Policy Manager > Launch. The Visual Policy Manager window pops
up.
b. On the VPM, from Policy, select Add SSL Access Layer, and provide a
name as required.
c. Highlight the added row, right click on Action, and choose Set.
d. On the Set Action Object window, click New..., and choose Enable
encrypted tap.

e. On the Add Encrypted Tap Object window, set the name, verify Enable
encrypted tap is selected, and choose the tap Interface to use from the
drop down.
f. Click Ok. The window closes.
g. Click Ok. The Set Action Object window closes.
5. Install the Encrypted Tap policy.
a. Click Install Policy. You will see a confirmation when the new policy has
been installed.

Note: Make sure the tapped interface is not the same as any client/server/
management interface in use, in order to avoid dumping tapped or decrypted
traffic onto real servers. Furthermore, to avoid dropping traffic at the L2
device (resultant of how L2 forwarding works), ensure there are no Layer 2
bridging devices between the ProxySG appliance and the sniffer tools used on
the tapped interface.

On another computer:
1. Connect the PC to the selected Ethernet interface.
2. Open the third-party application (such as Wireshark), and configure it to
monitor the network traffic on the selected Ethernet interface. The intercepted
HTTPS traffic should now be viewable by this application.

Viewing Encrypted Tap Results


❐ Tapping the Traffic
Traffic is accessed at the specified interface. It has a TCP-like format which
network monitoring tools such as Wireshark and Snort can easily interpret.
Here are the output details:
• TCP-SYN/ACK for connection setup
• TCP-FIN/ACK or TCP-RST for connection tear downs.
• Original source and destination IP and ports of the connection
• TCP sequence numbers, acknowledgements, and checksums, updated
accordingly for data output
• TTL set to 1
• MAC addresses selected to avoid any potential conflicts. The Source MAC
is the original source MAC address. If the Destination MAC address
belongs to the original ProxySG appliance, it may be translated, but will
otherwise be preserved.
❐ View the SSL log to see HTTPS or STunnel sessions; tapped transactions have
the x-cs-connection-encrypted-tap value set to TAPPED.
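The two log fields named above, cs-protocol set to stunnel for STunnel sessions (see "Access Logging") and x-cs-connection-encrypted-tap set to TAPPED for tapped transactions, can be checked from an exported SSL access log. The following Python script is an added example, not part of this guide or of SGOS; it assumes the log is in W3C ELFF form with a #Fields directive, and the field list and every record in it are constructed samples (only the two field names above come from the guide).

```python
"""Summarise STunnel sessions and Encrypted Tap transactions in an SGOS SSL access log.

Added example (not SGOS code). The log is assumed to be in W3C ELFF form:
'#' directive lines, with '#Fields:' naming the columns, followed by one
space-separated record per line. Values that contain spaces are double-quoted.
"""
import shlex
from collections import Counter
from typing import Dict, List

# Constructed sample log: every directive and record here is made up for the
# example. Only cs-protocol and x-cs-connection-encrypted-tap come from the
# guide; the other column names and all values are assumptions.
SAMPLE_LOG = """\
#Software: SGOS (constructed sample)
#Version: 1.0
#Fields: date time c-ip cs-host cs-uri-port cs-protocol x-cs-connection-encrypted-tap
2017-03-01 10:00:01 10.1.1.20 mail.example.com 995 stunnel -
2017-03-01 10:00:02 10.1.1.21 www.example.com 443 https TAPPED
2017-03-01 10:00:03 10.1.1.20 smtp.example.com 465 stunnel TAPPED
2017-03-01 10:00:04 10.1.1.22 "www.example.org" 443 https -
"""

Record = Dict[str, str]


def parse_elff(text: str) -> List[Record]:
    """Parse ELFF text into one dict per record, keyed by the #Fields names.

    A later '#Fields:' directive (for example after a log-format change at
    rotation) replaces the column names for the records that follow it.
    Records with the wrong number of columns raise ValueError instead of
    being silently misaligned.
    """
    fields: List[str] = []
    records: List[Record] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Version, #Date, ...) carry no records
        if not fields:
            raise ValueError(f"line {lineno}: record before any #Fields directive")
        values = shlex.split(line)  # honours double-quoted values containing spaces
        if len(values) != len(fields):
            raise ValueError(
                f"line {lineno}: {len(values)} values for {len(fields)} fields")
        records.append(dict(zip(fields, values)))
    return records


def stunnel_sessions(records: List[Record]) -> List[Record]:
    """Sessions handled by the STunnel sub-proxy (cs-protocol == stunnel)."""
    return [r for r in records if r.get("cs-protocol") == "stunnel"]


def tapped_transactions(records: List[Record]) -> List[Record]:
    """Transactions whose decrypted data was streamed to the Encrypted Tap interface."""
    return [r for r in records if r.get("x-cs-connection-encrypted-tap") == "TAPPED"]


def summarize(text: str) -> Dict[str, object]:
    """Counts a reviewer would check after enabling STunnel or Encrypted Tap."""
    records = parse_elff(text)
    stunnel = stunnel_sessions(records)
    tapped = tapped_transactions(records)
    return {
        "total": len(records),
        "stunnel": len(stunnel),
        "tapped": len(tapped),
        # which STunnel services (by destination port) actually produced sessions
        "stunnel_ports": Counter(r["cs-uri-port"] for r in stunnel),
        # STunnel sessions whose data was not tapped: candidates for a policy gap
        "stunnel_untapped": [
            r["cs-host"] for r in stunnel
            if r.get("x-cs-connection-encrypted-tap") != "TAPPED"],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```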

Troubleshooting
This section describes troubleshooting tips and solutions for Encrypted Tap.
❐ View access logs for Encrypted Tap. See "Viewing Access-Log Statistics."
❐ View the Encrypted Tap debug log and statistics.
❐ Perform a packet capture at the hardware interface on the ProxySG appliance.
Go to Maintenance > Service Information > Packet Captures to access packet
captures. The capture provides details on the data transmitted by the ProxySG
appliance; compare this to the received tap data.
❐ Perform policy tracing; refer to the Blue Coat Knowledge Base for articles on
how to perform an SSL policy trace.

Section F: Working with an HSM Appliance
A Hardware Security Module (HSM) provides additional security for storing
cryptographic keys and certificates, which is required in some highly regulated
industries. The ProxySG appliance is able to use a network-attached HSM
appliance to store resigning CA keys, and to perform digital signature operations.
The ProxySG appliance exchanges signing requests and responses with the
attached HSM appliance, over mutually authenticated HTTPS requests. The
ProxySG appliance sends certificate data to the HSM.

The ProxySG appliance can work with multiple HSM appliances, and multiple
ProxySG appliances can share the same HSM. If a policy rule that signs with an
HSM cannot complete because the HSM does not respond, the attempt is logged and
the policy action configured for HSM failure (cut through, drop, or reject) is
taken. In addition to the resigning certificates, the mutually authenticated
connection (the communication pipeline) between appliance and HSM must be
established with verified certificates. Configure the ProxySG appliance with
the CLI, CPL, or the VPM.

Working with the SafeNet Java HSM


The SafeNet Java HSM must be configured separately. Additionally, Blue Coat
provides an agent to install on the SafeNet Java HSM, which will be used to
interact with Blue Coat appliances. A certificate to authorize the agent is included.
The Blue Coat HSM Agent operates on top of a secure session. It communicates to
the external Blue Coat entity (ProxySG appliance), and is used remotely.

Before You Begin


In order for the ProxySG to trust the HSM, you must import the HSM's server
certificate and put it into a CA Certificate List. Go to Configuration > SSL > CA
Certificates and click Import. Name the certificate and paste the PEM data into
the appropriate field. For further information, see "Importing CA Certificates"
on page 1315.

An HSM requires a linked Device Profile (go to SSL > Device Profiles). Click New,
create a FIPS-compliant or non-compliant profile as required, then enter the
HSM credentials into the Create SSL Device Profile window. For more information,
see "Specifying an Issuer Keyring and CCL Lists for SSL Interception".

Add an HSM
HSM appears in the Configuration > SSL menu. The new page contains three tabs.
Click Create on the HSM tab to set up an HSM connection.
1. On the Configuration > SSL > HSM tab, select Create. The Create HSM window pops up.
2. Enter the HSM credentials. For the Device Profile, select the HSM profile created
earlier. Click OK to save the information and close the window.
3. Click Apply on the HSM window. The new HSM appears in the list. Referenced
will show “No” until you use the new HSM in policy.

Add an HSM Keyring


Adding an HSM keyring follows the same steps as adding any SSL keyring. HSM
keyrings are now also available in Proxy Settings > SSL Proxy > General Settings >
Issuer Keyring.

1. On the Configuration > SSL > HSM Keyrings tab, select Create. The Create HSM
Keyring window pops up.

2. Enter the HSM credentials. Use the Paste From Clipboard button to enter the
Certificate PEM file; the Key Label is the name associated with the private key
created on the SafeNet Java HSM. Click OK to save the information and close
the window.
3. Click Apply on the HSM Keyrings window. The new HSM keyring appears in the
list. Referenced will show “No” until you use the new keyring in policy.

Note: A keyring which is referenced by policy can’t be deleted.

Once a keyring has been created, you can click View Certificate to see the certificate
details and PEM file data. Click Preview to see a list of actions which will occur
when the keyring is implemented.

Note: HSM keyrings also appear in the Proxy Settings > SSL Proxy list of Issuer
Keyrings.

Add an HSM Keygroup


Keygroups may be referenced in policy, instead of an individual keyring. When a
keygroup is used, the SSL connections are load balanced, either within one HSM
or across an HSM group.
Adding an HSM keygroup follows the same steps as adding any SSL keylist.
1. On the Configuration > SSL > HSM Keygroups tab, select Create. The Create HSM
Keygroup window pops up. Existing HSM keyrings appear in the Available HSM
Keyrings field.

2. Create the new group. Move keyrings from the Available HSM Keyrings list to the
Included HSM Keyrings list with the Add>> and <<Remove buttons to include them
in the new group.
3. Click OK. The window closes.
4. Click Apply on the HSM Keygroups window.

Write HSM Policy
Use policy to direct the SSL proxy to use an HSM keyring or keygroup to sign an
emulated certificate from an intercepted authenticated SSL connection. See the
following graphic.
1. Launch the VPM (Policy > Visual Policy Manager > Launch).
2. On the Blue Coat Visual Policy Manager window, select Policy > Add SSL Intercept
Layer.

3. Rename the layer on the Add New Layer window if required, then click OK (not
shown in the graphic).
4. Highlight the new layer, and right click at Action; select Set. The Set Action
Object window displays.

5. On the Set Action Object window, select New > Enable SSL Interception.
6. On the Add SSL Interception Object window, select the Issuer Keyring to use for
HSM signatures. Configured HSM keyrings and keygroups appear on the
drop down list.
7. Click OK. The window closes.
8. Click Install Policy. You will see a “Policy installation was successful” message
on completion.
9. Close the VPM and click Apply.

Section G: Advanced Topics
If you use OpenSSL or Active Directory, you can follow the procedures below to
manage your certificates.
For OpenSSL, see "Creating an Intermediate CA using OpenSSL" on page 278; if
using Active Directory, see "Creating an Intermediate CA using Microsoft Server
2012 (Active Directory)" on page 281.

Creating an Intermediate CA using OpenSSL


This section describes the certificate management when creating an intermediate
CA using OpenSSL.
The overall steps are:
❐ "Installing OpenSSL" on page 278
❐ "Creating a Root Certificate" on page 278
❐ "Modifying the OpenSSL.cnf File" on page 279
❐ "Signing the ProxySG CSR" on page 279
❐ "Importing the Certificate into the ProxySG Appliance" on page 280
❐ "Testing the Configuration" on page 280
Various OpenSSL distributions can be found at http://www.openssl.org.

Installing OpenSSL
After OpenSSL is installed, you must edit the openssl.cnf file and ensure the
path names are correct. By default root certificates are located under ./PEM/DemoCA;
generated certificates are located under /certs.

Creating a Root Certificate


In order to create a root Certificate Authority (CA) certificate, complete the
following steps.

Note: The key and certificate in this example are located at
./bin/PEM/demoCA/private/.

1. In a command prompt, enter:

openssl req -new -x509 -keyout
c:\resources\ssl\openssl\bin\PEM\demoCA\private\cakey.pem -out
c:\resources\ssl\openssl\bin\PEM\demoCA\private\CAcert.pem

where the root directory for OpenSSL is \resources\ssl\openssl. The output is:

Using configuration from C:\Resources\SSL\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.....................................+++++
................................................+++++
writing new private key to
'c:\resources\ssl\openssl\bin\PEM\demoCA\private\cakey.pem'
Enter PEM pass phrase:

This output is from an old OpenSSL release. Current releases generate a
2048-bit key by default; do not create a CA with a 1024-bit key. Add -days to
set the validity period of the root certificate, since the default for
openssl req -x509 is only 30 days.

2. Type any string of at least four characters for the PEM pass phrase.
3. Enter the certificate parameters, such as country name, common name that are
required for a Certificate Signing Request (CSR).
The private key and root CA are now located under the directory ./PEM/
DemoCA/private

4. Create a keyring.
a. From the Management Console, select Configuration > SSL > Keyrings.
b. Click Create; fill in the fields as appropriate.
c. Click OK.
5. Create a CSR on the ProxySG appliance.
a. From the Management Console, select Configuration > SSL > Keyrings.
b. Highlight the keyring you just created; click Edit/View.
c. In the Certificate Signing Request pane, click Create and fill in the fields
as appropriate.

Note: Detailed instructions on creating a keyring and a CSR are in
Chapter 73: "Authenticating a ProxySG Appliance" on page 1473. They can
also be found in the online help.

6. Paste the contents of the CSR into a text file called new.pem located in the ./bin
directory.

Modifying the OpenSSL.cnf File


Modify the openssl.cnf file so that the certificate OpenSSL issues to the
ProxySG is itself a CA certificate. The emulated certificates the appliance
signs then chain to the OpenSSL root CA, and only the root needs to be imported
into your browser. If you skip this step, you must import the ProxySG
certificate itself into the browser.
1. In the openssl.cnf file, find the basicConstraints line in the [ usr_cert ]
section (the default is basicConstraints=CA:FALSE) and set it to TRUE:
basicConstraints=CA:TRUE

2. Save the openSSL.cnf file.

Signing the ProxySG CSR


Open a Windows command prompt window and enter:
openssl ca -policy policy_anything -out newcert.pem -in new.pem
The output is:

Using configuration from C:\Resources\SSL\OpenSSL\bin\openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'Paris'
localityName          :PRINTABLE:'Paris'
organizationName      :PRINTABLE:'BlueCoat'
organizationalUnitName:PRINTABLE:'Security Team'
commonName            :PRINTABLE:'Proxy.bluecoat.com'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Sep 27 13:29:09 2006 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
This signs the certificate; it can then be imported into the ProxySG appliance.

Importing the Certificate into the ProxySG Appliance


1. Open the file newcert.pem in a text editor.
2. Select Management Console > Configuration > SSL > SSL Keyrings.
3. Select the keyring used for SSL interception; click Edit/View.
4. Click Import and paste in the contents of the newcert.pem file.
5. So that the appliance can build the complete chain, import the CA
certificates into the CA Certificates list.
a. From the Management Console, select Configuration > SSL > CA
Certificates.
b. Click Import; enter the certificate name in the CA Cert Name field.
c. Paste the root CA certificate from ./bin/PEM/demoCA/private/CAcert.pem,
being sure to include the -----BEGIN CERTIFICATE----- and
-----END CERTIFICATE----- lines.
d. Click OK.
e. Repeat steps b through d for the contents of the newcert.pem file.

Testing the Configuration


Import the root CA into your browser and construct an SSL interception policy.

Note: Detailed instructions on constructing an SSL interception policy are in
"Configuring SSL Rules through Policy" on page 256.

You should not be prompted for any certificate warning.

Creating an Intermediate CA using Microsoft Server 2012 (Active Directory)
This section describes certificate management when creating an intermediate CA
using Active Directory.
Before you begin:
❐ Verify the Windows 2012 system is an Active Directory server.
❐ Make sure IIS is installed on the server.
❐ Install Certificate Services through the Server Manager. Enable Active
Directory Certificate Services (AD CS) and select Enterprise root CA as the
Certificate Authority mode.

All certificate management is done through the browser using the following URL:
http://@ip_server/CertSrv
For information on the following tasks, see:
❐ "Install the root CA onto the browser:" on page 281
❐ "Create an appliance keyring and certificate signing request:" on page 281
❐ "Sign the appliance CSR:" on page 281
❐ "Import the subordinate CA certificate onto the appliance:" on page 282
❐ "Test the configuration:" on page 282

Install the root CA onto the browser:


1. Connect to http://@ip_server/certsrv.
2. Click Download a CA Certificate, certificate chain, or CRL.
3. Click Install this CA Certificate.
This installs the root CA onto the browser.

Create an appliance keyring and certificate signing request:


1. From the Management Console, select the Configuration > SSL > Keyrings tab.
2. Create a new keyring. For detailed instructions on creating a new keyring, see
"Creating a Keyring" on page 1291.
3. Create a Certificate Signing Request (CSR). For detailed instructions on
creating a CSR, see "Creating a Keyring" on page 1291.
4. To capture the CSR information, edit the keyring containing the CSR, and
copy the Certificate Signing Request field content.
5. Click Close.

Sign the appliance CSR:


1. Connect to http://@ip_server/certsrv.
2. Select Request a certificate.
3. Select submit an advanced certificate request.

4. On the next screen (Submit a Certificate Request or Renewal Request) paste the
contents of the CSR into the Base-64-encoded certificate request field.
5. Select the Certificate Template Subordinate Certification Authority.
If this template does not exist, connect to the certificate manager tool on the
Active Directory server and add the template.
6. Click Submit.
7. Download the certificate (not the chain) as Base 64 encoded.
8. Save this file on the workstation as newcert.pem.

Import the subordinate CA certificate onto the appliance:


1. Open the file newcert.pem in a text editor and copy the contents, from the
BEGIN CERTIFICATE through END CERTIFICATE; don’t include any spaces after
the dashes.
2. In the Management Console, select the Configuration > SSL > SSL Keyrings tab.
3. Select the keyring that has the CSR created; click Edit.

Note: Ensure this keyring is used as the issuer keyring for emulated
certificates. Use policy or the SSL intercept setting in the Management
Console or the CLI.

4. Click Import to paste the contents of the newcert.pem file. This imports the
appliance's subordinate CA certificate into the keyring.
5. To ensure the appliance trusts the newly added certificate, import the
contents of the newcert.pem file into the CA Certificates list.
a. From the Management Console, select Configuration > SSL > CA
Certificates.
b. Click Import; enter the certificate name in the CA Cert Name field.
c. Paste the certificate, being sure to include the -----BEGIN
CERTIFICATE----- and -----END CERTIFICATE----- lines.
d. Click OK.
e. Click Apply.

Test the configuration:


Import the root CA into your browser and construct an SSL interception policy.
You should not be prompted for any certificate warning.

Note: Detailed instructions on constructing an SSL interception policy are in
"Configuring SSL Rules through Policy" on page 256.
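Both procedures in this section end with the same artefact: a subordinate CA certificate installed on the appliance keyring, with the root trusted by the browser. The following script, added here as an example and not part of the guide or of the OpenSSL project, reproduces the OpenSSL procedure on a workstation ("Creating a Root Certificate" through "Signing the ProxySG CSR"), emulates a site certificate the way the SSL proxy does at intercept time, and verifies the chain with only the root as trust anchor; the same openssl verify check applies to a certificate issued through the AD CS Subordinate Certification Authority template. It also signs the CSR a second time with basicConstraints left at CA:FALSE to show why the openssl.cnf edit matters. Assumptions, not from the guide: OpenSSL 1.1.1 or later on the PATH; the appliance CSR is stood in for by a key generated locally (a real ProxySG never exports its private key, you only copy the CSR); subject names, paths, the CA_PASS passphrase and the openssl.cnf contents are placeholders.

```shell
#!/bin/sh
# Added example (not from the SGOS guide): OpenSSL intermediate-CA procedure end to
# end, with a chain check. Assumes openssl >= 1.1.1; all names/paths are placeholders.
set -eu
CA_PASS="${CA_PASS:-change-me}"   # root CA key passphrase (assumed placeholder)

# Minimal openssl.cnf for "openssl ca". [usr_cert] is the section the guide has you
# change to CA:TRUE; [usr_cert_nonca] keeps the stock default to show the failure.
write_ca_config() {
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/private/CAcert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_anything
x509_extensions = usr_cert
unique_subject = no
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ usr_cert_nonca ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# "Creating a Root Certificate": 2048-bit key (never 1024 for a CA), 10-year validity.
create_root_ca() {
    mkdir -p demoCA/private demoCA/newcerts
    : > demoCA/index.txt
    echo 01 > demoCA/serial
    openssl req -new -x509 -config ca.cnf -newkey rsa:2048 -sha256 -days 3650 \
        -subj "/O=Example Corp/CN=Example Root CA" -passout "pass:$CA_PASS" \
        -keyout demoCA/private/cakey.pem -out demoCA/private/CAcert.pem
}

# Stand-in for the CSR copied out of Configuration > SSL > Keyrings (new.pem).
create_appliance_csr() {
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Corp/OU=Security Team/CN=proxy.example.test" \
        -keyout proxy.key -out new.pem
}

# "Signing the ProxySG CSR" using the extension section named in $1.
sign_appliance_csr() {
    openssl ca -batch -notext -config ca.cnf -policy policy_anything \
        -extensions "$1" -passin "pass:$CA_PASS" -in new.pem -out "newcert-$1.pem"
}

# What the SSL proxy does at intercept time: issue a certificate for the origin
# server signed by the keyring certificate. $1 = issuer cert, $2 = output file.
emulate_site_cert() {
    openssl x509 -req -sha256 -days 30 -in site.csr -CA "$1" -CAkey proxy.key \
        -CAcreateserial -out "$2"
}

# Browser-style check: trust only the root, supply the intermediate, verify the leaf.
verify_chain() {
    if openssl verify -CAfile demoCA/private/CAcert.pem -untrusted "$1" "$2" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# Runs everything in a scratch directory; prints "CA:TRUE=OK CA:FALSE=FAIL".
demo_intermediate_ca() {
    work=$(mktemp -d)
    result=$(
        cd "$work"
        write_ca_config
        create_root_ca
        create_appliance_csr
        sign_appliance_csr usr_cert         # the guide's configuration
        sign_appliance_csr usr_cert_nonca   # basicConstraints left at the default
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=www.example.test" -keyout site.key -out site.csr
        emulate_site_cert newcert-usr_cert.pem site-good.pem
        emulate_site_cert newcert-usr_cert_nonca.pem site-bad.pem
        echo "CA:TRUE=$(verify_chain newcert-usr_cert.pem site-good.pem) CA:FALSE=$(verify_chain newcert-usr_cert_nonca.pem site-bad.pem)"
    )
    rm -rf "$work"
    echo "$result"
}

if [ "${1:-}" = "run" ]; then
    demo_intermediate_ca
fi
```

Run it as `sh intermediate-ca.sh run` (file name assumed); the last line printed is CA:TRUE=OK CA:FALSE=FAIL. The intermediate is given pathlen:0 so that it can issue only end-entity certificates, which is all an SSL-intercept issuer needs; a browser that trusts only the root accepts the emulated site certificate in the first case and rejects it in the second, which is exactly the warning the "Testing the Configuration" step tells you not to expect.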

Chapter 10: Managing the WebEx Proxy

This chapter describes how to use the Advanced Secure Gateway appliance
WebEx proxy to control WebEx sessions.

Topics in this Chapter


This chapter includes information about the following topics:
❐ "About Controlling the WebEx Application and File Sharing" on page 284
❐ "Enable HTTP Handoff" on page 285
❐ "Control Access to a WebEx Site with Policy" on page 286
❐ "Control File Uploads with Policy" on page 288
❐ "Control Desktop Sharing with Policy" on page 291
❐ "WebEx Proxy Access Logging" on page 294
❐ "Review WebEx Proxy Sessions" on page 296
WebEx is a popular file and desktop sharing software application. Meeting
participants can join from all over the world. In the presenter role, a user can
share his desktop, files, or a specific application window. The WebEx proxy on
the Advanced Secure Gateway appliance provides for the inspection of WebEx
traffic, which allows fine control over desktop and file sharing operations.
This solution is designed for both explicit and transparent forward proxy
deployments. It requires the WebEx HTTP handoff be enabled. If the HTTP
handoff is not enabled, the WebEx proxy policy is not applied, though other
policy pertaining to HTTP traffic is applied.

IPv6 Support
The WebEx proxy is able to communicate using either IPv4 or IPv6, either
explicitly or transparently.

Advanced Secure Gateway Administration Guide

Section 1 About Controlling the WebEx Application and File Sharing


The WebEx Proxy controls WebEx desktop and file sharing with a deny
(block)/allow option. The proxy can be configured to allow a user to attend a
meeting but prevent that user from sharing a file, hosting a meeting, or sharing
the desktop.
This solution requires an active, licensed content filtering service database. You
can use the Blue Coat WebFilter (BCWF) service, but some WebEx operations will
be unavailable. To use all WebEx operations, you require a Blue Coat Intelligence
Services license and database.
When enabled, the content filtering service detects WebEx HTTPS connections.
When HTTP handoff is enabled, WebEx connections are handed to the WebEx
Proxy, where they can be inspected and subjected to policy actions. If desktop
or file sharing is configured to be blocked when detected by the WebEx proxy,
the HTTP connection does not continue to the server.
For details on these content filtering services, see "Filtering Web Content" on page
409.

Before You Begin


❐ Make sure the Blue Coat content filtering service is licensed and active.
❐ Select Intelligence Services for the content filtering data source. Select
Configuration > Content Filtering > Blue Coat, and select Intelligence Services from
the Data Source menu.
❐ Enable Application Classification. Select Configuration > Application Classification
> General, and click Enable Blue Coat Application Classification on this device.
❐ Make sure WebEx HTTP Handoff is enabled before enacting policy. See
"Enable HTTP Handoff" on page 285.

Section 2 Enable HTTP Handoff
Enable HTTP handoff so that WebEx connections are handed to the WebEx Proxy,
where they can be inspected and subjected to policy actions.
1. Go to Configuration > Proxy Settings > WebEx Proxy.
2. Verify Enable HTTP handoff has been checked; it is checked by default.


Section 3 Control Access to a WebEx Site with Policy


This procedure applies to connections to a specific WebEx server. You will likely
want to write policy which contains both a reference to a specific site (whether to
deny or allow access to that site) as well as an action such as deny file uploads.
1. Launch the VPM (Configuration > Policy > Visual Policy Manager).
2. Select Policy > Add Web Access Layer.
3. Name the layer appropriately, such as “WebEx Layer,” and click OK.
4. In the new layer, right click the Destination field, and click Set. The system
displays the Set Destination Object window.
5. Click New, and select WebEx Site from the list. The system displays the Add
WebEx Site Object window.

6. Name the WebEx Site Object, then enter the site name in the detail you select at
the drop down. For example, enter “company1“ for an Exact Match, then click
OK. The Add WebEx Site Object window closes. The Site Name may only contain
alphanumeric characters.

7. Choose an Action of Allow or Deny, as required.


8. Alternatively, you can add a WebEx Site and another object to a Combined
Destination Object, to allow or deny a specific action for a particular site. For
example, add a Share Application object to deny application sharing for a
specific site.
See "Control File Uploads with Policy" next for more details on creating
Combined Destination Objects.

9. Install the policy.


Section 4 Control File Uploads with Policy


Use a combined object to deny file uploading through WebEx.

Note: Before proceeding, make sure that you meet the requirements described in
"Before You Begin" on page 284.

To control file uploads:


1. Launch the VPM (Configuration > Policy > Visual Policy Manager).
2. Select Policy > Add Web Access Layer
3. Name the layer; for example, “WebEx Layer,” and click OK.
4. In the new layer, right click the Destination field, and click Set. The system
displays the Set Destination Object window.
5. Click New, and select the Combined Destination Object.
6. Name the object on the Add Combined Destination Object window, then click New,
and select the Request URL Application. The system displays the Add Request Web
Application Control window.

7. Name the object (for example, “WebExApplication”), select WebEx from the
left side list, and click OK.

• If the Advanced Secure Gateway appliance is unable to connect to
Intelligence Services, you will see a "Problem connecting" message.

8. Click New on the Add Combined Destination Object window, and select the Request
URL Operation. The system displays the Add Request Web Operation Control
window.
a. Name the object (for example, “WebExOperation-UploadFiles”).
b. Select Upload Files from the left side list, and click OK.

Note: Other WebEx operations include Host Meeting, Join Meeting, and Login.

9. To set up policy where both objects are required for the action to occur, set up
an AND situation.
a. Highlight the first new object (“WebExApplication”), and click Add to
move it to the top right object field.
b. Highlight the second new object (“WebExOperation-UploadFiles”),
and click Add to move it to the lower object field.
c. Click OK. The window closes.
d. Click OK on the Set Destination Object window.


10. On the VPM window, right click Action on the current layer, and choose Allow or
Deny.

11. Install the policy.

Section 5 Control Desktop Sharing with Policy
Use a combined object to deny local desktop sharing through WebEx. Desktop
sharing is controlled by the Share Application function; the process is otherwise
the same as "Control File Uploads with Policy" .

Note: Before proceeding, make sure that you meet the requirements described in
"Before You Begin" on page 284.

To control desktop sharing:


1. Launch the VPM (Configuration > Policy > Visual Policy Manager).
2. Select Policy > Add Web Access Layer
3. Name the layer; for example, “WebEx Layer,” and click OK.
4. In the new layer, right click the Destination field, and click Set. The system
displays the Set Destination Object window.
5. Click New, and select the Combined Destination Object.
6. Name the object on the Add Combined Destination Object window, then click New,
and select the Request URL Application. The system displays the Add Request Web
Application Control window.

7. Name the object (for example, “WebExApplication”), select WebEx from the
left side list, and click OK.

• If the Advanced Secure Gateway appliance is unable to connect to
Intelligence Services, you will see a "Problem connecting" message.


8. Click New on the Add Combined Destination Object window, and select the Request
URL Operation. The system displays the Add Request Web Operation Control
window.
• Name the object (for example, “WebExOperation-ShareApplication”).
• Select Share Application from the left side list, and click OK.

9. To set up policy where both objects are required for the action to occur, set up
an AND situation.

a. Highlight the first new object (“WebExApplication”), and click Add to
move it to the top right object field.
b. Highlight the second new object ("WebExOperation-ShareApplication"),
and click Add to move it to the lower object field.
c. Click OK. The window closes.
d. Click OK on the Set Destination Object window.
10. On the VPM window, right click Action on the current layer, and choose Deny or
Allow.

11. Install the policy.


Section 6 WebEx Proxy Access Logging


WebEx actions are reported in the Collaboration proxy access log by default.
Actions include:
• a user joining a meeting
• a user leaving a meeting
• a user connection dropping abruptly
• a file or application sharing session starting
• a file or application sharing session finishing
• a file or application sharing session being blocked
To verify Access Logging is enabled, go to Configuration > Access Logging > General,
and click Enable Access Logging on the Default Logging tab. Verify the Collaboration
log appears on the Configuration > Access Logging > Logs tab.
For information about access log customization, refer to the "Creating Custom
Access Log Formats" . To view the Collaboration log, go to Statistics > Access
Logging, and select collaboration in the Log field.
Each individual WebEx meeting has a designated nine digit Meeting ID. This
Meeting ID is recorded in the access logs. Follow the Show Log Collaboration link.
The following table provides the log decode.

Field Name                  Field description                          Possible values

date                        Date of event

time                        Time of event

c-ip                        Client IP

r-dns                       Remote hostname

duration                    Duration of the session in seconds         Applicable only to STOP_FILE_UPLOAD,
                                                                       STOP_APPLICATION_SHARING, and
                                                                       LEAVE_MEETING

x-collaboration-method      Description of method                      JOIN_MEETING, LEAVE_MEETING,
                                                                       HOST_MEETING, DISCONNECT,
                                                                       START_FILE_UPLOAD, STOP_FILE_UPLOAD,
                                                                       START_APPLICATION_SHARING,
                                                                       STOP_APPLICATION_SHARING

s-action                    Whether a sharing session was allowed      ALLOWED, DENIED, FAILED, SUCCESS
                            or blocked (if applicable)

x-collaboration-user-id     WebEx user ID

x-collaboration-meeting-id  WebEx nine-digit meeting number

x-webex-site                WebEx site name on which this meeting is
                            hosted (for example, "bluecoat" for
                            bluecoat.webex.com)
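As an added example that is not part of the guide, the following shell script decodes Collaboration log lines laid out in the field order of the table above, listing every DENIED upload or sharing attempt per user and site and summing the reported durations per Meeting ID. The sample lines are constructed, not real logs; the field order and the "-" placeholder for empty values are assumptions, so check the #Fields: header of your own log and adjust the awk field numbers if your format differs.

```shell
#!/bin/sh
# Added example (not from the SGOS guide): a quick decode of Collaboration access-log
# lines. Assumed field order (from the table above, not verified against a live log):
#   1 date  2 time  3 c-ip  4 r-dns  5 duration  6 x-collaboration-method
#   7 s-action  8 x-collaboration-user-id  9 x-collaboration-meeting-id  10 x-webex-site
set -eu

# Constructed sample log lines (not real traffic); "-" marks an empty value.
sample_collaboration_log() {
    cat <<'EOF'
#Fields: date time c-ip r-dns duration x-collaboration-method s-action x-collaboration-user-id x-collaboration-meeting-id x-webex-site
2017-03-01 09:00:01 10.1.2.3 company1.webex.com - JOIN_MEETING SUCCESS alice 123456789 company1
2017-03-01 09:05:10 10.1.2.3 company1.webex.com - START_FILE_UPLOAD DENIED alice 123456789 company1
2017-03-01 09:07:00 10.1.2.4 company1.webex.com - START_APPLICATION_SHARING ALLOWED bob 123456789 company1
2017-03-01 09:17:00 10.1.2.4 company1.webex.com 600 STOP_APPLICATION_SHARING SUCCESS bob 123456789 company1
2017-03-01 09:20:00 10.1.2.5 partner.webex.com - START_APPLICATION_SHARING DENIED carol 987654321 partner
2017-03-01 09:30:00 10.1.2.3 company1.webex.com 1799 LEAVE_MEETING SUCCESS alice 123456789 company1
EOF
}

# Reads log lines on stdin; prints one finding per line, sorted for stable output.
webex_collaboration_report() {
    awk '
        # skip ELFF header lines (#Fields:, #Software:, ...)
        /^#/ { next }
        # policy blocked the operation: record who tried what, on which WebEx site
        $7 == "DENIED" { denied[$8 " " $6 " " $10]++ }
        # duration is only meaningful on STOP_* and LEAVE_MEETING records
        $6 == "STOP_FILE_UPLOAD" || $6 == "STOP_APPLICATION_SHARING" || $6 == "LEAVE_MEETING" {
            seconds[$9] += $5
        }
        END {
            for (k in denied)  printf "DENIED %s x%d\n", k, denied[k]
            for (m in seconds) printf "MEETING %s %ds\n", m, seconds[m]
        }' | LC_ALL=C sort
}

if [ "${1:-}" = "run" ]; then
    sample_collaboration_log | webex_collaboration_report
fi
```

Run as `sh webex-report.sh run` (file name assumed) or pipe a real log into `webex_collaboration_report`; for the sample it prints the two DENIED events (alice's file upload on company1, carol's application sharing on partner) and 2399 seconds of reported duration for meeting 123456789.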


Section 7 Review WebEx Proxy Sessions


After WebEx traffic begins to flow through the Advanced Secure Gateway
appliance, you can review the statistics page and monitor results in various
WebEx categories. The presented statistics are representative of the client
perspective.

To review WebEx statistics:


1. From the Management Console, select Statistics > Sessions > Active Sessions.
2. On the Proxied Sessions tab, set the following:
a. At Filter, select Protocol.
b. Select WebEx from the drop down menu.
c. Click Show.

Chapter 11: Accelerating File Sharing

This chapter discusses file sharing optimization. File sharing uses the Common
Internet File System (CIFS) protocol.

Topics in this Chapter


This chapter includes information about the following topics:
❐ "About the CIFS Protocol" on page 297
❐ "About the Blue Coat CIFS Proxy Solution" on page 298
❐ "Configuring the ProxySG CIFS Proxy" on page 301

About the CIFS Protocol


The CIFS protocol is based on the Server Message Block (SMB) protocol used
for file sharing, printers, serial ports, and other communications. It is a client-
server, request-response protocol. The CIFS protocol allows computers to share
files and printers, supports authentication, and is popular in enterprises
because it supports all Microsoft operating systems, clients, and servers.
File servers make file systems and other resources (printers, mailslots, named
pipes, APIs) available to clients on the network. Clients have their own hard
disks, but they can also access shared file systems and printers on the servers.
Clients connect to servers using TCP/IP. After establishing a connection, clients
can send commands (SMBs) to the server that allows them to access shares,
open files, read and write files— the same tasks as with any file system, but
over the network.
CIFS is beneficial because it is generic and compatible with the way
applications already share data on local disks and file servers. More than one
client can access and update the same file, while not compromising file-sharing
and locking schemes. However, the challenge for an enterprise is that CIFS
communications are inefficient over low bandwidth lines or lines with high
latency, such as in enterprise branch offices. This is because CIFS transmissions
are broken into blocks of data; each block has a maximum size of 64 KB for
SMBv1. When using SMBv1, the client must stop and wait for each block to
arrive before requesting the next block. Each stop represents time lost instead of
data sent. Therefore, users attempting to access, move, or modify documents
experience substantial, work-prohibiting delays.
The second version of SMB (SMBv2) alleviates some of the inefficiencies in
CIFS communication and improves performance over high latency links.
Servers that support SMBv2 pipelining can send multiple requests/responses
concurrently which improves performance of large file transfers over fast
networks. While SMBv2 has some improvements, it does not address all of the
performance issues of CIFS; for example, it cannot reduce payload data
transferred over low bandwidth links.

SGOS Administration Guide

About the Blue Coat CIFS Proxy Solution


The CIFS proxy on the ProxySG combines the benefits of the CIFS protocol with
the abilities of the ProxySG to improve performance, reduce bandwidth, and
apply basic policy checks. This solution is designed for branch office deployments
because network administrators can consolidate their Windows file servers (at the
data center) instead of spreading them across the network.

LEGEND:
A: Branch client
B: Branch peer
C: Concentrator peer
D: File server containing objects requested by branch users

DATA FLOW:
1: A branch client requests a file from a server at the data center.
2: If the Branch peer has the object or part of the object cached, it is served back to the client; otherwise,
the request for uncached objects is sent to the data center. For SMBv1 connections, the ProxySG
attempts to read ahead—anticipate what part(s) of a specific object might be requested next.
3: If enabled for the CIFS service, byte caching and compression techniques are applied to the data
over the TCP connection.
4: The Concentrator performs decompression and authentication tasks, accesses the content server,
and returns the content back to the branch.
5: The client receives the requested content. In addition, the anticipated content is cached (if permitted
by the server and policy) so that future requests for it can be served without requesting it from the data
center.
6: Another client requests access to a file on the core server, but wants to write to the file. With write
back enabled, the branch ProxySG continuously informs the client that it is okay to write the next block.
Simultaneously, the ProxySG sends the data over the WAN to the file server, thus maximizing the data
pipeline.
Figure 11–1 CIFS Proxy Traffic and Flow Diagram

Caching Behavior
The CIFS proxy caches the regions of files that the client reads or writes
(partial caching); this applies to both read and write activity, and the
caching process respects file locking.
SMBv1 and SMBv2 share the same object cache, allowing a client using SMBv2
protocol to use objects cached by another client using SMBv1 (and vice versa).
When SMBv2 protocol acceleration is disabled or the connection requires
messages to be signed, the connection is placed into passthrough and object
caching is not performed. However, the connection can still take advantage of
byte caching and compression.

Note: Caching behavior can also be controlled with policy. See the Content Policy
Language Reference Guide or the Visual Policy Manager Reference Guide.

Authentication
The CIFS proxy supports both server and proxy authentication in the following
contexts.

Server Authentication
Permissions set by the origin content server (OCS) are always honored. Requests
to open a file are forwarded to the OCS; if the OCS rejects the client access request,
no content is served from the cache.

Note: NTLM/IWA authentication requires that the client knows what origin
server it is connecting to so it can obtain the proper credentials from the domain
controller.

Proxy Authentication
The ProxySG cannot issue a challenge to the user over CIFS, but it is able to make
use of credentials acquired by other protocols if IP surrogates are enabled.

Policy Support
The CIFS proxy supports the proxy, cache, and exception policy layers. However,
the SMB protocol can only return error numbers. Exception definitions in the
forms of strings cannot be seen by an end user. Refer to the Content Policy
Language Reference for supported CPL triggers and actions.


Access Logging
By default, the ProxySG uses a Blue Coat-derived CIFS access log format.
date time c-ip c-port r-ip r-port s-action s-ip cs-auth-group
cs-username x-client-connection-bytes x-server-connection-bytes
x-server-adn-connection-bytes x-cifs-method
x-cifs-client-read-operations x-cifs-client-write-operations
x-cifs-client-other-operations x-cifs-server-operations
x-cifs-error-code x-cifs-server x-cifs-share x-cifs-path
x-cifs-orig-path x-cifs-client-bytes-read x-cifs-server-bytes-read
x-cifs-bytes-written x-cifs-uid x-cifs-tid x-cifs-fid x-cifs-file-size
x-cifs-file-type x-cifs-fid-persistent
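To make the field list above usable, here is an added example (not code from the guide or from the ProxySG) that maps a line of this default format onto its field names and summarizes, per user, the bytes read and written plus every operation that returned a non-zero x-cifs-error-code. It assumes the usual ELFF conventions for Blue Coat access logs (single-space separation, double quotes around values containing spaces, "-" for an empty field); the sample lines, hosts, users, shares and error code are constructed.

```python
import csv
from collections import defaultdict

# Field order of the default Blue Coat CIFS access log format, as listed in the guide.
CIFS_FIELDS = (
    "date time c-ip c-port r-ip r-port s-action s-ip cs-auth-group cs-username "
    "x-client-connection-bytes x-server-connection-bytes x-server-adn-connection-bytes "
    "x-cifs-method x-cifs-client-read-operations x-cifs-client-write-operations "
    "x-cifs-client-other-operations x-cifs-server-operations x-cifs-error-code "
    "x-cifs-server x-cifs-share x-cifs-path x-cifs-orig-path x-cifs-client-bytes-read "
    "x-cifs-server-bytes-read x-cifs-bytes-written x-cifs-uid x-cifs-tid x-cifs-fid "
    "x-cifs-file-size x-cifs-file-type x-cifs-fid-persistent"
).split()

# Constructed sample lines (not from a real appliance); hosts, users, shares and the
# access-denied error code are illustrative values only.
SAMPLE_LOG = [
    r'2017-03-01 10:15:02 10.1.2.3 51234 192.0.2.10 445 TCP_HIT 10.1.2.1 "Domain Users" alice 4096 0 0 read 12 0 1 2 0 fs01 docs "/reports/q1 summary.xlsx" "\\fs01\docs\reports\q1 summary.xlsx" 49152 0 0 101 5 12 49152 file 1',
    r'2017-03-01 10:15:09 10.1.2.3 51234 192.0.2.10 445 TCP_MISS 10.1.2.1 "Domain Users" alice 512 512 128 open 0 0 1 1 0xC0000022 fs01 finance /payroll/2017.xlsx /payroll/2017.xlsx 0 0 0 101 6 - 0 - 0',
    r'2017-03-01 10:16:40 10.1.2.7 49877 192.0.2.10 445 TCP_MISS 10.1.2.1 - bob 8192 8192 2048 write 0 20 0 20 0 fs01 docs /drafts/notes.txt /drafts/notes.txt 0 0 81920 102 5 13 81920 file 0',
]

def parse_line(line):
    """Map one line onto CIFS_FIELDS. Assumes ELFF conventions: single-space separated,
    double quotes around values containing spaces, '-' for an empty field (returned as
    None). csv rather than shlex keeps backslashes in UNC paths literal."""
    values = next(csv.reader([line], delimiter=" ", quotechar='"'))
    if len(values) != len(CIFS_FIELDS):
        raise ValueError(f"expected {len(CIFS_FIELDS)} fields, got {len(values)}")
    return {name: (None if v == "-" else v) for name, v in zip(CIFS_FIELDS, values)}

def summarize(lines):
    """Per-user view for log review: bytes the client read and wrote, plus every
    operation whose x-cifs-error-code was non-zero (e.g. rejected by the OCS)."""
    totals = defaultdict(lambda: {"bytes_read": 0, "bytes_written": 0, "errors": []})
    for line in lines:
        rec = parse_line(line)
        user = rec["cs-username"] or rec["c-ip"]  # unauthenticated: key by client IP
        t = totals[user]
        t["bytes_read"] += int(rec["x-cifs-client-bytes-read"] or 0)
        t["bytes_written"] += int(rec["x-cifs-bytes-written"] or 0)
        if rec["x-cifs-error-code"] not in (None, "0"):
            t["errors"].append((rec["x-cifs-method"], rec["x-cifs-share"],
                                rec["x-cifs-path"], rec["x-cifs-error-code"]))
    return dict(totals)

if __name__ == "__main__":
    for user, t in summarize(SAMPLE_LOG).items():
        print(user, t)
```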

WCCP Support
If WCCP is deployed for transparency, you must configure WCCP to intercept
TCP ports 139 and 445.

Section 1 Configuring the ProxySG CIFS Proxy
This section contains the following sub-sections:
❐ "About Windows Security Signatures" on page 301
❐ "Intercepting CIFS Services" on page 304
❐ "Configuring SMBv1 Options" on page 305
❐ "Configuring SMBv2 Options" on page 310
❐ "Reviewing CIFS Protocol Statistics" on page 311

See Also
"About the CIFS Protocol" on page 297

About Windows Security Signatures


Security signatures prevent the CIFS proxy from providing its full acceleration
capabilities, and they require a considerable amount of processing on both clients
and servers. Because link-layer security measures, such as VPNs and a restricted
network topology, often already provide the protection that signatures offer, the
benefit of signatures in such deployments is minimal while the drawbacks are high.

SMBv1
For the CIFS proxy to fully optimize SMBv1 traffic, the Windows clients must not
be configured to require that security signatures always be used. The
instructions for verifying this setting are detailed below.
In addition, if signing is required on the server, you must enable and configure
SMB signing on the ADN concentrator. (See "Enabling SMB Signing Support for
SMBv1 Connections" on page 307.)

SMBv2
For SMBv2, if security signatures are always required on the client or the server,
the CIFS proxy cannot fully optimize SMBv2 traffic. The proxy can perform byte
caching and compression on this traffic, but it cannot perform object caching or
protocol acceleration. If you want to fully optimize SMBv2 traffic, you must
disable the setting that controls whether digital signing must always be used; this
must be configured on both clients and servers. If either side requires that
signing always be used, SMBv2 connections are passed through the proxy without
full optimization.
If your clients are running Windows 8, you can optionally disable Secure Dialect
Negotiation on clients for better performance; see "Disable Secure Dialect
Negotiation" on page 304.

Verify Security Signature Settings in Windows


By default, the Digitally sign communications (always) setting is disabled in Windows,
except in the case of a Domain Controller installation. If this setting has been
enabled, you will need to disable it in order to fully optimize CIFS traffic.

To verify the security signature settings in Windows:

Note: This procedure follows the Control Panel Classic View format. The
screen shots represent Microsoft Windows XP.

1. In each Windows client, select Start > Control Panel > Administrative Tools > Local
Security Policy. The Local Security Settings dialog appears.

2. Select Local Policies > Security Options.


3. Right-click Microsoft network client: Digitally sign communications (always) and
select Properties. A configuration dialog appears.

Note: In Windows 2000, this option is called Digitally sign client communications
(always).

4. Select Disabled. Click Apply and OK.
5. Close all Control Panel dialogs.

Important: If the server is an ADS/Domain controller, you must set the same
security settings for both Administrative Tools > Domain Controller Security Policy
and Administrative Tools > Domain Security Policy. Otherwise, you cannot open file
shares and Group Policy snap-ins on your server.

6. You must reboot the client to apply this configuration change.


7. SMBv2 only: Repeat these steps on the servers you want the CIFS proxy to
optimize. On the server, the option is called Microsoft network server: Digitally
sign communications (always).

8. SMBv1 only: If the server requires signing, enable and configure SMB signing
on the ADN concentrator. See "Enabling SMB Signing Support for SMBv1
Connections" on page 307.

Disable Secure Dialect Negotiation


Secure Dialect Negotiation allows servers and clients to detect an attacker’s
attempts to eavesdrop on server-client communication and downgrade the
negotiated SMBv2 protocol dialect.
If your clients run Windows 8, you can optionally disable Secure Dialect
Negotiation to improve CIFS performance; however, CIFS operations still
function correctly if the feature is enabled.

Disable Secure Dialect Negotiation on the client:


1. In Windows, open the Registry Editor.
2. Look for the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters

3. Select the key, and then add a new DWORD value with the name
RequireSecureNegotiate and value data 0.

Intercepting CIFS Services


By default (upon upgrade and on new systems), the ProxySG has CIFS services
configured for transparent connections on ports 139 and 445. Blue Coat creates
listener services on both ports because different Windows operating systems
(older versus newer) attempt to connect using 139 or 445. For example, Windows
NT and earlier only used 139, but Windows 2000 and later try both 139 and 445.
Therefore, configuring only one port can cause only a portion of the CIFS traffic
from Windows 2000 and newer systems to go through the proxy.
A transparent connection is the only supported method; the CIFS protocol does
not support explicit connections.
Also, by default these services are configured to accept all IP addresses in Bypass
mode. The procedure in this section describes how to change them to Intercept
mode, and explains other attributes within the service.

Adding and Configuring New CIFS Services


If you require a CIFS service to intercept a port other than the default 139/445
ports, you can create a new service (and specify a default or custom service
group). This general procedure is described in "Creating Custom Proxy Services"
on page 140.

To configure the CIFS proxy to intercept file sharing traffic:


1. From the Management Console, select Configuration > Services > Proxy Services.

2. Intercept CIFS traffic:


a. Scroll the list of service groups, click Standard, and, if necessary, click
CIFS to expand the CIFS services list.

b. Notice the Action for each default service (ports 139 and 445) is Bypass.
Select Intercept from the drop-down list(s).
3. Click Apply.
Now that the ProxySG is intercepting CIFS traffic, configure the CIFS proxy
options for SMBv1 ("Configuring SMBv1 Options" on page 305) or SMBv2
("Configuring SMBv2 Options" on page 310).

Configuring SMBv1 Options


When using SMBv1, you can configure options for file reading/writing, remote
storage optimization, and folder management and caching. This section describes
these options and why they might require changing based on your branch
deployment.

To view/change the SMBv1 configuration options:


1. In the Management Console, select the Configuration > Proxy Settings > CIFS Proxy
> SMBv1 tab.

2. To accelerate SMBv1 connections, make sure the Enable protocol acceleration for
SMBv1 connections check box is selected.

3. Configure the SMBv1 options:


a. Read Ahead: The appliance attempts to anticipate what data might be
requested next, fetches it, and caches it; this reduces the latency of the
connection. The ProxySG might partially cache a requested object (the
part directly requested and viewed by the client). Enabled by default.
If applications frequently perform large amounts of non-sequential file
access, disable Read Ahead to reduce the amount of unnecessary data being
fetched into the cache.
b. Write Back: This setting applies when clients attempt to write to a file on
the core server. Without write back, a client would experience
substantial latency as it sends data chunks and waits for the
acknowledgement from the server to send subsequent data chunks.
With Write Back set to Full, the branch ProxySG sends
acknowledgements to the client, prompting the client to send
subsequent data without waiting for an acknowledgement from the
core server. Meanwhile, the ProxySG forwards the data from the client
to the core server through the compressed TCP connection.
For best performance, set Write Back to Full (default).
c. Remote Storage Optimization: When this option is enabled, Windows
Explorer modifies the icons of uncached folders on remote servers,
indicating to users that the contents of the folder have not yet been
cached by the ProxySG. Disabled by default.
When remote storage optimization is enabled, the ProxySG reports to the
client that files are offline if the file is not in cache. This is designed to
reduce the amount of chatter that a client will generate for files. By default,
Windows Explorer does not show offline files in the search results. In
order to force Windows Explorer to show offline files, you can select
Search tape backup in the Windows Explorer advanced search options.
d. Suppress Folder Customization: When this option is enabled, remote
folders are displayed in the default view, without any view
customizations (such as showing thumbnails instead of icons). This
setting speeds the display of remote folders, especially on slow links.
Disabled by default.

e. Never Serve Directories After Expiration: When this option is enabled and
Directory Cache Time is past its expiration, directori