SGOS Administration Guide
SGOS 7.2.x
SGOS 6.7.x
Contact Information
Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term
“Broadcom” refers to Broadcom Inc. and/or its subsidiaries.
Copyright © 2020 Broadcom. All Rights Reserved.
For more information, please visit www.broadcom.com.
Broadcom reserves the right to make changes without further notice to any products or data herein to improve
reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However,
Broadcom does not assume any liability arising out of the application or use of this information, nor the application or
use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights
of others.
Email: [email protected]
Open source attributions are available in the ProxySG appliance online help. To view the attributions, click Help in the appliance to launch the
help system, go to the TOC, and select Open Source Attributions for Blue Coat ProxySG.
Document Number: 231-03113
Document Revision: SGOS 7.2.0.1—01/2020-A
Contents
Chapter 1: Introduction
SGOS Documentation ......................................................................................................................... 22
Document Conventions ....................................................................................................................... 24
Notes and Warnings............................................................................................................................. 25
About Procedures ................................................................................................................................ 26
Chapter 2: Accessing the Appliance
Accessing the ProxySG Appliance Using the Management Console ................................................. 28
Accessing the ProxySG Appliance Using the CLI .............................................................................. 43
Section A: Configuring Basic Settings
Configuring the ProxySG Appliance Name ........................................................................................ 45
Changing the Login Parameters .......................................................................................................... 46
Viewing the Appliance Serial Number................................................................................................ 49
Configuring the System Time.............................................................................................................. 50
Synchronizing to the Network Time Protocol ..................................................................................... 52
Appendix: Required Ports, Protocols, and Services ............................................................................ 54
Chapter 3: Licensing
Adding an Add-on License.................................................................................................................. 65
Enabling Automatic License Updates ................................................................................................. 66
Viewing the Current License Status .................................................................................................... 67
Chapter 4: Controlling Access to the ProxySG Appliance
Moderate Security: Restricting Management Console Access Through the Console Access Control List (ACL) ................. 74
Chapter 5: Backing Up the Configuration
Section A: About Configuration Archives
Section B: Archiving Quick Reference
Archiving Quick Reference Table ....................................................................................................... 83
Section C: Creating and Saving a Standard Configuration Archive
Section D: Creating and Saving a Secure (Signed) Archive
Section E: Preparing Archives for Restoration on New Devices
Creating a Transferable Archive.......................................................................................................... 93
Section F: Uploading Archives to a Remote Server
Creating and Uploading an Archive to a Remote Server .................................................................. 102
Section G: Restoring a Configuration Archive
Section H: Sharing Configurations
Section I: Troubleshooting
Chapter 6: Explicit and Transparent Proxy
Chapter 7: Managing Proxy Services
Section A: Proxy Services Concepts
Section B: Configuring a Service to Intercept Traffic
Changing the State of a Service (Bypass/Intercept) .......................................................................... 132
Section C: Creating Custom Proxy Services
Section D: Proxy Service Maintenance Tasks
Section E: Global Options for Proxy Services
Proxy Service Global Options ........................................................................................................... 143
Managing Licensed User Connection Limits (ProxySG to Server) .................................................. 150
Section F: Exempting Requests From Specific Clients
Adding Static Bypass Entries ............................................................................................................ 157
Section G: Trial or Troubleshooting: Restricting Interception From Clients or To Servers
Restricted Intercept Topics ................................................................................................................ 162
Section H: Reference: Proxy Services, Proxy Configurations, and Policy
Chapter 8: Intercepting and Optimizing HTTP Traffic
Section A: About the HTTP Proxy
Section B: Changing the External HTTP (Transparent) Proxy Service to Intercept All IP Addresses on Port 80
Section C: Managing the HTTP Proxy Performance
About the HTTP Object Caching Policy Global Defaults................................................................. 184
Setting the HTTP Default Object Caching Policy............................................................................. 188
Section D: Selecting an HTTP Proxy Acceleration Profile
Configuring the HTTP Proxy Profile ................................................................................................ 195
Section E: Using a Caching Service
Enabling CachePulse ......................................................................................................................... 198
Section F: Fine-Tuning Bandwidth Gain
Allocating Bandwidth to Refresh Objects in Cache .......................................................................... 201
Section G: Caching Authenticated Data (CAD) and Caching Proxy Authenticated Data (CPAD)
Section H: Viewing HTTP/FTP Statistics
Viewing the Number of HTTP/HTTPS/FTP Objects Served ........................................................... 212
Viewing the Number of HTTP/HTTPS/FTP Bytes Served............................................................... 213
Viewing Active Client Connections .................................................................................................. 214
Viewing HTTP/HTTPS/FTP Client and Server Compression Gain Statistics ................................. 215
Section I: Supporting IWA Authentication in an Explicit HTTP Proxy
Section J: Supporting Authentication on an Upstream Explicit Proxy
Section K: Detect and Handle WebSocket Traffic
How the ProxySG Appliance Handles an Upgrade Request ............................................................. 221
Feature Limitations............................................................................................................................ 223
Chapter 9: Managing the SSL Proxy
Section A: Intercepting HTTPS Traffic
Configuring the SSL Proxy in Explicit Proxy Mode......................................................................... 232
Warn Users When Accessing Websites with Untrusted Certificates ................................................ 237
Section B: Configuring SSL Rules through Policy
Section C: Offloading SSL Traffic to an SSL Visibility Appliance
Section D: Viewing SSL Statistics
Viewing SSL History Statistics ......................................................................................................... 247
Section E: Using STunnel
Configuring STunnel ......................................................................................................................... 251
Viewing STunnel Results .................................................................................................................. 253
Section F: Tapping Decrypted Data with Encrypted Tap
Section G: Working with an HSM Appliance
Working with the SafeNet Java HSM ............................................................................................... 260
Write HSM Policy ............................................................................................................................. 263
Section H: Advanced Topics
Chapter 10: Managing the WebEx Proxy
About Controlling the WebEx Application and File Uploads........................................................... 272
Enable HTTP Handoff....................................................................................................................... 273
Control Access to a WebEx Site with Policy .................................................................................... 274
Control File Uploads with Policy ...................................................................................................... 276
Control Desktop Sharing with Policy................................................................................................ 279
WebEx Proxy Access Logging.......................................................................................................... 282
Review WebEx Proxy Sessions......................................................................................................... 284
Chapter 11: Managing Outlook Applications
Section A: The Outlook Proxies
Section B: Endpoint Mapper and MAPI Configuration
Optimizing Encrypted MAPI Traffic ................................................................................................ 297
Section C: Intercept Skype for Business
Configure the Appliance for Skype and Lync Interception............................................................... 304
Chapter 12: Managing the FTP and FTPS Proxies
Configuring Native FTP Proxy and FTPS Proxy .............................................................................. 310
Chapter 13: Accelerating File Sharing
Configuring the ProxySG CIFS Proxy .............................................................................................. 319
Chapter 14: Managing DNS Traffic
About the DNS Proxy........................................................................................................................ 332
Handling DNS-over-HTTPS Traffic ................................................................................................. 334
EDNS Support in DNS Proxy .......................................................................................................... 338
Chapter 15: Managing a SOCKS Proxy
Configuring the SOCKS Proxy ......................................................................................................... 341
Viewing SOCKS History Statistics ................................................................................................... 343
Chapter 16: Managing Shell Proxies
Configuring the Telnet Shell Proxy Service Options ........................................................................ 350
Viewing Shell History Statistics........................................................................................................ 352
Chapter 17: Configuring and Managing an HTTPS Reverse Proxy
Section A: About the HTTPS Reverse Proxy
Section B: Configuring the HTTPS Reverse Proxy
Section C: Configuring HTTP or HTTPS Origination to the Origin Content Server
Chapter 18: Using the Appliance in an IPv6 Environment
Using the Appliance in an ISATAP Network ................................................................................... 367
IPv6 Support on the ProxySG Appliance .......................................................................................... 370
Configuring an ADN for an IPv6 Environment ................................................................................ 379
Optimizing ISATAP Traffic .............................................................................................................. 380
Configuring IPv6 Global Settings ..................................................................................................... 381
Chapter 19: Geolocation
Prerequisites for Using Geolocation.................................................................................................. 384
Enable Geolocation............................................................................................................................ 385
Configure Geolocation Database Downloads.................................................................................... 386
Test Outbound Connections Based on Geographic Location............................................................ 389
Determine Locations of IP Addresses for Incoming Connections .................................................... 393
Troubleshoot Geolocation ................................................................................................................. 395
Access Log Errors ............................................................................................................................. 396
Remove Geolocation Settings ........................................................................................................... 397
Chapter 20: Filtering Web Content
Section A: Web Content Filtering Concepts
About Symantec WebFilter and the WebPulse Service .................................................................... 403
Section B: Setting up a Web Content Filter
Enabling a Content Filter Provider .................................................................................................... 413
Downloading the Content Filter Database......................................................................................... 415
Section C: Configuring Symantec WebFilter and WebPulse
Section D: Configuring Intelligence Services for Content Filtering
Section E: Using Intelligence Services to Classify Applications
Section F: Configuring the Default Local Database
Selecting and Downloading the Local Database ............................................................................... 444
Section G: Configuring Internet Watch Foundation
Section H: Configuring a Third-Party Vendor
Section I: About YouTube Categories
Section J: Viewing the Content Filtering Categories Report
Section K: Using Quotas to Limit Internet Access
Section L: Applying Policy
Section M: Troubleshooting
Chapter 21: Web Application Protection
Section A: Using Application Protection
Enabling Application Protection ....................................................................................................... 481
Testing the Application Protections .................................................................................................. 483
Verifying the Database Download .................................................................................................... 484
Chapter 22: Control Traffic Based on Client IP Reputation
Create User-Defined IP Reputation Policy........................................................................................ 486
Chapter 23: Using Policy Services
About Policy Services ....................................................................................................................... 490
Verify Status of Policy Services ........................................................................................................ 491
Configure Policy Services Database Downloads .............................................................................. 492
Monitor Policy Services Status.......................................................................................................... 494
Install Security Policy........................................................................................................................ 495
Chapter 24: Analyzing the Threat Risk of a URL
Configure Threat Risk Levels............................................................................................................ 506
Use Threat Risk Features................................................................................................................... 512
Chapter 25: Malicious Content Scanning Services
Section A: About Content Scanning
Section B: Configuring ICAP Services
Creating an ICAP Service.................................................................................................................. 533
Configuring ICAP Feedback ............................................................................................................. 541
Customizing ICAP Patience Text...................................................................................................... 543
Section C: Securing Access to an ICAP Server
Using Secure ICAP............................................................................................................................ 548
Using a Crossover Cable ................................................................................................................... 550
Using a Private Network.................................................................................................................... 551
Section D: Monitoring Content Analysis and Sessions
Introduction to Content Analysis Request Monitoring...................................................................... 554
Section E: Creating ICAP Policy
Using ICAP Headers in Policy .......................................................................................................... 573
Section F: Managing Virus Scanning
Chapter 26: Configuring Service Groups
Creating a Service Group .................................................................................................................. 582
Chapter 27: Managing Streaming Media
Section A: Concepts: Streaming Media
About Processing Streaming Media Content..................................................................................... 596
About Streaming Media Authentication............................................................................................ 605
Section B: Configuring Streaming Media
Configuring the HTTP Streaming Proxy........................................................................................... 609
Configuring the Windows Media, Real Media, and QuickTime Proxies.......................................... 613
Limiting Bandwidth........................................................................................................................... 615
Configuring the Multicast Network................................................................................................... 617
Viewing Streaming History Statistics................................................................................................ 621
Section C: Additional Windows Media Configuration Tasks
Section D: Configuring Windows Media Player
Section E: Configuring RealPlayer
Section F: Configuring QuickTime Player
Section G: Using the Flash Streaming Proxy
Configuring the Flash Streaming Proxy ............................................................................................ 644
Section H: Supported Streaming Media Clients and Protocols
Chapter 28: Managing Bandwidth
Configuring Bandwidth Allocation ................................................................................................... 663
Bandwidth Management Statistics .................................................................................................... 665
Using Policy to Manage Bandwidth.................................................................................................. 667
Chapter 29: XML Protocol
Section A: Authenticate Request
Section B: Authenticate Response
Section C: Authorize Request
Section D: Authorize Response
Chapter 30: Configuring Access Logging
Configuring a Log for Uploading ...................................................................................................... 687
Viewing Access-Log Statistics .......................................................................................................... 690
Chapter 31: Configuring the Access Log Upload Client
Importing an External Certificate ...................................................................................................... 697
Digitally Signing Access Logs .......................................................................................................... 699
Troubleshooting................................................................................................................................. 712
Chapter 32: Creating Custom Access Log Formats
Creating a Custom or ELFF Log Format........................................................................................... 717
Chapter 33: Creating and Editing an Access Log Facility
Creating a Log Facility ...................................................................................................................... 722
Editing an Existing Log Facility........................................................................................................ 724
Associating a Log Facility with a Protocol ....................................................................................... 726
Configuring Global Settings.............................................................................................................. 728
Chapter 34: Access Log Formats
Action Field Values ........................................................................................................................... 735
Chapter 35: Statistics
Viewing the Traffic Mix Report ........................................................................................................ 742
Viewing NetFlow Statistics ............................................................................................................... 748
Viewing Traffic History .................................................................................................................... 749
Supported Proxies and Services ........................................................................................................ 751
Viewing the Application Mix Report ................................................................................................ 753
Viewing the Application History Report........................................................................................... 757
Viewing System Statistics ................................................................................................................. 759
Active Sessions—Viewing Per-Connection Statistics ...................................................................... 767
Chapter 36: Configuring an Application Delivery Network
Section A: ADN Overview
ADN Modes....................................................................................................................................... 792
Section B: Configuring an ADN
Introduction to Configuring an ADN ................................................................................................ 800
Enabling Explicit ADN Connections ................................................................................................ 805
Configuring IP Address Reflection ................................................................................................... 812
Section F: Securing the ADN
Securing a Managed ADN................................................................................................................. 821
Section G: Configuring Load Balancing
Introduction to Load Balancing ......................................................................................................... 828
Section H: Configuring Advanced ADN Settings
Configuring an ADN Node as an Internet Gateway.......................................................................... 832
Configuring the Byte-Cache Dictionary Size .................................................................................... 834
Section I: Monitoring the ADN
Reviewing ADN History ................................................................................................................... 841
Reviewing ADN Active Sessions...................................................................................................... 843
Monitoring Adaptive Compression ................................................................................................... 845
Section J: Related CLI Syntax to Configure an ADN
Section K: Policy
Section L: Troubleshooting
Chapter 37: WCCP Configuration
Configuring WCCP on the ProxySG Appliance ............................................................................... 863
Viewing WCCP Statistics and Service Group Status ........................................................................ 870
Chapter 38: TCP/IP Configuration
PMTU Discovery............................................................................................................................... 876
Chapter 39: Routing on the Appliance
Distributing Traffic Through Multiple Default Gateways ................................................................ 881
Routing in Transparent Deployments................................................................................................ 884
Routing Domains............................................................................................................................... 891
Chapter 40: Configuring Failover
Configuring Failover Groups............................................................................................................. 897
Viewing Failover Statistics................................................................................................................ 899
Chapter 41: Configuring DNS
Adding DNS Servers to the Primary or Alternate Group .................................................................. 905
Resolving Hostnames Using Name Imputing Suffixes ..................................................................... 909
Chapter 42: Virtual IP Addresses
Creating a VIP ................................................................................................................................... 912
Deleting a VIP ................................................................................................................................... 913
Chapter 43: Configuring Private Networks
Configuring Private Subnets.............................................................................................................. 917
Configuring Private Domains............................................................................................................ 918
Chapter 44: Managing Routing Information Protocols (RIP)
Installing RIP Configuration Files..................................................................................................... 922
Chapter 45: SOCKS Gateway Configuration
Section A: Configuring a SOCKS Gateway
Adding a SOCKS Gateway ............................................................................................................... 931
Creating SOCKS Gateway Groups.................................................................................................... 933
Configuring Global SOCKS Defaults ............................................................................................... 935
Configuring the SOCKS Gateway Default Sequence ....................................................................... 937
Section B: Using SOCKS Gateways Directives with Installable Lists
Creating a SOCKS Gateway Installable List..................................................................................... 944
Chapter 46: TCP Connection Forwarding
Configuring TCP Connection Forwarding ........................................................................................ 950
Chapter 47: Configuring the Upstream Network Environment
Section A: Overview
Section B: About Forwarding
Section C: Configuring Forwarding
Creating Forwarding Hosts and Groups ............................................................................................ 963
Configuring Global Forwarding Defaults.......................................................................................... 968
Configuring the Forwarding Default Sequence................................................................................. 970
Section D: Using Forwarding Directives to Create an Installable List
Creating a Forwarding Installable List .............................................................................................. 978
Chapter 48: Using Policy to Manage Forwarding
Chapter 49: About Security
Controlling User Access with Identity-based Access Controls......................................................... 986
Chapter 50: Controlling Access to the Internet and Intranet
Section A: Managing Users
Viewing Logged-In Users ................................................................................................................. 989
Section B: Using Authentication and Proxies
About Authentication Modes............................................................................................................. 997
Section C: Using SSL with Authentication and Authorization Services
Section D: Creating a Proxy Layer to Manage Proxy Operations
Section E: Forwarding BASIC Credentials
Section F: Authenticating Outbound SSH Client Connections
Chapter 51: Local Realm Authentication and Authorization
Creating a Local Realm ................................................................................................................... 1032
Changing Local Realm Properties ................................................................................................... 1033
Chapter 52: CA eTrust SiteMinder Authentication
Creating a SiteMinder Realm ......................................................................................................... 1048
Configuring SiteMinder Servers...................................................................................................... 1050
Defining SiteMinder Server General Properties.............................................................................. 1052
Chapter 53: Certificate Realm Authentication
Configuring Certificate Realms....................................................................................................... 1060
Specifying an Authorization Realm ................................................................................................ 1065
Chapter 54: Oracle COREid Authentication
Creating a COREid Realm .............................................................................................................. 1075
Configuring Agents for COREid Authentication ............................................................................ 1076
Configuring the COREid Access Server ......................................................................................... 1078
Configuring the General COREid Settings ..................................................................................... 1080
Chapter 55: SAML Authentication
About SAML ................................................................................................................................... 1084
Requirements for SAML Authentication ........................................................................................ 1086
An Overview of the Authentication Process ................................................................................... 1087
Set up SAML Authentication .......................................................................................................... 1089
Export the IDP Metadata File .......................................................................................................... 1090
Prepare the Appliance...................................................................................................................... 1092
Create the SAML Realm ................................................................................................................. 1096
Configure SAML Authorization...................................................................................................... 1098
Configure the IDP............................................................................................................................ 1100
Prevent Dropped Connections When Policy is Set to Deny............................................................ 1111
Backing Up Configuration: Considerations for SAML................................................................... 1112
Chapter 56: Integrating the Appliance with Your Windows Domain
Integrate the Appliance into the Windows Domain ........................................................................ 1114
Configure SNMP Traps for the Windows Domain ......................................................................... 1118
Chapter 57: Integrating Authentication with Active Directory Using IWA
Preparing for a Kerberos Deployment............................................................................................. 1123
Configuring IWA on the Appliance ................................................................................................ 1125
Creating the IWA Authentication and Authorization Policies ........................................................ 1135
Configuring Client Systems for Single Sign-On ............................................................................. 1142
Using IWA Direct in an Explicit Kerberos Load Balancing/Failover Scenario.............................. 1144
Chapter 58: Kerberos Constrained Delegation
Chapter 59: LDAP Realm Authentication and Authorization
Creating an LDAP Realm on the Appliance ................................................................................... 1157
Configuring LDAP Properties on the Appliance............................................................................. 1159
Chapter 60: Novell Single Sign-on Authentication and Authorization
Creating a Novell SSO Realm ........................................................................................................ 1178
Novell SSO Agents.......................................................................................................................... 1179
Adding LDAP Servers to Search and Monitor for Novell SSO ...................................................... 1181
Querying the LDAP Novell SSO Search Realm ............................................................................. 1182
Configuring Authorization .............................................................................................................. 1183
Defining Novell SSO Realm General Properties ............................................................................ 1184
Chapter 61: Policy Substitution Realm
Creating a Policy Substitution Realm.............................................................................................. 1193
Configuring User Information ......................................................................................................... 1194
Creating a List of Users to Ignore ................................................................................................... 1195
Configuring Authorization .............................................................................................................. 1196
Defining Policy Substitution Realm General Properties ................................................................. 1197
Creating the Policy Substitution Policy........................................................................................... 1200
Chapter 62: RADIUS Realm Authentication and Authorization
Creating a RADIUS Realm ............................................................................................................. 1203
Defining RADIUS Realm Properties .............................................................................................. 1204
Defining RADIUS Realm General Properties................................................................................. 1206
Chapter 63: Configuring the Appliance as a RADIUS Session Monitor
Chapter 64: Sequence Realm Authentication
Creating a Sequence Realm ............................................................................................................. 1223
Adding Realms to a Sequence Realm.............................................................................................. 1224
Defining Sequence Realm General Properties ............................................................................... 1226
Chapter 65: Managing X.509 Certificates
Section A: PKI Concepts
Section B: Using Keyrings and SSL Certificates
Creating a Keyring........................................................................................................................... 1235
Providing Client Certificates in Policy ............................................................................................ 1239
Add Certificates to the ProxySG Appliance.................................................................................... 1240
Group Related Client Keyrings into a Keylist................................................................................. 1242
Specify the Client Certificates to be Used in Policy ....................................................................... 1244
Emulate Client Certificates.............................................................................................................. 1247
Section C: Managing Certificates
Managing SSL Certificates.............................................................................................................. 1251
Using Certificate Revocation Lists ................................................................................................. 1254
Section D: Using External Certificates
Section E: Advanced Configuration
Managing CA Certificate Lists........................................................................................................ 1263
Managing Cached Intermediate Certificates ................................................................................... 1268
Section F: Checking Certificate Revocation Status in Real Time (OCSP)
Creating and Configuring an OCSP Responder .............................................................................. 1276
Chapter 66: Managing SSL Traffic
Section A: SSL Client Profiles
Editing an SSL Client ...................................................................................................................... 1285
Section B: SSL Device Profiles
Section C: Notes and Troubleshooting
Chapter 67: Windows Single Sign-On Authentication
Creating a Windows SSO Realm .................................................................................................... 1295
Configuring Windows SSO Agents................................................................................................. 1296
Configuring Windows SSO Authorization...................................................................................... 1298
Defining Windows SSO Realm General Properties ........................................................................ 1300
Chapter 68: Using XML Realms
Creating an XML Realm ................................................................................................................. 1307
Configuring XML Servers............................................................................................................... 1308
Configuring XML Options .............................................................................................................. 1310
Configuring XML Realm Authorization ......................................................................................... 1311
Configuring XML General Realm Properties ................................................................................. 1313
Chapter 69: Forms-Based Authentication and Validation
Creating and Editing a Form ........................................................................................................... 1323
Setting Storage Options ................................................................................................................... 1325
About CAPTCHA Validation.......................................................................................................... 1328
Configure CAPTCHA Validation ................................................................................................... 1329
Chapter 70: Authentication and Authorization Errors
Chapter 71: Configuring Adapters and Virtual LANs
Changing the Default Adapter and Interface Settings ..................................................................... 1360
Viewing Interface Statistics............................................................................................................. 1370
Chapter 72: Software and Hardware Bridges
Configuring a Software Bridge........................................................................................................ 1377
Chapter 73: Configuring Management Services
Creating a Management Service...................................................................................................... 1389
Managing the SSH Console............................................................................................................. 1394
Managing SSH Ciphers for Inbound Connections .......................................................................... 1398
Managing SSH HMACs for Inbound Connections ......................................................................... 1400
Managing the Telnet Console.......................................................................................................... 1402
Chapter 74: Preventing Denial of Service Attacks
Creating the CPL ............................................................................................................................. 1412
Chapter 75: Authenticating an Appliance
Obtaining an Appliance Certificate ................................................................................................. 1418
Creating an SSL Device Profile for Device Authentication............................................................ 1423
Chapter 76: Monitoring the Appliance
Section A: Using Director to Manage ProxySG Appliances
Automatically Registering the ProxySG Appliance with Director ................................................. 1427
Section B: Monitoring the System and Disks
System Configuration Summary ..................................................................................................... 1432
Viewing System Environment Sensors ........................................................................................... 1433
Viewing Disk Status and Taking Disks Offline .............................................................................. 1434
Viewing SSL Accelerator Card Information ................................................................................... 1435
Section C: Configuring Event Logging and Notification
Selecting Which Events to Log ....................................................................................................... 1437
Setting Event Log Size .................................................................................................................... 1438
Enabling Event Notification ............................................................................................................ 1439
Viewing Event Log Configuration and Content.............................................................................. 1446
Section D: Monitoring Network Devices (SNMP)
Configuring SNMP Communities ................................................................................................... 1454
Configuring SNMP for SNMPv1 and SNMPv2c............................................................................ 1456
Configuring SNMP for SNMPv3 .................................................................................................... 1460
Section E: Configuring Health Monitoring
About the Health Monitoring Metric Types .................................................................................... 1468
Chapter 77: Verifying Service Health and Status
Section A: Overview of Health Checks
Background DNS Resolution .......................................................................................................... 1484
Section B: About Symantec Health Check Components
Health Check Tests .......................................................................................................................... 1487
Section C: Configuring Global Defaults
Changing Health Check Default Settings ........................................................................................ 1495
Configuring Health Check Notifications ......................................................................................... 1498
Section D: Forwarding Host and SOCKS Gateways Health Checks
Section E: DNS Server Health Checks
Section F: Authentication Health Checks
Section G: Virus Scanning and Content Filtering Health Checks
Section H: Managing User-Defined Health Checks
Section I: Health Check Topics
About Health Check Statistics ......................................................................................................... 1521
Section J: Using Health Check Results in Policy
Chapter 78: Maintaining the Appliance
Performing Maintenance Tasks ....................................................................................................... 1526
Upgrading the ProxySG Appliance ................................................................................................. 1531
Managing Systems........................................................................................................................... 1532
Chapter 79: Diagnostics
Diagnostic Reporting (Service Information) ................................................................................... 1539
Packet Capturing (PCAP—the Job Utility) ..................................................................................... 1546
Core Image Restart Options ............................................................................................................ 1553
Diagnostics: Symantec Customer Experience Program and Monitoring ........................................ 1554
Chapter 1: Introduction
The audience for this document is network administrators who are responsible for
managing Blue Coat ProxySG appliances. This document provides reference
information and procedures to configure SGOS, and includes topics for Application
Delivery Network (ADN), including acceleration and virtual appliance solutions.
The information in this document supersedes information in the appliance’s
Management Console online help.
Section 1 SGOS Documentation
The following core SGOS documentation is available.
Table 1–1 SGOS documentation
Document (URL): Overview
SGOS Upgrade/Downgrade Guide (https://www.symantec.com/docs/DOC9794): Steps for upgrading or downgrading SGOS. Also covers behavior changes and policy deprecations.
SGOS Administration Guide (https://www.symantec.com/docs/DOC11607): Detailed information for configuring and managing the ProxySG appliance.
Command Line Interface Reference (https://www.symantec.com/docs/DOC11609): Commands available in the ProxySG appliance CLI and how to use them to perform configuration and management tasks.
ProxySG Web Visual Policy Manager WebGuide (https://www.symantec.com/docs/DOC11610): How to create and implement policy in the ProxySG appliance's web-based Visual Policy Manager, including layer interactions, object descriptions, and advanced tasks.
Legacy Visual Policy Manager Reference (https://www.symantec.com/docs/DOC11611): How to create and implement policy in the ProxySG appliance's legacy Visual Policy Manager.
Content Policy Language Reference (https://www.symantec.com/docs/DOC11608): CPL gestures available for writing the policy by which the ProxySG appliance evaluates web requests.
Required ports, protocols, and services for the ProxySG appliance (https://www.symantec.com/docs/INFO5294): Basic configurations, and some commonly used options, for ports and protocols.
ProxySG Log Fields and CPL Substitutions Reference (https://www.symantec.com/docs/DOC11251): Fields available for creating access log formats (ELFF and custom) on the ProxySG appliance.
ProxySG Security Best Practices (https://www.symantec.com/docs/DOC11613): Best-effort security considerations for your ProxySG deployment.
SGOS 7.2.x Documentation (https://www.symantec.com/docs/DOC11612): Full list of documentation published for SGOS 7.2.x.
SGOS Release Notes: Changes, issues, fixes, and limitations pertaining to SGOS releases. Also includes any related security advisory (SA) fixes.
Note: SGOS Release Notes are available on the Downloads page. Log in to MySymantec
with your MySymantec credentials to access the release image and release notes.
To download the release notes:
1. Go to MySymantec:
https://support.symantec.com
2. Select Downloads > Network Protection (Blue Coat) Downloads.
3. When prompted, log in with your MySymantec credentials.
4. Select your product.
5. Select your appliance model (if applicable).
6. Select a software version.
7. Accept the License Agreement.
8. Select the file(s) to download and click Download Selected Files.
Note: The first time you download files, you are prompted to install the Download
Manager. Follow the onscreen prompts to download and run the installer. For more
information, refer to https://www.symantec.com/support-center/getting-started.
9. The Download Manager window opens. Select the download location.
Note: Complete instructions are also available online at:
https://www.symantec.com/support-center/getting-started
Bookmark this page for future reference.
Symantec also provides other deployment guides targeted for specific solutions. For these
and other documents, refer to:
https://support.symantec.com/us/en/documentation.1145522.2116810.html
Section 2 Document Conventions
The following table lists the typographical conventions used in this document.
Table 1–2 Document Conventions
Conventions: Definition
Italics: The first use of a new or Blue Coat-proprietary term, or a variable.
Courier font: Screen output. For example, command line text, file names, and Content Policy Language (CPL).
Courier Italics: A command line variable that is to be substituted with a literal name or value pertaining to the appropriate facet of your network system.
Courier Boldface: A literal to be entered as shown.
Arial Boldface: Screen elements in the Management Console.
{ }: One of the parameters enclosed within the braces must be supplied.
[ ]: An optional parameter or parameters.
|: Either the parameter before or after the pipe character can or must be selected, but not both.
Section 3 Notes and Warnings
The following is provided for your information and to caution you against actions that can
result in data loss or personal injury:
Note: Supplemental information that requires extra attention.
Important: Critical information that is not related to equipment damage or personal
injury (for example, data loss).
WARNING! Used only to inform you of danger of personal injury or physical damage
to equipment. An example is a warning against electrostatic discharge (ESD) when
installing equipment.
Section 4 About Procedures
Many of the procedures in this guide begin:
❐ Select Configuration > TabName, if you are working in the Management Console, or
❐ From the (config) prompt, if you are working in the command line interface (CLI).
Symantec assumes that you are logged into the first page of the Management Console or
entered into configuration mode in the CLI.
In most cases, procedures in this guide tell you how to perform a task in the Management
Console, even if there is a CLI equivalent.
Chapter 2: Accessing the Appliance
This section provides procedures for accessing the ProxySG appliance so that you can
perform administrative tasks using the Management Console and/or the command-line
interface. It assumes that you have performed the first-time setup using the Serial
Console or the front panel and that you have minimally specified an IP address, IP
subnet mask, IP gateway, and DNS server, and that you have tested the appliance and
know that it is up and running on the network. If you have not yet done this, refer to the
hardware guides for your appliance model.
This section includes the following topics:
❐ "Accessing the ProxySG Appliance Using the Management Console" on page 28
❐ "Accessing the ProxySG Appliance Using the CLI" on page 43
❐ "Configuring Basic Settings" on page 44
❐ "Appendix: Required Ports, Protocols, and Services" on page 54
Section 1 Accessing the ProxySG Appliance Using the Management Console
The Management Console is a graphical web interface that allows you to manage,
configure, monitor, and upgrade the appliance from any location. To determine the
browser and Java requirements for the Management Console, refer to the SGOS Release
Notes.
Figure 2–1 ProxySG appliance Management Console
Note: When you access the Management Console home page, if you see a host
mismatch or an invalid certificate message, you must recreate the security certificate
used by the HTTPS-Console. For information on changing the security certificate, see
"Managing the HTTPS Console (Secure Console)" on page 1390.
Ways to Access the Management Console
The methods available to you for accessing the Management Console depend on what you
want to achieve—for example, you might want to manage multiple Management Console
instances—and environmental factors specific to your deployment. See Table 2–1 for
details.
Note: To determine if you have a minimum supported Java version installed, refer to:
http://www.symantec.com/docs/TECH245893
Table 2–1 Ways to Access the Management Console

Use case: You want to run the Management Console directly in a browser.
Environmental requirements: Your deployment must have all of the following:
• Any SGOS version.
• A browser with NPAPI support.
• Browsers enabled with the minimum supported version of Java to run the Management Console.
How to access the Management Console: See "Load the Management Console Directly in a Browser" on page 29.

Use case: You require an alternative to running the Management Console directly in a browser because:
• You know that the browser does not support NPAPI.
• Your browser is not configured to run Java or JavaScript.
Environmental requirements: Your deployment must have workstations with the minimum supported version of Java to run the Management Console (browsers need not be Java-enabled), and at least one of the following:
• A browser without NPAPI support.
• Any browser version, provided you can access the Internet or can host the Launcher applet internally.
How to access the Management Console: See "Run the Management Console using Java Web Start" on page 30.

Use case: You want to launch multiple appliances.
Environmental requirements: Your deployment has all of the following:
• Any browser version.
• Workstations with the minimum supported version of Java to run Java Web Start; browsers need not be Java-enabled.
• Access to the Internet.
How to access the Management Console: See "Launch Multiple Management Consoles" on page 31.
Load the Management Console Directly in a Browser
Loading the Management Console in a browser is the legacy way to access the
management interface of an appliance. Accessing any SGOS version through a browser
that supports NPAPI loads the legacy Management Console directly in the browser by
default.
Note: If the browser does not load the content immediately, you can use Java Web Start
instead (as described in "Run the Management Console using Java Web Start" on page
30). A “Click here if your browser does not support embedded applets” link appears at the
bottom of the Management Console; if you click the link, you are prompted to open or
save a Java Network Launch Protocol (JNLP) file. Otherwise, refresh the browser or wait
for the console to load the legacy Management Console.
Load the Management Console in a browser:
1. In the browser’s address bar, enter https://appliance_IP_address:port
The default management port is 8082.
For example, if the IP address configured during initial configuration is 192.168.0.6,
type https://192.168.0.6:8082 in the address bar.
2. Enter the user name and password that you created during initial configuration. Upon
successful login, the browser displays the Management Console.
Note: The event log records all successful and failed login attempts.
Run the Management Console using Java Web Start
Using Java Web Start simulates the experience of running the Management Console in a
browser. If you access the Management Console using a browser that does not support
NPAPI, the browser presents a message including a link for you to download a JNLP file.
Alternatively—provided you can access the Internet—you can download the JNLP file
from MySymantec.
Run the Management Console using Java Web Start:
1. (Optional; applicable if you can connect to the Internet) Download the JNLP file from
MySymantec:
http://www.symantec.com/docs/TECH246041
Then, proceed to step 5.
2. In the browser’s address bar, enter https://appliance_IP_address:port
The default management port is 8082.
For example, if the IP address configured during initial configuration is 192.168.0.6,
type https://192.168.0.6:8082 in the address bar.
The browser prompts you to enter your user name and password.
3. Enter the user name and password that you created during initial configuration.
The browser displays a message stating that NPAPI is not supported.
4. In the message, click the link to download the JNLP file (mc.jnlp). Alternatively, in
the Management Console footer, click the “Click here if your browser does not
support embedded applets” link to download the file.
If you have already downloaded the JNLP file, you can run it instead of downloading
a copy; go to step 5.
Save the file to a convenient location on disk. To avoid downloading copies of the
JNLP file, note the location for future use.
5. Open the JNLP file. When prompted, enter your user name and password again.
Upon successful login, the applet loads the Management Console.
Note: The event log records all successful and failed login attempts.
Launch Multiple Management Consoles
The Management Console Launcher allows you to manage and launch multiple
Management Console instances from a single interface.
Note: Deployments whose appliances all run versions earlier than 6.6.5.x must have
access to the internet to download the launcher.JNLP file from MySymantec (see
http://www.symantec.com/docs/TECH246041).
Launch multiple Management Consoles:
1. If you have already downloaded the JNLP file, you can run it instead of downloading
a copy; go to step 4.
2. Designate an appliance running SGOS 6.6.5.x or later as the one you will use to
launch multiple consoles.
Log in to this appliance using steps 2 and 3 in "Run the Management Console
using Java Web Start" on page 30. When you are logged in, the browser displays
the Management Console banner. In the banner, click the Launcher link.
3. Download the JNLP file (loader.jnlp) to a convenient location on disk. To avoid
downloading copies of the JNLP file, note the location for future use.
4. Run the JNLP file. The Management Console Launcher opens.
Figure 2–2 Management Console Launcher - Main dialog
5. Select an appliance in the list and click Launch.
When prompted, enter your console user name and password. After a few moments,
Java Web Start launches the Management Console.
To manage the list of appliances, see "Use the Management Console Launcher" on page
33.
Use the Management Console Launcher
Use the Management Console Launcher to manage multiple Management Console
instances from a single interface. On the main Launcher dialog, click the Manage Devices
link to display the Device Connection Manager dialog. See Figure 2–3.
Figure 2–3 Management Console Launcher - Device Connection Manager dialog
Manage multiple instances through the Management Console Launcher:
1. Perform the following tasks as required:
• Add or remove an appliance using Launcher - See "Add or Remove a Device" on
page 33.
• Change an appliance’s network properties or description - See "Modify a Device’s
Properties" on page 34.
• Back up or restore the list of managed appliances - See "Import or Export a List of
Devices" on page 34.
• Change the order in which the appliances appear in the list - See "Re-order the
List of Devices" on page 36.
2. Launch a Management Console. On the main Launcher dialog, select the instance and
click Launch.
Add or Remove a Device
Use Launcher to add or remove appliances for convenient management of multiple
appliances across your organization.
Add or remove a device:
1. On the Launcher dialog, click the Manage Devices link. The dialog displays a “Device
Connection Manager” list. See Figure 2–3.
2. To add an appliance, specify the device properties:
Note: If you ran Launcher using the Launcher link in the Management Console
banner, the IP address and port fields are pre-populated with the appliance’s
console IP address and port.
a. Select the protocol (HTTP or HTTPS) and type the IP address in the field.
b. In the Port field, type the port number of the appliance’s Management
Console.
c. (Recommended) In the Description field, enter a description for the appliance
to help identify it.
d. Click Add as New. The appliance you added appears in the list of devices.
e. (Recommended) Test connectivity to the appliance you added. Select the
appliance in the list and click Test.
If the test is successful, a green checkmark appears beside the Test button.
If the test is unsuccessful, a red “X” appears beside the Test button. Check the
settings you entered and modify them if needed (see "Modify a Device’s
Properties" on page 34). Then, test the connection again.
3. To remove an appliance, select it in the list and click Delete. The appliance is deleted
from the list.
4. Click Done. Return to Launcher. The dialog displays the updated list of devices.
Note: You can also add appliances from the main Launcher dialog. The steps are similar
to the ones outlined previously.
Modify a Device’s Properties
If a managed appliance has changed network settings or other details, update its details in
the Launcher.
Modify a device’s properties:
1. On the Launcher dialog, click the Manage Devices link. The dialog displays a “Device
Connection Manager” list. See Figure 2–3 on page 33.
2. Select a device.
3. Change or edit the protocol, IP address, port, or description as needed.
4. Click Update.
5. (If applicable) Modify other devices as needed.
6. Click Done. Return to Launcher. The dialog displays the list of devices.
Import or Export a List of Devices
The import/export function in the Launcher allows you to:
❐ Create a list of devices in comma-separated values (CSV) format outside of Launcher,
and then import it through the Launcher.
❐ Back up (export) the list of managed appliances.
❐ Restore (import) a list of appliances.
Note: Deleting installed applications and applets in the Java Control Panel removes
the list of appliances from Launcher; thus, to prevent inadvertent deletion, export the
list periodically or when you make significant changes to it.
Prepare a list of devices for import:
1. Create/modify a CSV file. Enter one device per row with the following properties:
• First cell: Type “TRUE” for HTTPS and “FALSE” for HTTP (not including the
quotation marks).
• Second cell: Enter the device IP address.
• Third cell: Enter the port number for the device’s HTTP/S console.
• Fourth cell: Enter a description for the device.
2. Save the file to a convenient location on disk. Note the location for when you are
ready to import the file.
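The four-cell layout above is easy to get wrong by hand, and a row whose first cell is FALSE means the Launcher will talk to that appliance's console over plain HTTP. The following Python script is an added example, not part of the SGOS guide or the Launcher, that parses and validates a device list in this layout, reports malformed rows, lists the appliances reachable only over HTTP, and writes a clean list back out. The sample CSV and its addresses are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample in the Launcher import layout described above:
# HTTPS flag (TRUE/FALSE), IP address, console port, description.
SAMPLE_CSV = """TRUE,10.0.0.1,8082,Branch office proxy
FALSE,10.0.0.2,8081,Lab proxy (HTTP console)
TRUE,not-an-ip,8082,Typo in address
TRUE,10.0.0.3,99999,Port out of range
TRUE,10.0.0.4,8082
"""


def parse_device_list(text):
    """Parse a Launcher-style device CSV.

    Returns (devices, problems). Each device is a dict with the keys
    https, ip, port and description. Rows that fail validation are
    reported in problems as (1-based row number, message) and skipped.
    """
    devices, problems = [], []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # ignore blank lines
        if len(row) < 4:
            problems.append((row_no, "expected 4 cells (HTTPS flag, IP, port, description)"))
            continue
        flag, ip_text, port_text, description = (c.strip() for c in row[:4])
        if flag.upper() not in ("TRUE", "FALSE"):
            problems.append((row_no, f"first cell must be TRUE or FALSE, got {flag!r}"))
            continue
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            problems.append((row_no, f"invalid IP address {ip_text!r}"))
            continue
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            problems.append((row_no, f"port must be 1-65535, got {port_text!r}"))
            continue
        devices.append({
            "https": flag.upper() == "TRUE",
            "ip": str(ip),
            "port": int(port_text),
            "description": description,
        })
    return devices, problems


def plaintext_console_devices(devices):
    """Devices whose console would be reached over HTTP (first cell FALSE)."""
    return [d for d in devices if not d["https"]]


def to_device_csv(devices):
    """Serialise devices back into the four-cell import layout."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for d in devices:
        writer.writerow(["TRUE" if d["https"] else "FALSE", d["ip"], d["port"], d["description"]])
    return out.getvalue()


if __name__ == "__main__":
    devs, probs = parse_device_list(SAMPLE_CSV)
    for d in devs:
        print(d)
    for row_no, msg in probs:
        print(f"row {row_no}: {msg}")
    for d in plaintext_console_devices(devs):
        print(f"note: {d['ip']}:{d['port']} console is configured for HTTP, "
              "so management credentials would cross the network unencrypted")
```

Run the script against an exported list before importing it; rows it rejects are the ones the Launcher would either refuse or silently misinterpret, and the HTTP list is worth reviewing before the appliances are managed from a shared workstation.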
Import/export devices:
1. On the Launcher dialog, click the Manage Devices link. The dialog displays a “Device
Connection Manager” list.
2. To import a list of devices:
a. Click the Import link at the top right of the dialog. See Figure 2–3 on page 33.
b. In the dialog that opens, browse to the location of the CSV file to import and
select the file.
c. Specify what to do if devices already exist in the Launcher list:
• Merge with current list - This is selected by default. If devices exist in
Launcher already, they are combined with the list of devices you import.
• Replace the current list - If devices exist in Launcher already, the list of
devices you import replaces the existing list.
d. Click Done. Return to Launcher. The list of devices is imported.
3. To export the list of devices:
a. Click the Export link at the top right of the dialog. See Figure 2–3 on page 33.
b. In the dialog that opens, browse to the location where you want to save the
CSV file. Enter a name for the file and save it.
4. Click Done. Return to Launcher. The list of devices is exported.
Re-order the List of Devices
You can change the order of devices of the list to make it easier to manage. For example,
if you are managing a large list of devices, you might want to move the ones you monitor
more frequently to the top of the list.
Change the order of the devices on the list:
1. On the Launcher dialog, click the Manage Devices link. The dialog displays a “Device
Connection Manager” list. See Figure 2–3 on page 33.
2. Select a device and use the arrows to move it up or down in the list.
3. (If applicable) Move other devices as needed.
4. Click Done. Return to Launcher. The dialog displays the list of devices.
About the Management Console Banner
After you log in to the ProxySG appliance, the Management Console displays a banner at
the top of the page.
The Management Console banner provides the following information:
❐ Appliance identification— the appliance name, hardware serial number, and the
software version.
❐ Appliance health status— The health state is represented by a text string and a color
that corresponds to the health of the system (OK is green, Warning is yellow, and
Critical is red). The system health changes when one or more of the health metrics
reaches a specified threshold or returns to normal. The health state indicator is polled
and updated every 10 seconds on the ProxySG appliance.
To obtain more information about the health state, click the Health: status link — OK,
Warning, Critical. The Statistics > Health page displays; it lists the current condition of
the system’s health monitoring metrics. See "Verifying Service Health and Status" on
page 1481 for more information about the health monitoring metrics.
❐ License status and version— Your ProxySG license includes all the component
licenses for the features that you have purchased. To view a list of the license
components and their expiration date, go to the Maintenance > Licensing > View tab.
By default, a new ProxySG appliance runs the trial edition; at initial setup you elected
to use either the Proxy edition or the MACH5 edition. For the first 60 days of the trial
period, all licensable components for the edition you chose are active and available to
use. During the trial period, the Base SGOS license allows unlimited concurrent users.
To view the specifics of your trial edition license, click the Trial Period link.
❐ Symantec product documentation and customer support links. You must have a Blue
Touch Online account to access documentation and to request support. To log out of
the Management Console, click the Log Out link.
Viewing the Benefits of Deploying the ProxySG Appliance
The Statistics > Summary page displays the role of the ProxySG appliance in boosting the
performance of traffic within your network using its acceleration, optimization, policy
control, and caching techniques. The Summary page visually demonstrates the overall
performance and efficiency of your network.
If you have just completed initial setup and have not configured the appliance to intercept
any traffic, the Summary page will not display much information. For example, you cannot
view bandwidth efficiency and savings for traffic being intercepted by the ProxySG
appliance.
Note: To view performance statistics, retrieve your license and create/enable
services on the ProxySG appliance. For information on enabling services, see
Chapter 7: "Managing Proxy Services" on page 123. For licensing details, see
Chapter 3: "Licensing" on page 55.
When the ProxySG appliance is deployed and configured to meet your business needs, the
Summary page monitors and reports information on your network traffic and applications.
The on-screen information is automatically refreshed every 60 seconds.
Viewing Efficiency and Performance Metrics
The Statistics > Summary > Efficiency tab displays the bandwidth gain achieved within
your network in the Savings panel, and the performance of each interface in the Interface
Utilization panel on the ProxySG appliance. These metrics represent the last hour of
traffic, and are updated every 60 seconds.
The Savings panel displays the top 5 services that are intercepted by the ProxySG
appliance, in your network. For detailed information on each service, click the service and
view the details in the Statistics > Traffic History page.
❐ Service: A service represents the type of traffic that is being intercepted; the top 5
services are ranked in descending order of bytes saved.
❐ Bytes Saved Last Hour: Bytes saved display bandwidth savings in the last 60 minutes.
It represents data that did not traverse the WAN because of object and byte caching,
protocol optimization, and compression. It is calculated as:
Client Bytes - Server Bytes,
where Client Bytes is the data rate calculated to and from the client on the client-
side connection, and Server Bytes is the data rate calculated to and from the server
on the server-side connection.
For Inbound ADN, bytes saved represents:
Unoptimized Bytes - Optimized Bytes
❐ Percent Savings: A percentage value of bytes saved, calculated as:
{(Client Bytes - Server Bytes)/ Client Bytes} * 100
In the Savings panel shown above, the Percent Savings for FTP is 50% and bandwidth
savings is 2x, which is calculated as Client Bytes/Server Bytes.
Note: The graph in the percent savings column represents savings over the last hour,
while the label reflects the percent savings in the last minute. For more information on
bandwidth savings, click on any row and navigate to the Statistics > Traffic History
page. By default, the traffic history page displays bandwidth usage and bandwidth
gain statistics for the corresponding service over the last hour.
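To make the Savings panel arithmetic concrete, here is an added Python example (not code from the guide or from SGOS) that applies the formulas above to constructed per-service byte counters: Bytes Saved as Client Bytes minus Server Bytes (or Unoptimized minus Optimized for Inbound ADN), Percent Savings, and the bandwidth gain ratio, and then ranks the top 5 services in descending order of bytes saved as the panel does. Applying the gain ratio to the Inbound ADN counters as Unoptimized/Optimized is an assumption; the guide only states the formula for Client Bytes/Server Bytes. The zero-traffic and zero-server-bytes cases are handled explicitly because a freshly set-up appliance reports exactly those.

```python
# Constructed per-service counters for the last hour (illustrative, not measured data).
SAMPLE_COUNTERS = {
    "HTTP": {"client_bytes": 800_000_000, "server_bytes": 500_000_000},
    "FTP": {"client_bytes": 200_000_000, "server_bytes": 100_000_000},
    "CIFS": {"client_bytes": 150_000_000, "server_bytes": 120_000_000},
    "SSL": {"client_bytes": 90_000_000, "server_bytes": 90_000_000},
    "MAPI": {"client_bytes": 60_000_000, "server_bytes": 35_000_000},
    "DNS": {"client_bytes": 1_000_000, "server_bytes": 1_000_000},
    # Inbound ADN is reported as Unoptimized Bytes - Optimized Bytes instead.
    "Inbound ADN": {"unoptimized_bytes": 300_000_000, "optimized_bytes": 120_000_000},
}


def _baseline(counters):
    """The 'before' figure: Client Bytes, or Unoptimized Bytes for Inbound ADN."""
    if "unoptimized_bytes" in counters:
        return counters["unoptimized_bytes"]
    return counters["client_bytes"]


def bytes_saved(counters):
    """Bytes that did not traverse the WAN in the last hour."""
    if "unoptimized_bytes" in counters:
        return counters["unoptimized_bytes"] - counters["optimized_bytes"]
    return counters["client_bytes"] - counters["server_bytes"]


def percent_savings(counters):
    """{(Client Bytes - Server Bytes) / Client Bytes} * 100, guarding the no-traffic case."""
    base = _baseline(counters)
    if base == 0:
        return 0.0  # nothing was intercepted, so report 0% rather than divide by zero
    return bytes_saved(counters) / base * 100


def bandwidth_gain(counters):
    """Client Bytes / Server Bytes (assumed Unoptimized / Optimized for Inbound ADN).

    Returns None when no bytes reached the server side, since the ratio is undefined.
    """
    base = _baseline(counters)
    after = base - bytes_saved(counters)
    return None if after == 0 else base / after


def top_services(counters_by_service, n=5):
    """Rank services by bytes saved, descending, as the Savings panel does."""
    ranked = sorted(counters_by_service.items(),
                    key=lambda item: bytes_saved(item[1]), reverse=True)
    return [
        {
            "service": name,
            "bytes_saved": bytes_saved(c),
            "percent_savings": round(percent_savings(c), 1),
            "bandwidth_gain": bandwidth_gain(c),
        }
        for name, c in ranked[:n]
    ]


if __name__ == "__main__":
    for row in top_services(SAMPLE_COUNTERS):
        print(row)
```

With these constructed counters FTP comes out at 100,000,000 bytes saved, 50% savings and a 2x gain, matching the worked figures in the text; SSL and DNS, which pass through unchanged, drop out of the top 5.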
The Interface Utilization panel displays statistics on interface use, reveals network
performance issues, if any, and helps determine the need to expand your network.
❐ Interface: The interfaces are labeled with an adapter number followed by an interface
number. For example, on 2-port bridge cards, the interface number is 0 for WAN and
1 for LAN connections; 4-port bridge cards have 0 and 2 for WAN and 1 and 3 for
LAN.
❐ Link state: Indicates whether the interface is in use and functioning. It also displays the
duplex settings and includes the following information:
• Up or Down: Up indicates that the link is enabled and can receive and transmit
traffic. Down indicates that the link is disabled and cannot pass traffic.
• Auto or Manual: Indicates whether the link is auto-negotiated or manually set
• 10Mbps, 100 Mbps or 1Gbps: Displays the capacity of the link.
• FDX or HDX: Indicates whether the interface uses full duplex or half duplex
connection, respectively. In some cases, if a duplex mismatch occurs when the
interface is auto-negotiated and the connection is set to half-duplex, the display
icon changes to a yellow warning triangle. If you view a duplex mismatch, you
can adjust the interface settings in the Configuration > Network > Adapters tab.
❐ Transmit Rate and Receive Rate: Displays the number of bits processed per second on
each interface.
The graphs in the transmit rate and receive rate columns represent interface activity
over the last hour, while the value in the label represents interface activity over the last
minute.
❐ Errors: Displays the number of transmission errors, if any, in the last hour. Interfaces
with input or output errors are displayed in red.
For more information on an interface, click on any row; the Statistics > Network > Interface
History page displays.
Monitoring System Resources and Connectivity Metrics
The Statistics > Summary > Device tab displays a snapshot of the key system resources,
identification specifics, and the status of external devices that are connected to the
ProxySG appliance.
The identification panel provides information on the name of the ProxySG appliance, IP
address, hardware serial number, software version and the build (release) ID. You can
copy and paste the information on this panel, into an email for example, when
communicating with Symantec Support.
This information is also displayed on the Management Console banner and under
Configuration > General > Identification. To assign a name to your ProxySG appliance, see
"Configuring the ProxySG Appliance Name" on page 45.
The Statistics area displays the current percentages of CPU usage and memory utilization,
and the number of concurrent users. Concurrent users represents the number of unique IP
addresses that are being intercepted by the ProxySG appliance. For more information on
these key resources, click the link; the corresponding panel under Statistics > System >
Resources displays.
The Statistics panel also displays whether the ProxySG appliance is enabled to:
❐ participate in an Application Delivery Network (ADN)
❐ serve as a ProxyClient Manager
The status information displayed for ADN and the remote clients include the following
options:
Feature: ADN
❐ Disabled: This ProxySG appliance is not participating in an Application Delivery
Network.
❐ Open ADN: This ProxySG appliance is an ADN peer and can form a tunnel connection
with any other ADN peer. An ADN Manager is not required for Open ADN.
❐ Configured as a Manager: This ProxySG appliance serves as an ADN Manager.
❐ Connected to Managers: ADN is enabled and this ProxySG appliance is connected to
the Primary and the Backup ADN Manager.
❐ Connected to Primary Manager: ADN is enabled and this ProxySG appliance is
connected to the Primary ADN Manager.
❐ Connected to Backup Manager: ADN is enabled and this ProxySG appliance is
connected to the Backup ADN Manager. Implication: This appliance is unable to
connect to the Primary ADN Manager. Inspect the Primary ADN Manager
configuration in the Configuration > ADN > General tab.
❐ Not Connected to Either Manager: Although ADN is enabled, this ProxySG appliance
is not connected to the Primary or the Backup ADN Manager. Implication: The ADN
is not functioning properly. Inspect the Primary and the Backup ADN Manager
configuration in the Configuration > ADN > General tab.
Feature: ProxyClient and Unified Agent
❐ Client Manager Enabled; <number> Active Clients: This ProxySG appliance serves as a
Client Manager. Also displayed is the number of active clients that are connected to
this Client Manager.
❐ Disabled: This ProxySG appliance is not configured as a Client Manager.
The Connectivity area displays the status of external devices and services that the ProxySG
appliance relies on for effective performance. The status indicates whether the appliance
is able to communicate with the external devices and services that are configured on it.
The external devices or services that can be configured on the ProxySG appliance
include:
❐ WCCP capable routers/switches
❐ External ICAP devices (such as Symantec ProxyAV or Content Analysis appliances)
❐ DNS Servers
❐ Authentication realms
Only those external devices or services that are configured on the ProxySG appliance are
displayed on this panel. If, for example, ICAP is not yet enabled on the ProxySG
appliance, ICAP is not listed in the connectivity panel.
The connectivity status for these external devices is represented with an icon — Ok,
Warning, or Critical. The icon and the text portray the most severe health status, after
considering all the health checks configured, for the device or service.
With the exception of WCCP, click any row to view the health status details in the
Statistics > Health Checks tab. The Statistics > Health Checks tab provides information on
the general health of the Content Analysis services configured on the ProxySG appliance,
and allows you to perform routine maintenance tasks and diagnose potential problems. For
more information on health checks, see "Verifying Service Health and Status" on page
1481.
To view details on the status of WCCP capable devices in your network, click the
WCCP service row; the Statistics > Network > WCCP tab displays. The Statistics > Network
> WCCP tab provides information on the configured service groups and their operational
status. For more information on how to configure WCCP on the ProxySG appliance, see
Chapter 33: "WCCP Configuration" on page 813. For more detailed information about
WCCP, refer to the WCCP Reference Guide.
Logging Out of the Management Console
To exit the current session, click the Log out link on the Management Console banner. If
you launched the Management Console through Java Web Start or Launcher, clicking Log
out closes the applet window.
You may be logged out of the ProxySG appliance automatically when a session timeout
occurs. This security feature logs the user out when the Management Console is not
actively being used. For more information, see "Changing the ProxySG Appliance
Timeout" on page 48.
Thirty seconds before the session times out, the console displays a warning dialog. Click
the Keep Working button or the X in the upper-right corner of the dialog box to keep the
session alive.
If you do not respond within the 30-second period, you are logged out and lose all unsaved
changes. To log in again, click the You need to log in again to use the console hyperlink in
the browser (legacy Management Console only). To log out completely, close the browser
window.
If you launched the Management Console using Java Web Start or the Launcher, the
window closes.
Section 2 Accessing the ProxySG Appliance Using the CLI
You can connect to the ProxySG appliance command line interface (CLI) via Secure Shell
(SSH) using the IP address, username, and password that you defined during initial
configuration. The SSH management console service is enabled by default and uses
SSHv2 with a default SSH host key, so you can access the CLI over SSHv2 without
additional configuration. SSHv1 and Telnet require additional configuration, as
described in the following note.
Note: You can also access the CLI using Telnet or SSH v1. However, these
management services are not configured by default. For instructions on configuring
management services, see Chapter 73: "Configuring Management Services" on page
1387.
To log in to the CLI, you must have:
❐ the account name that has been established on the ProxySG appliance
❐ the IP address of the ProxySG appliance
❐ the port number (22 is the default port number)
SGOS supports different levels of command security:
❐ Standard, or unprivileged, mode is read-only. You can see but not change system
settings and configurations. This is the level you enter when you first access the CLI.
❐ Enabled, or privileged, mode is read-write. You can make immediate but not
permanent changes to the ProxySG appliance, such as restarting the system. This is
the level you enter when you first access the Management Console.
❐ Configuration mode allows you to make permanent changes to the ProxySG appliance
configuration. To access Configuration mode, you must be in Enabled mode.
When you log in to the Management Console using your username and password, you are
directly in configuration mode.
However, if you use the CLI, you must enter each level separately:
Username: admin
Password:
> enable
Enable Password:
# configure terminal
Enter configuration commands, one per line. End with CTRL-Z.
#(config)
For detailed information about the CLI and the CLI commands, refer to the Command
Line Interface Reference.
Note: Most tasks can be performed in both the Management Console and the CLI. This
guide covers procedures for the Management Console; refer to the Command Line
Interface Reference for related CLI tasks. Tasks that are available only in the Management
Console or only in the CLI are noted as such.
Section A: Configuring Basic Settings
This section describes how to configure basic settings, such as the ProxySG appliance
name, time settings, and login parameters. It includes the following topics:
❐ "How Do I...?" on page 44
❐ "Configuring the ProxySG Appliance Name" on page 45
❐ "Changing the Login Parameters" on page 46
❐ "Viewing the Appliance Serial Number" on page 49
❐ "Configuring the System Time" on page 50
❐ "Synchronizing to the Network Time Protocol" on page 52
How Do I...?
To navigate this section, identify the task to perform and click the link:
❐ Assign a name to identify the ProxySG appliance? See "Configuring the ProxySG
Appliance Name" on page 45.
❐ Change the logon parameters? See "Changing the Login Parameters" on page 46.
❐ Locate the Appliance Serial Number? See "Viewing the Appliance Serial Number" on
page 49.
❐ Configure the local time on the ProxySG appliance? See "Configuring the System
Time" on page 50.
❐ Synchronize the ProxySG appliance to use the Network Time Protocol (NTP)? See
"Synchronizing to the Network Time Protocol" on page 52.
❐ Change the log-in username and password? See "Changing the Administrator Account
Credentials" on page 46.
❐ Configure a console realm name to identify the ProxySG appliance that I am accessing
(before I log in to the Management Console)? See "Changing the ProxySG Appliance
Realm Name" on page 47.
❐ Configure the time for console log out on the ProxySG appliance? See "Changing the
ProxySG Appliance Timeout" on page 48.
Section 3 Configuring the ProxySG Appliance Name
You can assign any name to a ProxySG appliance. A descriptive name helps identify the
system.
To set the ProxySG appliance name:
1. Select Configuration > General > Identification.
2. In the Appliance name field, enter a unique name for the appliance.
3. Click Apply.
Section 4 Changing the Login Parameters
You can change the console username and password, the console realm name which
displays when you log in to the appliance, and the auto-logout time. The default value is
900 seconds.
The Management Console requires a valid administrator username and password to have
full read-write access; you do not need to enter a privileged-mode password as you do
when using the CLI. A privileged-mode password, however, must already be set.
Note: To prevent unauthorized access to the ProxySG appliance, only give the console
username and password to those who administer the system.
Changing the Administrator Account Credentials
During the initial configuration of your ProxySG appliance, a console administrator
username and password was created. This is a special account that can always be used to
administer the appliance from either the web-based Management Console or the
Command Line Interface. You can change the username and the password of this
administrator account.
Note: Changing the console account’s username or password causes the Management
Console to refresh, requiring you to log in again using the new credentials. Each
parameter must be changed and individually refreshed. You cannot change both
parameters at the same time.
To change the username:
1. Select Configuration > Authentication > Console Access > Console Account.
2. Edit the username of the administrator that is authorized to view and revise console
properties. Only one console account exists on the ProxySG appliance. If you change
the console account username, that username overwrites the existing console account
username. The console account username can be changed to anything that is not null
and contains no more than 64 characters.
3. Click Apply. After clicking Apply, an Unable to Update configuration error is displayed.
This is expected: although the username change was successfully applied, the
configuration could not be fetched from the ProxySG appliance because the old
username was offered in the fetch request.
4. Refresh the screen. You are challenged for the new username.
To change the password:
The console password and privileged-mode password were defined during initial
configuration of the system. The console password can be changed at any time. The
privileged-mode, or enabled-mode, password can only be changed through the CLI or the
serial console.
1. Select Configuration > Authentication > Console Access > Console Account.
2. Click Change Password.
3. Enter and re-enter the console password that is used to view and edit configuration
information. The password must be from 1 to 64 characters long. As you enter the new
password, it is obscured with asterisks. Click OK.
Note: This does not change the enabled-mode password. You can only change the
enabled-mode password through the CLI.
4. Refresh the screen, which forces the SGOS software to re-evaluate current settings.
When challenged, enter the new password.
5. (Optional) Restrict access by creating an access control list or by creating a policy file
containing <Admin> layer rules. For more information, see "Limiting Access to the
ProxySG Appliance" on page 69.
Changing the ProxySG Appliance Realm Name
When you have multiple ProxySG appliances in your network, you can configure a
console realm name to identify the appliance that you are accessing.
When you log in to the Management Console using a browser, the browser’s pop-up
dialog displays. This dialog identifies the ProxySG appliance that is requesting the
username and password.
If configured, the realm name displays on the pop-up dialog. The default realm name is
usually the IP address of the ProxySG appliance. You can, however, change the display
string to reflect your description of the appliance.
To change the realm name:
1. Select Configuration > Authentication > Console Access > Console Account.
2. Enter a new realm name in Console realm name.
3. Click Apply.
The next time you log in to the Management Console, the new realm name displays on the
browser’s pop-up dialog.
Realm Name
Changing the ProxySG Appliance Timeout
The timeout is the length of time a Web or CLI session persists before you are logged out.
The default timeout for these options is as follows:
❐ Enforce Web auto-logout—15 minutes
❐ Enforce CLI auto-logout—5 minutes
To change the timeout:
1. Select Configuration > Authentication > Console Access > Console Account.
2. Configure the timeout by doing one of the following:
• Set values for the Web or CLI auto-logout. Acceptable values are between 1 and
1440 minutes.
• Deselect the auto-timeout to disable it.
3. Click Apply.
Section 5 Viewing the Appliance Serial Number
The ProxySG appliance serial number assists Technical Support when analyzing
configuration information, including heartbeat reports. The appliance serial number is
visible on the Management Console banner.
Section 6 Configuring the System Time
To manage objects, the ProxySG appliance must know the current Coordinated Universal
Time (UTC), which is the international time standard and is based on a 24-hour clock. The
ProxySG appliance accesses the Network Time Protocol (NTP) servers to obtain accurate
UTC time and synchronizes its time clock.
By default, the ProxySG appliance connects to the NTP servers in the order they are listed
on the NTP tab and acquires the UTC time. You can view UTC time under UTC in the
Configuration > General > Clock > Clock tab. If the appliance cannot access any of the listed
NTP servers, you must manually set the UTC time.
You can, however, also record time stamps in local time. To record time stamps in local
time, you must set the local time based on your time zone. The ProxySG appliance ships
with a limited list of time zones. If a specific time zone is missing from the included list,
you can update the list at your discretion. The list can be updated by downloading the full
time zone database from http://download.bluecoat.com/release/timezones.tar. The
time zone database might also need to be updated if the daylight saving time rules change
in your area.
To set local time:
1. Select Configuration > General > Clock > Clock.
2. Click Set Time zone. The Time Zone Selection dialog displays.
3. Select the time zone that represents your local time. After you select the local time
zone, event logs record the local time instead of GMT. To add additional time zones to
the list, update the appliance's time zone database, as described in the following
procedure.
4. Click OK to close the dialog.
5. Click Apply.
To update the database:
1. Select Configuration > General > Clock > Clock.
2. Enter the URL from which the database will be downloaded or click Set to default.
3. Click Install.
To acquire the UTC:
1. Ensure that Enable NTP is selected.
2. Click Acquire UTC Time.
Section 7 Synchronizing to the Network Time Protocol
The Network Time Protocol (NTP) is used to synchronize the time of a computer client or
server to another server or reference time source, such as a radio or satellite receiver or
modem. There are more than 230 primary time servers, synchronized by radio, satellite
and modem.
The ProxySG appliance ships with a list of NTP servers available on the Internet, and
attempts to connect to them in the order they appear in the NTP server list on the NTP tab.
You can add others, delete NTP servers, and reorder the NTP server list to give a specific
NTP server priority over others.
The ProxySG appliance uses NTP and the Coordinated Universal Time (UTC) to keep the
system time accurate.
You can add and reorder the list of NTP servers the appliance uses for acquiring the time.
(The reorder feature is not available through the CLI.)
To add an NTP server:
1. Select Configuration > General > Clock > NTP.
2. Click New. The Add List Item dialog displays.
3. Specify one of the following:
• Domain name: Enter a domain name of an NTP server that resolves to an IPv4 or
IPv6 address.
• IP address: Enter an IPv4 or IPv6 address of an NTP server.
4. (Optional) If the NTP server supports authentication:
a. Specify a Key ID. The ID must be a value from 1 to 65534.
b. For Key Type, select sha1.
c. In the Key field, enter the plaintext shared secret from the NTP authority.
5. Click OK to close the dialog.
6. Click Apply.
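Step 4 above configures symmetric-key NTP authentication: the Key ID and the sha1 shared secret you enter are what let the appliance reject time replies that were not produced by the holder of that secret. The Python below is an added illustration, not code from the guide or from SGOS, of what that setting means on the wire. It follows the keyed-digest construction of RFC 5905 Appendix A (a SHA-1 digest over the shared secret followed by the 48-byte NTP header, appended to the packet behind the 4-byte key ID), which is the layout reference ntpd implementations use for sha1 keys; treating the secret as its ASCII bytes and the exact SGOS wire format are assumptions, since the guide does not specify them. The verify function shows the checks a receiver performs: unauthenticated packet, unknown key ID, wrong secret, and a tampered header.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
SHA1_MAC_LEN = 4 + 20  # 4-byte key ID followed by a 20-byte SHA-1 digest
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to the Unix epoch


def valid_key_id(key_id):
    """Key IDs in the range the configuration dialog accepts (1 to 65534)."""
    return isinstance(key_id, int) and 1 <= key_id <= 65534


def build_client_packet(transmit_unix_seconds):
    """Build a 48-byte NTPv4 client (mode 3) header with only the transmit timestamp set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3  # leap indicator 0, version 4, mode 3 (client)
    transmit_seconds = transmit_unix_seconds + NTP_EPOCH_OFFSET
    return struct.pack(
        "!BBBb3I8I",
        li_vn_mode, 0, 0, 0,        # LI/VN/mode, stratum, poll, precision
        0, 0, 0,                    # root delay, root dispersion, reference ID
        0, 0, 0, 0, 0, 0,           # reference, origin and receive timestamps (64-bit each)
        transmit_seconds, 0,        # transmit timestamp: seconds, fraction
    )


def sha1_mac(key_id, secret, packet):
    """MAC = key ID (4 bytes, big-endian) || SHA-1(secret || packet)."""
    return struct.pack("!I", key_id) + hashlib.sha1(secret + packet).digest()


def sign_packet(packet, key_id, secret):
    """Append the SHA-1 MAC for key_id to an NTP header (what the sender does)."""
    if not valid_key_id(key_id):
        raise ValueError("key ID must be between 1 and 65534")
    return packet + sha1_mac(key_id, secret, packet)


def verify_packet(message, keys):
    """Check a received message against a {key_id: secret} table (what the receiver does).

    Returns (authenticated, key_id). key_id is None when the message carries no MAC.
    """
    if len(message) != NTP_HEADER_LEN + SHA1_MAC_LEN:
        return False, None  # bare 48-byte packet or unexpected MAC length: not authenticated
    header, mac = message[:NTP_HEADER_LEN], message[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    secret = keys.get(key_id)
    if secret is None:
        return False, key_id  # key ID not configured on this side
    expected = hashlib.sha1(secret + header).digest()
    # Constant-time comparison so a forger learns nothing from timing differences.
    return hmac.compare_digest(expected, mac[4:]), key_id


if __name__ == "__main__":
    secret = b"example-shared-secret"  # constructed; use the value the NTP authority issued
    request = sign_packet(build_client_packet(1_700_000_000), 7, secret)
    print(len(request), "bytes;", verify_packet(request, {7: secret}))
```

Two practical points follow from the code. The same Key ID and secret must be configured on both the appliance and the NTP server, or every reply fails the unknown-key check. And because the MAC covers the whole header, any change to the timestamps in transit invalidates it, which is the property that makes authenticated NTP worth configuring on a device whose logs and certificate validation depend on correct time.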
To change the access order:
NTP servers are accessed in the order displayed. You can organize the list of servers so the
preferred server appears at the top of the list. This feature is not available through the CLI.
1. Select Configuration > General > Clock > NTP.
2. Select an NTP server to promote or demote.
3. Click Promote entry or Demote entry as appropriate.
4. Click Apply.
Section 8 Appendix: Required Ports, Protocols, and Services
Depending on your ProxySG appliance configuration, you must open certain ports and protocols on
your firewalls for the appliance to function as intended, or to allow connectivity to various
components and data centers. For full details, refer to the following knowledge base article:
https://www.symantec.com/docs/INFO5294
Chapter 3: Licensing
This section describes ProxySG licensing behavior and includes the following topics:
❐ "About Licensing" on page 55
❐ "Disabling the Components Running in Trial Period" on page 60
❐ "Registering and Licensing the Appliance" on page 61
❐ "Enabling Automatic License Updates" on page 66
❐ "Viewing the Current License Status" on page 67
Note: The information in this chapter does not apply to the Secure Web Gateway
Virtual Appliance (SWG VA). For licensing and upgrade information specific to the
SWG VA, refer to the Secure Web Gateway Initial Configuration Guide.
About Licensing
Each ProxySG appliance requires a license to function. The license is associated with
an individual serial number and determines what software features are available and the
number of concurrent users that are supported.
When you configure a new hardware appliance, the initial configuration wizard
automatically installs a trial license that allows you to use all software features with
support for an unlimited number of concurrent users for 60 days. (Trial periods are not
applicable to virtual appliances.)
The following sections describe the licensing options:
❐ "License Editions" on page 55
❐ "License Types" on page 58
❐ "License Expiration" on page 60
License Editions
The license edition determines what features are available. SGOS supports two license
editions:
❐ Proxy Edition License—Supports all security and acceleration features. The Proxy
Edition allows you to secure Web communications and accelerate the delivery of
business applications.
❐ MACH5 Edition License—Supports acceleration features and Symantec Cloud
Service; on-box security features are not included in this edition. The MACH5 base
license allows acceleration of HTTP, FTP, CIFS, DNS, MAPI, and streaming
protocols.
During the setup process, you indicate how you will deploy the appliance, which
determines which trial license edition is installed. If you indicate that you will be using
the appliance as an acceleration node, a MACH5 trial license is installed. For other
deployment types, the wizard prompts you to select Proxy edition.
The Proxy Edition and MACH5 Edition licenses can run on any platform. The only
differences are the supported software features and the default configuration settings.
These differences are described in the following sections:
❐ "Differences in Default Configuration Settings"
❐ "MACH5 Feature Set" on page 57
❐ "Switching Between the License Editions" on page 58
Differences in Default Configuration Settings
Because the different license editions are intended for different deployments, some of the
default configuration settings are different between license editions. The Proxy Edition is
meant to provide security and is thus more restrictive in allowing traffic through whereas
the MACH5 edition is geared for application acceleration and is therefore more
permissive. The differences in the defaults are as follows:
❐ Default policy on the ProxySG: This setting determines whether, by default, all traffic
is allowed access or denied access to requested content.
• MACH5 Edition: Allow
• Proxy Edition: Deny
❐ Trust destination IP provided by the client: (only applicable for transparent proxy
deployments) This setting determines whether or not the ProxySG will perform a
DNS lookup for the destination IP address that the client provides.
• MACH5 Edition: Enabled. The proxy trusts the destination IP included in the
client request and forwards the request to the OCS or services it from cache.
• Proxy Edition: Disabled
❐ HTTP tolerant request parsing: The tolerant HTTP request parsing flag causes certain
types of malformed requests to be processed instead of being rejected.
• MACH5 Edition: Enabled. Malformed HTTP requests are not blocked.
• Proxy Edition: Disabled
❐ Transparent WAN intercept on bridge cards: This setting indicates whether the proxy
should intercept or bypass packets on the WAN interface.
• MACH5 Edition: Bypass transparent interception
• Proxy Edition: Allow transparent interception
❐ Resource overflow action: This setting indicates whether the proxy should bypass or
drop new connections when resources are scarce.
• MACH5 Edition: Bypass
• Proxy Edition: Drop
MACH5 Feature Set
The MACH5 license edition provides a subset of the full feature set provided by the Proxy
Edition license. The following table describes feature support on an appliance running a
MACH5 license:
Table 3–1 MACH5 Feature Support (feature: MACH5 support)
❐ Access Logging: Supported; CIFS, Endpoint Mapper, FTP, HTTP, TCP Tunnel, Windows Media,
Real Media/QuickTime, SSL, HTTPS Forward Proxy, MAPI and Flash.
❐ ADN: Supported.
❐ Authentication: On-box authentication supported for administrative access (IWA, LDAP,
RADIUS, SiteMinder, COREid, and local realms only). User authentication is not supported
on-box except when combined with Symantec Cloud Service. When using the Web Security
Module of the Symantec Cloud Service, LDAP and IWA are supported to provide user
authentication details for cloud-based policy enforcement.
❐ Bandwidth Management: Supported.
❐ Content Filtering: Not supported on-box; use Symantec Cloud Security Services for
Content Filtering.
❐ Content Analysis (ICAP): Not supported.
❐ Forwarding: Forwarding hosts: Supported. SOCKS: Not supported.
❐ HTTP Compression: Supported.
❐ Peer-to-Peer: Not supported.
❐ Policy Controls: Acceleration-based policy controls: Supported. Exception pages: Not
supported.
❐ ProxyClient: Acceleration: Supported. Content Filtering: Not supported.
❐ Proxy Services: CIFS, FTP, HTTP, MAPI and Streaming (Windows Media, Real Media and
QuickTime) are supported. Flash proxy is also supported; however, you must purchase and
install an add-on license to use this service. SSL Termination is also supported. Some
appliance models include an SSL license; other models require that you purchase and
install an add-on license.
❐ Threat Protection Services: Not supported.
❐ Unified Agent: Not supported.
Switching Between the License Editions
This section describes the effects of switching between the license editions.
❐ Upgrading from the MACH5 Edition to the Proxy Edition—You can upgrade from
the MACH5 Edition license to the Proxy Edition license at any time, as long as you
use the same hardware. Upon upgrade, the entire license file is regenerated. This is
because the defaults must be readjusted to reflect the change in functionality, and must
include some proxy-specific configurations, such as advanced services and access
logging logs and formats, which are added during the upgrade.
Note: The existing configuration is not changed during the upgrade.
All the MACH5 Edition functionality is supported in the Proxy Edition, so an upgrade
does not affect CLI or policy commands.
❐ Downgrading from a Proxy Edition to a MACH5 Edition—You must install a new
license to switch from a Proxy Edition license to a MACH5 Edition license. This
license downgrade can be performed only by restoring the appliance to its factory
defaults; as a result, your existing configuration will be deleted and you will have to
reconfigure the appliance.
License Types
The following license types are available:
❐ Trial—The 60-day license that ships with new physical appliances. All licensable
components for the trial edition are active and available to use. In addition, the Base
SGOS user limit is unlimited. When a full license is installed, any user limits imposed
by that license are enforced, even if the trial period is still valid.
❐ Demo—A temporary license that can be requested from Symantec to extend the
evaluation period.
❐ Permanent—A license for hardware platforms that permanently unlocks the software
features you have purchased. When a permanent license is installed, any user limits
imposed by that license are enforced, even if the trial period is still valid.
❐ Subscription-based—A license that is valid for a set period of time. After you have
installed the license, the ProxySG appliance will have full functionality, and you will
have access to software upgrades and product support for the subscription period.
Note: When a full license (permanent or subscription-based) or demo license is installed
during the trial period, components previously available in the trial period, but not part of
that license, remain available and active for the remainder of the trial period. However, if
the license edition is different than the trial edition you selected, only functionality
available in the edition specified in the license remains available for trial. If you do not
want the trial components to be available after you install a full license, you can disable
them. See "Disabling the Components Running in Trial Period" on page 60 for
instructions.
Licensing Terms
ProxySG Appliances
Within sixty (60) days of the date from which the user powers up the ProxySG
(“Activation Period”), the Administrator must complete the licensing requirements as
instructed by the appliance to continue to use all of the features. Prior to the expiration of
the Activation Period, the SGOS software will deliver notices to install the license each
time the Administrator logs in to manage the product. Failure to install the license prior to
the expiration of the Activation Period may result in some features becoming inoperable
until the Administrator has completed licensing.
ProxyClient/Unified Agent
The Administrator may install Symantec ProxyClient or Symantec Unified Agent only on
the number of personal computers licensed to them. Each personal computer shall count as
one “user” or “seat.” The ProxyClient or Unified Agent software may only be used with
ProxySG appliances. The Administrator shall require each user of the Symantec
ProxyClient software to agree to a license agreement that is at least as protective of
Symantec and the Symantec ProxyClient or Unified Agent software as the Symantec
EULA.
Virtual Appliances, MACH5 or Secure Web Gateway (SWG) Edition
The Virtual Appliances (MACH5 or Secure Web Gateway edition) are licensed on either a
perpetual or subscription basis for a maximum number of concurrent users. Support for
the Virtual Appliances will be subject to the separate support agreement entered into by
the parties if the Administrator licenses the Virtual Appliances on a perpetual basis. The
Virtual Appliances will (a) not function upon expiration of the subscription if the
Administrator licenses the Virtual Appliances on a subscription basis; or (b) if the traffic
exceeds the maximum number of concurrent users/connections, features may not function
beyond the maximum number of concurrent users/connections. This means that, in these
cases, the network traffic will only be affected by the default policy set by the
Administrator (either pass or deny). Such cessation of functionality is by design, and is not
a defect in the Virtual Appliances. The Administrator may not install the same license key
or serial number on more than one instance of the Virtual Appliance. The Administrator
may move the Virtual Appliance along with its license key and serial number to a different
server, provided that server is also owned by the Administrator and the Administrator
permanently deletes the prior instance of the Virtual Appliance on the server on which it
was prior installed. The Virtual Appliances require a third party environment that includes
software and/or hardware not provided by Symantec, which the Administrator will
purchase or license separately. Symantec has no liability for such third party products.
License Expiration
When the base license expires, the appliance stops processing requests and a license
expiration notification message is logged in the Event Log (see "Viewing Event Log
Configuration and Content" on page 1446 for details on how to view the event log).
In addition, for services set to Intercept:
❐ In a transparent deployment, if the default policy is set to Allow, the appliance acts as if
all services are set to Bypass, passing traffic through without examining it. If default
policy is set to Deny, traffic to these services is denied with an exception. For details,
see "Exceptions Due to Base License Expiration" .
❐ In an explicit deployment, regardless of the default policy setting, traffic to these
services is denied with an exception. For details, see "Exceptions Due to Base License
Expiration" .
Exceptions Due to Base License Expiration
In some cases, the following exceptions occur when the base license expires:
❐ HTTP (Web browsers)—An HTML page is displayed stating the license has
expired.
❐ SSL—An exception page appears when an HTTPS connection is attempted, but only
if the appliance is deployed explicitly or, in a transparent proxy deployment, if SSL
interception is configured.
❐ FTP clients—If the FTP client supports it, a message is displayed stating the license
has expired.
❐ Streaming media clients—If the Windows Media Player, RealPlayer, or QuickTime
player version supports it, a message is displayed stating the license has expired.
❐ Unified Agent/ProxyClient—After the license has expired, remote clients cannot
connect to the Internet or ADN network. (Unified Agents do not support the ADN
network.)
❐ You can still perform configuration tasks through the CLI, SSH console, serial
console, or Telnet connection. Although a component is disabled, feature
configurations are not altered. Also, policy restrictions remain independent of
component availability.
Disabling the Components Running in Trial Period
You have the option to disable access to features that are running in trial period; however,
you cannot selectively disable trial period features. You must either enable all of them or
disable all of them.
Note: Because licensing trial periods are not offered on the VA, this option is not
available on virtual appliances.
To disable trial period components:
1. Select Maintenance > Licensing > View.
2. Select the Trial Components are enabled option.
3. Click Apply.
4. Click Refresh Data. All licenses that are in trial period switch from Yes to No. Users
cannot use these features, and no dialogs warning of license expiration are sent.
Also notice that this option text changes to Trial Components are disabled: Enabled. Repeat
this process to re-enable trial licenses.
Registering and Licensing the Appliance
Before you can register and license your appliance, you must have the following:
❐ The serial number of your appliance. See "Locating the System Serial Number" on
page 61.
❐ A MySymantec account. See "Obtaining a MySymantec Account" on page 61.
You can then register the appliance and install the license key. The following sections
describe the available options for completing the licensing process:
❐ If you have not manually registered the appliance, you can automatically register the
appliance and install the software license in one step. See "Registering and Licensing
the Appliance and Software" on page 62.
❐ If you have a new appliance that previously has been registered, the license is already
associated with the appliance. In this case you just need to retrieve the license. See
"Installing a License on a Registered System" on page 62.
❐ If you have older hardware that previously has been registered or if the appliance does
not have Internet access, you must install the license manually. See "Manually
Installing the License" on page 63.
❐ After the initial license installation, you might decide to use another feature that
requires a license. The license must be updated to support the new feature.
Locating the System Serial Number
Each ProxySG serial number is the appliance identifier used to assign a license key file.
The appliance contains an EEPROM with the serial number encoded. The appliance
recognizes the serial number upon system boot-up. The appliance serial number is located
in the information bar at the top of the Management Console.
Serial numbers are not pre-assigned on the Virtual Appliance and the Secure Web
Gateway Virtual Appliance (SWG VA). You retrieve the serial number from the
Symantec Licensing Portal, and enter the serial number during initial configuration. Refer
to the MACH5 or Secure Web Gateway Virtual Appliance Initial Configuration Guide or
the SWG VA Initial Configuration Guide for more information.
Obtaining a MySymantec Account
Before you can register your appliance and retrieve the license key, you must have a
MySymantec account.
If you do not have a MySymantec account or have forgotten your account information,
perform the following procedure.
To obtain a MySymantec account:
1. Select the Maintenance > Licensing > Install tab.
2. In the License Administration field, click Register/Manage. The browser opens the
Network Protection Licensing Portal.
3. Perform one of the following:
• To obtain a new account, click the link for Sign in, and then click Create an
Account. Complete the form to create an account.
• To obtain your current information for an existing account, click the Forgot
password? link.
Registering and Licensing the Appliance and Software
If you have not manually registered the appliance, you can automatically register the
appliance and install the software license in one step as described in the following
procedure.
To register the appliance and software:
1. In a browser, go to the following URL to launch the Management Console:
https://appliance_IP_Address:8082
2. Enter the access credentials specified during initial setup.
3. Click Management Console. The browser displays the License Warning tab.
4. Make sure the Register hardware automatically option is selected.
5. Enter your MySymantec credentials and click Register Now. This opens a new browser
page where you complete the registration process. When the hardware is successfully
registered, the Registration Status field on the License Warning tab will display the
Hardware auto-registration successful message. You can close the new
browser tab or window that displays the License Self-service page.
6. Click Continue.
Installing a License on a Registered System
If the ProxySG appliance is a new system and the appliance has been registered, retrieve
the associated license by completing this procedure.
To retrieve the software license:
1. Select the Maintenance > Licensing > Install tab.
2. Click Retrieve. The Request License Key dialog is displayed.
3. Enter information:
a. Enter your MySymantec account login information.
b. Click Request License. The console displays the Confirm License Install
dialog.
c. Click OK to begin license retrieval (the dialog closes).
4. (Optional) Click Show results to verify a successful retrieval. If any errors occur,
check that the appliance can connect to the Internet.
5. Click Close to close the Request License Key dialog.
6. To validate the license, restart the appliance.
• In the Management Console, select Maintenance > Tasks.
• Click Hardware and Software.
• Click Restart now.
Manually Installing the License
Perform manual license installation if:
❐ The ProxySG serial number is not associated with a software license (you have
registered the hardware separately)
❐ The appliance is unable to access the licensing portal.
Note: Locate the email from Symantec that contains the activation code(s) for your
software. You require these activation codes, as well as your appliance serial number, to
complete the licensing process on the Network Protection Licensing Portal.
Manually retrieve and install the license:
1. In the Management Console, select Maintenance > Licensing > Install.
2. Click Register/Manage. The licensing portal opens in a browser window and prompts
you for your MySymantec login information.
3. Enter your login credentials and click Login. The Licensing Portal prompts you to
enter your activation code.
4. Enter the activation code and follow the prompts to complete the process. When
prompted to accept the license agreement, read and accept the terms.
The software license is now associated with the appliance.
5. (If necessary) Repeat the previous steps for your other activation codes.
6. Restart the appliance.
Download and manually install the license:
Tip: Follow these steps if the appliance does not have access to the Internet. In the
activation email, click the link to the Licensing Portal. The browser opens the portal on the
main page.
1. Select License Download. The portal prompts you for your appliance serial number.
2. Follow the prompts to enter your serial number and download the license file.
3. Save the license file to a location that your appliance can access.
4. In the Management Console, select Maintenance > Licensing > Install, and then select
the appropriate option from the License Key Manual Installation drop-down list:
• Remote URL—Choose this option if the file resides on a Web server; then
click Continue. The console displays the Install License Key dialog.
Enter the URL path and click Install. When installation is complete, click OK.
• Local File—Choose this option if the file resides in a local directory; then click
Continue. The Open window displays.
Navigate to the license file and click Open. When installation is complete,
click OK.
Note: A message is written to the event log when you install a license through the
appliance.
5. To validate the license, restart the appliance.
• In the Management Console, select Maintenance > Tasks.
• Click Hardware and Software.
• Click Restart now.
Section 1 Adding an Add-on License
If you purchased a supplemental license to enable add-on features, you must update
the license by logging into the Network Protection Licensing Portal and generating the
license activation code. To do this, you must have the code for your ordered add-on
feature that was sent in the e-mail from Symantec and the hardware serial number of
the appliance that is to run the add-on feature.
To add a supplemental license:
1. Obtain the e-mail sent by Symantec that contains the license activation code(s) for the
add-on license.
2. Click the link to the licensing portal in the e-mail. The browser opens the licensing
portal. If the portal prompts you to use your credentials again, enter them. The
browser displays the portal home page.
3. In the Enter Activation Code field, enter the add-on product code from the e-mail; click
Next. The Licensing Portal displays the Software Add-On Activation page.
4. In the Appliance Serial Number field, enter the serial number. Click Submit.
5. The portal displays the license agreement; read and accept the agreement.
The portal displays a screen with license details for the software add-on. You can click
Back and proceed to the next section.
Adding the Add-on License to the Appliance
You must retrieve the updated license to the appliance.
To update the license:
1. From the Management Console, select the Maintenance > Licensing > Install tab.
2. Click Retrieve. The appliance retrieves the license.
3. To verify a successful license update, select the Licensing > View tab; the console
displays the new license in the General License Information section.
Section 2 Enabling Automatic License Updates
The license automatic update feature allows the appliance to contact the Symantec
licensing server 30 days before the license is to expire. If a new license has been
purchased and authorized, the license is automatically downloaded. If a new license is not
available on the Web site, the appliance continues to contact the Web site daily for a new
license until the current license expires. Outside the above license expiration window, the
appliance makes this connection once every 30 days to check for new license
authorizations. This feature is enabled by default.
To configure the license auto-update:
1. Select the Maintenance > Licensing > Install tab.
2. Select Use Auto-Update.
3. Click Apply.
Section 3 Viewing the Current License Status
You can view the license status in the Management Console in the following ways:
❐ Select Statistics > Configuration > Maintenance. The license status displays as a link in
the upper right hand-corner. Hovering over the license link displays information, such
as the expiration date of the trial period. Click the link to switch to the View license
tab.
❐ Select Maintenance > Licensing > View. The tab displays the license components with
expiration dates.
❐ Select Maintenance > Health Monitoring. The tab displays thresholds for license
expiration dates.
(Figure: the Maintenance > Licensing > View tab, showing the current high-level license
data. For more details, select a license component and click View Details.)
Each licensable component is listed, along with its validity and its expiration date.
• To view the most current information, click Refresh Data.
• Highlight a license component and click View Details. A dialog displays more
detailed information about that component.
• If the trial period is enabled and you click Maintenance > Licensing > View, the
Management Console displays an option to disable the trial components. If the
trial period is disabled, the Management Console displays an option to enable the
trial components.
View Intelligence Services Subscriptions
If you have Intelligence Services subscriptions, such as Application Protection and
Geolocation, you can view the data feeds and expiration dates on Maintenance > Licensing
> Subscription.
For details on Intelligence Services, see Chapter 20: "Filtering Web Content".
See Also
❐ "About Licensing" on page 55
❐ "Disabling the Components Running in Trial Period" on page 60
❐ "Locating the System Serial Number" on page 61
❐ "Obtaining a MySymantec Account" on page 61
❐ "Registering and Licensing the Appliance and Software" on page 62
Chapter 4: Controlling Access to the ProxySG Appliance
This section describes how to control user access to the ProxySG appliance. It includes
the following topics:
❐ "Limiting Access to the ProxySG Appliance" on page 69
❐ "About Password Security" on page 70
❐ "Limiting User Access to the ProxySG Appliance—Overview" on page 71
❐ "Moderate Security: Restricting Management Console Access Through the
Console Access Control List (ACL)" on page 74
❐ "Maximum Security: Administrative Authentication and Authorization Policy" on
page 75
Limiting Access to the ProxySG Appliance
You can limit access to the ProxySG appliance by:
❐ Restricting physical access to the system and by requiring a PIN to access the front
panel.
❐ Restricting the IP addresses that are permitted to connect to the ProxySG CLI.
❐ Requiring a password to secure the Setup Console.
For better security, use these safeguards in addition to implementing a console
account user password and Enable password.
This section discusses:
❐ "Requiring a PIN for the Front Panel"
❐ "Limiting Workstation Access" on page 70
❐ "Securing the Serial Port" on page 70
Requiring a PIN for the Front Panel
On systems that have a front panel display, you can create a four-digit PIN to protect the
system from unauthorized use. The PIN is hashed and stored. You can only create a
PIN from the command line.
To create a front panel PIN, after initial configuration is complete:
From the (config) prompt:
SGOS#(config) security front-panel-pin PIN
where PIN is a four-digit number.
To clear the front-panel PIN, enter:
SGOS#(config) security front-panel-pin 0000
Limiting Workstation Access
During initial configuration, you have the option of preventing workstations with
unauthorized IP addresses from accessing the ProxySG appliance for administrative
purposes. This covers all access methods - Telnet, SNMP, HTTP, HTTPS and SSH. If this
option is not enabled, all workstations are allowed to access the appliance administration
points. You can also add allowed workstations later to the access control list (ACL). (For
more information on limiting workstation access, see "Moderate Security: Restricting
Management Console Access Through the Console Access Control List (ACL)" on page
74.)
Securing the Serial Port
If you choose to secure the serial port, you must provide a Setup Console password that is
required to access the Setup Console in the future.
Once the secure serial port is enabled:
❐ The Setup Console password is required to access the Setup Console.
❐ An authentication challenge (username and password) is issued to access the CLI
through the serial port.
To recover from a lost Setup Console password, you can:
❐ Use the Front Panel display to either disable the secure serial port or enter a new Setup
Console password.
❐ Use the CLI restore-defaults factory-defaults command to delete all system
settings. For information on using the restore-defaults factory-defaults
command, see "Factory-Defaults" on page 1529.
❐ Use the reset button (if the appliance has a reset button) to delete all system settings.
Otherwise, reset the appliance to its factory settings by holding down the left arrow
key on the front-panel for 5 seconds. The appliance will be reinitialized.
To reconfigure the appliance or secure the serial port, refer to the hardware guides for your
appliance.
About Password Security
The appliance’s console administrator password, Setup Console password, and Enable
(privileged-mode) password are hashed and stored. It is not possible to reverse the hash to
recover the plain text passwords.
In addition, the show config and show security CLI commands display these passwords
in their hashed form. The length of the hashed password depends on the hash algorithm
used so it is not a fixed length.
Passwords that the appliance uses to authenticate itself to outside services are encrypted
using triple-DES on the appliance, and using RSA public key encryption for output with
the show config CLI command. You can use a third-party encryption application to
create encrypted passwords and copy them into the appliance using an encrypted-
password command (which is available in several modes and described in those modes). If
you use a third-party encryption application, verify it supports RSA encryption, OAEP
padding, and Base64 encoded with no new lines.
These passwords, set up during configuration of the external service, include:
❐ Access log FTP client passwords (primary, alternate)—For configuration information,
see "Editing the FTP Client" on page 706.
❐ Archive configuration FTP password—For configuration information, see Chapter 5:
"Backing Up the Configuration" on page 79.
❐ RADIUS primary and alternate secret—For configuration information, see
Chapter 62: "RADIUS Realm Authentication and Authorization" on page 1201.
❐ LDAP search password—For configuration information, see "Defining LDAP Search
& Group Properties" on page 1163.
❐ Content filter download passwords—For configuration information, see
"Downloading the Content Filter Database" on page 415.
Limiting User Access to the ProxySG Appliance—Overview
When deciding how to give other users read-only or read-write access to the ProxySG
appliance, sharing the basic console account settings is only one option. The following
summarizes all available options:
Note: If Telnet Console access is configured, Telnet can be used to manage the
appliance with behavior similar to SSH with password authentication.
SSL configuration is not allowed through Telnet, but is permissible through SSH.
Behavior in the following sections that applies to SSH with password authentication also
applies to Telnet. Use of Telnet is not recommended because it is not a secure protocol.
❐ Console account—minimum security
The console account username and password are evaluated when the ProxySG
appliance is accessed from the Management Console through a browser and from the
CLI through SSH with password authentication. The Enable (privileged-mode)
password is evaluated when the console account is used through SSH with password
authentication and when the CLI is accessed through the serial console and through
SSH with RSA authentication. The simplest way to give access to others is sharing
this basic console account information, but it is the least secure and is not
recommended.
To give read-only access to the CLI, do not give out the Enable (privileged-mode)
password.
❐ Console access control list—moderate security
Using the access control list (ACL) allows you to further restrict use of the console
account and SSH with RSA authentication to workstations identified by their IP
address and subnet mask. When the ACL is enforced, the console account can only be
used by workstations defined in the console ACL. Also, SSH with RSA authentication
connections are only valid from workstations specified in the console ACL (provided
it is enabled).
After setting the console account username, password, and Enable (privileged-mode)
password, use the CLI or the Management Console to create a console ACL. See
"Moderate Security: Restricting Management Console Access Through the Console
Access Control List (ACL)" on page 74.
❐ Per-user RSA public key authentication—moderate security
Each administrator’s public keys are stored on the appliance. When connecting
through SSH, the administrator logs in with no password exchange. Authentication
occurs by verifying knowledge of the corresponding private key. This is secure
because the passwords never go over the network.
This is a less flexible option than CPL because you cannot control level of access with
policy, but it is a better choice than sharing the console credentials.
❐ Content Policy Language (CPL)—maximum security
CPL allows you to control administrative access to the ProxySG appliance through
policy. If the credentials supplied are not the console account username and password,
policy is evaluated when the appliance is accessed through SSH with password
authentication or the Management Console. Policy is never evaluated on direct serial
console connections or SSH connections using RSA authentication.
• Using the CLI or the Management Console GUI, create an authentication realm to
be used for authorizing administrative access. For administrative access, the realm
must support BASIC credentials—for example, LDAP, RADIUS, Local, or IWA
with BASIC credentials enabled.
• Using the Visual Policy Manager, or by adding CPL rules to the Local or Central
policy file, specify policy rules that: (1) require administrators to log in using
credentials from the previously-created administrative realm, and (2) specify the
conditions under which administrators are either denied all access, given read-only
access, or given read-write access. Authorization can be based on IP address,
group membership, time of day, and many other conditions. For more
information, refer to the Visual Policy Manager Reference.
• To prevent anyone from using the console credentials to manage the ProxySG
appliance, set the console ACL to deny all access (unless you plan to use SSH
with RSA authentication). For more information, see "Moderate Security:
Restricting Management Console Access Through the Console Access Control
List (ACL)" on page 74. You can also restrict access to a single IP address that
can be used as the emergency recovery workstation.
The following chart details the various ways administrators can access the ProxySG
console and the authentication and authorization methods that apply to each.
Table 4–1 ProxySG Console Access Methods/Available Security Measures

Security Measures Available              Serial   SSH with         SSH with RSA    Management
                                         Console  Password Auth.   Authentication  Console
----------------------------------------------------------------------------------------------
Username and password evaluated                   X                                X
  (console-level credentials)
Console Access List evaluated                     X                X               X (if console
  (if console credentials are offered)                                             credentials are offered)
CPL <Admin> Layer evaluated                       X (see Note 1)                   X (see Note 2)
Enable password required to enter        X        X                X
  privileged mode (see Note 2 below)
CLI line-vty timeout command applies     X        X                X
Management Console Login/Logout                                                    X

Notes
1. When using SSH (with a password) and credentials other than the console account, the
enable password is actually the same as the login password. The privileged mode
password set during configuration is used only in the serial console, SSH with RSA
authentication, or when logging in with the console account.
2. In this case, user credentials are evaluated against the policy before executing each
CLI command. If you log in using the console account, user credentials are not
evaluated against the policy.
Section 1 Moderate Security: Restricting Management Console Access Through the Console Access Control List (ACL)
The ProxySG appliance allows you to limit access to the Management Console and CLI
through the console ACL. An ACL, once set up, is enforced only when console credentials
are used to access either the CLI or the Management Console, or when an SSH with RSA
authentication connection is attempted. The following procedure specifies an ACL that
lists the IP addresses permitted access.
To create an ACL:
1. Select Configuration > Authentication > Console Access > Console Access.
2. (Optional) Add a new address to the ACL:
a. Click New. The Add List Item dialog displays.
b. In the IP/Subnet fields, enter a static IP address. In the Mask fields, enter the
subnet mask. To restrict access to an individual workstation, enter
255.255.255.255.
c. Click OK to add the workstation to the ACL and return to the Console Access
tab.
3. Repeat step 2 to add other IP addresses.
4. To impose the ACL defined in the list box, select Enforce ACL for built-in
administration. To allow access to the CLI or Management Console using console
account credentials from any workstation, clear the option. The ACL is ignored.
Important: Before you enforce the ACL, verify that the IP address of the workstation
you are using is included in the list. If you forget, or you find that you mistyped the
IP address, you must correct the problem using the serial console.
5. Click Apply.
Maximum Security: Administrative Authentication and Authorization Policy
The ProxySG appliance permits you to define a rule-based administrative access policy.
This policy is enforced when accessing:
❐ the Management Console through HTTP or HTTPS
❐ the CLI through SSH when using password authentication
❐ the CLI through telnet
❐ the CLI through the serial port if the secure serial port is enabled
These policy rules can be specified either by using the VPM or by editing the Local policy
file. Using policy rules, you can deny access, allow access without providing credentials,
or require administrators to identify themselves by entering a username and password. If
access is allowed, you can specify whether read-only or read-write access is given. You
can make this policy contingent on IP address, time of day, group membership (if
credentials were required), and many other conditions.
Serial-console access is not controlled by policy rules. For maximum security to the serial
console, physical access must be limited.
SSH with RSA authentication also is not controlled by policy rules. You can configure
several settings that control access: the enable password, the console ACL, and per-user
keys configured through the Configuration > Services > SSH > SSH Client page. (If you use
the CLI, SSH commands are under Configuration > Services > SSH-Console.)
Defining Administrator Authentication and Authorization Policies
Administrative authentication uses policy (either the Visual Policy Manager or CPL in the
local policy file) to authenticate administrative users to the appliance. This is done with
two layers in policy: one to define the realm that is used to authenticate users (Admin
Authentication layer) and the other to define security rights for authenticated users or
groups (Admin Access layer).
Note: If you choose a realm that relies on an external server and that server is
unavailable, the appliance will not be able to authenticate against that realm.
For best security, Symantec recommends the following authentication realms for
administrative authentication to the appliance.
❐ IWA-BCAAA (with TLS -- not SSL) with basic credentials
❐ Local
❐ X.509 certificate-based (including certificate realms; refer to the Common Access Card
Solutions Guide for information)
❐ LDAP with TLS (not SSL)
❐ IWA-Direct with basic credentials
❐ RADIUS
The following realms can be configured for administrative authentication, but pass
administrative credentials in clear text. These realms should not be used for administrative
authentication:
❐ Windows SSO
❐ Novell SSO
❐ IWA-BCAAA without SSL or TLS
❐ LDAP without SSL or TLS
The following realms do not support administrative authentication:
❐ IWA-BCAAA/IWA-Direct realms that do not accept basic credentials
❐ SiteMinder
❐ COREid
❐ SAML (Policy Substitution)
❐ XML
Note: Other authentication realms can be used, but will result in administrative
credentials being sent in clear text.
Configure Administrative Authentication with a Local Realm
The process to provide read-only access for administrators includes the following steps:
❐ Create a local authentication realm.
❐ Create a list that includes usernames and passwords for members whom you wish to
provide read-only access in the Management Console.
❐ Connect the list to the local realm.
❐ Create policy to enforce read-only access to members included in the list.
Use the steps below to complete the tasks detailed above.
1. Create a local realm:
a. Select the Configuration > Authentication > Local > Local Realms tab.
b. Click New to add a new realm. In this example the realm is named
MC_Access.
2. Using the CLI, create a list of users who need read-only access. The list must include
a username and password for each user.
a. Enter configuration mode in the CLI; this example creates a list called
Read_Access.
#(config)security local-user-list create Read_Access
b. Edit the list to add user(s) and to create usernames and passwords. This
example adds a user named Bob Kent.
#(config)security local-user-list edit Read_Access
#(config)user create Bob_Kent
#(config)user edit Bob_Kent
#(config)password 12345
3. Connect the user list (created in Step 2) to the local realm (created in Step 1).
a. In the Configuration > Authentication > Local > Local Main tab, select
MC_Access from the Realm name drop-down menu.
b. Select Read_Access from the Local user list drop-down menu.
4. Use the VPM to create policy that enforces read-only access for the users in your list:
a. Launch the VPM.
b. Create an Admin Authentication Layer (or add a new rule in an existing layer).
This layer determines the authentication realm that will be used to
authenticate users who access the appliance Management Console.
c. In the Action column, right click and select Set. In the Set Action dialog that
displays, click New and select Authenticate. The Add Authentication Object
displays.
d. In the Add Authenticate Object dialog that displays, select the local realm you
created in Step 1.
e. Create an Admin Access Layer.
f. In the Source column, right click and select Set. In the Set Source Object
dialog that displays, click New and select User. The Add User Object dialog
displays.
g. Enter the name of the user for whom you want to provide read-only access.
h. Click OK in both dialogs.
i. In the Action column, right click and select Allow Read-only Access.
5. Click Install Policy.
The user can now log in to the Management Console with read-only access.
Repeat step 4 and use Allow Read/Write Access to define user access with read/write
privileges.
Chapter 5: Backing Up the Configuration
This chapter describes how to back up your configuration and save it on a remote
system so that you can restore it in the unlikely event of system failure or replacement.
ProxySG appliance configuration backups are called archives.
Important: You should archive the system configuration before performing any
software or hardware upgrade or downgrade.
System archives can be used to
❐ Restore the appliance to its previous state in case of error.
❐ Restore the appliance to its previous state because you are performing maintenance
that requires a complete restoration of the system configuration. For example,
upgrading all the disk drives in a system.
❐ Save the system configuration so that it can be restored on a replacement appliance.
This type of configuration archive is called a transferable archive.
❐ Propagate configuration settings to newly-manufactured appliances. This process is
called configuration sharing.
Topics in this Chapter
The following topics are covered in this chapter:
❐ Section A: "About Configuration Archives" on page 80
❐ Section B: "Archiving Quick Reference" on page 82
❐ Section C: "Creating and Saving a Standard Configuration Archive" on page 86
❐ Section D: "Creating and Saving a Secure (Signed) Archive" on page 88
❐ Section E: "Preparing Archives for Restoration on New Devices" on page 91
❐ Section F: "Uploading Archives to a Remote Server" on page 101
❐ Section G: "Restoring a Configuration Archive" on page 107
❐ Section H: "Sharing Configurations" on page 109
❐ Section I: "Troubleshooting" on page 111
Section A: About Configuration Archives
This section describes the archive types and explains archive security and portability.
This section includes the following topics:
❐ "About the Archive Types and Saved Information" on page 80
❐ "About Archive Security" on page 80
❐ "About Archive Portability" on page 81
❐ "What is not Saved" on page 81
About the Archive Types and Saved Information
Three different archive types are available. Each archive type contains a different set of
configuration data:
❐ Configuration - post setup: This archive contains the configuration on the current
system—minus any configurations created through the setup console, such as the IP
address. It also includes the installable lists but does not include SSL private key data.
Use this archive type to share an appliance’s configuration with another. See "Sharing
Configurations" on page 109 for more information.
❐ Configuration - brief: This archive contains the configuration on the current system and
includes the setup console configuration data, but does not include the installable lists
or SSL private key and static route information.
Note: An installable list is a list of configuration parameters that can be created
through a text editor or through the CLI inline commands and downloaded to the
appliance from an HTTP server or locally from your PC.
❐ Configuration - expanded: This is the most complete archive of the system
configuration, but it contains system-specific settings that might not be appropriate if
pushed to a new system. It also does not include SSL private key data. If you are
trying to create the most comprehensive archive, Symantec recommends that you use
the configuration-expanded archive.
Options in the Management Console enable you to create standard, secure, and
transferable versions of the three archive types.
About Archive Security
The ProxySG appliance provides two methods for creating archives, signed and unsigned.
A signed archive is one that is cryptographically signed with a key known only to the
signing entity—the digital signature guarantees the integrity of the content and the identity
of the originating device.
To create signed archives, your appliance must have an SSL certificate guaranteed by a
CA. You can then use a trusted CA Certificate List (CCL) to verify the authenticity of the
archive.
Use signed archives only when security is high priority. Otherwise, use unsigned archives.
For information about creating secure archives, see "Creating and Saving a Secure
(Signed) Archive" on page 88.
About Archive Portability
To retain the option to transfer the configuration from the source appliance to another
appliance, you must save the SSL keyrings, and the configuration-passwords-key in
particular; without them the configuration cannot be restored on the other appliance.
The configuration-passwords-key keyring must be saved. This keyring is used to
encrypt and decrypt the passwords (login, enable, FTP, etc.) and the passwords cannot be
restored without it. This is because the purpose of public/private key authentication is to
disallow decryption by a device other than the device with the private key. To restore any
encrypted data from an archive, you must have the corresponding SSL keyring.
See "Creating a Transferable Archive" on page 93 for more information about creating
transferable archives.
What is not Saved
Archiving saves the ProxySG appliance configuration only. Archives do not save the
following:
❐ Cache objects
❐ Access logs
❐ Event logs
❐ License data (you might need to reapply the licenses)
❐ Software image versions
❐ SSL key data
❐ Content-filtering databases
❐ Exception pages
❐ (If the data source is set to Intelligence Services) Symantec WebFilter username and
password. See "Specifying a Data Source" on page 414 for information on specifying
the data source for content filtering and application classification.
To archive the WebFilter username and password, switch the data source to Webfilter
before saving the configuration file.
Section B: Archiving Quick Reference
This section provides a table of quick reference tasks and describes the high-level archive
creation and restoration tasks.
This section includes the following topics:
❐ "Archiving Quick Reference Table" on page 83
❐ "Overview of Archive Creation and Restoration" on page 83
Section 1 Archiving Quick Reference Table
The following table lists common archive management tasks and where to get more
information.
Table 5–1 Archiving Task Table

If You Want to...                                  Go To...
-------------------------------------------------------------------------------------------------------
Understand the archive and restoration process     "Overview of Archive Creation and Restoration" on page 83
Find out what is not archived                      "What is not Saved" on page 81
Learn about the archive types                      "About the Archive Types and Saved Information" on page 80
Learn about secure archives                        "About Archive Security" on page 80
Learn about transferable archives                  "About Archive Portability" on page 81
  (A transferable archive is a configuration
  archive that can be imported to a new device.)
Create a standard archive                          "Creating and Saving a Standard Configuration Archive" on page 86
Create a secure archive                            "Creating and Saving a Secure (Signed) Archive" on page 88
Create a transferable archive                      "Creating a Transferable Archive" on page 93
Upload an archive to a remote server               "Uploading Archives to a Remote Server" on page 101
Schedule archive creation                          You cannot schedule archive creation from the appliance.
                                                   To schedule archive creation, use Symantec Management
                                                   Center or Symantec Director. Refer to the documentation
                                                   on MySymantec.
Understand file name identifiers                   "Restoring a Configuration Archive" on page 107
Restore an archive                                 "To install the archived configuration:" on page 107
Share Configurations                               "Sharing Configurations" on page 109
Troubleshoot archive configuration                 "Troubleshooting" on page 111
Overview of Archive Creation and Restoration
The following list describes all of the possible steps required to create and restore an
unsigned, signed, or transferable configuration archive. You do not have to perform all of
these steps to complete a standard, unsigned archive. Non-standard archiving steps are
indicated by the word “Optional.”
1. Optional (for transferable archives only)—Record the configuration-passwords-key
data on the source ProxySG appliance, as described in "Option 1: Recording SSL
Keyring and Key Pair Information" on page 93. If you need to restore the archive onto
a different appliance, you must have this data.
Do not lose the password used to encrypt the private key. If you do, you will not be
able to recover your private keys.
2. Optional (for transferable archives only)—Record any other SSL keyring data you
want to save.
3. Determine the type of archive to create—secure or standard. See "About Archive
Security" on page 80.
If you are creating a standard archive, go to Step 5. Otherwise, go to Step 4.
4. Optional (for secure archives only)—Verify that the source appliance has an appliance
certificate, as described in "Using the Appliance Certificate to Sign the Archive" on
page 88. If it does not have an appliance certificate:
a. Create a keyring on the appliance.
A keyring contains a public/private key pair. It can also contain a certificate
signing request or a signed certificate.
b. Create a Certificate Signing Request (CSR) and send it to a Certificate
Signing Authority (CA).
c. Have the CA sign the CSR.
To get more information about appliance certificates, see "Managing X.509
Certificates" on page 1229.
5. Archive the configuration:
• Standard, unsigned archive—"Creating and Saving a Standard Configuration
Archive" on page 86.
• Secure archive—"Creating and Saving a Secure (Signed) Archive" on page 88
• Transferable archive—"Creating a Transferable Archive" on page 93.
6. Store the archive in a secure location.
7. If you are restoring the archive to another device, import the
configuration-passwords-key onto the target device, as described in "Restoring an
Archived Key Ring and Certificate" on page 99.
8. Restore the archive, as described in "Restoring a Configuration Archive" on page 107.
Figure 5–1 on page 85 describes the archive creation process.
Figure 5–1 Flow Chart of Archive Creation Process
Section C: Creating and Saving a Standard Configuration Archive
Use the Management Console to create a standard archive of the system configuration.
This is the simplest method of archive creation. This type of archive cannot be transferred
to another appliance unless you save the SSL keyrings as described in Section E:
"Preparing Archives for Restoration on New Devices" on page 91.
To create a standard configuration archive:
1. Access the Management Console of the ProxySG appliance you want to back up:
https://Appliance_IP:8082
2. Select Configuration > General > Archive. The Archive Configuration tab displays.
3. Select a configuration type:
a. In the View Current Configuration section, select Configuration - expanded
from the View File drop-down list.
b. View the configuration you selected by clicking View.
A browser window opens and displays the configuration.
Note: You can also view the file by selecting Text Editor in the Install Configuration
panel and clicking Install.
4. Save the configuration.
You can save the file in two ways:
• Use the browser Save As function to save the configuration as a text file on your
local system. This is advised if you want to re-use the file.
• Copy the contents of the configuration. (You will paste the file into the Text
Editor on the newly-manufactured system.)
To restore a standard archive:
1. Select Configuration > General > Archive.
2. Select Local File and click Install.
3. Browse to the location of the archive and click Open. The configuration is installed,
and the results screen displays.
Section D: Creating and Saving a Secure (Signed) Archive
This section describes how to use the Management Console to save a secure (signed)
archive of the system configuration. A signed archive is an archive signed with a digital
signature that can only be read by the device that created it, thus guaranteeing the integrity
and authenticity of the archive. To create signed archives, your appliance must have an
SSL certificate guaranteed by a CA.
Signed archives have a .bcsc extension and contain the following files:
❐ show configuration output
❐ PKCS#7 detached signature
This section includes the following topics:
❐ "Using the Appliance Certificate to Sign the Archive" on page 88
❐ "Creating Signed Configuration Archives" on page 89
❐ "Modifying Signed Archives" on page 90
Before Reading Further
If you are not familiar with SSL authentication, read the following before proceeding:
❐ "About Archive Security" on page 80
❐ The device authentication information in "Authenticating an Appliance" on page
1415.
❐ The X.509, CCL, and SSL information in "Managing X.509 Certificates" on page
1229.
Using the Appliance Certificate to Sign the Archive
If your appliance has a built-in appliance certificate, you can use it, and the corresponding
appliance-ccl CCL, to sign the archive.
To determine if your device has an appliance certificate:
1. Use an SSH client to establish a CLI session with the appliance.
2. Enter enable mode:
# enable
3. Enter the following command:
# show ssl certificate appliance-key
The appliance certificate displays if the appliance has one. Otherwise, the following
error is displayed:
Certificate "appliance-key" not found
4. If the appliance does not have an appliance certificate, create one as follows:
a. Create a keyring on the appliance.
A keyring contains a public/private key pair. It can also contain a certificate
signing request or a signed certificate.
b. Create a Certificate Signing Request (CSR) and send it to a Certificate
Signing Authority (CA).
c. Have the CA sign the CSR (this process results in a digital certificate).
d. Import the keyring and certificate as described in "Restoring an Archived Key
Ring and Certificate" on page 99.
For more information about appliance certificates, see "Managing X.509 Certificates"
on page 1229.
Creating Signed Configuration Archives
This section describes how to save a signed configuration archive to the computer you are
using to access the Management Console.
To create and save a signed configuration archive to your computer:
1. Access the Management Console of the appliance you want to back up:
https://Appliance_IP:8082
2. Select the Configuration > General > Archive > Archive Storage tab.
3. From the Sign archives with keyring drop-down list, select a signing keyring to use or
accept the default (appliance-key).
4. Click Apply.
Note: If you do not click Apply, a pop-up displays when you click Save that indicates
that all unsaved changes will be saved before storing the archive configuration. The
unsaved changes are the Sign archives with keyring option changes you made in Step
3.
5. From the Save archive drop-down list, select the archive type (Symantec recommends
Configuration - expanded).
6. Click Save.
A new browser window displays, prompting you to open or save the configuration to
the local disk of the device you are using to access the appliance.
To restore a signed archive:
1. Connect to the Management Console of the target appliance (the appliance onto
which you are installing the configuration):
https://Appliance_IP:8082
2. Go to the Management Console Home page and view the Software version:
information to verify that the appliance is running the same software version that was
used to create the archive. For example:
Software version: SGOS 6.8.1.1
You can also verify the version from the appliance CLI:
# enable
# show version
3. Select Configuration > General > Archive.
4. In the Install Configuration panel, check the setting of the Enforce installation of signed
archives option. If this option is selected, only signed archives can be restored.
5. Select a CCL to use to verify the archive from the Verify signed archive with CCL
drop-down list. If you used the appliance-key keyring, select appliance-ccl.
6. Select Local File and click Install.
Modifying Signed Archives
If you modify a signed archive, you must subsequently restore it as an unsigned archive.
If you created a signed archive and want to verify its authenticity before modifying it, use
OpenSSL or another tool to verify the signature before making modifications. (The use of
OpenSSL is beyond the scope of this document.) Because a signed archive contains the
output of the show configuration command, you can extract the show configuration
command output, modify it as required, and treat the archive as unsigned thereafter.
Section E: Preparing Archives for Restoration on New Devices
While a configuration archive will back up the appliance configuration, that configuration
cannot be transferred to another device unless you save the SSL keyrings on the
appliance—especially the configuration-passwords-key keyring. The process of
creating the archive and saving the associated SSL keyrings is called creating a
transferable archive.
Note: You must also save the SSL keyrings if you plan to restore an encrypted archive
after a reinitialization. When you reinitialize the appliance, new keys get created, and you
will therefore not be able to restore the configuration unless you first restore the
configuration-passwords-key.
This section includes the following topics:
❐ "About the configuration-passwords-key" on page 91
❐ "Creating a Transferable Archive" on page 93
❐ "Option 1: Recording SSL Keyring and Key Pair Information" on page 93
❐ "Option 2: Changing Encrypted Passwords to Clear Text" on page 98
❐ "Restoring an Archived Key Ring and Certificate" on page 99
About the configuration-passwords-key
The configuration-passwords-key is an SSL keyring. SSL is a method of securing
communication between devices. SSL uses a public key to encrypt data and a private key
to decrypt data. These keys (stored in “keyrings”) are unique to the device. This ensures
that data encrypted with a device’s public key can only be decrypted by the corresponding
private key.
On ProxySG appliances, the configuration-passwords-key SSL keyring is used to
encrypt and decrypt the following passwords on the appliance:
❐ Administrator console passwords (not needed for shared configurations)
❐ Privileged-mode (enable) passwords (not needed for shared configurations)
❐ The front-panel PIN (recommended for limiting physical access to the system)
❐ Failover group secret
❐ Access log FTP client passwords (primary, alternate)
❐ Archive configuration FTP password
❐ RADIUS primary and alternate secret
❐ LDAP search password
❐ SNMP read, write, and trap community strings
❐ RADIUS and TACACS+ secrets for splash pages
Because every appliance has a different configuration-passwords-key, you will receive
a decryption error if you try to restore an archive to another device.
To ensure that the archive can be transferred to another appliance, you must do one of the
following:
❐ Restore the original configuration-passwords-key keyring
While it is possible to reset each of the passwords using the Management Console, it is
easier to save the original keyring so that you can import it to the new appliance
(before restoring the configuration). Restoring the keyring allows all previously
configured passwords to remain valid after archive restoration.
❐ Change the encrypted passwords to clear text so that they can be regenerated.
Note: To save an SSL keyring, you must be able to view it. If the key is marked
no-show, you cannot save it.
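Before creating a transferable archive, it is worth confirming from the view keyring listing (the format shown under "Option 1: Recording SSL Keyring and Key Pair Information" later in this section) that the configuration-passwords-key is showable, and noting which other keyrings are no-show and therefore cannot be saved. The following Python script is an added example, not part of this guide or the SGOS product; the listing it parses is constructed to match the guide's own example, and the field names it matches on are assumed from that example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample listing (not captured from a real appliance); it follows
# the field layout of the guide's 'view keyring' example.
SAMPLE_LISTING = """\
Keyring ID: appliance-key
  Private key showability: no-show
  Signing request: present
  Certificate: absent
Keyring ID: configuration-passwords-key
  Private key showability: show
  Signing request: absent
  Certificate: absent
Keyring ID: default
  Private key showability: show
  Signing request: absent
  Certificate: present
  Certificate issuer: Blue Coat SG200 Series
  Certificate valid from: Dec 04 20:11:04 2007 GMT
  Certificate valid to: Dec 03 20:11:04 2009 GMT
  Certificate thumbprint:
  9D:B2:36:E5:3D:B7:88:21:CB:0A:08:39:2C:A1:4B:CB
"""

PASSWORDS_KEYRING = "configuration-passwords-key"
DATE_FMT = "%b %d %H:%M:%S %Y GMT"   # assumed from the listing's date layout


def parse_gmt(value: str) -> datetime:
    """Parse a 'Certificate valid to/from' value into an aware UTC datetime."""
    return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)


@dataclass
class Keyring:
    keyring_id: str
    showable: bool = False          # "Private key showability: show"
    has_certificate: bool = False   # "Certificate: present"
    valid_to: datetime | None = None
    thumbprint: str | None = None


def parse_view_keyring(text: str) -> list[Keyring]:
    """Turn the 'view keyring' listing into Keyring records."""
    keyrings: list[Keyring] = []
    current: Keyring | None = None
    expect_thumbprint = False       # the thumbprint value may wrap to the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if expect_thumbprint and current is not None:
            current.thumbprint = line
            expect_thumbprint = False
            continue
        key, sep, value = line.partition(":")   # split on the FIRST colon only
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Keyring ID":
            current = Keyring(value)
            keyrings.append(current)
        elif current is None:
            continue
        elif key == "Private key showability":
            current.showable = value == "show"
        elif key == "Certificate":
            current.has_certificate = value == "present"
        elif key == "Certificate valid to":
            current.valid_to = parse_gmt(value)
        elif key == "Certificate thumbprint":
            if value:
                current.thumbprint = value
            else:
                expect_thumbprint = True
    return keyrings


@dataclass
class Report:
    ok: bool                     # the passwords keyring is showable and can be recorded
    recordable: list[str]        # keyrings whose private key can be viewed and saved
    unrecordable: list[str]      # no-show keyrings: cannot be saved or transferred
    expired: list[str]           # keyrings whose certificate is past its "valid to" date


def check_transferable(keyrings: list[Keyring], now: datetime | None = None) -> Report:
    """Pre-flight check before recording keyrings for a transferable archive."""
    now = now or datetime.now(timezone.utc)
    report = Report(ok=False, recordable=[], unrecordable=[], expired=[])
    for k in keyrings:
        (report.recordable if k.showable else report.unrecordable).append(k.keyring_id)
        if k.has_certificate and k.valid_to is not None and k.valid_to < now:
            report.expired.append(k.keyring_id)
        if k.keyring_id == PASSWORDS_KEYRING and k.showable:
            report.ok = True
    return report


if __name__ == "__main__":
    rep = check_transferable(parse_view_keyring(SAMPLE_LISTING))
    print("configuration-passwords-key recordable:", rep.ok)
    print("recordable:", rep.recordable, "no-show:", rep.unrecordable, "expired:", rep.expired)
```

Paste the real listing in place of SAMPLE_LISTING; a no-show result for configuration-passwords-key means the archive cannot be made transferable by Option 1 and you must fall back to Option 2.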
Section 2 Creating a Transferable Archive
This section describes the steps required to create a transferable archive.
To create a transferable archive:
1. Record the configuration-passwords-key data on the source ProxySG appliance,
as described in "Option 1: Recording SSL Keyring and Key Pair Information" on page
93. If you need to restore the archive onto a different appliance, you must have this
data.
Do not lose the password used to encrypt the private key. If you do, you will not be
able to recover your private keys.
2. Record any other SSL keyring data you want to save.
3. Store the keyring data and archive in a secure location.
4. Create the archive as described in "Creating and Saving a Standard Configuration
Archive" on page 86.
To restore a transferable archive:
1. Connect to the Management Console of the target appliance (the appliance onto
which you are installing the configuration):
https://Appliance_IP:8082
2. Go to the Management Console Home page and view the Software version:
information to verify that the appliance is running the same software version that was
used to create the archive. For example:
Software version: SGOS 6.8.1.1 Proxy Edition
You can also verify the version from the appliance CLI:
# enable
# show version
3. Restore the configuration-passwords-key data and any other SSL key data.
Import the configuration-passwords-key keyring as described in "Restoring an
Archived Key Ring and Certificate" on page 99.
4. Select Configuration > General > Archive.
5. Select Local File and click Install.
6. Browse to the location of the archive and click Open. The configuration is installed,
and the results screen displays.
Option 1: Recording SSL Keyring and Key Pair Information
For security reasons, Symantec recommends that you do not change encrypted passwords
to clear text. Instead, preserve the configuration-passwords-key keyring on the source
device (the appliance that you created the archive from) and import that keyring to the
target device before you restore the archive.
You can also use the following procedure to save any other keyrings required to reload
SSL-related configuration that references those keyrings.
To record the configuration-passwords-key keyring on the source appliance:
1. Copy the following template to a text file and use it to record the certificate
information so that you can import and restore it later. This template allows you to
import a certificate chain containing multiple certificates, from the CLI.
Alternatively, you can simply copy the SSL data into a blank text file.
Note: The following example is shown in smaller text to preserve the structure of the
commands.
!
ssl ; switches from config mode to config ssl
!
inline keyring show configuration-passwords-key "end-inline"
!
end-inline
inline keyring show default "end-inline"
!
end-inline
!
inline certificate default "end-inline"
!
end-inline
!
! repeat this process for each keyring. Be sure to import the private
! key first, then the keyring's certificate
!
exit ; returns to config mode
!
Do not specify your passwords; the system will prompt you for them when you restore
the keys. You can modify the template to include other keyrings and certificates.
2. From the CLI, access the config prompt (using the serial console or SSH):
# config terminal
3. Enter the following commands:
#(config) ssl
#(config ssl) view keyring
A listing of existing keyrings (and certificates) is displayed.
For example (your keyrings might be different):
#(config ssl) view keyring
Keyring ID: appliance-key
Private key showability: no-show
Signing request: present
Certificate: absent
Keyring ID: configuration-passwords-key
Private key showability: show
Signing request: absent
Certificate: absent
Keyring ID: default
Private key showability: show
Signing request: absent
Certificate: present
Certificate issuer: Blue Coat SG200 Series
Certificate valid from: Dec 04 20:11:04 2007 GMT
Certificate valid to: Dec 03 20:11:04 2009 GMT
Certificate thumbprint:
9D:B2:36:E5:3D:B7:88:21:CB:0A:08:39:2C:A1:4B:CB
Keyring ID: passive-attack-protection-only-key
Private key showability: show
Signing request: absent
Certificate: present
Certificate issuer: Blue Coat SG200 Series
Certificate valid from: Dec 04 20:11:07 2007 GMT
Certificate valid to: Dec 03 20:11:07 2009 GMT
Certificate thumbprint:
0B:AD:07:A7:CF:D9:58:03:89:5B:67:35:43:B9:F2:C9
4. Enter the following command:
#(config ssl) view keypair configuration-passwords-key
Note: The aes128 and aes256 encryption options are also supported. If you use
these options, the CLI prompts you to enter a password. Do not lose the password
used to encrypt the private key. If you do, you will not be able to recover your private
keys.
For example:
#(config ssl) view keypair configuration-passwords-key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
5. Copy the configuration-passwords-key and paste it into the template (copied in
step 1) beneath the line inline keyring show configuration-passwords-key
"end-inline".
6. If a certificate is associated with a keyring, enter the following command:
#(config ssl) view certificate keyring-name
For example:
#(config ssl) view certificate appliance-key
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
7. Copy the certificate and paste it into the template (copied in step 1) beneath the
inline certificate cert_name "end-inline" line).
8. Optional—For each named keyring that you want to restore, repeat steps 4
to 7.
Note: The appliance-key keyring's private key is not viewable, and cannot be
transferred to another appliance. The default and passive-attack-protection-only-key
keys typically do not need to be restored either.
9. Save the template with the configuration-passwords-key and other SSL key data
on a secure server.
10. Save the password information (if you encrypted the keys) in a secure place.
After saving this data, create a configuration archive as described in "Creating a
Transferable Archive" on page 93. When you are ready to restore the archive, you must
first restore the SSL data on the target appliance as described in "Restoring an Archived
Key Ring and Certificate" on page 99.
Example: Completed SSL Data Template
The following example shows how the template might look after completing the
procedure in "To record the configuration-passwords-key keyring on the source
appliance:" on page 94.
The template allows you to import a certificate chain containing multiple certificates, from
the CLI. When you restore the data to the appliance, you will be prompted for the
encryption password that you used to encrypt the keys.
Note: The commands in the following example are bounded by the document text
area and wrap to the next line. They are not shown here as they would appear in the
CLI. See Step 1 in "Option 1: Recording SSL Keyring and Key Pair Information" on
page 93 to view an example of how the commands should appear.
!
ssl ; switches from config mode to config ssl
!
inline keyring show configuration-passwords-key "end-inline"
-----BEGIN RSA PRIVATE KEY-----
1lJjGKxpkcWBXj424FhyQJPKRdgHUIxl2C6HKigth6hUgPqsSJj958FbzEx6ntsB
lI+jXj34Ni6U94/9ugYGEqWLCqed77M1/WA4s6U5TCI9fScVuGaoZ0EVhx48lI3N
LGQplOJXmr0L5vNj/e1/LSeCOHg+7ASyY/PaFr9Dk8nRqAhoWMM/PQE1kvAxuXzE
8hccfZaa1lH1MiPWfNzxf1RXIEzA2NcUirDHO63/XU3eOCis8hXZvwfuC+DWw0Am
tGVpxhZVN2KnfzSvaBAVYMh/lGsxdEJjjdNhzSu3uRVmSiz1tPyAbz5tEG4Gzbae
sJY/Fs8Tdmn+zRPE5nYQ/0twRGWXzwXOeW+khafNE3iQ1u6jxbST6fCVn2bxw+q/
bB/dEFUMxreYjAO8/Tu86R9ypa3a+uzrXULixg1LnBcnoSvOU+co5HA6JuRohc5v
86ZPklQ9V4xvApY/+3Q+2mF9skJPsOV01ItYWtrylg9Puw17TE56+k0EAOwU6FWd
dTpGJRguh7lFVmlQl2187NEoyHquttlIHxRPEKRvNxgCzQI3GEOfmD9wcbyxd1nT
X11U2YgwwwH0gzJHBQPIfPhE9wJTedm1dhW268kPFonc1UY3dZTq0tiOLwtDfsyx
ForzG9JHhPmlUgLtujsiG5Cg8S183GSyJFqZs8VKxTyby7xa/rMkjtr/lpS++8Tz
GZ4PimFJM0bgcMsZq6DkOs5MmLSRCIlgd3clPSHjcfp+H4Vu0OPIPL98YYPvcV9h
0Io/zDb7MPjIT5gYPku86f7/INIimnVj2R0a0iPYlbKX7ggZEfWDPw==
-----END RSA PRIVATE KEY-----
end-inline
!
inline keyring show default "end-inline"
-----BEGIN RSA PRIVATE KEY-----
2lJjGKxpkcWBXj424FhyQJPKRdgHUIxl2C6HKigth6hUgPqsSJj958FbzEx6ntsC
lI+jXj34Ni6U94/9ugYGEqWLCqed77M1/WA4s6U5TCI9fScVuGaoZ0EVhx48lI3G
LGQplOJXmr0L5vNj/e1/LSeCOHg+7ASyY/PaFr9Dk8nRqAhoWMM/PQE1kvAxuXzW
8hccfZaa1lH1MiPWfNzxf1RXIEzA2NcUirDHO63/XU3eOCis8hXZvwfuC+DWw0Am
tGVpxhZVN2KnfzSvaBAVYMh/lGsxdEJjjdNhzSu3uRVmSiz1tPyAbz5tEG4Gzbae
sJY/Fs8Tdmn+zRPE5nYQ/0twRGWXzwXOeW+khafNE3iQ1u6jxbST6fCVn2bxw+q/
bB/dEFUMxreYjAO8/Tu86R9ypa3a+uzrXULixg1LnBcnoSvOU+co5HA6JuRohc5v
86ZPklQ9V4xvApY/+3Q+2mF9skJPsOV01ItYWtrylg9Puw17TE56+k0EAOwU6FWd
dTpGJRguh7lFVmlQl2187NEoyHquttlIHxRPEKRvNxgCzQI3GEOfmD9wcbyxd1nT
X11U2YgwwwH0gzJHBQPIfPhE9wJTedm1dhW268kPFonc1UY3dZTq0tiOLwtDfsyx
ForzG9JHhPmlUgLtujsiG5Cg8S183GSyJFqZs8VKxTyby7xa/rMkjtr/lpS++8Tz
GZ4PimFJM0bgcMsZq6DkOs5MmLSRCIlgd3clPSHjcfp+H4Vu0OPIPL98YYPvcV9h
0Io/zDb7MPjIT5gYPku86f7/INIimnVj2R0a0iPYlbKX7ggZEfWDPw==
-----END RSA PRIVATE KEY-----
end-inline
!
inline certificate default "end-inline"
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
end-inline
!
! repeat this process for each keyring. Be sure to import the private
! key first, then the keyring's certificate
!
exit ; returns to config mode
!
Option 2: Changing Encrypted Passwords to Clear Text
Important: Symantec strongly recommends recording your SSL keyring and key pair
data because changing encrypted passwords to clear text is highly insecure. Use the
following procedure at your own risk.
You can edit the configuration to change encrypted passwords to clear text if you choose
to keep the existing configuration-passwords-key keyring intact on the new appliance.
You do not need to change hashed passwords to clear text—when you restore the archive,
new hashed-passwords are automatically generated using the target ProxySG appliance’s
configuration-passwords-key keyring.
Important: This procedure is not valid for signed archives. Signing guarantees that
the archive has not been modified.
To change encrypted passwords to clear text:
Manually search for every instance of encrypted-password, remove the encrypted-
prefix (so that encrypted-password becomes password), and replace the encrypted
value with the clear-text password. For example:
security encrypted-password "$1$rWzR$BT5c6F/RHLPK7uU9Lx27J."
In the previous example, if the actual password is symantec, then you must edit the entry
as follows:
security password "symantec"
Note: Hashed passwords do not have to be changed to clear text. When you restore the
archive, they are restored as specified on the source device. The difference between
hashing and encryption is that encryption enables information to be decrypted and
read, while hashing is a mathematical function used to verify the validity of data. For
example, a system might not need to know a user’s password to verify that password.
The system can run a hash function on the password and confirm that the mathematical
result matches that specified for the user.
Restoring an Archived Key Ring and Certificate
Use the following procedure to import key pair and certificate data (saved in "Option 1:
Recording SSL Keyring and Key Pair Information" on page 93) onto the system you are
restoring the archive to.
Note: You can also import a certificate chain containing multiple certificates. Use the
inline certificate command to import multiple certificates through the CLI. See
"Example: Completed SSL Data Template" on page 97 for more information.
If you are importing a keyring and one or more certificates onto an appliance, first import
the keyring, followed by its related certificate. The certificate contains the public key from
the keyring, and the keyring and certificate are related.
Importing the configuration-passwords-key keyring:
1. Retrieve your saved configuration-passwords-key data.
2. Select Configuration > SSL > Keyrings > SSL Keyrings.
3. Examine the existing keyrings. If a configuration-passwords-key keyring already
exists, select the keyring and click Delete and Apply.
4. Click Create. The Create Keyring dialog displays.
5. Configure the keyring options:
a. In the Keyring Name field, enter configuration-passwords-key.
b. Select Show keypair.
c. Select Import Existing Private Key.
d. Paste the configuration-passwords-key data into the Private Key text field.
e. Select Private Key Password and enter the configuration-passwords-key
password into the field. This is the password you saved when you archived the
keyring.
6. Click OK.
7. Click Apply.
The configuration-passwords-key does not have a certificate. However, if one or more
keyrings has a certificate, you must import it and associate it with a keyring.
To import a certificate and associate it with a keyring:
1. Copy the certificate onto the clipboard.
2. Select Configuration > SSL > Keyrings and click Edit/View.
3. From the drop-down list, select the keyring that you just imported.
4. Click Import in the Certificate field.
5. Paste the certificate into the Import Certificate dialog that appears. Be sure to include
the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
6. Click OK.
Section F: Uploading Archives to a Remote Server
This section describes how to create an archive and upload it to a remote server. Archives
can be uploaded using HTTPS, HTTP, FTP, or TFTP. If you are concerned about security,
use HTTPS.
This section includes the following topics:
❐ "Creating and Uploading an Archive to a Remote Server" on page 102
❐ "Uploading a Configuration Archive to a Remote Server using SCP" on page 103
❐ "Restoring a Configuration Archive" on page 107
Creating and Uploading an Archive to a Remote Server
Use the following procedure to create a signed or unsigned archive and upload it to a
secure, remote host. This procedure applies to HTTP, HTTPS, FTP, and TFTP.
To upload using SCP, see "Uploading a Configuration Archive to a Remote Server using
SCP" on page 103.
To create and upload an archive to a remote server:
Note: This procedure creates only Configuration - expanded archives. You cannot
choose another type.
1. (If you use HTTPS) Specify an SSL device profile to use for the SSL connection.
An SSL device profile, which can be edited, contains the information required for
device authentication, including the name of the keyring with the private key and
certificate this device uses to authenticate itself. The default keyring is appliance-
key. (For information on private keys, public keys, and SSL device profiles, see
"Managing X.509 Certificates" on page 1229.)
2. Obtain write permission to a directory on a secure, remote host. This is where the
archive will be stored.
3. Access the Management Console of the appliance you want to back up:
https://Appliance_IP:8082
4. Select Configuration > General > Archive.
5. Select the Archive Storage tab.
6. For signed archives, ensure that a keyring has been selected in the Sign archive with
keyring option.
7. In the Remote Upload section, configure the upload settings:
a. From the Protocol drop-down list, select an upload protocol.
b. (Optional) Add filename prefixes to identify the archive. The prefixes add
unique, time-based variables to the filename. The default filename is
SG_%l_%Y%m%d%H%M. See "Restoring a Configuration Archive" on page 107 for
a list of allowed substitution values.
c. (Optional, for HTTPS) Select an SSL device profile to use for the SSL
connection.
See "Uploading Archives to a Remote Server" on page 101 for more information
about device profiles.
d. Enter the remote server host name or IP address and port number. The remote
server can have an IPv4 or IPv6 address, or be a domain name that resolves to
an IPv4 or IPv6 address.
e. (Optional) Enter the remote server upload path (not required for TFTP).
f. Enter the user name associated with the remote host (not required for TFTP).
g. (Optional) Enter the password associated with the remote host.
8. Click Upload.
Uploading a Configuration Archive to a Remote Server using SCP
You can upload the configuration archive to a secure, remote host using SCP. As with
other protocols, you can automatically upload the archive at a set time daily, or at a
specified interval.
Most of the following steps are available only in the CLI. Refer to the Command Line
Interface Reference for full details.
To upload configuration archives to a remote server using SCP:
1. Specify SCP as the protocol:
#(config) archive-configuration protocol scp
2. Set the remote host parameters as follows:
a. (Optional) Configure the archiving signing options.
#(config) archive-configuration archive-signing [subcommands]
b. Specify the host to which the archive will be uploaded.
#(config) archive-configuration host host
where host is the hostname or an IPv4 or IPv6 address, and the port.
c. (Optional) Specify the remote server upload path.
#(config) archive-configuration path path
d. (Optional) Add filename prefixes to identify the archive.
#(config) archive-configuration filename-prefix prefix
The prefixes add unique, time-based variables to the filename. The default
filename is SG_%l_%Y%m%d%H%M. See "Restoring a Configuration Archive" on page
107 for a list of allowed substitution values.
3. Configure SCP authentication using one of the following methods:
Table 5–2 SCP authentication for archive configuration uploads

Authentication method: Remote host’s username and password
Instructions:
Specify the authentication method:
#(config) archive-configuration scp-authentication password
Set the username and password:
#(config) archive-configuration username username
#(config) archive-configuration password password
The password must not be empty.

Authentication method: Appliance’s SSH client keys
Instructions:
Specify the authentication method:
#(config) archive-configuration scp-authentication client-key
Create the SSH client keys:
In the Management Console, select Configuration > Authentication > SSH Outbound
Connection > Client Keys. For instructions, see "Managing SSH Client Keys for
Outbound Connections" on page 1024.
For related CLI commands, refer to #(config ssh-client) client-keys in the
Command Line Interface Reference.

Authentication method: Try to authenticate with SSH client keys first. If unsuccessful,
try with the username and password. The event log shows which method was used
successfully.
Instructions:
Specify the authentication method:
#(config) archive-configuration scp-authentication all
Refer to the previous rows in this table to set the username and password, and the
SSH client keys.
To clear configured SCP authentication settings, use the command:
#(config) archive-configuration scp-authentication none
4. Configure automatic uploads:
#(config) archive-configuration periodic-upload {daily upload_hour | minutes minutes}
Specify a daily upload time, where upload_hour is a value from 0 to 23.
Alternatively, specify an interval at which to upload archives, where minutes is the
number of minutes.
5. Include the host key in the appliance’s known hosts list. For instructions, see "Fetch
host key" on page 1022. For related CLI commands, refer to #(config ssh-client)
known-hosts in the Command Line Interface Reference.
See "Adding Identifier Information to Archive Filenames" on page 105 for details.
Adding Identifier Information to Archive Filenames
Use the following prefix substitutions to add unique ID information to archive filenames.
Specify these prefixes when using the Remote Upload option in the Management Console,
and the #(config) archive-configuration filename-prefix command.
Table 5–3 Filename Specifiers
Specifier Description
%% Percent sign.
%a Abbreviated weekday name.
%A Full weekday name.
%b Abbreviated month name.
%B Full month name.
%C The appliance name.
%d Day of month as decimal number (01 – 31).
%H Hour in 24-hour format (00 – 23).
%i First IP address of the appliance, displayed in x_x_x_x format, with leading zeros removed.
%I Hour in 12-hour format (01 – 12).
%j Day of year as decimal number (001 – 366).
%l The fourth (last) octet in the appliance IP address (for example, for the IP address 10.11.12.13, %l would be 13).
%m Month as decimal number (01 – 12).
%M Minute as decimal number (00 – 59).
%p Current locale’s A.M./P.M. indicator for 12-hour clock.
%S Second as decimal number (00 – 59).
%U Week of year as decimal number, with Sunday as first day of week (00 – 53).
%w Weekday as decimal number (0 – 6; Sunday is 0).
%W Week of year as decimal number, with Monday as first day of week (00 – 53).
%y Year without century, as decimal number (00 – 99).
%Y Year with century, as decimal number.
%Z Time-zone name or abbreviation; no characters if time zone is unknown.
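As an added example that is not part of the guide, the following JavaScript function expands the specifiers in this table for a constructed appliance name and IP address and a fixed UTC timestamp, so the name an uploaded archive will receive can be predicted (for instance when matching files on the remote server). The appliance's own time zone is not modelled: the timestamp is interpreted in UTC and %Z is rendered as "UTC", which is an assumption.

```javascript
// Added example, not from the SGOS guide: expands the archive filename-prefix
// specifiers of Table 5-3. Appliance name and IP are constructed sample
// values supplied by the caller; the timestamp is treated as UTC (assumption).

const DAY_NAMES = ["Sunday", "Monday", "Tuesday", "Wednesday",
                   "Thursday", "Friday", "Saturday"];
const MONTH_NAMES = ["January", "February", "March", "April", "May", "June",
                     "July", "August", "September", "October", "November",
                     "December"];

// Zero-pads a number to the width the table's ranges require (e.g. 01-31).
function pad(n, width) {
  return String(n).padStart(width, "0");
}

// Expands every %-specifier in `format`; unknown specifiers are left intact.
// `appliance` is { name, ip } with a dotted IPv4 string; `when` is a Date.
function expandArchiveName(format, appliance, when) {
  // %i and %l want leading zeros removed from each octet.
  const octets = appliance.ip.split(".").map(o => String(Number(o)));
  const year = when.getUTCFullYear();
  const month = when.getUTCMonth();        // 0-11
  const wday = when.getUTCDay();           // 0 = Sunday
  const hour = when.getUTCHours();
  // 0-based day of year: whole days elapsed since 1 January (UTC).
  const yday = Math.floor((when.getTime() - Date.UTC(year, 0, 1)) / 86400000);

  const specs = {
    "%": () => "%",
    a: () => DAY_NAMES[wday].slice(0, 3),
    A: () => DAY_NAMES[wday],
    b: () => MONTH_NAMES[month].slice(0, 3),
    B: () => MONTH_NAMES[month],
    C: () => appliance.name,
    d: () => pad(when.getUTCDate(), 2),
    H: () => pad(hour, 2),
    i: () => octets.join("_"),                     // x_x_x_x
    I: () => pad(((hour + 11) % 12) + 1, 2),       // 01-12
    j: () => pad(yday + 1, 3),                     // 001-366
    l: () => octets[3],                            // last octet
    m: () => pad(month + 1, 2),
    M: () => pad(when.getUTCMinutes(), 2),
    p: () => (hour < 12 ? "AM" : "PM"),
    S: () => pad(when.getUTCSeconds(), 2),
    // Week of year, Sunday first: days before the first Sunday are week 00.
    U: () => pad(Math.floor((yday + 7 - wday) / 7), 2),
    w: () => String(wday),
    // Week of year, Monday first: days before the first Monday are week 00.
    W: () => pad(Math.floor((yday + 7 - ((wday + 6) % 7)) / 7), 2),
    y: () => pad(year % 100, 2),
    Y: () => String(year),
    Z: () => "UTC",                                // assumption: UTC clock
  };
  return format.replace(/%(.)/g, (whole, c) =>
    Object.prototype.hasOwnProperty.call(specs, c) ? specs[c]() : whole);
}

// Constructed sample values (not from the guide): appliance "proxy-01" at
// 10.11.12.13, archived on Wednesday 15 January 2020 at 09:05:07 UTC.
const SAMPLE_APPLIANCE = { name: "proxy-01", ip: "10.11.12.13" };
const SAMPLE_TIME = new Date(Date.UTC(2020, 0, 15, 9, 5, 7));

// The guide's default filename pattern, SG_%l_%Y%m%d%H%M, for the sample
// appliance and time: last IP octet plus a minute-resolution timestamp.
function defaultArchiveName() {
  return expandArchiveName("SG_%l_%Y%m%d%H%M", SAMPLE_APPLIANCE, SAMPLE_TIME);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(defaultArchiveName());
  console.log(expandArchiveName("%C_%i_%a_%d_%b_%Y_%I%p", SAMPLE_APPLIANCE, SAMPLE_TIME));
}
```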
Section G: Restoring a Configuration Archive
To restore a configuration archive, you must:
❐ Perform pre-restoration tasks, for example, restoring the SSL configuration.
❐ For signed archives—Select a CCL to use to verify the archive.
❐ Restore the archive.
To install the archived configuration:
1. Download a content filter database, if you previously had one and it was lost.
If you restore the archive and it includes content filtering policy, the database must
exist so that categories referenced within policy can be matched with the currently
installed database.
2. Connect to the appliance Management Console of the target appliance, that is the
appliance that you are installing the configuration onto.
https://Appliance_IP:8082
3. In the Management Console, click the Home link and look for the software version in
the banner to verify that the appliance is running the same software version that was
used to create the archive. The banner displays a version such as:
SGOS 7.1.1.1 Proxy Edition
You can also verify the version from the appliance CLI:
# enable
# show version
4. Restore the configuration-passwords-key data and any other SSL key data.
Import the configuration-passwords-key keyring as described in "Restoring an
Archived Key Ring and Certificate" on page 99.
5. Select Configuration > General > Archive.
6. Optional, for signed archives—Select a CCL to use to verify the archive from the
Verify signed archive with CCL drop-down list. If you used the appliance-key keyring,
select appliance-ccl.
7. Optional, for signed archives—In the Install Configuration panel, check the setting of
the Enforce installation of signed archives option. If this option is selected, only signed
archives can be restored.
Note: Depending on the CA that was used to sign the certificate used for the archive
signature, you might have to import a CA certificate and create an appropriate CCL.
For details, see Chapter 65: "Managing X.509 Certificates" on page 1229.
8. Install the configuration using one of the following methods:
• Local File: If you saved the file to your system, select Local File and click Install.
Browse to the location of the archive and click Open. The configuration is
installed, and the results screen displays.
• Text File: If you copied the contents of the file, select Text Editor and click Install.
Copy the contents of the text file into the Edit and Install the Configuration dialog
and click Install. The configuration is installed, and the results screen displays.
• Remote Download: If you uploaded the archive to a remote URL, select Remote
URL and click Install. Enter the full path to the archive into the Install
Configuration dialog and click Install. The configuration is installed, and the
results screen displays.
The username and password used to connect to the server can be embedded into
the URL. For FTP, the format of the URL is:
ftp://username:password@ftp-server
where ftp-server is either the IP address or the DNS-resolvable hostname of the
FTP server.
If you do not specify a username and password, the appliance assumes that an
anonymous FTP is desired and thus sends the following as the credentials to
connect to the FTP server:
username: anonymous
password: proxy@
Note: A message is written to the event log when you install a configuration on
the appliance.
Section H: Sharing Configurations
To ease initial configuration, you can take a configuration from a running appliance and
use it to configure another appliance. This process is called configuration sharing. You
can take a post-setup configuration file (one that does not include those configuration
elements that are established in the setup console) from an already-configured appliance
and push it to a newly-manufactured or restored system that is to have the same or similar
configuration.
Note: Symantec Director allows you to push a configuration from one ProxySG
appliance to multiple appliances at the same time. For more information on using
Director, refer to the Director Configuration and Management Guide.
If you push a configuration archive to an appliance that is already configured, the archive
is applied to the existing configuration, changing any existing values. This means, for
instance, that if the new configuration creates a realm called RealmA and the existing
configuration has a realm called RealmB, the combined configuration includes two realms,
RealmA and RealmB.
Configuration Sharing Requirements
To share configurations, you must download a content filter database, if the configuration
includes content filtering.
You can use either the Management Console or the CLI to create a post-setup
configuration file on one appliance and push it to another.
Note: You cannot push configuration settings to a newly-manufactured system
until you have completed initial setup of the system.
To create a configuration archive of the source device’s settings using the CLI:
1. Use an SSH client to establish a CLI session with the already configured appliance.
2. From the enable prompt (#), enter the following command:
show configuration post-setup
This displays the configuration on the current system, minus any configurations
created through the setup console, such as the hostname and IP address. It also
includes the installable lists.
3. Save the configuration. You can save the file two ways:
• Copy the contents of the configuration to the clipboard.
• Save it as a text file on an FTP server accessible to the appliance. This is advised
if you want to re-use the file.
4. On the newly-manufactured appliance, retrieve the configuration file by doing one of
the following:
• If you saved the configuration to the clipboard, go to the (config) prompt and
paste the configuration into the terminal.
• If you saved the configuration on a remote server:
At the enable command prompt, enter the following command:
# configure network "url"
See "Uploading Archives to a Remote Server" on page 101 for more information
about formatting the URL for FTP.
Section I: Troubleshooting
When pushing a shared configuration or restoring an archived configuration, keep in mind
the following issues:
❐ If the content-filtering database has not yet been downloaded, any policy that
references categories is not recognized.
❐ Unless you restore the SSL configuration-passwords-key keyring from the source
device, archives can only be restored onto the same device that was the source of the
archive. This is because the encrypted passwords in the configuration (login, enable,
FTP, etc.) cannot be decrypted by a device other than that on which it was encrypted.
❐ Do not take an expanded archive from an operational appliance and install it onto
another appliance. Expanded archives contain system-specific settings (for example,
hostnames, IP addresses, and connection forwarding settings) that will cause conflicts.
❐ To use signed archives, your appliance must have an SSL certificate guaranteed by a
CA. If your appliance has a built-in appliance certificate, you can use it and the
corresponding appliance-ccl CCL to sign the archive. Devices manufactured
before July 2006 do not support appliance certificates. If your appliance does not have
a built-in appliance certificate, you must do the following:
• Create a keyring on the appliance.
A keyring contains a public/private key pair. It can also contain a certificate
signing request or a signed certificate.
• Create a Certificate Signing Request (CSR) and send it to a Certificate Signing
Authority (CA).
• Have the CA sign the CSR.
To determine if your appliance has a built-in certificate, see "Using the Appliance
Certificate to Sign the Archive" on page 88.
See Also
For more information about appliance certificates, see Chapter 65: "Managing X.509
Certificates" on page 1229.
Chapter 6: Explicit and Transparent Proxy
Whether you select explicit or transparent proxy deployment is determined by factors
such as network configuration, number of desktops, desired user experience, and
desired authentication approach.
Note: While you must configure proxying to do authentication, verify the proxy is
configured correctly and is functioning before adding authentication to the mix. Many
network or other configuration problems can appear similar to authentication errors.
Topics in this Section
❐ "About the Explicit Proxy" on page 113
❐ "About the Transparent Proxy" on page 119
❐ "Transparent Proxies" on page 120
❐ "Configuring IP Forwarding" on page 121
About the Explicit Proxy
In an explicit proxy configuration, every client system (user agent or browser) must be
explicitly configured to use a proxy server. You can either manually configure each
client with the IP address and port number of the proxy service (the ProxySG appliance)
or you can configure the client to download the proxy settings from a Web server. The
proxy settings are contained in a file called a Proxy Auto-Configuration (PAC) file.
After the client is configured for explicit proxy, all user requests are sent to the
ProxySG appliance rather than to the OCS. The ProxySG appliance will then determine
whether to allow or deny the request based on proxy service and policy configuration
settings. For allowed transactions, the appliance will either service the request locally
(for example, by returning cached objects) or, if necessary, it will send a request to the
OCS on behalf of the client.
Note: Explicit proxy allows a redundant configuration using IP address failover among
a cluster of machines. For information on creating a redundant configuration for
failover, see Chapter 40: "Configuring Failover" on page 895.
To configure browsers for explicit proxy, see:
❐ "Manually Configure Client Browsers for Explicit Proxy" on page 114
❐ "Creating an Explicit Proxy Server with PAC Files" on page 114
Manually Configure Client Browsers for Explicit Proxy
If you are using an explicit proxy deployment, you must set up each client Web browser to
use the ProxySG appliance as its proxy server. Typically, the browser proxy configuration
requires the IP address or hostname of the appliance and the port on which the ProxySG
appliance will listen for traffic. The default port is 8080. The required hostname format
(that is, whether you must provide a fully qualified DNS hostname or a short hostname)
depends on the DNS configuration on your client systems.
Use the following table to help you locate the browser proxy settings:
Browser: Proxy Configuration Settings
Internet Explorer: Tools > Internet Options > Connections > LAN Settings
Firefox: Tools > Options > Advanced > Network > Settings > Manual Proxy Configuration
Chrome: Settings > Show advanced settings > Change proxy settings > LAN settings
Safari (Macintosh): Apple menu > System Preferences > Internet & Wireless > Network > Advanced > Proxies
Safari (Windows): Settings menu > Preferences > Advanced > Proxies > Change Settings > LAN settings
Creating an Explicit Proxy Server with PAC Files
If your network does not use transparent proxy, clients on the network must configure
their browsers to use either an explicit proxy server or a Proxy Auto-Configuration (PAC)
file.
Two PAC files ship with the ProxySG appliance:
❐ default PAC file
❐ accelerated PAC file
They can be accessed using HTTP, port 80 or 8080. For example:
❐ http://Appliance_IP_Address:8080/proxy_pac_file for the default PAC file
❐ http://Appliance_IP_Address:8080/accelerated_pac_base.pac for the
accelerated PAC file.
As an alternative to port 8080, you can specify the port that is being intercepted for the
explicit HTTP proxy service. For example, if port 80 is being intercepted and has the
explicit attribute enabled, you can specify:
http://Appliance_IP_Address/accelerated_pac_base.pac
There is no need to specify the port number in the above example because port 80 is
assumed unless another port is specified.
Note: NEVER use the ProxySG management port (8081/8082) to host the PAC file.
Note: Only the accelerated_pac_base.pac file can be edited. Any text editor can be
used to edit and customize the accelerated PAC file to meet your needs. After editing the
file, you can load a PAC file only through the CLI:
#(config) inline accelerated-pac 123
-paste PAC file here-
123
Then, set the browser to use the following URL as the automatic configuration script:
http://Appliance_IP_Address:8080/accelerated_pac_base.pac
Example of an Accelerated PAC File
function FindProxyForURL(url, host)
{
if (shExpMatch(url, "*\.company\.com\.cn*") ||
(host == "ftp.company.com") ||
(host == "images.company.com") ||
(host == "graphics.company.com"))
{
return "PROXY www.xxx.yyy.zzz:8080; DIRECT";
}
else if (url.substring(0, 4) == "mms:")
{
return "PROXY www.xxx.yyy.zzz:1755; DIRECT";
}
else if (url.substring(0, 5) == "rtsp:")
{
return "PROXY www.xxx.yyy.zzz:554; DIRECT";
}
else if (shExpMatch(url, "*streaming\.company\.com*"))
{
return "PROXY www.xxx.yyy.zzz:8080; DIRECT";
}
else if (isPlainHostName(host) ||
shExpMatch(host, "*\.company\.com") ||
dnsDomainIs(host, ".trouble-site.com"))
{
return "DIRECT";
}
else
{
return "PROXY www.xxx.yyy.zzz:8080; DIRECT";
}
}
This example PAC file tells the browser to:
❐ Use the proxy over port 8080 for URLs containing:
• .company.com.cn anywhere within the URL
• ftp.company.com as the host
• images.company.com as the host
• graphics.company.com as the host
❐ Use the proxy over port 1755 for any URL using the scheme mms:// (Windows
Media).
❐ Use the proxy over port 554 for any URL using the scheme rtsp:// (Windows Media).
❐ Use the proxy over port 8080 for any URL containing “streaming.company.com”
anywhere within the URL.
❐ Go DIRECT (that is, not use a proxy) for any URL that:
• is a simple, one name host name (in other words, not fully qualified)
• is any internal, fully qualified host (for example, host.company.com)
• is any host in the trouble-site.com domain
❐ Otherwise, attempt to use the proxy on port 8080 (the default rule).
The “; DIRECT” after the proxy’s information means that any time the browser cannot
reach the ProxySG appliance, the browser is allowed to fall back and “go direct.” This is
helpful for laptop/mobile users, who will not have to adjust their browser connection
settings manually, since (typically) they cannot reach their company ProxySG appliance
from a remote location (and therefore need their browser to “go direct”).
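To see which rule of the example PAC file fires for a given URL without loading it into a browser, the following added evaluator (not part of the SGOS guide) implements the PAC helper functions shExpMatch, isPlainHostName and dnsDomainIs the way browsers do, runs the guide’s FindProxyForURL over constructed sample URLs, and reproduces the browser behaviour of falling back to DIRECT when the script throws; the proxy address www.xxx.yyy.zzz is the guide’s placeholder and the sample URLs are constructed.

```javascript
// Added example (not part of the SGOS guide): an offline evaluator for the accelerated
// PAC file shown above. It supplies the three PAC helper functions the script uses,
// implemented the way browsers do, runs FindProxyForURL over constructed sample URLs,
// and mimics the browser rule that a PAC script which throws (typo, bad syntax) is
// treated as if it returned "DIRECT".

// shExpMatch: shell-style pattern ('*' any run, '?' one character), whole-string match.
function shExpMatch(str, shexp) {
  let re = "^";
  for (const c of shexp) {
    if (c === "*") re += ".*";
    else if (c === "?") re += ".";
    else re += c.replace(/[.+?^${}()|[\]\\]/, "\\$&"); // escape regex metacharacters
  }
  return new RegExp(re + "$").test(str);
}

// isPlainHostName: true for a bare, non-qualified name such as "intranet".
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// dnsDomainIs: true when host ends with the given domain suffix.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}

// The guide's example PAC file, unchanged. www.xxx.yyy.zzz is its placeholder proxy.
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "*\.company\.com\.cn*") ||
      (host == "ftp.company.com") ||
      (host == "images.company.com") ||
      (host == "graphics.company.com")) {
    return "PROXY www.xxx.yyy.zzz:8080; DIRECT";
  } else if (url.substring(0, 4) == "mms:") {
    return "PROXY www.xxx.yyy.zzz:1755; DIRECT";
  } else if (url.substring(0, 5) == "rtsp:") {
    return "PROXY www.xxx.yyy.zzz:554; DIRECT";
  } else if (shExpMatch(url, "*streaming\.company\.com*")) {
    return "PROXY www.xxx.yyy.zzz:8080; DIRECT";
  } else if (isPlainHostName(host) ||
             shExpMatch(host, "*\.company\.com") ||
             dnsDomainIs(host, ".trouble-site.com")) {
    return "DIRECT";
  } else {
    return "PROXY www.xxx.yyy.zzz:8080; DIRECT";
  }
}

// Host extraction the browser performs before calling FindProxyForURL.
function hostOf(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/:?#]+)/i.exec(url);
  return m ? m[1] : "";
}

// Evaluate like a browser: any exception inside the script means "go direct".
function evaluatePac(pacFn, url) {
  try {
    return pacFn(url, hostOf(url));
  } catch (e) {
    return "DIRECT";
  }
}

function classify(url) {
  return evaluatePac(FindProxyForURL, url);
}

// A PAC script with a typo: the helper name does not exist, so it throws at run time
// and the browser silently goes direct, exactly the symptom TCPView would reveal.
function brokenPac(url, host) {
  return isPlainHostname(host) ? "DIRECT" : "PROXY www.xxx.yyy.zzz:8080; DIRECT";
}

// Constructed sample URLs; note rtsp://streaming.company.com hits the rtsp: rule first.
const SAMPLE_URLS = [
  "http://www.company.com.cn/index.html",
  "mms://media.example.net/live",
  "rtsp://streaming.company.com/clip",
  "http://intranet/",
  "http://host.company.com/",
  "http://www.trouble-site.com/",
  "http://www.example.org/",
];
for (const u of SAMPLE_URLS) console.log(u, "->", classify(u));
console.log("broken script ->", evaluatePac(brokenPac, "http://www.example.org/"));
```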
Methods to Load or Install a PAC File on the Appliance
You can either input the content of the PAC file directly on your appliance or you can put
the PAC file on an internal web server and reference the PAC file name on your ProxySG
appliance.
To install the PAC file directly on the appliance:
1. Go to the ProxySG CLI.
2. From enable mode, type:
inline accelerated-pac EOF
<enter your pac file contents here>
EOF
To reference a PAC file on an internal web server:
1. Ensure the read permissions are set on the web server so the ProxySG appliance can
read the text PAC file.
2. From the ProxySG command line, enter:
config t
#(config)accelerated-pac <path to the PAC file including file name>
#load accelerated-pac
To configure the browser to use the PAC script:
It’s common for modern browsers to have a field where the PAC URL can be entered.
Some browsers have an additional option to retrieve a PAC URL via DHCP option 252,
which might have to be added to some DHCP servers.
A PAC URL is typically in the form:
http://mycompany.com/accelerated_pac_base.pac
For this to work, the ProxySG TCP port 80 must be configured to accept explicit
connections. Internet Explorer can retrieve this URL via DHCP option 252 if your DHCP
server is configured to send option 252, and the host is using DHCP (as opposed to a host
configured with a static IP address).
The default name of the accelerated PAC file (as served by the ProxySG appliance) is
accelerated_pac_base.pac.
If you prefer, you can use policy to have the ProxySG appliance return the PAC file if an
alternate name is requested. For example, suppose you configure your browsers with the
PAC file name http://proxy.company.com/mypacfile. You will need to add policy to
your ProxySG appliance to redirect this request to the name accelerated_pac_base.pac,
as follows:
<Proxy>
url.path.exact="/mypacfile" action.redirect_pac(yes)
define action redirect_pac
request_redirect(307, ".*", "http://<proxysIP>/accelerated_pac_base.pac")
end
You also need to have the HTTP port 80 defined as “explicit” on your ProxySG appliance.
You can avoid this policy, and avoid the need for the browser to make two requests for the
PAC file, by naming the file accelerated_pac_base.pac.
To configure PAC files to be sent when using the WPAD method:
Another approach is to add the WPAD hostname to your internal DNS. When browsers
open and attempt to detect proxy settings, they issue an HTTP GET request to the host
named wpad.yourcompanydomain.com. In DNS, if you point wpad.company.com to the IP
address of your ProxySG appliance, and add local policy, the browser will successfully
install the PAC file.
1. Your DNS deployment: Add a DNS record to resolve the WPAD hostname with the
local domain to the ProxySG appliance IP address. For example, if the local domain is
example.com, add a record resolving wpad.example.com to the ProxySG appliance IP
address.
2. To receive the wpad.example.com requests, enable an explicit HTTP proxy service
for port 80 on the ProxySG appliance (Configuration > Services > Proxy Services).
Note: You can also use port 8080, but port 80 is preferred because it doesn’t require that
you specify a port for the PAC-URL in the users’ browsers.
3. Configure a redirect policy to convert the client’s http://wpad.example.com/wpad.dat
request into a request for http://Proxy_IP_Address_or_hostname/accelerated_pac_base.pac
to the proxy.
Example policy:
<Proxy>
ALLOW url.path.exact="/wpad.dat" action.ReturnRedirect1(yes)
define action ReturnRedirect1
request_redirect(302, ".*", "http://wpad.example.com/accelerated_pac_base.pac")
end
PAC File Tips and Additional Information
❐ Not all applications know how to parse PAC files correctly. Internet Explorer, Firefox,
Chrome, and most other browsers can use PAC files, but other applications don’t
always know what to do.
❐ Using TCPView.exe from http://www.sysinternals.com will show you where the
browser is connecting. For example, you may expect the PAC file to tell the browser
to connect via the ProxySG appliance, but TCPView shows that the browser is
connecting “direct.” This utility can help you troubleshoot your PAC file.
❐ Typically, if there's a problem with the PAC script syntax, a typo, or if the PAC script
cannot be found, browsers will just go “direct.” This is where TCPView can come in
handy as well.
❐ Browsers cache the PAC file. Changes to the PAC file won’t be reflected in the
browser unless you clear the browser’s cache and close all open browser windows. The
only times the browser re-reads the PAC file are when it opens a new session or when
the file is not cached.
❐ PAC file syntax is JavaScript. You will need to use Shell expressions instead of
Regular expressions for text comparisons. Internet Explorer allows you to use the
alert(); JavaScript function to pop-up an alert. This can be handy when
troubleshooting PAC-file logic.
❐ Although it is perfectly valid to use the hostname of the proxy server within the PAC
file’s PROXY directive, using an IP address minimizes the need for the browser to
do a DNS lookup. Clients with a small DNS cache or a low timeout value may see a
performance boost if only the proxy’s IP address is used within the PAC file’s
PROXY string.
❐ A browser must parse the PAC file’s JavaScript for EVERY URL the browser finds
within the HTML page you have browsed.
❐ For a web page that contains a large number of URLs, a poorly written PAC file may
cause browser performance problems.
❐ It’s best to write your PAC files as small and efficiently as possible. Fast and efficient
JavaScript performs better within the browser, especially in web pages with numerous
elements.
Serving Multiple PAC files
For steps to configure your ProxySG appliance to serve multiple PAC files, refer to
TECH241646:
http://www.symantec.com/docs/TECH241646
About the Transparent Proxy
When transparent proxy is enabled, the client (browser) does not know the traffic is being
processed by a machine other than the OCS. The browser believes it is talking to the OCS,
so the request is formatted for the OCS and the proxy determines for itself the destination
server based on information in the request, such as the destination IP address in the packet,
or the Host: header in the request.
To enable the ProxySG appliance to intercept traffic sent to it, you must create a service
and define it as transparent. The service is configured to intercept traffic for a specified
port, or for all IP addresses on that port. A transparent HTTP proxy, for example, typically
intercepts all traffic on port 80 (all IP addresses).
To ensure that the appropriate traffic is directed to the ProxySG appliance, deploy
hardware (such as a Layer-4 switch or a WCCP router) or a ProxySG appliance software
bridge that redirects selected traffic to the appliance. Traffic redirection is managed
through policies you create on the redirection device.
For detailed information on explicit proxies, continue with the next section; for detailed
information on transparent proxies, continue with "Transparent Proxies" on page 120.
Transparent Proxies
Configure transparent proxy in the following ways:
❐ Through hardware: See "Configuring Transparent Proxy Hardware" on page 120.
❐ Through bridging: See "Bridging" on page 120.
❐ Through using the appliance as a gateway: See "Configuring IP Forwarding" on page
121.
In addition to the transparent proxy configuration, you must create a proxy service for the
transparent proxy and enable the service. At this time, you can also set other attributes for
the service, including the destination IP address and port range. For information on
creating or editing a proxy service for transparent configuration, see Chapter 7:
"Managing Proxy Services" on page 123.
Configuring Transparent Proxy Hardware
For transparent proxy to work, you must use one of the following:
❐ A bridge, either hardware or software
❐ Layer-4 switch
❐ WCCP
Bridging
Network bridging through the ProxySG appliance provides transparent proxy pass-
through and failover support. This functionality allows ProxySG appliances to be
deployed in environments where L4 switches and WCCP-capable routers are not feasible
options.
The ProxySG appliance provides bridging functionality by two methods:
❐ Software—A software, or dynamic, bridge is constructed using a set of installed
interfaces. Within each logical bridge, interfaces can be assigned or removed. Note
that the adapters must be of the same type. Although the software does not restrict you
from configuring bridges with adapters of different types (10/100 or GIGE), the
resultant behavior is unpredictable.
For instructions on setting up a software bridge, see "Configuring a Software Bridge"
on page 1377.
❐ Hardware—The Blue Coat Pass-Through card is a 10/100 dual interface Ethernet
device that enables a bridge, using its two adapters, so that packets can be forwarded
across it. However, if the system crashes, the Pass-Through card becomes a network:
the two Ethernet cables are connected so that traffic can continue to pass through
without restriction.
When the Pass-Through card is installed on the ProxySG appliance, a bridge is
automatically created and traffic going through the bridge is intercepted according to
the proxy-service setting. Note that:
• Forwarding traffic behavior: By default, the bridge forwards packets that are not
to be intercepted.
• Proxy request behavior: Requests are proxied on either adapter, so if you connect
one side of the bridge to your Internet connection, there might be a number of
issues.
Configuring a Layer-4 Switch
In transparent proxy acceleration, as traffic is sent to the origin content server, any traffic
sent on port 80 is redirected to the ProxySG appliance by the Layer 4 switch. The benefits
to using a Layer 4 switch include:
❐ Built-in failover protection. In a multi-ProxySG appliance setup, if one fails, the Layer
4 switch can route to the next ProxySG appliance.
❐ Request partitioning based on IP address instead of on HTTP transparent proxying.
(This feature is not available on all Layer 4 switches.)
❐ ProxySG appliance bypass prevention. You can configure a Layer 4 device to always
go through the ProxySG appliance even for requests to a specific IP address.
❐ ProxySG appliance bypass enabling. You can configure a Layer 4 device to never go
through the ProxySG appliance.
For information on configuring a layer-4 switch, refer to the manufacturer’s
documentation.
Configuring a WCCP-Capable Router
WCCP is a Cisco®-developed protocol that allows you to establish redirection of the
traffic that flows through routers.
The main benefits of using WCCP are:
❐ Scalability—With no reconfiguration overhead, redirected traffic can be automatically
distributed to up to 32 appliances.
❐ Redirection safeguards—If no appliances are available, redirection stops and the
router forwards traffic to the original destination address.
For information on using WCCP with a ProxySG appliance, see "WCCP Configuration"
on page 857.
Configuring IP Forwarding
In a transparent proxy deployment, you can deploy the ProxySG appliance as the next hop
in an IP routing chain by either setting the appliance as a static default route on the client
computers, or by deploying routing policy on the routers in the network.
In such a deployment, packets are addressed to the ProxySG network adapter, but not to
the ProxySG IP address. All traffic that matches a proxy service with an intercept action is
processed by that proxy service. For traffic that matches a bypass action, the ProxySG
appliance checks if IP forwarding is enabled or not. If IP forwarding is enabled, bypassed
traffic is forwarded to the next hop in the IP routing chain according to the ProxySG
appliance’s local routing table. If IP forwarding is disabled, all traffic which is routed to
the ProxySG appliance but not intercepted is dropped. Symantec recommends only
enabling IP forwarding when traffic is being routed to the ProxySG appliance via IP
routing and the appliance is bypassing some traffic; for example, you configure a default
route on the client computers, which results in the ProxySG appliance receiving all non-
local traffic.
By default, IP forwarding is disabled to maintain a secure network.
Important: When IP forwarding is enabled, be aware that all ProxySG appliance ports
are open and all the traffic coming through them is not subjected to policy, with the
exception of the ports that have been explicitly defined through the Configuration >
Services > Proxy Services tab.
To enable IP forwarding:
1. Select the Configuration > Network > Routing > Gateways tab.
2. Select the Enable IP forwarding option at the bottom of the pane.
3. Click OK; click Apply.
Chapter 7: Managing Proxy Services
This chapter discusses proxy services and service groups and their roles in intercepting
traffic.
Topics in this Chapter
This chapter includes information about the following topics:
❐ Section A: "Proxy Services Concepts" on page 124
❐ Section B: "Configuring a Service to Intercept Traffic" on page 131
❐ Section C: "Creating Custom Proxy Services" on page 134
❐ Section D: "Proxy Service Maintenance Tasks" on page 139
❐ Section E: "Global Options for Proxy Services" on page 142
❐ Section F: "Exempting Requests From Specific Clients" on page 156
❐ Section G: "Trial or Troubleshooting: Restricting Interception From Clients or To
Servers" on page 161
❐ Section H: "Reference: Proxy Services, Proxy Configurations, and Policy" on
page 164
Section A: Proxy Services Concepts
This section describes the purposes of ProxySG appliance proxy services.
❐ "About Proxy Services"
❐ "About Proxy Service Groups" on page 125
❐ "About the Default Listener" on page 126
❐ "About Multiple Listeners" on page 126
❐ "About Proxy Attributes in the Services" on page 128
About Proxy Services
In Symantec terminology, a proxy service defines:
❐ The combinations of IP addresses and ports that the proxy matches against.
❐ Whether to intercept or bypass matched traffic; if intercepted, which proxy to use to
process the traffic.
• When a service is set to Intercept, the ProxySG appliance listens on the port for
traffic and upon detection, terminates the connection, performs an action (such as
a policy check), and initiates a new connection to the traffic destination.
• When a service is set to Bypass, the traffic passes through the appliance. Proxy
Edition: By default, services are set to Bypass.
❐ A collection of attributes that control what type of processing the appliance performs
on the intercepted traffic.
Important: Upon an upgrade to SGOS 6.x, all services existing before the upgrade are
preserved.
❐ For a ProxySG appliance with a MACH5 Edition license:
• A transparent TCP tunnel connection listening on port 23 is created in place of the
default Telnet service.
• HTTPS reverse proxy, SOCKS, and Telnet services are not created and are not
included in trend data.
• All defined services are set to Intercept by default
A proxy service listener specifies where a ProxySG appliance service listens for traffic.
Four attributes comprise the listener:
❐ Source address—Most of the time, this attribute is set to all source addresses, which
means any IPv4 or IPv6 address that originates the request. You can also specify
specific IP addresses and subnets. For example, you want to exclude a network
segment, so you specify a subnet and set to Bypass.
❐ Destination address—
• All addresses, which means any IPv4 or IPv6 destination.
• Transparent—Acts on connections without awareness from the client or server.
Only connections to IPv4 or IPv6 destination addresses that do not belong to the
appliance are intercepted. This setting requires a bridge, such as that available in
the appliance; a Layer-4 switch, or a WCCP-compliant router. You can also
transparently redirect requests through an appliance by setting the workstation’s
gateway to the appliance IP address.
• Explicit—Requires Web browser and service configuration. It sends requests
explicitly to a proxy instead of to the origin content servers. Only destination
addresses that match one of the IPv4 or IPv6 addresses on the appliance are
intercepted.
• Destination IP address or subnet/prefix length—This listener type ensures that
only destination addresses matching the IPv4/IPv6 address or subnet/prefix length
are intercepted.
❐ Port—A specific port or port range. All default appliance services are configured to
their industry-standard ports. For example, the explicit HTTP service is configured to
listen on ports 80 and 8080.
❐ Action—The aforementioned action to take on traffic detected by this service:
Intercept or Bypass.
Note: For a complete list of supported proxy services and listeners, see "Reference:
Proxy Services, Proxy Configurations, and Policy" on page 164.
About Proxy Service Groups
The ProxySG appliance groups services into predefined service groups based on the type of
traffic that service carries. Service groups enable you to:
❐ Quickly locate a specific service and view its attributes.
❐ Create a custom service group and add custom services or existing services to that
group.
Predefined Service Groups and Services
Table 7–1, "Service Groups and Services" lists all service groups and their associated
services.
Note: This list applies to new installations or to the result of restoring the appliance to
factory defaults after it was upgraded from a lower version. Upon upgrading to the current
version, the Services tab retains existing services, service group names, and policies.
Table 7–1 Service Groups and Services
Each entry gives the service group name, the group description, and the predefined
service types (or examples).
❐ Standard—The most commonly intercepted services. Predefined service types:
• HTTP/HTTPS—external (transparent and explicit) and internal
• Endpoint Mapper (for MAPI protocol—Microsoft Exchange)
• CIFS (file sharing)
• Streaming (MMS, RTSP)
• FTP
• DNS
• SOCKS
❐ Bypass Recommended—Services that contain encrypted data and are therefore
recommended not to be ADN-optimized; also includes other interactive services.
Examples:
• Cisco VPN
• Symantec ADN
• Symantec management
• Oracle over SSL
• Other encrypted services
❐ Tunnel Recommended—Services that employ the TCP Tunnel proxy to provide basic
application-independent acceleration. Examples:
• Citrix, IMAP, LDAP, Lotus Notes, and various other common business applications
❐ Default—See "About the Default Listener".
Note: The HTTPS Reverse Proxy service is also available but not created by default. For
information about configuring the HTTPS Reverse Proxy, see Chapter 17: "Configuring
and Managing an HTTPS Reverse Proxy" on page 353.
About the Default Listener
The Default listener detects any traffic that does not match any other listeners on any of the
services.
About Multiple Listeners
A listener identifies network traffic based on a source IP address or range, destination IP
address or range, or both. Multiple listeners can be defined for a proxy service or console
service. Each service has a set of default actions to apply to the traffic identified by the
listeners it owns.
The destination IP address of a connection can match multiple proxy service listeners.
Multiple matches are resolved using the most-specific match algorithm used by routing
devices. A listener is more specific if it has a larger Destination IP subnet prefix. For
example, the subnet 10.0.0.0/24 is more specific than 10.0.0.0/16, which is more
specific than 10.0.0.0/8.
When a new connection is established, the ProxySG appliance first finds the most specific
listener destination IP. If a match is found, and the destination port also matches, the
connection is then handled by that listener. If the destination port of the listener with the
most specific destination IP does not match, the next most-specific destination IP is found;
this process continues until either a complete match is found or no more matching
addresses are found. If a destination IP address is not specified, the closest matching
explicit proxy service listener has priority over a subnet match. In that instance, the
explicit proxy service listener handles the connection instead of the subnet listener.
Explicit port 80 listeners with a destination host IP identical to the appliance have priority
over other explicit listeners.
For example, assume the following services were defined as given in the following table.
Table 7–2 Example Configuration for Most Specific Match Algorithm
Each entry gives the service name, the proxy, and the listener’s source IP address,
destination IP address, and port range.
❐ New York Data Center—Proxy: HTTP; Source IP address: 192.168.20.22;
Destination IP address: 10.167.10.0/24; Port range: 80
❐ New York CRM—Proxy: HTTP; Source IP address: not specified;
Destination IP address: 10.167.10.2; Port range: 80
❐ HTTP Service—Proxy: HTTP; Source IP address: not specified;
Destination IP address: <Transparent>; Port range: 80
An HTTP connection initiated to server 10.167.10.2 could match any of the three
listeners in the above table. The most specific match algorithm finds that a listener in the
New York CRM service is the most specific and since the destination port of the
connection and the listener match, the connection is handled by this service. The
advantage of the most specific match algorithm becomes evident when at some later point
another server is added in the New York Data Center subnet. If that server needs to be
handled by a different service than the New York Data Center service, a new service with
a listener specific to the new server would be added. The administrator does not need to be
concerned about rule order in order to intercept traffic to this particular server using the
new, most specific service listener.
As another example, assume the following service and listeners were defined:
Table 7–3 Second Example Configuration for Most Specific Match Algorithm
Each entry gives the listener name, the proxy, the destination IP address, and the port
range.
❐ L1—Proxy: HTTP; Destination IP address: Explicit; Port range: 80
❐ L2—Proxy: HTTP; Destination IP address: 10.0.0.0/8; Port range: 80
Consider the following scenario: an HTTP connection to the appliance matches all
listeners in the above table. L2 is a subnet match with the appliance; however, the
destination IP address is not specified within the listener configuration. When there is only
a subnet and an explicit proxy service listener match, the explicit listener (L1) is the better
match. Among explicit listener matches, a port 80 IP address listener has priority. Only
listeners with a specific destination IP address are considered a better match than explicit
listeners.
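The most-specific match algorithm described above, as an added JavaScript model (not ProxySG code) that ranks the matching listeners by destination prefix length, checks the port, and falls through to the next most specific listener on a port mismatch. It uses the listeners from Tables 7–2 and 7–3, ignores source addresses and IPv6, and treats an explicit listener as a match on a constructed appliance address 10.0.0.5 that ranks just below a host-specific destination address.

```javascript
// Added example (not ProxySG code): model of the most-specific match algorithm used
// to pick a proxy service listener for a new connection. Simplifications: IPv4 only,
// source address ignored, explicit listeners modelled as a match on the appliance IP.

const APPLIANCE_IP = "10.0.0.5"; // constructed appliance address for this example

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// True if ip lies inside cidr ("10.167.10.0/24"; a bare address means /32).
function inCidr(ip, cidr) {
  const [net, lenStr] = cidr.split("/");
  const len = lenStr === undefined ? 32 : Number(lenStr);
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Specificity rank of a listener for a destination IP, or -1 when it does not match.
// Prefix lengths are doubled so that an explicit listener (rank 63) sits between a
// host-specific /32 destination (64) and any wider subnet (<= 62), as the guide states.
// A transparent listener matches any address that is not the appliance's own (rank 0).
function rank(listener, destIp) {
  const d = listener.dest;
  if (d === "transparent") return destIp === APPLIANCE_IP ? -1 : 0;
  if (d === "explicit") return destIp === APPLIANCE_IP ? 63 : -1;
  if (!inCidr(destIp, d)) return -1;
  return (d.includes("/") ? Number(d.split("/")[1]) : 32) * 2;
}

function portMatches(listener, port) {
  return port >= listener.ports[0] && port <= listener.ports[1];
}

// Walk the matching listeners from most to least specific; the first whose port range
// also matches wins. null means no listener matched, i.e. the Default listener applies.
function selectListener(listeners, destIp, destPort) {
  const candidates = listeners
    .map(l => ({ l, r: rank(l, destIp) }))
    .filter(c => c.r >= 0)
    .sort((a, b) => b.r - a.r);
  for (const c of candidates) {
    if (portMatches(c.l, destPort)) return c.l;
  }
  return null;
}

// Listeners from Table 7-2 (the source IP of the first row is ignored in this model).
const TABLE_7_2 = [
  { name: "New York Data Center", proxy: "HTTP", dest: "10.167.10.0/24", ports: [80, 80] },
  { name: "New York CRM",         proxy: "HTTP", dest: "10.167.10.2",    ports: [80, 80] },
  { name: "HTTP Service",         proxy: "HTTP", dest: "transparent",    ports: [80, 80] },
];

// Listeners from Table 7-3.
const TABLE_7_3 = [
  { name: "L1", proxy: "HTTP", dest: "explicit",   ports: [80, 80] },
  { name: "L2", proxy: "HTTP", dest: "10.0.0.0/8", ports: [80, 80] },
];

function nameOf(listener) {
  return listener ? listener.name : "Default listener";
}

// Constructed connections: the CRM host, another host in the data-center subnet,
// an Internet address, and a port the listeners do not cover.
const SAMPLE_CONNECTIONS = [
  ["10.167.10.2", 80], ["10.167.10.77", 80], ["198.51.100.9", 80], ["10.167.10.2", 8443],
];
for (const [ip, port] of SAMPLE_CONNECTIONS) {
  console.log(`${ip}:${port} -> ${nameOf(selectListener(TABLE_7_2, ip, port))}`);
}
console.log(`${APPLIANCE_IP}:80 (Table 7-3) -> ${nameOf(selectListener(TABLE_7_3, APPLIANCE_IP, 80))}`);
```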
About Proxy Attributes in the Services
In addition to the listener information, each service contains one or more settings that
affect how the appliance proxies the traffic. The following sections provide an overview of
those settings. The proxy configuration topics provide more information about these
attributes.
About Authenticate-401
Available on the Explicit HTTP and External HTTP services.
When this option is selected, all transparent and explicit requests received on the port
always use transparent authentication (cookie or IP, depending on the policy
configuration).
If you have deployed Authentication in the way recommended by Symantec—where only
the ProxySG appliance nearest the user performs the authentication tasks—configuring
Authenticate-401 is not necessary. However, when multiple, explicitly configured
appliances in a proxy chain all attempt to perform authentication tasks, browsers can have
issues. By forcing one of the proxies (recommended: the one furthest away from the
client) to use 401-style authentication instead of the standard proxy 407-style
authentication, the browser can better handle the multiple authentication challenges.
About Protocol Detection
Applies to the HTTP, HTTPS, SOCKS, and TCP Tunnel services.
Protocol detection identifies HTTP, SOCKS CONNECT requests, and TCP tunnels. You
can enable protocol detection on the aforementioned services or implement it using policy.
Policy can further be used to negate protocol detection for SSL requests. Defining a policy
for protocol detection enhances granularity by matching on a richer set of conditions
rather than the specific service; policy always overrides manual settings.
If protocol detection is enabled, the appliance inspects the first bytes sent from the client
and determines if a corresponding application proxy is available to hand off the
connection. For example, an HTTP request identified on a TCP tunnel has full HTTP
policy applied to it, rather than just simple TCP tunnel policy. In particular, this means
that:
❐ The request arrives as a client protocol HTTP rather than a TCP Tunnel.
❐ The URL used while evaluating policy is an http:// URL of the tunneled HTTP
request, not a tcp:// URL to which the tunnel was connecting.
❐ Forwarding policy is applied based on the new HTTP request; therefore, the selected
forwarding host must support HTTP. A forwarding host of type TCP cannot handle
the request, which forces the request to be blocked.
Enabling protocol detection helps accelerate the flow of traffic. However, the TCP session
must be fully established with the client before either the application proxy or the TCP
tunnel proxy contacts the origin server. In some cases, like in the active-mode FTP data
connections, enabling protocol detection might cause a delay in setting up the connection.
To avoid this connection delay, either use a protocol specific proxy, such as the FTP proxy,
or disable protocol detection.
If protocol detection is disabled, traffic flows over a TCP tunnel without acceleration
provided by a protocol-specific proxy.
Note: Protocol detection is disabled by default.
About ADN Optimizations
Applies to the HTTP, HTTPS, CIFS, Endpoint Mapper, FTP, SSL, and TCP Tunnel proxies.
Controls whether ADN optimizations—byte caching and/or compression—are enabled on
a specific service. Note that enabling these ADN optimizations does not guarantee
accelerated connections. It depends on ADN routing (for explicit deployments) and
network configuration (for transparent deployments).
Byte caching is an optimization that replaces byte sequences in traffic flows with reference
tokens. The byte sequences and the token are stored in a byte cache on a pair of ProxySG
appliances (for example, one at the branch, the other at the data center). When a matching
byte sequence is requested or saved, the ProxySG appliance transmits the token instead of
the byte sequence.
GZIP compression removes extraneous/predictable information from traffic before it is
transmitted. The information is decompressed at the destination’s ProxySG appliance.
About Early Intercept
Opening a TCP connection involves a three-way handshake involving packets: the client
contacts the server, the server acknowledges the client, and the client acknowledges the
server.
❐ With early intercept, the appliance returns a server acknowledgment back to the client
and waits for the client acknowledgment, which completes the TCP 3-way handshake,
before the appliance connects upstream to the server. Furthermore, for proxies that
support object caching (such as HTTP), the appliance can serve from the cache—a server
connection is not necessary.
❐ With delayed intercept, the appliance attempts to connect upstream immediately after
receiving the client's initial connection request, but waits to return the server
acknowledgment until determining whether or not the upstream connection succeeds.
This provides greater transparency, as the client receives either an RST or no
response, which mirrors what is sent from a server when connections fail.
For every proxy listener except CIFS and TCP Tunnel services, early intercept is hard-
coded to enabled.
❐ For CIFS, the listener is hard-coded as delayed intercept because of a specific issue
with the way clients attempt to connect to ports 139 and 445 simultaneously. Without
a full transparency in our response to the TCP three-way handshakes, client
connections might break.
❐ For TCP Tunnel, the Early Intercept option is selectable and disabled by default. When
this option is disabled, the proxy delays responding to the client until after it has
attempted to contact the server. For maximum transparency, disable this option. If
reduced latency is more important, enable it.
Section B: Configuring a Service to Intercept Traffic
This section describes:
❐ "Changing the State of a Service (Bypass/Intercept)" on page 132
❐ "Moving a Service" on page 139
❐ "Deleting a Service or Service Group" on page 140
❐ "Bypassing All Proxy Services (Troubleshooting)" on page 140
❐ "Importing a Service from the Service Library" on page 140
To learn more details about Symantec services, see "Proxy Services Concepts" on page
124.
Section 1 Changing the State of a Service (Bypass/Intercept)
There are two service states:
❐ Bypass—Traffic for this service passes through the ProxySG appliance without
receiving an optimization or policy checking (as applicable).
❐ Intercept—The appliance intercepts traffic for this service and applies optimization or
policy checks (as applicable).
Depending on the type of installation performed on the appliance, the state of existing
services varies.
❐ Upgrade from a previous release—Supported services remain in their original service
groups and retain their bypass/intercept states.
❐ New installation or re-initialization—All services are set to Bypass, unless the person
performing a new installation set some services, such as External HTTP, to Intercept.
You cannot change the state of an entire predefined group; you must set each service
required for your deployment to Intercept.
Changing the state of a service to Intercept is only the first step in configuring a protocol
proxy. To achieve your corporate deployment goals, you must also configure the proxy
settings and define policy, both of which determine how the appliance processes the
intercepted traffic. These aspects are discussed in each proxy section later in this guide.
For more conceptual information about services, see "About Proxy Services" on page 124.
To change the state of a service:
1. In the Management Console, select the Configuration > Services > Proxy Services >
Proxy Services tab.
2. Click the group name to expand the group. For example, you want to intercept the
CIFS services.
3. Optional: Select the Default Action for traffic that does not match any current service.
4. From the drop-down for the service or an individual service port, select to Bypass or
Intercept.
5. Repeat for other services, as required.
6. Click Apply.
Next Tasks
As previously mentioned, setting a service to Intercept is one step in controlling specific
traffic types. There are other options for the services themselves, plus proxy
configurations and policy definitions. You can also create custom services and service
groups.
Proxy Configuration/Policy Definitions
"Reference: Service/Proxy Matrices" on page 166
Other Service Options
❐ "Moving a Service" on page 139
❐ "Deleting a Service or Service Group" on page 140
❐ "Bypassing All Proxy Services (Troubleshooting)" on page 140
❐ Section C: "Creating Custom Proxy Services" on page 134
❐ Section E: "Global Options for Proxy Services" on page 142
SGOS Administration Guide
Section C: Creating Custom Proxy Services
This section describes how to create a new proxy service. Follow this procedure if you
need to create a proxy service for a custom application.
You can also create custom proxy service groups and populate them with custom services
or move default services to them. For example, this ProxySG appliance serves a specific
purpose and you want a custom group that contains only those services. This procedure
discusses creating a service group, creating a new service, and placing that service in the
custom group.
Note: If you only need to change the state of the proxy service (Bypass/Intercept), you
can do so from the main Proxy Services tab. You do not need to enter New/Edit mode to
change this setting.
Before you begin, you must understand the goal of your deployment, how the application
proxy operates, and the IP addresses (source and/or destination) and ports to intercept.
Some proxy services, such as DNS, are simple—comprised only of IP addresses and ports.
Others, such as HTTP, have more attributes to consider.
For a high-level description of these options, see "About Proxy Attributes in the Services"
on page 128.
For specific proxy descriptions, see
To create a new proxy service:
1. From the Management Console, select the Configuration > Services > Proxy Services
tab.
2. At the bottom of the tab, click New Service Group. The New Service Group dialog
displays.
3. In the Service Group field, name the custom service group.
4. Click OK. The new service group displays under Custom Service Groups.
5. Click New Service. The New Service dialog displays.
6. Configure service attributes, including applicable proxy settings:
a. In the Name field, enter a name that describes the service.
b. From the Service Group drop-down list, select which group displays the
service on the main page. You can add the service to a default group or any
already-created custom group.
c. Proxy settings—From the Proxy drop-down list, select the supported proxy
that is compatible with the application protocol.
The Proxy settings sub-options are dynamic (including TCP/IP Settings), based on
the selected proxy. See "About Proxy Attributes in the Services" on page 128 for
overviews of these options; for more detailed information, see the chapter that
explains each proxy.
Note: The Detect Protocol setting is disabled by default. You must select this
check box for filtering to be recognized.
d. Application Delivery Network Settings (Not available for all proxies):
Enable ADN—This setting does not guarantee acceleration for this service—it also
depends on ADN routing (for explicit deployments) or network setup (for
transparent deployments).
Enable byte caching—This acceleration technique replaces byte sequences in
traffic flows with reference tokens and stores them in a byte cache on a pair of
ProxySG appliances at each end of the WAN. When a matching byte sequence is
requested again, the ProxySG appliance transmits a token instead of the byte
sequence.
Enable compression—Uses a variety of algorithms to remove extraneous/
predictable information from the traffic before it is transmitted. The information is
reconstituted at the destination based on the same algorithms.
Note: To get the maximum benefit of ADN, both byte caching and compression
should be enabled. In cases where byte caching may be causing issues for an ADN
deployment, you can turn off the Enable byte caching option and just use
compression (or vice versa). If you know the traffic for this proxy is already
compressed or encrypted, you can conserve resources by clearing the Enable byte
caching and Enable compression options. For additional information about byte
caching and compression, see "ADN Acceleration Techniques" on page 789.
Enable thin client processing—Applies special treatment to application traffic
from thin client applications (such as RDP, VNC, and Citrix). This processing
improves responsiveness of thin client actions. For example, end-users will notice
that the desktop displays significantly faster. In addition, thin client data is not
retained in the byte cache as long as other types of data because this data is more
temporal in nature; the byte cache, therefore, can be used more efficiently for other
types of traffic that can better leverage it.
This option is available for TCP Tunnel proxies only, and is only available when
ADN is enabled and byte caching and/or compression is enabled. Retention
priority and thin client processing are mutually exclusive settings; you cannot
enable both options for a service.
Note: For thin client processing to be most effective, you must deactivate the
thin client’s software-based encryption and compression.
Retention priority—You can control how long data is stored in the byte cache
dictionary by assigning a retention priority to a particular service. If you want to
keep certain types of data in the dictionary for as long as possible, set a high
retention priority for the service. Or for data that isn’t likely to get much benefit
from byte caching, you can set a low retention priority for the related service.
Most services are set to normal priority by default. This option is available only if
byte caching is enabled for the service.
You can use this option to preserve the most relevant content in the byte cache in
the face of continually incoming, competing byte cache data. For example, when
an application is being used for backup, you may want to set the retention priority
to high so that competing traffic doesn’t evict the backup data. However, if an
application is being used for data replication, you may want to set the service’s
retention priority to low as the data most likely will only be hit in the next short
duration.
7. Create a listener, or the IP address(es) and ports that this application protocol uses. In
the Listeners area, click New. The New Listener dialog displays.
8. Configure the new listener attributes:
a. In the Source address area, the most common selection is All, which means
the service applies to requests from any client (IPv4 and IPv6). You can also
restrict this listener to a specific IP address (IPv4 or IPv6) or user subnet (for
IPv4) or prefix length (for IPv6).
b. Select a Destination address from the options. The correct selection might
depend on network configuration. For overviews of the options, see "About
Proxy Services" on page 124.
c. In the Port Range field, enter a single port number or a port range that this
application protocol uses. For a port range, enter a dash between the start and
end ports. For example: 8080-8085
d. In the Action area, select the default action for the service: Bypass configures
the service to ignore any traffic matching this listener. Intercept configures the
service to intercept and proxy the associated traffic.
e. Click OK to close the dialog. The new listener displays in the Listeners area.
9. Click OK to add the new service to the selected service group.
10. Click Apply.
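As an added example that is not ProxySG code, the following Python model shows how a listener's source and destination selectors and its port range (such as 8080-8085) decide whether a connection matches, and which action applies when no listener matches (the Default Action from the earlier procedure). The CIDR notation for subnet/prefix selectors, the sample listeners, and the sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of a proxy service listener (added example, not product code).
# "All" matches any address; a subnet mask (IPv4) or prefix length (IPv6) is written
# here in CIDR form, e.g. 10.1.0.0/16 or 2001:db8::/32.

@dataclass
class Listener:
    service: str
    source: str        # "All", a single address, or CIDR
    destination: str   # "All", a single address, or CIDR
    port_range: str    # "443" or "8080-8085" (dash between start and end)
    action: str        # "Bypass" or "Intercept"

def parse_port_range(text):
    """Parse '8080-8085' into (8080, 8085) and '443' into (443, 443)."""
    start, sep, end = text.strip().partition("-")
    lo = int(start)
    hi = int(end) if sep else lo
    if not (0 < lo <= hi <= 65535):
        raise ValueError(f"invalid port range: {text!r}")
    return lo, hi

def address_matches(selector, address):
    """True if the selector ('All', host address or CIDR) covers the address."""
    if selector == "All":
        return True
    addr = ipaddress.ip_address(address)
    net = ipaddress.ip_network(selector, strict=False)
    # An IPv4 selector never matches an IPv6 client and vice versa.
    return addr.version == net.version and addr in net

def find_listener(listeners, src, dst, port):
    """Return the first listener whose source, destination and port range match."""
    for lst in listeners:
        lo, hi = parse_port_range(lst.port_range)
        if (lo <= port <= hi and address_matches(lst.source, src)
                and address_matches(lst.destination, dst)):
            return lst
    return None

def decide(listeners, src, dst, port, default_action="Bypass"):
    """Return (service name or None, action) for a client connection.

    default_action stands in for the Default Action applied to traffic that
    matches no service.
    """
    lst = find_listener(listeners, src, dst, port)
    if lst is None:
        return None, default_action
    return lst.service, lst.action

# Constructed sample listeners: a custom application on 8080-8085 restricted to a
# branch subnet, HTTP on port 80 for all clients, and an IPv6-only application.
SAMPLE_LISTENERS = [
    Listener("custom-app", "10.1.0.0/16", "All", "8080-8085", "Intercept"),
    Listener("External HTTP", "All", "All", "80", "Intercept"),
    Listener("ipv6-app", "2001:db8::/32", "All", "9000-9010", "Bypass"),
]

if __name__ == "__main__":
    for src, dst, port in [("10.1.2.3", "198.51.100.5", 8082),
                           ("192.0.2.9", "198.51.100.5", 8082),
                           ("2001:db8:1::7", "2001:db8:2::1", 9005)]:
        print(src, dst, port, "->", decide(SAMPLE_LISTENERS, src, dst, port))
```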
See Also
❐ "Moving a Service"
❐ "Importing a Service from the Service Library"
Section D: Proxy Service Maintenance Tasks
This section provides various tasks for managing existing services.
❐ "Moving a Service"
❐ "Deleting a Service or Service Group" on page 140
❐ "Bypassing All Proxy Services (Troubleshooting)" on page 140
❐ "Importing a Service from the Service Library" on page 140
Moving a Service
The predefined services are not anchored to their default groups. You can move a service
to any other predefined or custom group.
Note: You must move the entire service; that is, you cannot move individual service
listeners.
To move a service to another service group:
1. From the Management Console, select the Configuration > Services > Proxy Services
tab.
2. Move the service:
a. Select a service.
b. Click Move Service. The Move Service dialog displays.
c. From the drop-down list, select an existing service group (custom or pre-
defined).
d. Click OK.
3. Click Apply.
Deleting a Service or Service Group
You can delete a service within a predefined service group but you cannot delete an empty
predefined service group itself. However, you can delete a custom service group if it is
empty.
You can add back a default service you deleted from the service library by using the
Import Service feature. See "Importing a Service from the Service Library" on page 140.
To delete a service:
1. From the Management Console, select the Configuration > Services > Proxy Services
tab.
2. Select the service or custom service group to delete.
3. Click Delete. A confirmation prompt displays.
4. Click Yes. The selected service or custom service group is deleted.
5. Click Apply.
Bypassing All Proxy Services (Troubleshooting)
The Bypass All Proxies feature is intended as an interim solution while application-
breaking problems are repaired. When Force Bypass is invoked, transparent proxy
connections are bypassed and explicit proxy connections are rejected.
Note: Downgrading to a version that does not support force bypass while running in
bypass mode will result in restoration of proxy services.
To bypass all proxy services:
1. From the Management Console, select the Configuration > Services > Proxy Services
tab.
2. In the Force Bypass area, select the Temporarily bypass all proxy services option. The
bypass statement turns red.
3. Click Apply.
Importing a Service from the Service Library
The import service procedure is required if you delete a default service and want to re-add
it. If you import an existing service, you are prompted to confirm the replacement of the
service. Existing service settings are overwritten with the default settings.
In addition, after upgrading the software, any new services added to the service library
must be imported if you want to use them.
To import a service from the service library:
1. From the Management Console, select the Configuration > Services > Proxy Services >
Proxy Services tab.
2. Click Import Service. The Import Service dialog displays.
3. Configure the import service options:
a. From the Name drop-down list, select the service to import.
b. All other settings adjust automatically to the service’s default values. Perform
changes if required.
c. Click New to configure a new listener or Edit to modify existing listener
settings.
d. Click OK.
4. Click Apply.
Section E: Global Options for Proxy Services
This section describes features that apply to all proxies and services. See "Proxy Service
Global Options" for details.
Section 2 Proxy Service Global Options
Symantec provides optional settings that apply to all proxy services when configured:
❐ "Ensuring Application Availability (Tunnel on Protocol Error)"
❐ "Using the Client IP Address for Server Connections" on page 145
❐ "Improving Performance by Not Performing a DNS Lookup" on page 146
❐ "Managing Licensed User Connection Limits (ProxySG to Server)" on page 150
Note: You can subscribe to the CachePulse service to optimize HTTP traffic. For
information, see "Enabling CachePulse" on page 198.
Ensuring Application Availability (Tunnel on Protocol Error)
HTTP Proxy
In many networks, business-critical applications send traffic over port 80—the default
HTTP port—because it is used as a generic route through the firewall. However, the
ProxySG appliance HTTP proxy encounters problems when it receives non-HTTP
requests from clients or browsers: the client receives an exception page and the
connection closes. The following conditions create this situation:
❐ The client request from an application or browser is not HTTP.
❐ The request is HTTP but also contains components that are not HTTP.
❐ The request contains an unexpected formatting error in a line or header.
The appliance provides an option that enables the HTTP proxy to tunnel the connection
when it receives non-HTTP traffic or a broken HTTP request. This allows application traffic,
and therefore employee productivity, to continue. The transactions remain labeled as
HTTP; therefore, the access logs and the Traffic Mix and Active Sessions statistics display
TCP_TUNNELED to indicate when a connection was tunneled through the HTTP proxy. The
HTTP proxy cannot apply security policy to tunneled connections; however, benefits
provided by ADN configurations might still apply.
The TCP Tunnel on Error option has the following restrictions:
❐ Applies only to HTTP traffic; HTTPS is not supported in either forward or reverse
proxy modes.
❐ Applies only to errors in requests from the client browser or application to the
appliance. Any issues that arise from server responses are not accommodated by this
feature.
SSL Proxy
For the SSL proxy, the Tunnel on Protocol Error option applies when non-SSL traffic
arrives at the SSL port (443 by default). A common cause is peer-to-peer applications
(such as Skype, BitTorrent, and Gnutella) configured to use port 443 for peer-to-peer
traffic without SSL as the transport protocol. An appliance transparently intercepting
all 443 traffic cannot process these connections, rendering the application unusable.
With an explicit proxy deployment, SSL errors during the initial handshake cause the
same issue. The following example illustrates this:
❐ The appliance is configured to have an explicit HTTP service on port 8080.
❐ The HTTP service is configured with detect protocol enabled, which hands off SSL
traffic to the SSL proxy from an HTTP CONNECT request. Detect Protocol is set to OFF
by default.
Note: The same applies to an explicit SOCKS proxy deployment with protocol detection
enabled or an explicit TCP listener.
Forwarding Note
Enabling the TCP Tunnel on Error option might cause issues if the appliance has
forwarding rules that direct traffic to upstream proxies or other devices:
❐ Forwarding hosts are not viewed as HTTP proxies (even if they are). The initial HTTP
proxy connects with a TCP tunnel to the forwarding host. If the appliance has a policy
to forward and tunnels on error, the forwarding rule might not match if the forwarding
rule has a condition based on information that is not present—any HTTP conditions,
such as:
• Request method
• Request URL
• Request headers
❐ In the case of tunnel on error with explicit proxy, HTTP must match a forwarding host
for the connection of a successful TCP tunnel to occur. If no forwarding host matches,
HTTP will not tunnel on error.
To enable TCP tunnel on HTTP protocol errors:
1. Select the Configuration > Proxy Settings > General > General tab.
2. In the Tunnel on Protocol Error area, select TCP tunnel requests when a protocol error is
detected.
3. Click Apply.
Related Policy
The Visual Policy Manager (VPM) provides the Client Certificate Requested object in the
SSL Intercept Layer > Service column (the equivalent CPL is
client.certificate.requested={yes|no}). Use this policy in conjunction with an
SSL.Intercept(no) action, or a Do Not Intercept SSL action in the VPM, to minimize
traffic disruption when the SSL proxy intercepts secure traffic where the OCS requests a
client certificate.
When Tunnel on Error is enabled, the first detection of a client certificate request from an
OCS causes the connection to fail. The appliance adds the details for that exchange to an
internal list of connections for which SSL interception should be negated. Subsequent
requests function as expected.
Using the Client IP Address for Server Connections
This section discusses configuring the ProxySG appliance to use the IP address of the
client to connect to destination servers rather than use the appliance address.
About Reflecting the Client Source IP when Connecting to Servers
By default, the ProxySG appliance uses its own IP address as the source IP address for
requests (when connecting to servers). If Reflect Client IP is enabled, the appliance uses
the client IP address for all requests. Enabling this option is not an arbitrary decision; it
depends on the deployment and role of the appliance. For example, if this ProxySG is
acting as a branch peer in an Application Delivery Network (ADN) deployment, enable
client IP address reflection. This provides maximum visibility for network usage statistics
and enables user-based access control to network resources.
Note: The Reflect Client IP option is only supported in transparent deployments.
You can globally enable the Reflect Client IP option for all services that will be
intercepted. To apply Reflect Client IP option to only a few services, first enable this
option globally and then create policy to disable the Reflect Client IP option for the
exceptions. Or, disable the option globally and create policy to enable it.
Enabling Reflect Client Source IP
To configure the appliance to connect to servers using client source IP addresses:
1. Select the Configuration > Proxy Settings > General > General tab.
2. In the Reflect Client IP area, select Reflect client’s source IP when connecting to servers.
3. Click Apply.
Important: If you enable Reflect Client IP and want the appliance to preserve persistent
client connections, you must also add policy.
VPM object: Web Access Layer > Action > Support Persistent Client Requests (static)
CPL:
<proxy>
http.client.persistence(preserve)
Improving Performance by Not Performing a DNS Lookup
This section describes how to improve performance by configuring the appliance to trust
the destination IP address provided by the client.
About Trusting the Destination IP Address Provided by the Client
If, in your environment, a client sometimes provides a destination IP address that the
ProxySG appliance cannot identify, you have the option to configure the appliance to not
perform a DNS lookup and allow that IP address. This can improve performance, but
potentially presents a security issue.
You can configure the appliance to trust a client-provided destination IP address in
transparent proxy deployments where:
❐ DNS configuration on the client is correct, but is not correct on the appliance.
❐ The client obtains the destination IP address using Windows Internet Name Service
(WINS) for NetBIOS name resolution.
❐ DNS imputing on the appliance is not configured correctly. On the appliance, you can
configure a list of suffixes to help with DNS resolution. In the event that the host name
is not found, these suffixes are appended to the host name provided by the client. For
information on DNS imputing, see "Resolving Hostnames Using Name Imputing
Suffixes" on page 909.
In each of the cases above, the appliance cannot obtain the destination IP address to serve
client requests. When you enable the appliance to trust a client-provided destination IP
address, the appliance uses the IP address provided by the client and does not perform a
DNS lookup.
Figure 7–1 No DNS lookup occurs; the transactions goes straight to the OCS.
Figure 7–2 The appliance initiates a DNS lookup and initiates a new connection to the server.
The appliance cannot trust the client-provided destination IP address in the following
situations if the appliance:
❐ receives the client requests in an explicit proxy deployment.
❐ has a forwarding rule configured for the request.
❐ has a SOCKS gateway rule configured for the request.
❐ has policy that rewrites the server URL.
A transproxy deployment is one in which a client is configured to contact an appliance
explicitly, and a new appliance is deployed between the client and its explicit proxy. The
new appliance now transparently intercepts the traffic between the client and its explicit
proxy. In a transproxy deployment, the destination IP address used by the client does not
match the Host header in the HTTP request, because the client is configured to use the
explicit proxy. The path that the client request takes in a transproxy deployment depends
on whether or not Trust Destination IP is enabled on the transparently deployed appliance.
❐ When Trust Destination IP is enabled on the transparent appliance, the transparent
proxy trusts the destination IP included in the request and forwards the request to the
explicit proxy, which serves it either from cache or from the Origin Content Server
(OCS).
❐ When Trust Destination IP is disabled on the transparent appliance, the transparent
proxy performs a DNS resolution on the host header in the request. The request is then
completed based on the configured policy—forwarding rules, SOCKS gateway policy,
and server URL rewrite policy.
Note: If a client gives the destination address of a blocked site but the host name of a
non-blocked site, with Trust Destination IP enabled, the appliance connects to the
destination address. This might allow clients to bypass the configured security policy for
your environment.
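The Note above describes the security trade-off of trusting the client-provided destination IP. The following Python simulation, added here as an illustration rather than ProxySG code, models which server the appliance reaches with the setting enabled or disabled and provides an audit check that flags requests whose Host header would pass policy while the trusted destination IP belongs to a blocked site. The DNS table, blocked lists, and sample requests are constructed.

```python
from dataclasses import dataclass

# Constructed simulation of the Trust Destination IP decision (added example,
# not ProxySG code). dns_table maps lower-case host names to the set of IPs the
# appliance itself would resolve them to.

@dataclass
class Request:
    client_dest_ip: str   # destination IP the client connected to (transparent)
    host_header: str      # Host header carried in the HTTP request

def resolve_server(req, trust_destination_ip, dns_table):
    """Return the IP the appliance connects to, or None if resolution fails."""
    if trust_destination_ip:
        # No DNS lookup: the client-provided destination is used as-is.
        return req.client_dest_ip
    ips = dns_table.get(req.host_header.lower())
    if not ips:
        return None
    # Deterministic choice among the resolved addresses.
    return sorted(ips)[0]

def host_ip_mismatch(req, dns_table):
    """True when the client-provided IP is not one the Host name resolves to."""
    ips = dns_table.get(req.host_header.lower(), set())
    return req.client_dest_ip not in ips

def audit(requests, trust_destination_ip, dns_table, blocked_hosts, blocked_ips):
    """Flag requests that reach a blocked address although the Host passes policy.

    URL policy is modelled as a host-name check (what the policy engine sees);
    the actual connection target is whatever resolve_server() returns.
    Returns a list of (host_header, client_dest_ip) findings.
    """
    findings = []
    for req in requests:
        host_allowed = req.host_header.lower() not in blocked_hosts
        target = resolve_server(req, trust_destination_ip, dns_table)
        reaches_blocked = target is not None and target in blocked_ips
        if host_allowed and reaches_blocked:
            findings.append((req.host_header, req.client_dest_ip))
    return findings

# Constructed sample data: one legitimate request and one whose destination IP
# belongs to a blocked site while its Host header names an allowed site.
SAMPLE_DNS = {
    "intranet.example": {"192.0.2.10"},
    "blocked.example": {"203.0.113.5"},
}
BLOCKED_HOSTS = {"blocked.example"}
BLOCKED_IPS = {"203.0.113.5"}
SAMPLE_REQUESTS = [
    Request("192.0.2.10", "intranet.example"),
    Request("203.0.113.5", "intranet.example"),
]

if __name__ == "__main__":
    for trust in (True, False):
        print("trust_destination_ip =", trust, "->",
              audit(SAMPLE_REQUESTS, trust, SAMPLE_DNS, BLOCKED_HOSTS, BLOCKED_IPS))
```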
About the Default Settings
During the ProxySG initial configuration tasks, the administrator determined the default
Trust Destination IP setting. In most deployments, the role of the appliance determines the
setting:
❐ Acceleration role: enabled.
❐ Most other proxy deployments: disabled for tighter security.
You can change these defaults through the Management Console, the CLI, or through
policy. If you use policy, however, be aware that it overrides the setting in the
Management Console.
For information about using the trust_destination_ip(yes|no) CPL property, refer to
the Content Policy Language Guide.
Configuring the Appliance to Trust or Not Trust the Destination IP Address
To change the current trust destination default setting:
1. Select the Configuration > Proxy Settings > General tab.
2. Select or clear the Trust client-provided destination IP when connecting to servers
option.
3. Click Apply.
Section 3 Managing Licensed User Connection Limits (ProxySG to Server)
This section describes how to enable license-enforced user limits on the ProxySG
appliance, how to monitor user numbers, and how to configure the appliance to behave
when a limit is breached.
About User Limits
If more users connect through the system than the model license allows, you can
configure the overflow behavior (after a permanent model license has been applied to
the system). The enforcement options are to queue the connections or to bypass the
appliance and proceed directly to the server.
Only unique IP addresses of connections intercepted by proxy services are counted toward
the user limit; furthermore, the number of users depends on the hardware model and
whether or not ADN is enabled.
License-enforced user connection limits are advisory and are based on optimal
performance for each appliance. The default setting is to not enforce user limits; however,
when a user connection limit is breached, the appliance logs the event and the license
health indicator changes to Critical.
For WAN optimization deployments, Symantec recommends purchasing a ProxySG
model based on the maximum number of client connections it needs to support, not the
maximum number of users, since the connection limit is likely to be reached first; your
channel partner SE or local Symantec SE can assist you with WAN optimization
connection counts and sizing for your specific needs.
The following tables provide the user connection limits hard-coded into the license per
hardware or virtual appliance model.
Table 7–4 Hardware Models and Licensed Users

Hardware Model   Number of Licensed Users (Concurrent Source IP Addresses)
                 Without ADN   With ADN (SGOS only)
S200-10          Unlimited     Unlimited
S200-20          Unlimited     Unlimited
S200-30          Unlimited     Unlimited
S200-40          Unlimited     Unlimited
S400-20          Unlimited     Unlimited
S400-30          Unlimited     Unlimited
S400-40          Unlimited     Unlimited
S500-10          Unlimited     Unlimited
S500-20          Unlimited     Unlimited
300-5            30            10
300-10           150           150
300-25           Unlimited     Unlimited
600-10           500           500
600-20           1000          1000
600-35           Unlimited     Unlimited
900-10           3500          3500
900-10B          3500          3500
900-20           6000          6000
900-30           Unlimited     Unlimited
900-45
900-55           Unlimited     Unlimited
9000-5           Unlimited     Unlimited
9000-10
9000-20
9000-20B
9000-30
9000-40
Table 7–5 Virtual Appliance Models and Licensed Users

Virtual Appliance Model   Number of Licensed Users
VA-5                      10
VA-10                     50
VA-15                     125
VA-20                     300
V-100                     Up to 2500
Tasks for Managing User Limits
To learn more about user limits, see "About User Limits" on page 150.
Monitoring and managing user limits requires the following tasks:
❐ "Modifying User Limits Notifications" on page 152—Configure the ProxySG
appliance to monitor and alert you when a user limit is near.
❐ "Determining Behavior When User Limits are Exceeded" on page 153—Determine
what happens when more user connections than allowed by the license occur.
Note: If your platform and license support unlimited user connections, you do not have
to configure user limit notifications because the thresholds cannot be exceeded. Refer to
Table 7–4, "Hardware Models and Licensed Users" on page 150 and Table 7–5, "Virtual
Appliance Models and Licensed Users" on page 151 to determine the limits for your
hardware or virtual appliance model.
Modifying User Limits Notifications
You can set and monitor user limit thresholds of the model license. A threshold breach
triggers a notification and/or event log entry. Frequent breaches indicate that constant user
connections to this particular ProxySG model are exceeding the optimal design.
Note: You can access the Statistics > Health Monitoring > Licensing tab to view licensing
status, but you cannot make changes to the threshold values from that tab.
To view licensing metrics and set user limits notifications:
1. Click Maintenance > Health Monitoring > Licensing.
2. Select User License Utilization.
3. Click Edit. The Edit Health Monitor Settings dialog displays.
4. (Optional) Modify the threshold and interval values to your satisfaction. The
thresholds represent the percentage of license use.
a. Modify the Critical and/or Warning Threshold settings. These values are
percentages of the licensed maximum. For example, if the appliance is an SG810-20
and ADN is enabled, the maximum number of unique user connections is 1000.
With a Warning Threshold value of 80 (percent) and a Critical Threshold value of
90, the notifications trigger when user connectivity reaches 800 and 900,
respectively.
b. Modify the Critical and/or Warning Interval settings. These values are the
number of seconds that elapse between user limit checks. By default, both
critical and warning interval checks occur every 120 seconds.
5. Select the notification settings:
• Log adds an entry to the Event Log.
• Trap sends an SNMP trap to all configured management stations.
• Email sends an e-mail to the addresses listed in the Event Logging properties
(Maintenance > Event Logging > Mail).
6. Click OK to close the dialog.
7. Click Apply.
For information about licensing, see Chapter 3: "Licensing" on page 55.
Determining Behavior When User Limits are Exceeded
You can specify what happens when more users simultaneously connect through the
ProxySG appliance (overflow connections) than is allowed by the model license:
❐ Bypass the system: All connections exceeding the maximum are passed through the
system without processing.
❐ Queue connections: All connections exceeding the maximum are queued, waiting for
another connection to drop off.
❐ Do not enforce the licensed user limit: This is the default option for hardware
appliances. This allows for unlimited connections; however, exceeding the license
limit triggers a health monitoring event. This option is not available for virtual
appliances because the ProxySG VA always enforces the licensed user limit.
To specify what happens when overflow connections occur:
1. Select Configuration > Proxy Settings > General.
2. In the User Overflow Action area, select an action that occurs when the licensed user
limits are exceeded:
• Do not enforce licensed user limit is the default. Unlimited user connections are
possible. If the limit is exceeded, the appliance health changes to CRITICAL. This
option is not available on the ProxySG VA because licensed user limits are always
enforced.
• Bypass connections from users over license limit—Any transaction from a user
whose connection exceeds the licensed limit is not susceptible to policy checks or
any other ProxySG benefit, such as acceleration. This option provides the best
user experience (with the caveat of potentially slower performance), but presents
a Web security risk. This is the default option for the ProxySG VA.
• Queue connections from users over license limit—Any transaction from a user
whose connection exceeds the licensed limit must wait (in order) for an available
ProxySG connection. This option provides the poorest user experience (users
might become frustrated and, perceiving a hang, might attempt request refreshes),
but preserves Web security policies.
3. Click Apply.
Viewing Concurrent Users
View a snapshot of intercepted, concurrent users by selecting the Statistics > System >
Resources > Concurrent Users tab. The tab shows user connections going through the
ProxySG appliance for the last 60 minutes, day, week, month, and year. Only unique IP
addresses of connections intercepted by proxy services are counted toward the user limit.
See Also
❐ "Global Options for Proxy Services"
❐ "Enabling Reflect Client Source IP"
❐ "About Trusting the Destination IP Address Provided by the Client"
❐ "Managing Licensed User Connection Limits (ProxySG to Server)"
Section F: Exempting Requests From Specific Clients
The bypass list contains IP addresses/subnet masks of client and server workstations. Used
only in a transparent proxy environment, the bypass list allows the appliance to skip
processing requests sent from specific clients to specific servers. The list allows traffic
between protocol-noncompliant clients and servers to pass through the appliance without
a disruption in service.
Note: This prevents the appliance from enforcing any policy on these requests and
disables any caching of the corresponding responses. Because bypass entries bypass
Symantec policy, use bypass sparingly and only for specific situations.
This section covers the following topics:
❐ "Adding Static Bypass Entries"
❐ "Using Policy to Configure Dynamic Bypass" on page 157
Section 4 Adding Static Bypass Entries
You can add entries to prevent the appliance from intercepting requests from specified
systems.
Note: Dynamic bypass cannot be configured through the Management Console. You
must define policy or use the CLI. For more information, see "Using Policy to
Configure Dynamic Bypass" on page 157.
To add static bypass entries:
1. Click the Configuration > Services > Proxy Services > Static Bypass List tab.
2. Click New to create a new list entry (or click Edit to modify a list entry). The New
Bypass List Entry dialog displays.
3. Create a Client Address or Server Address entry. The IP address can be IPv4 or IPv6. If
you enter an IPv4 address, you can specify a subnet mask. For IPv6 addresses, you can
specify a prefix length.
4. (Optional) Add a Comment that indicates why you are creating the static bypass rule
for the specific source/destination combination. This is useful if another administrator
needs to tune the settings later.
5. Click OK to close the dialog.
6. Click Apply.
Using Policy to Configure Dynamic Bypass
Dynamic bypass, available through policy, can automatically compile a list of response
URLs that return various types of errors.
Note: Because bypass entries bypass Symantec policy, the feature should be used
sparingly and only for specific situations.
About Dynamic Bypass
Dynamic bypass keeps its own (dynamic) list of which connections to bypass, where
connections are identified by both source and destination. Dynamic bypass can be based
on any combination of policy triggers. In addition, some global settings can be used to
selectively enable dynamic bypass based on specific HTTP response codes. After an entry
exists in the dynamic bypass table for a specific source/destination IP pair, all connections
from that source IP to that destination IP are bypassed in the same way as connections that
match against the static bypass list.
For a configured period of time, further requests for the error-causing URLs are sent
immediately to the origin content server (OCS), bypassing the appliance. The amount of
time a dynamic bypass entry stays in the list and the types of errors that cause the
appliance to add a site to the list, as well as several other settings, are configurable from
the CLI.
After the dynamic bypass timeout for a client and server IP address entry ends, the
appliance removes the entry from the bypass list. On the next client request for the client
and server IP address, the appliance attempts to contact the OCS. If the OCS still returns
an error, the entry is again added to the local bypass list for the configured dynamic bypass
timeout. If the entry does not return an error, entries are again added to the dynamic list
and not the local list.
Notes
❐ Dynamic bypass entries are lost when the appliance is restarted.
❐ No policy enforcement occurs on client requests that match entries in the dynamic or
static bypass list.
❐ If a site that requires forwarding policy to reach its destination is entered into the
bypass list, the site is inaccessible.
Configuring Dynamic Bypass
Dynamic bypass is disabled by default. Enabling and fine-tuning dynamic bypass is a two-step process:
❐ Set the desired dynamic bypass timeout and threshold parameters.
❐ Use policy (recommended) or the CLI to enable dynamic bypass and set the types of
errors that cause dynamic bypass to add an entry to the bypass list.
Adding Dynamic Bypass Parameters to the Local Bypass List
The first step in configuring dynamic bypass is to set the server-threshold,
max-entries, or timeout values in the CLI.
Note: This step is optional because the appliance uses default configurations if you do
not specify them. Use the default values unless you have specific reasons for changing
them. Contact Symantec Technical Support for detailed advice on customizing these
settings.
❐ The server-threshold value defines the maximum number of client entries before
the appliance consolidates client–server pair entries into a single server entry that then
applies to all clients connecting to that server. The range is 1 to 256. The default is 16.
When a consolidation occurs, the lifetime of the consolidated entry is set to the value
of timeout.
❐ The max-entries defines the maximum number of total dynamic bypass entries. The
range is 100 to 50,000. The default value is 10,000. When the number of entries
exceeds the max-entries value, the oldest entry is replaced by the newest entry.
❐ The timeout value defines the number of minutes a dynamic bypass entry can remain
unreferenced before it is deleted from the bypass list. The range is 1 to 86400. The
default value is 60.
Enabling Dynamic Bypass and Specifying Triggers
Enabling dynamic bypass and specifying the types of errors that cause a URL to be added
to the local bypass list are done with the CLI; you cannot use the Management Console.
Using policy to enable dynamic bypass and specify trigger events is better than using the
CLI, because the CLI has only a limited set of responses. For information about available
CLI triggers, refer to the Content Policy Language Reference. For information about using
policy to configure dynamic bypass, refer to the Visual Policy Manager Reference.
Bypassing Connection and Receiving Errors
In addition to setting HTTP code triggers, you can enable connection and receive errors
for dynamic bypass.
If connect-error is enabled, any connection failure to the origin content server (OCS),
including timeouts, inserts the OCS destination IP address into the dynamic bypass list.
If receive-error is enabled, when the cache does not receive an HTTP response on a
successful TCP connection to the OCS, the OCS destination IP address is inserted into the
dynamic bypass list. Server timeouts can also trigger receive-error. The default timeout
value is 180 seconds, which can be changed.
CLI Syntax to Enable Dynamic Bypass and Trigger Events
❐ To enter configuration mode for the service:
#(config) proxy-services
#(config proxy-services) dynamic-bypass
❐ The following subcommands are available:
#(config dynamic-bypass) {enable | disable}
#(config dynamic-bypass) max-entries number
#(config dynamic-bypass) server-threshold number
#(config dynamic-bypass) trigger {all | connect-error | non-http | receive-error | 400 | 401 | 403 | 405 | 406 | 500 | 502 | 503 | 504}
#(config dynamic-bypass) timeout minutes
#(config dynamic-bypass) no trigger {all | connect-error | non-http | receive-error | 400 | 401 | 403 | 405 | 406 | 500 | 502 | 503 | 504}
#(config dynamic-bypass) clear
#(config dynamic-bypass) view
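The following is an added example, not ProxySG code: a Python model of the dynamic bypass table that applies the server-threshold, max-entries and timeout parameters and the trigger names from the CLI reference above to a sequence of connection outcomes, so the consolidation, expiry and eviction behaviour can be checked on concrete input. The `observe`/`is_bypassed` interface, the assumption that entries are keyed by (client, server) until consolidated, and all IP addresses are constructed for this illustration.

```python
"""Model of the dynamic bypass table described in this section (added example)."""
from collections import OrderedDict
from dataclasses import dataclass, field

# Defaults and ranges quoted in the parameter list above.
DEFAULT_SERVER_THRESHOLD = 16   # range 1..256
DEFAULT_MAX_ENTRIES = 10_000    # range 100..50,000
DEFAULT_TIMEOUT_MIN = 60        # range 1..86400 minutes

# Trigger names accepted by "trigger {...}" in the CLI syntax above.
HTTP_CODE_TRIGGERS = {"400", "401", "403", "405", "406", "500", "502", "503", "504"}
ERROR_TRIGGERS = {"connect-error", "non-http", "receive-error"}


@dataclass
class DynamicBypass:
    server_threshold: int = DEFAULT_SERVER_THRESHOLD
    max_entries: int = DEFAULT_MAX_ENTRIES
    timeout_min: int = DEFAULT_TIMEOUT_MIN
    triggers: set = field(default_factory=set)
    # key: (client_ip, server_ip), or (None, server_ip) for a consolidated
    # server-wide entry; value: minute at which the entry was last referenced.
    entries: OrderedDict = field(default_factory=OrderedDict)

    def __post_init__(self) -> None:
        if not 1 <= self.server_threshold <= 256:
            raise ValueError("server-threshold must be 1..256")
        if not 100 <= self.max_entries <= 50_000:
            raise ValueError("max-entries must be 100..50000")
        if not 1 <= self.timeout_min <= 86_400:
            raise ValueError("timeout must be 1..86400 minutes")

    def set_trigger(self, name: str) -> None:
        """Equivalent of '#(config dynamic-bypass) trigger <name>'."""
        if name == "all":
            self.triggers |= HTTP_CODE_TRIGGERS | ERROR_TRIGGERS
        elif name in HTTP_CODE_TRIGGERS | ERROR_TRIGGERS:
            self.triggers.add(name)
        else:
            raise ValueError(f"unknown trigger {name!r}")

    def _expire(self, now_min: int) -> None:
        # An entry unreferenced for longer than the timeout is deleted.
        for key in list(self.entries):
            if now_min - self.entries[key] > self.timeout_min:
                del self.entries[key]

    def is_bypassed(self, client: str, server: str, now_min: int) -> bool:
        """True when the appliance would pass this connection through."""
        self._expire(now_min)
        for key in ((client, server), (None, server)):
            if key in self.entries:
                self.entries[key] = now_min          # a reference restarts the timer
                self.entries.move_to_end(key)
                return True
        return False

    def observe(self, client: str, server: str, result: str, now_min: int) -> None:
        """Record a connection outcome: an HTTP status code or one of the
        connect-error / non-http / receive-error conditions."""
        self._expire(now_min)
        if result not in self.triggers:
            return                                   # not a configured trigger
        if (None, server) in self.entries:
            self.entries[(None, server)] = now_min   # already server-wide
            return
        self.entries[(client, server)] = now_min
        self.entries.move_to_end((client, server))
        clients = [k for k in self.entries if k[1] == server and k[0] is not None]
        if len(clients) >= self.server_threshold:
            # Consolidate client entries into one server entry with a fresh lifetime.
            for k in clients:
                del self.entries[k]
            self.entries[(None, server)] = now_min
        while len(self.entries) > self.max_entries:
            self.entries.popitem(last=False)         # oldest entry gives way to the newest
```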
Section G: Trial or Troubleshooting: Restricting Interception From Clients or To Servers
This section discusses Restricted Intercept topics. See "Restricted Intercept Topics" for
details.
Restricted Intercept Topics
❐ "About Restricted Intercept Lists"
❐ "Creating a Restricted Intercept List" on page 162
About Restricted Intercept Lists
By default, all clients and servers evaluate the entries in Proxy Services where the decision
is made to intercept or bypass a connection. To restrict or reduce the clients and servers
that can be intercepted by proxy services, create restricted intercept lists. A restricted
intercept list is useful in a rollout, before entering full production—you only want to
intercept a subset of the clients. After the appliance is in full production mode, you can
disable the restricted intercept list.
A restricted intercept list is also useful when troubleshooting an issue because you can
reduce the set of systems that are intercepted.
Notes
❐ Restricted intercept lists are only applicable to transparent connections.
❐ An entry can exist in both the Static Bypass List and the Restricted Intercept List.
However, the Static Bypass List overrides the entries in the Restricted Intercept List.
Creating a Restricted Intercept List
To create a Restricted Intercept List:
1. From the Management Console, select the Configuration > Services > Proxy Services >
Restricted Intercept List tab.
2. Select Restrict Interception to the servers and clients listed below-- all other connections
are bypassed.
3. Create a new entry:
a. Click New; the New Restricted Intercept Entry dialog displays.
b. Restrict interception from specific clients: In the Client Address area, select
Client host or subnet. Enter an IPv4 or IPv6 address in the IP Address field and
enter the subnet mask (for IPv4 addresses) or prefix length (IPv6) in the
Prefix/Subnet field.
c. Restrict interception to specific servers: In the Server Address area, select
Server host or subnet. Enter an IPv4 or IPv6 address in the IP Address field
and enter the subnet mask (for IPv4 addresses) or prefix length (IPv6) in the
Prefix/Subnet field.
d. Click OK to close the dialog.
4. Click Apply.
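The following is an added example, not ProxySG code: a Python model of how a Static Bypass List and a Restricted Intercept List combine for a transparent connection, with the static bypass list taking precedence as the note above states. It assumes that an entry naming both a client and a server matches only when both match, that an entry naming one side matches any address on the other side, and that both lists are ignored for explicit connections; the `ListEntry` type and all addresses are constructed for this illustration.

```python
"""Interception decision for the static bypass and restricted intercept lists (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _contains(spec: Optional[str], ip: str) -> bool:
    """True when ip falls inside spec: an IPv4 host or host/subnet-mask,
    or an IPv6 host or host/prefix-length. None means the side is unset
    and matches any address (assumption of this model)."""
    if spec is None:
        return True
    net = ipaddress.ip_network(spec, strict=False)   # accepts "10.1.0.0/255.255.0.0"
    addr = ipaddress.ip_address(ip)
    return addr.version == net.version and addr in net


@dataclass(frozen=True)
class ListEntry:
    """One Static Bypass List or Restricted Intercept List entry."""
    client: Optional[str] = None
    server: Optional[str] = None

    def matches(self, client_ip: str, server_ip: str) -> bool:
        return _contains(self.client, client_ip) and _contains(self.server, server_ip)


def should_intercept(client_ip: str, server_ip: str, *,
                     transparent: bool,
                     static_bypass: List[ListEntry],
                     restricted: List[ListEntry],
                     restrict_enabled: bool) -> bool:
    """True when the connection goes on to proxy-service evaluation,
    False when the appliance passes it through without interception."""
    if not transparent:
        return True   # both lists apply only to transparent connections
    # The Static Bypass List overrides the Restricted Intercept List.
    if any(e.matches(client_ip, server_ip) for e in static_bypass):
        return False
    # With restriction on, only listed clients/servers can be intercepted.
    if restrict_enabled and not any(e.matches(client_ip, server_ip) for e in restricted):
        return False
    return True
```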
Section H: Reference: Proxy Services, Proxy Configurations, and Policy
This section provides reference material.
❐ "Reference: Proxy Types"
❐ "Reference: Service/Proxy Matrices" on page 166
❐ "Reference: Access Log Fields" on page 166
Reference: Proxy Types
This section provides descriptions of the available proxies.
Table 7–6 Proxy Types (proxy name, protocol/description, capabilities and benefits)
❐ CIFS (Common Internet File System): Optimizes/accelerates file sharing across the WAN to users in branch offices.
❐ DNS (Domain Name Service):
• Speeds up domain name resolution by looking up domain names in the appliance's DNS cache. If the name isn't found in the cache, the appliance forwards the request to the configured DNS server list.
• Ability to rewrite DNS requests and responses.
❐ Flash (Adobe Flash Real Time Messaging Protocol):
• Live streaming: The appliance fetches the live Flash stream once from the OCS and serves it to all users behind the appliance.
• Video-on-demand: As Flash clients stream pre-recorded content from the OCS through the appliance, the content is cached on the appliance. After content gets cached on the appliance, subsequent requests for the cached portions are served from the appliance; uncached portions are fetched from the OCS.
❐ FTP (File Transfer Protocol):
• Controls, secures, and accelerates file transfer requests.
• Caches FTP objects.
❐ HTTP (Hyper Text Transfer Protocol):
• Controls, secures, and accelerates Web traffic.
• Caches copies of frequently requested web pages and objects.
❐ HTTPS Reverse Proxy (a proxy positioned in front of an HTTPS server that answers secure web requests from clients, using the appliance's local cache when possible):
• Accelerates secure web requests, improving the response time to clients.
• Because the Reverse Proxy is processing the requests, it allows the HTTPS server to handle a heavier traffic load.
❐ MAPI (Messaging Application Programming Interface; protocol used by Microsoft Outlook (client) to communicate with Microsoft Exchange (server)): Accelerates the following Outlook processes: sending/receiving e-mail, accessing message folders, changing calendar elements.
❐ MMS (Microsoft Media Services; streaming protocol):
• Monitors, controls, limits, or blocks streaming media traffic that uses Microsoft's proprietary streaming protocol.
• Reduces stutter and improves the quality of streaming media.
• Logs streaming connections.
❐ RTSP (Real Time Streaming Protocol):
• Monitors, controls, limits, or blocks streaming media traffic that uses the Internet standard RTSP protocol.
• Reduces stutter and improves the quality of streaming media.
• Logs streaming connections.
❐ Shell (a proxy that allows a client to connect to other destinations via Telnet, after the client has created an authenticated Telnet connection to the appliance):
• Monitors, controls, limits, or blocks outbound Telnet connections.
• Enforces access control to a group of users and destinations via policy.
• Logs all connections.
❐ SOCKS (a proxy that allows a client to connect to other destination servers/ports in a SOCKS tunnel, after the client's connection to the SOCKS proxy is authenticated):
• Monitors, controls, limits, or blocks outbound client connections requested using the SOCKS protocol.
• Through policy, enforces access control to a group of users and destinations.
• SOCKS traffic can be passed to other proxies (such as HTTP) for acceleration.
• Logs all connections.
❐ SSL (Secure Socket Layer):
• Allows authentication, virus scanning and URL filtering of encrypted HTTPS content.
• Accelerates performance of HTTPS content, using HTTP caching.
• Validates server certificates presented by various secure websites at the gateway.
❐ TCP-Tunnel (a tunnel for any TCP-based protocol for which a more specific proxy is not available): Compresses and accelerates tunneled traffic.
Reference: Service/Proxy Matrices
Expanding on the service port listing at the beginning of this chapter, the table below
provides a list of the pre-defined proxy services and listeners that the Proxy can accelerate
and interpret. Links to the related proxy configuration sections are included.
Table 7–7 Proxy Name and Listeners (alphabetical order)
Each entry lists the service name, the proxy, the destination IP address, the port range, and where the configuration is discussed.
❐ CIFS: CIFS proxy; destination Transparent; ports 445, 139; Chapter 13: "Accelerating File Sharing" on page 315.
❐ DNS: DNS proxy; destination All; port 53; Chapter 14: "Managing DNS Traffic" on page 331.
❐ Endpoint Mapper: Endpoint Mapper proxy; destination All; port 135; Chapter 11: "Managing Outlook Applications" on page 285.
❐ Explicit HTTP: HTTP proxy; destination Explicit; ports 8080, 80; Chapter 8: "Intercepting and Optimizing HTTP Traffic" on page 169.
❐ External HTTP: HTTP proxy; destination Transparent; port 80.
❐ FTP: FTP proxy; destination All; port 21; Chapter 12: "Managing the FTP and FTPS Proxies" on page 305.
❐ HTTPS: SSL proxy; destination All; port 443; Chapter 9: "Managing the SSL Proxy" on page 225.
❐ Internal HTTP: TCP-Tunnel proxy; destinations 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/16, 169.254.0.0/16, 192.0.2.0/24; port 80; Chapter 8: "Intercepting and Optimizing HTTP Traffic" on page 169.
❐ MMS: MMS proxy; destination All; port 1755; Chapter 27: "Managing Streaming Media" on page 587.
❐ MS Terminal Services: TCP-Tunnel proxy; destination Transparent; port 3389; Chapter 27: "Managing Streaming Media" on page 587.
❐ SOCKS: SOCKS proxy; destination Explicit; port 1080; Chapter 45: "SOCKS Gateway Configuration" on page 929.
Reference: Access Log Fields
The access log has two fields: service name and service group name.
❐ Name of the service used to intercept this connection:
• x-service-name (ELFF token); service.name (CPL token)
Note: The x-service-name field replaces the s-sitename field. The s-sitename field
can still be used for backward compatibility with squid log formats, but it has no CPL
equivalent.
❐ Service group name:
• x-service-group (ELFF token); service.group (CPL token)
Note: See Chapter 32: "Creating Custom Access Log Formats" on page 713 and
Chapter 34: "Access Log Formats" on page 731 for detailed information about creating
and editing log formats.
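The following is an added example, not ProxySG code: a small Python parser for the ELFF layout, in which a #Fields: directive names the columns, used here to pull x-service-name and x-service-group out of each record and count intercepted connections per service. SAMPLE_LOG is constructed for this illustration and carries only a subset of the fields a real access log format would include.

```python
"""Reading the service fields from an ELFF access log (added example)."""
import shlex
from collections import Counter
from typing import Dict, List

# Constructed sample, not appliance output; the field set is deliberately small.
SAMPLE_LOG = """\
#Software: constructed sample, not appliance output
#Fields: date time c-ip s-action cs-method cs-uri-scheme cs-host x-service-name x-service-group
2020-01-15 10:00:01 10.1.2.3 TCP_HIT GET http www.example.test "External HTTP" Standard
2020-01-15 10:00:02 10.1.2.4 TCP_NC_MISS CONNECT tcp mail.example.test HTTPS Standard
2020-01-15 10:00:03 10.1.2.3 TCP_TUNNELED - tcp intranet.example.test "Internal HTTP" Standard
2020-01-15 10:00:04 10.1.2.5 TCP_HIT GET http www.example.test "External HTTP" Standard
"""


def parse_elff(text: str) -> List[Dict[str, str]]:
    """Return one dict per log record, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                # A later #Fields directive redefines the layout for following records.
                fields = line[len("#Fields:"):].split()
            continue                      # other directives (#Software, #Date, ...) are metadata
        if not fields:
            raise ValueError(f"line {lineno}: record before any #Fields directive")
        values = shlex.split(line)        # keeps a quoted value such as "External HTTP" whole
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} values, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records


def connections_per_service(records: List[Dict[str, str]]) -> Counter:
    """Count records by the service that intercepted the connection."""
    return Counter(r["x-service-name"] for r in records)
```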
Chapter 8: Intercepting and Optimizing HTTP Traffic
This chapter describes how to configure the HTTP proxy to manage traffic and
accelerate performance in your environment.
Topics in this Chapter
This chapter includes information about the following topics:
❐ Section A: "About the HTTP Proxy" on page 171
❐ Section B: "Changing the External HTTP (Transparent) Proxy Service to Intercept
All IP Addresses on Port 80" on page 174
❐ Section C: "Managing the HTTP Proxy Performance" on page 175
❐ Section D: "Selecting an HTTP Proxy Acceleration Profile" on page 190
❐ Section E: "Using a Caching Service" on page 197
❐ Section F: "Fine-Tuning Bandwidth Gain" on page 200
❐ Section G: "Caching Authenticated Data (CAD) and Caching Proxy Authenticated Data (CPAD)" on page 207
❐ Section H: "Viewing HTTP/FTP Statistics" on page 211
❐ Section I: "Supporting IWA Authentication in an Explicit HTTP Proxy" on page 217
❐ Section J: "Supporting Authentication on an Upstream Explicit Proxy" on page 219
❐ Section K: "Detect and Handle WebSocket Traffic" on page 220
How Do I...?
To navigate this chapter, identify the task to perform and click the link:
How do I...? See...
❐ Intercept traffic on the HTTP Proxy? "Changing the External HTTP (Transparent) Proxy Service to Intercept All IP Addresses on Port 80" on page 174.
❐ Create a new HTTP Proxy service? Section C: "Creating Custom Proxy Services" on page 134.
❐ Configure the HTTP Proxy for object freshness? "Allocating Bandwidth to Refresh Objects in Cache" on page 201, and Step 4 in "To set HTTP default object caching policy:" on page 188.
❐ Bypass the cache or not cache content using policy? Refer to the Visual Policy Manager Reference and the Content Policy Language Guide. Use either the VPM or CPL to create policy that allows for bypassing the cache or for prohibiting caching based on your needs.
❐ Choose a proxy acceleration profile? "Selecting an HTTP Proxy Acceleration Profile" on page 190.
❐ Cache content without having to use policy? "Using a Caching Service" on page 197.
❐ Configure the HTTP proxy to be a server accelerator or reverse proxy, a forward proxy, or a server-side bandwidth accelerator? "About the Normal Profile", "About the Portal Profile", and "About the Bandwidth Gain Profile", all on page 190.
❐ Fine-tune the HTTP Proxy for bandwidth gain? "Using a Caching Service" on page 197 and "Using Byte-Range Support" on page 202.
❐ Configure Internet Explorer to explicitly proxy HTTP traffic? "Supporting IWA Authentication in an Explicit HTTP Proxy" on page 217.
❐ Configure the appliance to detect and handle WebSocket traffic? "Detect and Handle WebSocket Traffic" on page 220.
Section A: About the HTTP Proxy
Before Reading Further
Before reading this section, Symantec recommends that you be familiar with the concepts
in these sections:
❐ "About Proxy Services" on page 124.
❐ Chapter 36: "Configuring an Application Delivery Network" on page 787 (optimize
ADN performance on the HTTP Proxy).
The HTTP proxy is designed to manage Web traffic across the WAN or from the Internet,
providing:
❐ Security
❐ Authentication
❐ Virus Scanning and Patience Pages
❐ Performance, achieved through Object Caching
❐ Transition functionality between IPv4-only and IPv6-only networks
The proxy can serve requests without contacting the Origin Content Server (OCS) by
retrieving content saved from a previous request made by the same client or another client.
This is called caching. The HTTP proxy caches copies of frequently requested resources
on its local hard disk. This significantly reduces upstream bandwidth usage and cost and
significantly increases performance.
Proxy services define the ports and addresses where an appliance listens for incoming
requests. The appliance has three default HTTP proxy services: External HTTP, Explicit
HTTP, and Internal HTTP. Explicit HTTP and External HTTP use the HTTP proxy, while
Internal HTTP uses TCP tunnel.
❐ The Explicit HTTP proxy service listens on ports 80 and 8080 for explicit connections.
❐ The Internal HTTP proxy service listens on port 80 and transparently intercepts HTTP
traffic from clients to internal network hosts.
❐ The External HTTP proxy service listens on port 80 for all other transparent
connections to the appliance. Typically, these requests are for access to Internet
resources.
Although you can intercept SSL traffic on either port, to enable the appliance to detect the
presence of SSL traffic you must enable Detect Protocol on the explicit HTTP service so
that the SSL traffic is handed off to the SSL Proxy. Default is set to OFF. For more
information on SSL proxy functionality, see Chapter 9: "Managing the SSL Proxy" on
page 225.
Furthermore, you can create a bypass list on the appliance to exclude the interception of
requests sent from specific clients to specific servers and disable caching of the
corresponding responses. The static bypass list also turns off all policy control and
acceleration for each matching request. For example, for all clients visiting
www.symantec.com you might exclude interception and caching of all requests, the
corresponding responses, acceleration and policy control. To create a static bypass list,
used only in a transparent proxy environment, see "Adding Static Bypass Entries" on page
157.
When accessing internal IP addresses, Symantec recommends using the TCP tunnel proxy
instead of the HTTP proxy. Some applications deployed within enterprise networks are
not always fully compatible with HTTP specs or are poorly designed. Use of these
applications can cause connection disruptions when using the HTTP proxy. As a result,
internal sites and servers use the Internal HTTP service, which employs the TCP tunnel
proxy.
Important: The TCP tunnel does not support HTTP proxy service functionality. That is,
only the TCP header of a request (containing the source and destination port and IP) is
visible to the appliance for policy evaluation. To ensure you get the most from the
appliance, you must edit the External (transparent) HTTP service to use the HTTP proxy
instead of the default TCP tunnel.
Supported HTTP Protocols
The ProxySG appliance supports HTTP 1.1 and the newer HTTP/2 protocol. HTTP/2
offers improved performance due to its compression of HTTP headers, and multiplexing
multiple requests and responses over a single connection.
To configure HTTP/2 on the appliance, use the #(config) http2 command. Refer to the
Command Line Interface Reference for details.
Create HTTP/2 policy as follows:
• Specify whether the proxy sends HTTP/2 requests to servers. Use the Request
HTTP/2 On Server-Side VPM object.
• Specify whether the proxy accepts HTTP/2 requests from clients. Use the Accept/
Do Not Accept HTTP/2 Client-Side Connections static VPM object.
IPv6 Support
The HTTP proxy is able to communicate using either IPv4 or IPv6, either explicitly or
transparently.
In addition, for any service that uses the HTTP proxy, you can create listeners that bypass
or intercept connections for IPv6 sources or destinations.
About Web FTP
Web FTP is used when a client uses the HTTP protocol to access an FTP server. Web FTP
allows you to connect to an FTP server with an ftp:// URL. The appliance translates the
HTTP request into an FTP request for the origin content server (OCS), if the content is not
already cached. Further, it translates the FTP response with the file contents into an HTTP
response for the client.
To manage Web FTP connection requests on the appliance, the HTTP service on port 80
(or 8080 in explicit deployments) must be set to Intercept.
For information on using an FTP client to communicate via the FTP protocol, see
Chapter 12: "Managing the FTP and FTPS Proxies" on page 305.
Configuring Internet Explorer for Web FTP with an Explicit HTTP Proxy
Because a Web FTP client uses HTTP to connect to the appliance, the HTTP proxy
manages this Web FTP traffic. For an explicitly configured HTTP proxy, Internet Explorer
version 10.0 users accessing FTP sites over HTTP must clear the Enable folder view for
FTP sites browser setting.
To disable Web FTP in Internet Explorer v10.0:
1. In Internet Explorer, select Tools > Internet Options.
2. Click the Advanced tab.
3. Clear the Enable FTP folder view option and click OK.
Section B: Changing the External HTTP (Transparent) Proxy Service to Intercept All IP Addresses on Port 80
By default, the External HTTP service includes an HTTP proxy service listener configured
on port 80. During the initial ProxySG appliance configuration, if it hasn’t already been
set, you can set External HTTP to Intercept.
The following procedure describes how to set the service to Intercept mode.
To intercept traffic using the External HTTP proxy service:
1. From the Management Console, select Configuration > Services > Proxy Services.
2. Intercept External HTTP traffic:
a. Scroll the list of service groups, click Standard, and select External HTTP.
b. Select Intercept from the drop-down list.
3. Click Apply.
Now that the appliance is intercepting HTTP traffic, configure the HTTP proxy options.
The following sections provide detailed information and procedures:
❐ Section C: "Managing the HTTP Proxy Performance" on page 175
❐ Section D: "Selecting an HTTP Proxy Acceleration Profile" on page 190
❐ Section E: "Using a Caching Service" on page 197
❐ Section G: "Caching Authenticated Data (CAD) and Caching Proxy Authenticated
Data (CPAD)" on page 207
Section C: Managing the HTTP Proxy Performance
This section describes the methods you can use to configure the HTTP proxy to optimize
performance in your network.
❐ "HTTP Optimization"
❐ "Customizing the HTTP Object Caching Policy"
❐ "About the HTTP Object Caching Policy Global Defaults" on page 184
❐ "About Clientless Requests Limits" on page 185
❐ "Preventing Exception Pages From Upstream Connection Errors" on page 187
❐ "Setting the HTTP Default Object Caching Policy" on page 188
HTTP Optimization
The HTTP proxy alleviates the latency in data retrieval and optimizes the delivery of
HTTP traffic through object caching. Caching minimizes the transmission of data over the
Internet and over the distributed enterprise, thereby improving bandwidth use. For objects
in cache, an intelligent caching mechanism in the appliance maintains object freshness.
This is achieved by periodically refreshing the contents of the cache, while maintaining
the performance within your network.
The method of storing objects on disk is critical for performance and scalability. SGOS,
the operating system on the appliance, uses an object store system which hashes object
lookups based on the entire URL. This hashing allows access to objects with far fewer
lookups, as compared to a directory-based file system found in traditional operating
systems. While other file systems run poorly when they are full, the appliance’s cache
system achieves its highest performance when it is full.
Customizing the HTTP Object Caching Policy
Object caching is the saving of an application object locally so that it can be served for
future requests without requiring retrieval from the OCS. Objects can, for example, be
documents, videos, or images on a Web page. When objects are cached, the only traffic
that crosses the WAN are permission checks (when required) and verification checks that
ensure that the copy of the object in cache is still fresh. By allowing objects to be shared
across requests and users, object caching greatly reduces the bandwidth required to
retrieve contents and the latency associated with user requests.
For more information on how the appliance executes permission checks to ensure
authentication over HTTP, see Section G: "Caching Authenticated Data (CAD) and
Caching Proxy Authenticated Data (CPAD)" on page 207.
In case of a reverse proxy, object caching reduces the load on the OCS and improves
scalability of the OCS.
Figure 8–1 Object Caching on the appliance
Before you begin customizing your HTTP Proxy policy, read the following concepts:
❐ "About HTTP Object Freshness" on page 176
❐ "About Meta Tags" on page 177
❐ "About Tolerant HTTP Request Parsing" on page 177
❐ "About HTTP Compression" on page 178
❐ "About the HTTP Object Caching Policy Global Defaults" on page 184
About HTTP Object Freshness
HTTP proxy categorizes HTTP objects into three types:
❐ Type-T: The OCS specifies explicit expiration time.
❐ Type-M: Expiration time is not specified; however, the last modified time is specified
by the OCS.
❐ Type-N: Neither expiration nor last modified time has been specified.
The Asynchronous Adaptive Refresh (AAR) algorithm was designed to maintain the
freshness for all three types of cached HTTP objects in environments where the Internet
was characterized by larger, static pages and relatively low Internet connection speeds.
With AAR enabled, the appliance performs freshness checks with the OCS to expunge old
content from cache and to replace it with updated content. To maximize the freshness of
the next access to objects in the cache, the appliance uses the AAR algorithm to perform
asynchronous revalidations on those objects based on their relative popularity and the
amount of time remaining before their estimated time of expiration.
AAR is disabled by default on current systems. For information on how to configure this
feature to best serve your environment, see "Allocating Bandwidth to Refresh Objects in
Cache" on page 201.
About Meta Tags
A meta tag is a hidden tag that is placed in the <head> of an HTML document. It provides
descriptions and keywords for search engines and can contain the attributes — content,
http-equiv, and name. Meta tags with an http-equiv attribute are equivalent to HTTP
headers.
The ProxySG appliance does not parse HTTP meta tag headers if:
❐ The meta tag does not appear within the first 256 bytes of the HTTP object body. To
be parsed, relevant HTTP meta tags must appear within the first 256 bytes of the
HTTP object body.
❐ The Blue Coat AV that is connected to your appliance adds or modifies the meta tags
in its response to the appliance. The response body modified by the Blue Coat AV is
not parsed.
Planning Considerations
You can use CPL properties in the <Cache> layer to control meta tag processing. The CPL
commands can be used in lieu of the check boxes for parsing meta tags through the
Management Console. For details on the meta-tags, see Step 7 in "To set HTTP default
object caching policy:" on page 188.
The following CPL commands are applicable for HTTP proxy, HTTP refresh, and HTTP
pipeline transactions:
http.response.parse_meta_tag.Cache-Control(yes|no)
http.response.parse_meta_tag.Expires(yes|no)
http.response.parse_meta_tag.Pragma.no-cache(yes|no)
VPM support to control the processing of meta tags is not available.
Related CLI Syntax to Parse Meta Tags
#(config) http [no] parse meta-tag cache-control
#(config) http [no] parse meta-tag expires
#(config) http [no] parse meta-tag pragma-no-cache
About Tolerant HTTP Request Parsing
The tolerant HTTP request parsing flag causes certain types of malformed requests to be
processed instead of being rejected. The defaults are:
❐ Proxy Edition: The HTTP tolerant request parsing flag is not set. By default,
the appliance blocks malformed HTTP requests, returning a 400 Invalid Request error.
❐ MACH5 Edition: The HTTP tolerant request parsing flag is set by default.
Malformed HTTP requests are not blocked.
Implementation of HTTP Tolerant Request Parsing
By default, a header line that does not begin with a <Tab> or space character must consist
of a header name (which contains no <Tab> or space characters), followed by a colon and
an optional value.
When the tolerant HTTP request parsing flag is either not set or is disabled, if the header
name and required details are missing, the appliance blocks malformed HTTP requests
and returns a 400 Invalid Request error.
With tolerant request parsing enabled, a request header name is allowed to contain <Tab>
or space characters, and if the request header line does not contain a colon, then the entire
line is taken as the header name.
A header containing only one or more <Tab> or space characters is considered
ambiguous. The appliance cannot discern if this is a blank continuation line or if it is a
blank line that signals the end of the header section. By default, an ambiguous blank line is
illegal, and an error is reported. With tolerant request parsing enabled, an ambiguous
blank line is treated as the blank line that ends the header section.
To enable the HTTP tolerant request parsing flag:
Note: This feature is only available through the CLI.
From the (config) prompt, enter the following command to enable tolerant HTTP request
parsing (the default is disabled):
#(config) http tolerant-request-parsing
To disable HTTP tolerant request parsing:
#(config) http no tolerant-request-parsing
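The following is an added example, not ProxySG code: a Python header parser that applies the strict rules and the tolerant-request-parsing relaxations described above to a raw header block, so the difference between the two modes can be seen on concrete input. The `InvalidRequest` exception stands in for the 400 Invalid Request response; folding of continuation lines into the previous header is an assumption of this model, and the sample requests used with it are constructed.

```python
"""Strict versus tolerant HTTP request header parsing (added example)."""
from typing import List, Tuple


class InvalidRequest(Exception):
    """Raised where the appliance would return 400 Invalid Request."""


def parse_request_headers(raw: str, tolerant: bool = False) -> List[Tuple[str, str]]:
    """Parse the header section that follows a request line.

    raw: header lines (CRLF or LF terminated) ending with a blank line.
    Returns (name, value) pairs in order, or raises InvalidRequest where the
    strict rules reject the input and tolerant mode is off.
    """
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if line == "":
            break                                   # unambiguous end of the header section
        if line[0] in " \t":
            if line.strip(" \t") == "":
                # Only tab/space characters: a blank continuation line or the
                # blank line that ends the headers? Ambiguous, so strict mode errors.
                if not tolerant:
                    raise InvalidRequest("ambiguous blank line")
                break                               # tolerant: treated as end of headers
            if not headers:
                raise InvalidRequest("continuation line before any header")
            name, value = headers[-1]               # fold into the previous header (assumption)
            headers[-1] = (name, f"{value} {line.strip()}".strip())
            continue
        name, colon, value = line.partition(":")
        if colon == "" or name == "" or any(c in " \t" for c in name):
            # Strict rule: a name with no tab/space, then a colon, then an
            # optional value. Tolerant mode allows tab/space in the name and,
            # with no colon, takes the whole line as the header name.
            if not tolerant:
                raise InvalidRequest(f"malformed header line: {line!r}")
            if colon == "":
                name, value = line, ""
        headers.append((name, value.strip()))
    return headers


def is_rejected(raw: str, tolerant: bool = False) -> bool:
    """True when parsing would answer with 400 Invalid Request."""
    try:
        parse_request_headers(raw, tolerant)
    except InvalidRequest:
        return True
    return False
```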
About HTTP Compression
Compression reduces a file size but does not lose any data. Whether you should use compression
depends upon three resources: server-side bandwidth, client-side bandwidth, and ProxySG CPU.
If server-side bandwidth is more expensive in your environment than CPU, always request
compressed content from the origin content server (OCS). However, if CPU is comparatively
expensive, the appliance should instead be configured to ask the OCS for the same compressions
that the client requested and to forward whatever the server returns.
The default configuration assumes that CPU is costlier than bandwidth. If this is not the case, you
can change the appliance behavior.
Note: Decompression, content transformation, and recompression increase response time by a
small amount because of the CPU overhead. (The overhead is negligible in most cases.) RAM
usage also increases if compression is enabled.
Compression might also appear to adversely affect bandwidth gain. Because compression results in
a smaller file being served to the client than was retrieved by the appliance from the origin content
server, bandwidth gain statistics reflect such requests/responses as negative bandwidth gain.
The ProxySG appliance supports the following content encodings: gzip, deflate, and Brotli.
Compression is disabled by default. If compression is enabled, the HTTP proxy forwards the
supported compression algorithm from the client’s request (Accept-Encoding: request header)
to the server as is, and attempts to send compressed content to the client whenever possible. This
allows the appliance to send the response as is when the server sends compressed data, including
non-cacheable responses. Any unsolicited encoded response is forwarded to the client as is.
Note: If compression is not enabled, the appliance does not compress the content if the server
sends uncompressed content. However, the appliance continues to uncompress content if necessary
to apply transformations.
Compression is controlled by policy only.
You can view compression statistics by going to Statistics > Protocol Details > HTTP/FTP
History > Client Comp. Gain and Server Comp. Gain.
For information on these statistics, see "Viewing HTTP/FTP Statistics" on page 211.
Understand Compression Behavior
ProxySG compression behavior is detailed in the tables below. Compression increases the overall
percentage of cacheable content, increasing the hit rate in terms of number of objects served from
the cache.
Note: A variant is the available form of the object in the cache—compressed or uncompressed.
The Content-Encoding: header Identity refers to the uncompressed form of the content.
For cache-hit compression behavior, see Table 8-1 below. For cache-miss compression behavior,
see Table 8-2.
Table 8-1. Cache-Hit Compression Behavior
Accept-Encoding: in client request | Variant available when the request arrived | Variant stored as a result of the request | Content-Encoding: in ProxySG response
Identity | Uncompressed object | None | Identity
Identity | No uncompressed object; gzip-compressed object | Uncompressed object | Identity
Identity | Brotli-compressed object | Uncompressed object | Identity
gzip, deflate | Uncompressed object | gzip-compressed object | gzip
gzip, deflate | Uncompressed object; gzip-compressed object | None | gzip
gzip, deflate | Uncompressed object; deflate-compressed object | None | deflate
deflate | No uncompressed object; gzip-compressed object | deflate-compressed object (This is effectively a cache miss. The appliance does not convert from gzip to deflate.) | deflate
br | Uncompressed object | Brotli-compressed object | br
br | Brotli-compressed object | None | br
Table 8-2. Cache-Miss Compression Behavior
Accept-Encoding: in client request | Accept-Encoding: in ProxySG request | Content-Encoding: in server response | Generated variants | Content-Encoding: in ProxySG response
Identity | Identity | Identity | Uncompressed object | Identity
gzip, deflate | gzip, deflate | Identity | Uncompressed object; gzip-compressed object | gzip
gzip, deflate | gzip, deflate | gzip | No uncompressed object; gzip-compressed object | gzip
gzip, deflate, compress | gzip, deflate | gzip | No uncompressed object; gzip-compressed object | gzip
gzip, deflate | gzip, deflate | compress (illegal response) | Compressed object | compress
br | br | Identity | Uncompressed object; Brotli-compressed object | br
br | br | br | No uncompressed object; Brotli-compressed object | br
Compression Exceptions
❐ The appliance issues a transformation_error exception (HTTP response code 403), when
the server sends an unknown encoding and the appliance is configured to do content
transformation.
❐ The appliance issues an unsupported_encoding exception (HTTP response code 415 -
Unsupported Media Type) when the appliance is unable to deliver content due to configured
policy.
The messages in the exception pages can be customized. For information on using exception pages,
refer to “Advanced Policy Tasks” in the Visual Policy Manager Reference.
Configuring Compression
Compression behavior can only be configured through policy—VPM or CPL.
Using VPM to Configure Compression Behavior
Three objects can be used to configure compression and compression levels through VPM:
❐ Client HTTP compression object: Allows you to determine the behavior when the client wants
the content in a different form than is in the cache.
❐ Server HTTP compression object: Allows you to enable or disable compression and to set
options.
❐ HTTP compression level object: Allows you to set a compression level of low, medium, or
high.
Refer to the Visual Policy Manager Reference to configure these HTTP compression
options.
Using Policy to Configure Compression Behavior
Compression and decompression are allowed if compression is enabled. If compression is not
enabled, neither compression nor decompression is allowed.
Policy controls the compression or decompression of content on the appliance. If compression is
turned off, uncompressed content is served to the client if a compressed variant is not available. If
decompression is disabled, an uncompressed version is fetched from the OCS if the variant does
not exist and the client requested uncompressed content.
Note: The appliance decompresses the content if transformation is to be applied, even if the
compression is not enabled.
You can use server-side or client-side controls to manage compression through policy, as described
in the following table.
Table 8-1. Compression Properties
Compression Properties | Description
http.allow_compression(yes | no) | Allow the appliance to compress content on demand if needed.
http.allow_decompression(yes | no) | Allow the appliance to decompress content on demand if needed.
http.compression_level(low | medium | high) | Set the compression level to be low (1), medium (6), or high (9). Low is the default.
http.server.accept_encoding(client) | Turn on only client encodings.
http.server.accept_encoding(identity) | Turn off all encodings.
http.server.accept_encoding(all) | Turn on all supported encodings, including the client’s encodings.
http.server.accept_encoding(gzip, deflate) | Send specific encodings (order sensitive).
http.server.accept_encoding(gzip, client) | Send specific encodings (order sensitive).
http.server.accept_encoding.gzip(yes | no) | Add/remove an encoding.
http.server.accept_encoding[gzip, deflate, identity](yes | no) | Add/remove a list of encodings.
http.server.accept_encoding.allow_unknown(yes | no) | Allow/disallow unknown encodings.
http.client.allow_encoding(identity); | Allow no encodings (send uncompressed).
http.client.allow_encoding(client); | Allow all client encodings. This is the default.
http.client.allow_encoding(gzip, deflate); | Allow a fixed set of encodings.
http.client.allow_encoding(gzip, client); | Allow a fixed set of encodings.
http.client.allow_encoding.gzip(yes | no); | Add/remove one encoding.
http.client.allow_encoding[gzip, deflate, identity](yes | no); | Add/remove a list of encodings.
Default Behavior
By default, Symantec sends the client’s list of Accept-Encoding algorithms, except for unknown
encodings. If compression is not enabled, the default overrides any configured CPL policy.
If Accept-Encoding request header modification is used, it is overridden by the compression
related policy settings shown in Table 8-1. The Accept-Encoding header modification can
continue to be used if no compression policies are applied, or if compression is not enabled.
Otherwise, the compression-related policies override any Accept-Encoding header
modification, even if the Accept-Encoding header modification appears later in the policy file.
Whether adding encoding settings with client-side controls has any effect depends on whether the
client originally listed that encoding in its Accept-Encoding header. If so, these encodings are
added to the list of candidates to be delivered to the client. The first cache object with an
Accept-Encoding match to the client-side list is the one that is delivered.
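A small model of the server-side http.server.accept_encoding(...) properties from Table 8-1 and the default behavior described above, added here as an example and not SGOS code. The SUPPORTED tuple, the mode values, the q-value handling and the function names are this example's own assumptions about how the documented settings combine.

```python
"""Model of how http.server.accept_encoding(...) shapes the Accept-Encoding
header the proxy sends to the OCS (added example, not SGOS code)."""
from typing import List, Union

# Content encodings the page lists as supported (assumed set for this model).
SUPPORTED = ("gzip", "deflate", "br")


def parse_accept_encoding(header: str) -> List[str]:
    """Split 'gzip;q=1, deflate;q=0.1' into ordered names; q-values are dropped
    because the cached variant wins regardless of q-value (see Notes)."""
    names: List[str] = []
    for part in header.split(","):
        name = part.split(";", 1)[0].strip().lower()
        if name and name not in names:
            names.append(name)
    return names


def server_accept_encoding(client_header: str,
                           mode: Union[str, List[str]],
                           allow_unknown: bool = False) -> str:
    """Return the Accept-Encoding value forwarded to the OCS.

    mode "client"   -> http.server.accept_encoding(client)
    mode "identity" -> http.server.accept_encoding(identity)
    mode "all"      -> http.server.accept_encoding(all)
    mode as a list  -> http.server.accept_encoding(gzip, deflate) or
                       (gzip, client): a fixed, order-sensitive list where the
                       token "client" expands to the client's own encodings.
    allow_unknown mirrors http.server.accept_encoding.allow_unknown(yes | no);
    by default unknown client encodings are dropped, as the text states.
    """
    client = parse_accept_encoding(client_header)
    if not allow_unknown:
        client = [e for e in client if e in SUPPORTED or e == "identity"]
    if mode == "identity":
        chosen = ["identity"]
    elif mode == "client":
        chosen = client
    elif mode == "all":
        # All supported encodings, plus whatever else the client listed.
        chosen = list(SUPPORTED) + [e for e in client if e not in SUPPORTED]
    else:
        chosen = []
        for item in mode:
            chosen.extend(client if item == "client" else [item])
    out: List[str] = []
    for enc in chosen:          # de-duplicate while preserving order
        if enc not in out:
            out.append(enc)
    return ", ".join(out) if out else "identity"


if __name__ == "__main__":
    # Constructed client header containing one encoding the model does not know.
    for mode in ("client", "identity", "all", ["gzip", "client"]):
        print(mode, "->", server_accept_encoding("gzip, sdch, br", mode))
```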
Suggested Settings for Compression
❐ If client-side bandwidth is expensive in your environment, use the following policy:
<proxy>
http.client.allow_encoding(client)
http.allow_compression(yes)
❐ If server-side bandwidth is expensive in your environment, compared to client-side bandwidth
and CPU:
http.server.accept_encoding(all)
http.server.accept_encoding.allow_unknown(no); default
http.allow_compression(yes)
http.allow_decompression(yes)
❐ If CPU is expensive in your environment, compared to server-side and client-side bandwidth:
http.server.accept_encoding(client)   ; if no content transformation policy is configured
http.server.accept_encoding(identity) ; if some content transformation policy is configured
http.allow_compression(no); default
http.allow_decompression(no); default
Notes
❐ Policy-based content transformations are not stored as variant objects. If content
transformation is configured, it is applied on all cache-hits, and objects might be compressed
all the time at the end of such transformation if they are so configured.
❐ The variant that is available in the cache is served, even if the client requests a compression
choice with a higher qvalue. For example, if a client requests Accept-encoding:
gzip;q=1, deflate;q=0.1, and only a deflate-compressed object is available in the cache,
the deflate compressed object is served.
❐ The HTTP proxy ignores Cache-Control: no-transform directive of the OCS. To change
this, write policy to disallow compression or decompression if Cache-Control: no-
transform response header is present.
❐ The appliance treats multiple content encoding (gzip, deflate or gzip, gzip) as an unknown
encoding. (These strings indicate the content has been compressed twice.)
❐ Compression formats are treated as completely separate and are not converted from one to the
other.
❐ Symantec recommends using gzip encoding (or allowing gzip in addition to other supported
encodings) when using the HTTP compression feature.
❐ If the appliance receives unknown content encoding and if content transformation is
configured (such as popup blocking), an error results.
❐ If the OCS provides compressed content with a different compression level than that specified
in policy, the content is not re-compressed.
❐ If the appliance compressed and cached content at a different compression level than the level
specified in a later transaction, the content is not re-compressed.
❐ Parsing of container HTML pages occurs on the server side, so pipelining (prefetching) does
not work when the server provides compressed content.
❐ Compressing a zip file breaks some browser versions, and compressing images does not
provide added performance.
❐ All responses from the server can be compressed, but requests to the server, such as POST
requests, cannot.
❐ Only 200 OK responses can be compressed.
Section 1 About the HTTP Object Caching Policy Global Defaults
The appliance offers multiple configuration options that allow you to treat cached objects
in a way that best suits your business model.
The following table lists the options that you can configure.
Table 8–1 Settings for Configuring the Object Caching Policy
Each setting to configure for object caching is listed below, followed by its notes.
Setting the maximum object cache size
  Determines the maximum object size to store in the appliance. All objects retrieved that are
  greater than the maximum size are delivered to the client but are not stored in the appliance.
  Default: 10000 MB
Setting the TTL for negative responses in cache
  Determines the number of minutes the SGOS stores negative responses for requests that could
  not be served to the client.
  The OCS might send a client error code (4xx response) or a server error code (5xx response) as
  a response to some requests. If you configure the appliance to cache negative responses for a
  specified number of minutes, it returns the negative response in subsequent requests for the
  same page or image for the specified length of time. The appliance will not attempt to fetch the
  request from the OCS. Therefore, while server-side bandwidth is saved, you could receive
  negative responses to requests that might otherwise have been served by accessing the OCS.
  By default, the appliance does not cache negative responses. It always attempts to retrieve the
  object from the OCS, if it is not already in cache.
  Default: 0 minutes
Forcing freshness validation before serving an object from cache
  Verifies that each object is fresh upon access. Enabling this setting has a significant impact on
  performance because the HTTP proxy revalidates requested cached objects with the OCS before
  serving them to the client. This results in a negative impact on bandwidth gain. Therefore, do
  not enable this configuration unless absolutely required.
  To enable it, select the Always check with source before serving object check box.
  Default: Disabled
Parsing HTTP meta tag headers
  Determines how HTTP meta tag headers are parsed in the HTML documents. The meta tags that
  can be enabled for parsing are:
  • Cache-control meta tag: The sub-headers that are parsed when this check box is selected are
    private, no-store, no-cache, max-age, s-maxage, must-revalidate, proxy-revalidate.
  • Expires meta tag: This directive parses for the date and time after which the document should
    be considered expired.
  • Pragma-no-cache meta tag: This directive indicates that cached information should not be used
    and instead requests should be forwarded to the OCS.
  Default: Disabled
Allocating bandwidth on the HTTP proxy for maintaining freshness of the objects in cache
  Allows you to specify a limit to the amount of bandwidth the appliance uses to achieve the
  desired freshness. For more information, see "Allocating Bandwidth to Refresh Objects in
  Cache" on page 201.
  Default: Disable refreshing
The previous settings are defaults on the proxy. If you want a more granular caching
policy, such as setting the TTL for an object, use Symantec Content Policy Language
(CPL). You can also use the VPM or CPL to bypass the cache or to prohibit caching for a
specific domain or server. Refer to the Content Policy Language Guide for more
information.
About Clientless Requests Limits
When certain HTTP proxy configurations are enabled, the appliance employs various
server-side connections to the OCS that are essential to caching and optimizing HTTP
traffic. The appliance automatically sends requests, called clientless requests, over these
connections. Performance problems and a poor user experience might occur, however, when an
unlimited number of clientless requests is allowed. As clientless requests increase and
overwhelm the OCS, users might experience slow downloads in their Web browsers.
Furthermore, these excessive requests might trigger defensive measures if the corporate
firewall determines that the appliance is a security threat.
The following sub-sections describe the HTTP proxy functionality involved.
HTTP Content Pre-population
Configuration: Symantec Director distributes content management commands; appliance
connects to the OCS.
Symptom: The OCS becomes overwhelmed.
Figure 8–2 No Clientless Request Limits and HTTP Content Pre-population
The OCS becomes overwhelmed from content requests and content management
commands. In this deployment, a global limit is not sufficient; a per-server limit is
required.
Caching/Optimization (Pipelining)
Configuration: ProxySG appliance pipelining options enabled (Configuration > Proxy
Settings > HTTP Proxy > Acceleration Profile).
Symptom: The OCS becomes overwhelmed; users report slow access times in their Web
browsers.
Figure 8–3 No Clientless Request Limits and Pipelining Enabled
Responses to clients might contain embedded links that the appliance converts to pipeline
requests. As each link request results in a request to the OCS, performance might be
impacted; if the firewall in front of the OCS determines that the request storm from the
appliance represents a threat, requests are not allowed through. In this scenario, a per-page
limit prevents the problem.
Bandwidth Gain
Configuration: Enable Bandwidth Gain Mode option enabled (Configuration > Proxy
Settings > HTTP Proxy > Acceleration Profile).
Symptom: The OCS becomes overwhelmed.
Figure 8–4 No Clientless Request Limits and Bandwidth Gain is Enabled
The appliance determines that objects in the cache require refreshing. This operation itself
is not costly, but the additional requests to the OCS adds load to the WAN link. A global
and per-server limit prevents the problem.
For new installations (or following a restoration to factory defaults), clientless limits are
enforced by default; the appliance capacity per model determines the upper default limit.
Continue with "Setting the HTTP Default Object Caching Policy" on page 188.
Preventing Exception Pages From Upstream Connection Errors
The appliance provides an option that prevents the appliance from returning TCP error
exception pages to clients when upstream connection errors or connection time outs occur.
These types of connection issues might be common when enterprises employ custom
applications. Though the connection issues are related to the server, administrators might
mistakenly conclude that the appliance is the source of the problem because the exception
page is issued by the proxy.
When the option is enabled, the appliance essentially closes connections to clients upon a
server connection error or timeout. To the user, the experience is a lost connection, but not
an indication that something between (such as a proxy) is at fault.
This feature is enabled (send exceptions on error) by default:
❐ After upgrading to SGOS 6.x from previous versions that have an Acceleration
License
❐ On systems that have the acceleration profile selected during initial configuration (see
Section D: "Selecting an HTTP Proxy Acceleration Profile" on page 190).
This option can only be enabled/disabled through the CLI:
#(config) http exception-on-network-error
#(config) http no exception-on-network-error
Section 2 Setting the HTTP Default Object Caching Policy
This section describes how to set the HTTP default object caching policy. For more
information, see "HTTP Optimization" on page 175.
To set HTTP default object caching policy:
1. Verify that the appliance is intercepting HTTP traffic (Configuration > Proxy Services;
Standard service group (by default)).
2. From the Management Console, select Configuration > Proxy Settings > HTTP Proxy >
Policies.
3. Configure default proxy policies (HTTP Proxy Policy area; see "About the HTTP
Object Caching Policy Global Defaults" on page 184):
a. In the Do not cache objects larger than field, enter the maximum object size to
cache. The default size is 10000 MB for new installations of SGOS.
b. In the Cache negative responses for field, enter the number of minutes that the
appliance stores negative responses. The default is 0.
c. Force freshness validation. To always verify that each object is fresh upon
access, select the Always check with source before serving object option.
Enabling this setting has a significant impact on performance; do not enable
this configuration unless absolutely required.
d. Disable meta-tag parsing. The default is to parse HTTP meta tag headers in
HTML documents if the MIME type of the object is text/html.
To disable meta-tag parsing, clear the option for:
• Parse cache-control meta tag
The following sub-headers are parsed when this check box is selected:
private, no-store, no-cache, max-age, s-maxage, must-revalidate, proxy-revalidate.
• Parse expires meta tag
This directive parses for the date and time after which the document should be
considered expired.
• Parse pragma-no-cache meta tag
This directive indicates that cached information should not be used and
instead requests should be forwarded to the OCS.
4. Configure Clientless Request Limits (see "About Clientless Requests Limits" on page
185):
a. Global Limit—Limits the number of concurrent clientless connections from
the appliance to any OCS. Strongly recommended if Pipeline options or the
Enable Bandwidth Gain Mode option is enabled on the Configuration > Proxy
Settings > HTTP Proxy > Acceleration Profile tab.
b. Per-server Limit—Limits the number of concurrent clientless connections
from the appliance to a specific OCS, as determined by the hostname of the
OCS. Strongly recommended if Pipeline options or the Enable Bandwidth Gain
Mode option is enabled on the Configuration > Proxy Settings > HTTP Proxy >
Acceleration Profile tab.
c. Per-page Limit—Limits the number of requests that are created as a result of
embedded objects.
5. Click OK; click Apply.
See Also
❐ "Customizing the HTTP Object Caching Policy" on page 175.
❐ "Clearing the Object Cache" on page 1529
❐ "Selecting an HTTP Proxy Acceleration Profile" on page 190.
Section D: Selecting an HTTP Proxy Acceleration Profile
This section discusses caching, pipelining behavior, and bandwidth gain.
Acceleration Profile Tasks
A proxy profile offers a collection of attributes that determine object caching and object
pipelining behavior. The attributes are pre-selected to meet a specific objective — reduce
response time for clients, reduce load on the OCS, reduce server-side bandwidth usage.
Based on your needs, you can select any of the three profiles offered or you can create a
customized profile by selecting or clearing the options available within a profile.
The available proxy profiles are:
❐ Normal (the default setting) acts as a client accelerator, and is used for enterprise
deployments.
❐ Portal acts as a server accelerator (reverse proxy), and is used for Web hosting.
❐ Bandwidth Gain is used for Internet Service Provider (ISP) deployments.
Topic Links
❐ "About the Normal Profile"
❐ "About the Portal Profile"
❐ "About the Bandwidth Gain Profile" on page 190
❐ "About HTTP Proxy Profile Configuration Components" on page 191
About the Normal Profile
Normal is the default profile and can be used wherever the appliance is used as a normal
forward proxy. This profile is typically used in enterprise environments, where the
freshness of objects is more important than controlling the use of server-side bandwidth.
The Normal profile is the profile that most follows the HTTP standards concerning object
revalidation and staleness; however, pre-fetching (pipelining) of embedded objects and
redirects is disabled by default.
About the Portal Profile
When configured as a server accelerator or reverse proxy, the appliance improves object
response time to client requests, scalability of the origin content server (OCS) site, and
overall Web performance at the OCS. A server accelerator services requests meant for an
OCS, as if it is the OCS itself.
About the Bandwidth Gain Profile
The Bandwidth Gain profile is useful wherever server-side bandwidth is an important
resource. This profile is typically used in Internet Service Provider (ISP) deployments. In
such deployments, minimizing server-side bandwidth is most important. Therefore,
maintaining the freshness of an object in cache is less important than controlling the use of
server-side bandwidth. The Bandwidth-Gain profile enables various HTTP configurations
that can increase page response times and the likelihood that stale objects are served, but it
reduces the amount of server-side bandwidth required.
About HTTP Proxy Profile Configuration Components
The following table describes each HTTP proxy acceleration profile option.
Table 8–2 Description of Profile Configuration Components
Each Management Console check box field is listed below, followed by its definition.
Pipeline embedded objects in client request
  This configuration item applies only to HTML responses. When this setting is enabled, and the
  object associated with an embedded object reference in the HTML is not already cached, HTTP
  proxy acquires the object’s content before the client requests the object. This improves response
  time dramatically.
  If you leave this setting disabled, HTTP proxy does not acquire embedded objects until the client
  requests them.
Pipeline redirects for client request
  When this setting is enabled, and the response of a client request is one of the redirection
  responses (such as 301, 302, or 307 HTTP response code), then HTTP proxy pipelines the object
  specified by the Location header of that response, provided that the redirection location is an
  HTML object. This feature improves response time for redirected URLs.
  If you leave this setting disabled, HTTP proxy does not pipeline redirect responses resulting from
  client requests.
Pipeline embedded objects in prefetch request
  This configuration item applies only to HTML responses resulting from pipelined objects. When
  this setting is enabled, and a pipelined object’s content is also an HTML object, and that HTML
  object has embedded objects, then HTTP proxy also pipelines those embedded objects. This
  nested pipelining behavior can occur three levels deep at most.
  If you leave this setting disabled, the HTTP proxy does not perform nested pipelining.
Pipeline redirects for prefetch request
  When this setting is enabled, HTTP proxy pipelines the object specified by a redirect location
  returned by a pipelined response.
  If you leave this setting disabled, HTTP proxy does not try to pipeline redirect locations resulting
  from a pipelined response.
Substitute Get for IMS
  If the time specified by the If-Modified-Since: header in the client’s conditional request is
  greater than the last modified time of the object in the cache, it indicates that the copy in cache
  is stale. If so, HTTP proxy does a conditional GET to the OCS, based on the last modified time of
  the cached object.
  To change this aspect of the If-Modified-Since: header on the appliance, enable the Substitute
  Get for IMS setting.
  When this setting is enabled, a client time condition greater than the last modified time of the
  object in the cache does not trigger revalidation of the object.
  Note: Not all objects have a last-modified time specified by the OCS.
Substitute Get for HTTP 1.1 conditionals
  HTTP 1.1 provides additional controls to the client over the behavior of caches concerning the
  staleness of the object. Depending on various Cache-Control: headers, the appliance can be
  forced to consult the OCS before serving the object from the cache. For more information about
  the behavior of various Cache-Control: header values, refer to RFC 2616.
  If the Substitute Get for HTTP 1.1 Conditionals setting is enabled, HTTP proxy ignores the
  following Cache-Control: conditions from the client request:
  • "max-stale" [ "=" delta-seconds ]
  • "max-age" "=" delta-seconds
  • "min-fresh" "=" delta-seconds
  • "must-revalidate"
  • "proxy-revalidate"
Substitute Get for PNC
  Typically, if a client sends an HTTP GET request with a Pragma: no-cache or Cache-Control:
  no-cache header (for convenience, both are referred to here as PNC), a cache must consult the
  OCS before serving the content. This means that HTTP proxy always re-fetches the entire object
  from the OCS, even if the cached copy of the object is fresh. Because of this, PNC requests can
  degrade proxy performance and increase server-side bandwidth utilization. However, if the
  Substitute Get for PNC setting is enabled, then the PNC header from the client request is
  ignored (HTTP proxy treats the request as if the PNC header is not present at all).
Substitute Get for IE reload
  Some versions of Internet Explorer issue the Accept: */* header instead of the Pragma:
  no-cache header when you click Refresh. When an Accept header has only the */* value, HTTP
  proxy treats it as a PNC header if it is a type-N object. You can control this behavior of HTTP
  proxy with the Substitute GET for IE Reload setting. When this setting is enabled, the HTTP
  proxy ignores the PNC interpretation of the Accept: */* header.
Never refresh before expiration
  Applies only to cached type-T objects. For information on HTTP object types, see "About HTTP
  Object Freshness" on page 176.
  When this setting is enabled, SGOS does not asynchronously revalidate such objects before their
  specified expiration time.
  When this setting is disabled, such objects, if they have sufficient relative popularity, can be
  asynchronously revalidated and can, after a sufficient number of observations of changes, have
  their estimates of expiration time adjusted accordingly.
Never serve after expiration
  Applies only to cached type-T objects.
  If this setting is enabled, an object is synchronously revalidated before being served to a client,
  if the client accesses the object after its expiration time.
  If this setting is disabled, the object is served to the client and, depending on its relative
  popularity, may be asynchronously revalidated before it is accessed again.
Cache expired objects
  Applies only to type-T objects.
  When this setting is enabled, type-T objects that are already expired at the time of acquisition
  are cached (if all other conditions make the object cacheable).
  When this setting is disabled, already expired type-T objects become non-cacheable at the time
  of acquisition.
Enable Bandwidth Gain Mode
  This setting controls both HTTP-object acquisition after client-side abandonment and AAR
  (asynchronous adaptive refresh) revalidation frequency.
  • HTTP-Object Acquisition: When Bandwidth Gain mode is enabled, if a client requesting a
    given object abandons its request, then HTTP proxy immediately abandons the acquisition of
    the object from the OCS, if such an acquisition is still in progress. When bandwidth gain mode
    is disabled, the HTTP proxy continues to acquire the object from the OCS for possible future
    requests for that object.
  • AAR Revalidation Frequency: Under enabled bandwidth gain mode, objects that are
    asynchronously refreshable are revalidated at most twice during their estimated time of
    freshness. With bandwidth gain mode disabled, they are revalidated at most three times. Not
    all asynchronously refreshable objects are guaranteed to be revalidated.
When an appliance is first manufactured, it is set to a Normal profile. Depending on your
needs, you can use the Bandwidth Gain profile or the Portal profile. You can also combine
elements of all three profiles, as needed for your environment.
The following table provides the default configuration for each profile.
Table 8–3 Normal, Portal, and Bandwidth Gain Profiles
Configuration | Normal Profile | Portal Profile | Bandwidth Gain Profile
Pipeline embedded objects in client requests | Disabled | Disabled | Disabled
Pipeline embedded objects in prefetch requests | Disabled | Disabled | Disabled
Pipeline redirects for client requests | Disabled | Disabled | Disabled
Pipeline redirects for prefetch requests | Disabled | Disabled | Disabled
Cache expired objects | Enabled | Disabled | Enabled
Bandwidth Gain Mode | Disabled | Disabled | Enabled
Substitute GET for IMS (if modified since) | Disabled | Enabled | Enabled
Substitute GET for PNC (Pragma no cache) | Disabled | Enabled | Disabled
Substitute GET for HTTP 1.1 conditionals | Disabled | Enabled | Enabled
Substitute GET for IE (Internet Explorer) reload | Disabled | Enabled | Disabled
Never refresh before expiration | Disabled | Enabled | Enabled
Never serve after expiration | Enabled | Enabled | Disabled
Section 3 Configuring the HTTP Proxy Profile
Configure the profile by selecting any of the components discussed in "About HTTP
Proxy Profile Configuration Components" on page 191.
To configure the HTTP proxy profile:
1. Review the description of the components for each profile, see Table 8–2 on page 191.
2. From the Management Console, select Configuration > Proxy Settings > HTTP Proxy >
Acceleration Profile.
Text displays at the bottom of this tab indicating which profile is selected. Normal is
the default profile. If you have a customized profile, this text does not display.
Important: If you have a customized profile and you click one of the Use Profile
buttons, no record of your customized settings remains. However, after the
appliance is set to a specific profile, the profile is maintained in the event the
appliance is upgraded.
Also, if you select any Pipeline option or the Enable Bandwidth Gain Mode option,
Symantec strongly recommends limiting clientless requests. See "About Clientless
Requests Limits" on page 185.
3. To select a profile, click one of the three profile buttons (Use Normal Profile, Use
Bandwidth Gain Profile, or Use Portal Profile).
The text at the bottom of the Acceleration Profile tab changes to reflect the new profile.
Note: You can customize the settings, no matter which profile button you select.
4. (Optional) To customize the profile settings, select or clear any of the check boxes
(see Table 8–2, "Description of Profile Configuration Components" on page 191 for
information about each setting).
5. Click OK; click Apply.
See Also
❐ "Selecting an HTTP Proxy Acceleration Profile" on page 190.
❐ "About HTTP Proxy Profile Configuration Components" on page 191.
❐ "About HTTP Object Freshness" on page 176.
❐ "Using a Caching Service" on page 197.
Section E: Using a Caching Service
CachePulse is a caching service that provides you with optimal bandwidth gains for
popular or high-bandwidth websites. Utilizing highly effective Web caching technology,
CachePulse saves bandwidth on expensive international links and backhaul traffic, thereby
improving Web experience for users.
CachePulse accelerates the delivery of rich Web 2.0 content, video, and large files such as:
• YouTube videos
• Netflix streaming media
• Microsoft Windows updates
Subscribing to the CachePulse service eliminates the need to maintain caching policy;
when you first enable the service, it downloads the latest version of the caching policy
database. CachePulse periodically updates the database as long as the service is enabled
and an Internet connection exists.
As with other subscription services, you can host the CachePulse database on an internal
server. See "Configure CachePulse Database Downloads" on page 198 for details.
Prerequisite for Using CachePulse
Before you can use CachePulse, you must have a valid license for the feature. Refer to
your Symantec point of contact for more information.
If you do not have a valid license, the Management Console might display Health
Monitoring errors. The event log might also contain error messages about the subscription.
Section 4 Enabling CachePulse
To enable CachePulse:
1. In the Management Console, select Configuration > Proxy Settings > General.
2. In the CachePulse section, select Enable.
3. Click Apply.
The appliance attempts to download the database.
What if the Initial Download is Not Successful?
If you receive a download error and the Management Console banner displays Critical
shortly after you click Apply, the CachePulse database download might have failed. Check
your network configuration and make sure that the appliance can connect to the server.
When set to direct downloads, the appliance attempts to communicate with the Symantec
server over a secured connection on port 443. You might have to allow outbound
connections from the appliance on port 443 in the firewall.
To check if there was a download problem, select Statistics > Health Monitoring >
Subscription and look for the status “CachePulse failed on initial download” for
CachePulse Communication Status.
Configure CachePulse Database Downloads
You can download the CachePulse database at any time if the feature is enabled. If the
initial download failed, and you resolved the issue that caused the failure, you can use this
method to download database updates.
Host the Database on an Internal Server
You can host the database on an internal HTTP or HTTPS server and specify the URL to
the database on the server in your deployment. This is useful for:
❐ ProxySG appliances in a network without an internet connection.
❐ Testing new database versions in staging deployments before deploying to the
production environment.
Download the database from Symantec and host it on your own server before proceeding.
See https://www.symantec.com/docs/TECH252398 for details.
Configure Database Downloads
To configure database downloads:
1. In the Management Console, select Configuration > Proxy Settings > General.
2. On the Download tab, specify whether you will download the database from Symantec
or whether you will host the database internally:
• Select Direct to download from Symantec. This is the default selection.
• Select URL to host the database on your server. See https://www.symantec.com/
docs/TECH252398 for details.
3. Click Apply. If there is no database loaded, the appliance attempts to download the
database for the first time.
If you receive a download error, check your network configuration and make sure that the
appliance can connect to the Internet or URL to the database.
Section F: Fine-Tuning Bandwidth Gain
In addition to the components related to top-level profiles, other configurable items affect
bandwidth gain. You can set the top-level profile (see "Selecting an HTTP Proxy
Acceleration Profile" on page 190) and adjust the following configuration items to fine-
tune the appliance for your environment:
❐ Allocating bandwidth to refresh objects in cache
❐ Using Byte-range support
❐ Enabling the Revalidate pragma-no-cache (PNC)
Section 5 Allocating Bandwidth to Refresh Objects in Cache
The Refresh bandwidth options control the server-side bandwidth used for all forms of
asynchronous adaptive refresh activity. On systems with increased object store capacity,
the value of asynchronous adaptive refresh has diminished markedly, and can in many
instances actually increase latency due to system load. Therefore, this feature is disabled
by default. You can select from the following options:
❐ Disable refreshing—Disables adaptive refresh. This setting is recommended on
systems that use an increased object capacity disk model. This is the default setting for
new installations.
❐ Let the SG appliance manage refresh bandwidth—The appliance will automatically use
whatever bandwidth is available in its efforts to maintain 99.9% estimated freshness
of the next access. You can also enable this from the CLI using the #(config
caching) refresh bandwidth automatic command. This setting is recommended
only on systems that are not using the increased object capacity disk model (that is,
systems that were manufactured with an SGOS version prior to 6.2).
❐ Limit refresh bandwidth to x kilobits/sec—If you want to use adaptive refresh but you
want to limit the amount of bandwidth used, select this option and specify a limit to
the amount of bandwidth the appliance uses to achieve the desired freshness. Before
making adjustments, review the logged statistics and examine the current bandwidth
used as displayed in the Refresh bandwidth field. It is not unusual for bandwidth usage
to spike occasionally, depending on access patterns at the time. Entering a value of
zero disables adaptive refresh.
To set refresh bandwidth:
1. From the Management Console, select Configuration > Proxy Settings > HTTP Proxy >
Freshness.
The Refresh bandwidth field displays the refresh bandwidth options. The default
setting is to Disable refreshing.
Important: Symantec strongly recommends that you not change the setting from the
default if you have a system with an increased object store capacity.
2. To enable adaptive refresh, select one of the following options:
• Select Limit refresh bandwidth to and enter a bandwidth limit in the kilobits/sec
field.
• Select Let the SG Appliance manage refresh bandwidth to let the appliance determine
how much bandwidth to use for adaptive refresh (recommended only on systems that
do not use the increased object capacity disk model).
3. Click OK; click Apply.
Using Byte-Range Support
Byte-range support is an HTTP feature that allows a client to use the Range: HTTP header
for requesting a portion of an object rather than the whole object. The HTTP proxy
supports byte-range support and it is enabled by default.
When Byte-Range Support is Disabled
If byte-range support is disabled, HTTP treats all byte-range requests as non-cacheable.
Such requests are never served from the cache, even if the object exists in the cache. The
client’s request is sent unaltered to the OCS and the response is not cached. Thus, a byte-
range request has no effect on the cache if byte-range support is disabled.
When Byte-Range Support is Enabled
If the object is already in cache, the appliance serves the byte-range request from the cache
itself. However, if the client’s request contains a PNC header, the appliance always
bypasses the cache and serves the request from the OCS.
If the object is not in cache, the appliance always attempts to minimize delay for the client.
❐ If the byte range requested is near the beginning of the object, that is, the start byte of
the request is within 0 to 14336 bytes, then the appliance fetches the entire object from
the OCS and caches it. However, the client is served only the requested byte range.
❐ If the byte range requested is not near the beginning of the object, that is, the start byte
of the request is greater than 14336 bytes, then the appliance fetches only the
requested byte range from the OCS and serves it to the client. The response is not
cached.
Note: The HTTP proxy never caches partial objects, even if byte-range support is
enabled.
Since the appliance never caches partial objects, bandwidth gain is significantly affected
when byte-range requests are used heavily. If, for example, several clients request an
object where the start byte offset is greater than 14336 bytes, the object is never cached.
The appliance fetches the same object from the OCS for each client, thereby causing
negative bandwidth gain.
Further, download managers like NetAnts® typically use byte-range requests with PNC
headers. To improve bandwidth gain by serving such requests from cache, enable the
revalidate pragma-no-cache option along with byte-range support. See "Enabling
Revalidate Pragma-No-Cache" on page 204.
To configure byte-range support:
Note: Byte-range support can be enabled or disabled only through the CLI.
To enable or disable byte-range support, enter one of the following commands at the
(config) command prompt:
#(config) http byte-ranges
-or-
#(config) http no byte-ranges
Enabling Revalidate Pragma-No-Cache
The pragma-no-cache (PNC) header in a client’s request causes the HTTP proxy to re-
fetch the entire object from the OCS, even if the cached copy of the object is fresh. This
roundtrip for PNC requests can degrade proxy performance and increase server-side
bandwidth utilization.
While the Substitute Get for PNC configuration completely ignores PNC in client requests
and potentially serves stale content, the revalidate-pragma-no-cache setting allows you
to selectively implement PNC.
When the revalidate-pragma-no-cache setting is enabled, a client's non-conditional
PNC GET request results in a conditional GET request to the OCS if the object is
already in cache. The OCS can then return a 304 Not Modified response if the cached
content is still fresh, so the full content is not retrieved again and server-side
bandwidth consumption is reduced.
By default, the revalidate PNC configuration is disabled and is not affected by changes in
the top-level profile. When the Substitute Get for PNC configuration is enabled (see Table
8–2, "Description of Profile Configuration Components" on page 191 for details), the
revalidate PNC configuration has no effect.
To configure the revalidate PNC setting:
Note: The revalidate pragma-no-cache setting can be configured only through the
CLI.
To enable or disable the revalidate PNC setting, enter one of the following commands at
the (config) command prompt:
#(config) http revalidate-pragma-no-cache
-or-
#(config) http no revalidate-pragma-no-cache
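The rules in the two preceding sections (byte-range handling and the revalidate-PNC option) combine into one decision per request. The following Python model is an added example, not appliance code: the function, field and result names are the author's own, and the 14336-byte threshold, the PNC bypass and the conditional-GET behaviour are taken from the text above. It goes one step beyond the text by also accepting suffix ranges (bytes=-500), which it treats as not near the beginning because their start offset is unknown until the OCS answers; that treatment is an assumption.

```python
"""Model of how the HTTP proxy handles one client byte-range request, built
from the rules in the guide: byte-range support on/off, the 14336-byte
"near the beginning" threshold, Pragma: no-cache (PNC) bypass, and the
revalidate-pragma-no-cache option. Added illustration, not appliance code:
the function, field and result names are the author's own."""

import re
from dataclasses import dataclass

NEAR_START_LIMIT = 14336  # a start offset of 0..14336 counts as "near the beginning"


@dataclass(frozen=True)
class Decision:
    fetch: str         # what goes to the OCS: whole-object, range-only,
                       # conditional-get, pass-through, or none
    cache_write: bool  # whether the OCS response is stored in the cache
    served_from: str   # cache, ocs, or cache-if-304


def parse_range_start(range_header: str) -> int:
    """First-byte offset of a Range header such as 'bytes=10000-' or
    'bytes=0-1023'. A suffix range ('bytes=-500') has no absolute start, so it
    is treated as not near the beginning (assumption; the guide does not cover
    it). Raises ValueError on malformed input."""
    m = re.fullmatch(r"\s*bytes=(\d*)-(\d*)\s*(,.*)?", range_header)
    if not m or (m.group(1) == "" and m.group(2) == ""):
        raise ValueError(f"malformed Range header: {range_header!r}")
    if m.group(1) == "":
        return NEAR_START_LIMIT + 1
    return int(m.group(1))


def plan_range_request(range_header, in_cache, pnc=False,
                       byte_ranges=True, revalidate_pnc=False):
    """Decide what the proxy does with a Range request for one URL."""
    if not byte_ranges:
        # byte-range support disabled: request relayed unaltered, response never cached
        return Decision("pass-through", cache_write=False, served_from="ocs")
    if pnc:
        if in_cache and revalidate_pnc:
            # conditional GET; a 304 from the OCS lets the cached copy be served
            return Decision("conditional-get", cache_write=False, served_from="cache-if-304")
        # PNC otherwise always bypasses the cache (the download-manager round trip)
        return Decision("pass-through", cache_write=False, served_from="ocs")
    if in_cache:
        return Decision("none", cache_write=False, served_from="cache")
    if parse_range_start(range_header) <= NEAR_START_LIMIT:
        # near the start: whole object fetched and cached, client gets only its range
        return Decision("whole-object", cache_write=True, served_from="ocs")
    # far from the start: only the range is fetched; partial objects are never cached
    return Decision("range-only", cache_write=False, served_from="ocs")


def ocs_round_trips(requests, **options):
    """Replay (range_header, pnc) requests for one URL, track whether the
    object ever becomes cached, and count the resulting OCS round trips."""
    cached = False
    trips = 0
    for range_header, pnc in requests:
        d = plan_range_request(range_header, cached, pnc=pnc, **options)
        if d.fetch != "none":
            trips += 1
        if d.cache_write:
            cached = True
    return trips


if __name__ == "__main__":
    far = [("bytes=20000-", False)] * 3
    print("three far-range clients:", ocs_round_trips(far), "OCS round trips")
    near_first = [("bytes=0-1023", False)] + far[:2]
    print("one near-range client first:", ocs_round_trips(near_first), "OCS round trip")
```

Replaying three clients that all start at offset 20000 costs three OCS round trips and never populates the cache, which is exactly the negative-gain pattern the text warns about; a single near-start request first turns the other two into cache hits.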
Interpreting Negative Bandwidth Gain Statistics
Bandwidth gain represents the overall bandwidth benefit achieved by object caching, byte
caching, compression, and protocol optimization. Occasionally, you might notice negative
bandwidth gain when using the Bandwidth Gain profile. Negative bandwidth gain is
observed when the cumulative client-side bytes of traffic are lower than the cumulative
server-side bytes of traffic for a given period of time. Bandwidth gain is represented as a
unit-less multiplication factor and is computed by the ratio:
client bytes / server bytes
A value below 1 is reported as negative bandwidth gain.
Some factors that contribute to negative bandwidth gain are:
❐ Abandoned downloads (delete_on_abandonment(no))
When a client cancels a download, the appliance continues to download the requested
file to cache it for future requests. Because the client has cancelled the download, server-
side traffic persists while client-side traffic has stopped. This continued flow of traffic
on the server side causes negative bandwidth gain.
With delete_on_abandonment(yes), when a client cancels a download, the appliance
terminates the connection and stops sending traffic to the client. However, the server
may have sent additional traffic to the appliance before it received the TCP RST from
the appliance. This surplus also causes negative bandwidth gain.
❐ Refreshing of the cache
Bandwidth used to refresh contents in the cache contributes to server-side traffic.
Since this traffic is not sent to the client until requested, it might cause negative
bandwidth gain.
❐ Byte-range downloads
Download managers often use an open-ended byte range, such as Range: bytes=10000-,
and reset the connection once they have the bytes they want. The bytes received by the
appliance from the server then exceed those served to the client, causing negative
bandwidth gain.
❐ Download of uncompressed content
If the appliance downloads uncompressed content, but compresses it before serving
the content to the client, server-side traffic will be greater than client-side traffic. This
scenario is typical in a reverse proxy deployment, where the server offloads the task of
gzipping the content to the appliance.
❐ Reduced client-side throughput
In the short term, you will notice negative bandwidth gain if the client-side throughput
is lower than the server-side throughput. If, for example, the appliance takes five
minutes to download a 100 MB file but 10 minutes to serve it to the client, the appliance
reflects negative bandwidth gain for the first five minutes.
To view bandwidth usage and bandwidth gain statistics on the HTTP proxy, click
Statistics > Traffic History tab. Select the HTTP proxy service to view statistics over the
last hour, day, week, month, and year. See Chapter 35: "Statistics" on page 741 for
information on the graphs.
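To see how the ratio above is computed from traffic and which transactions pull it below 1.0, here is an added Python example (not SGOS code). The log lines are constructed; they use the ELFF-style field names sc-bytes and cs-bytes for the client side and rs-bytes and sr-bytes for the server side as an assumption about the access-log format, and x-note is a made-up field that labels each scenario from the list above. Check the #Fields: line of your own access log before pointing this at real data.

```python
"""Bandwidth gain (client bytes / server bytes) computed from access-log
records, with the transactions that drag it below 1.0 picked out.
Added example, not appliance code. SAMPLE_LOG is constructed; the byte
field names follow the ELFF sc-/cs-/rs-/sr-bytes convention (assumed to be
present in your log format) and x-note is a made-up per-scenario label."""

SAMPLE_LOG = """\
#Software: constructed sample, not a real appliance log
#Fields: time c-ip cs-method cs-uri sc-status sc-bytes cs-bytes rs-bytes sr-bytes x-note
10:00:01 10.0.0.5 GET http://example.test/iso/image.iso 200 2000000 400 50000000 350 abandoned
10:00:02 10.0.0.6 GET http://example.test/iso/image.iso 200 50000000 400 0 0 cache-hit
10:00:03 10.0.0.7 GET http://example.test/big.bin 206 1000000 450 1500000 350 open-ended-range
10:00:04 10.0.0.8 GET http://example.test/app.js 200 30000 300 120000 300 compressed-by-proxy
"""


def parse_elff(text):
    """Parse W3C ELFF text: a #Fields: directive names the columns, other
    # lines are directives to skip, data lines are space separated."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def client_bytes(rec):
    """Bytes on the client side of the proxy: sent to plus received from the client."""
    return int(rec["sc-bytes"]) + int(rec["cs-bytes"])


def server_bytes(rec):
    """Bytes on the server side: received from plus sent to the OCS."""
    return int(rec["rs-bytes"]) + int(rec["sr-bytes"])


def bandwidth_gain(records):
    """Unit-less ratio client bytes / server bytes over the records; a value
    below 1.0 is what the statistics pages show as negative bandwidth gain."""
    server = sum(server_bytes(r) for r in records)
    client = sum(client_bytes(r) for r in records)
    if server == 0:
        return float("inf") if client else 1.0  # nothing fetched: pure cache hits
    return client / server


def negative_gain_records(records):
    """Transactions where the server side moved more bytes than the client side
    (abandoned downloads, far byte ranges, proxy-side compression, ...)."""
    return [r for r in records if server_bytes(r) > client_bytes(r)]


if __name__ == "__main__":
    recs = parse_elff(SAMPLE_LOG)
    print(f"gain over the period: {bandwidth_gain(recs):.3f}")
    for r in negative_gain_records(recs):
        print(f"  negative: {r['cs-uri']} ({r['x-note']}) "
              f"client={client_bytes(r)} server={server_bytes(r)}")
```

Three of the four constructed transactions are individually negative, yet the gain over the whole window is just above 1.0 because the cache hit on the abandoned ISO repays the server-side overrun; that is the short-term effect the list above describes, and it is why the ratio should be read over a period rather than per request.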
Compression
Compression is disabled by default. If compression is enabled, the HTTP proxy forwards
the supported compression algorithm from the client's request (Accept-Encoding:
request header) to the server as is, and attempts to send compressed content to the client
whenever possible. This allows SGOS to send the response as is when the server sends
compressed data, including non-cacheable responses. Any unsolicited encoded response is
forwarded as is to the client.
For more information on compression, see "Understanding HTTP Compression" on page
209.
Related CLI Syntax to Configure HTTP
The following commands allow you to manage settings for an HTTP proxy.
Use the command below to enter the configuration mode.
# conf t
The following subcommands are available:
#(config) http [no] add-header client-ip
#(config) http [no] add-header front-end-https
#(config) http [no] add-header via
#(config) http [no] add-header x-forwarded-for
#(config) http [no] byte-ranges
#(config) http [no] cache authenticated-data
#(config) http [no] cache expired
#(config) http [no] cache personal-pages
#(config) http [no] force-ntlm
#(config) http ftp-proxy-url root-dir
#(config) http ftp-proxy-url user-dir
#(config) http [no] parse meta-tag {cache-control | expires | pragma-no-cache}
#(config) http [no] persistent client
#(config) http [no] persistent server
#(config) http [no] persistent-timeout client num_seconds
#(config) http [no] persistent-timeout server num_seconds
#(config) http [no] pipeline client {requests | redirects}
#(config) http [no] pipeline prefetch {requests | redirects}
#(config) http [no] proprietary-headers bluecoat
#(config) http receive-timeout client num_seconds
#(config) http receive-timeout refresh num_seconds
#(config) http receive-timeout server num_seconds
#(config) http [no] revalidate-pragma-no-cache
#(config) http [no] strict-expiration refresh
#(config) http [no] strict-expiration serve
#(config) http [no] strip-from-header
#(config) http [no] substitute conditional
#(config) http [no] substitute ie-reload
#(config) http [no] substitute if-modified-since
#(config) http [no] substitute pragma-no-cache
#(config) http [no] tolerant-request-parsing
#(config) http upload-with-pasv disable
#(config) http upload-with-pasv enable
#(config) http version {1.0 | 1.1}
#(config) http [no] www-redirect
#(config) http [no] xp-rewrite-redirect
Note: For detailed information about using these commands, refer to the Command Line
Interface Reference.
Section G: Caching Authenticated Data (CAD) and Caching Proxy Authenticated Data (CPAD)
This section describes how the appliance caches authenticated content over HTTP.
Authentication over HTTP allows a user to prove their identity to a server or an upstream
proxy to gain access to a resource.
The appliance uses CAD and CPAD to facilitate object caching at the edge and to help
validate user credentials. Object caching in the appliance reduces bandwidth usage and
response times between the client and the server or proxy.
The deployment of the appliance determines whether it performs CAD or CPAD:
❐ When the Origin Content Server (OCS) performs authentication, the appliance
performs CAD.
❐ When the upstream HTTP Proxy performs authentication, the downstream HTTP
proxy or the appliance executes CPAD.
About Caching Authenticated Data (CAD)
In the CAD scenario, when a user requests a resource that needs authentication, the OCS
sends an HTTP 401 error response to the user. The HTTP 401 response also contains
information on the authentication schemes that the OCS supports. To prove their identity
to the OCS, the user resubmits the initial request along with the authentication details.
Figure 8–5 CAD: 200 response from the Origin Content Server.
The OCS then sends back one of the following responses:
❐ HTTP 200 response status, authentication is accepted. The user receives the requested
resource.
❐ HTTP 403 response status, user is not allowed to view the requested resource. The user
is authenticated but is not authorized to receive the content, hence the user receives an
error message.
When another user accesses the same URL, the appliance authenticates the user with the
OCS and verifies the freshness of the content with a GET If-Modified-Since request.
If the user is authorized and the content has not been modified, the OCS returns an HTTP
304 response to the appliance, which then serves the content from cache.
If the content has been modified, the OCS returns an HTTP 200 response along with the
modified content.
Figure 8–6 CAD: 403 and 304 response codes from the OCS
Note: CAD is applicable only for pure HTTP authentication: the appliance caches
authenticated data only when the OCS includes a WWW-Authenticate header in the 401
response. If, for example, the client accesses an OCS that uses forms-based
authentication, the appliance does not perform CAD.
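The CAD exchange above, as an added in-memory model (not SGOS code): an origin with HTTP Basic authentication and a caching proxy that stores the first authorized 200 body but, for every later request, forwards the user's own credentials to the OCS together with If-Modified-Since and serves from cache only when the OCS answers 304. A 401 or 403 from the OCS is relayed unchanged, so a cached authenticated object is never handed to a user the OCS has not just authorized. Users, passwords, paths, dates and the X-Cache marker header are made up; public (unauthenticated) objects and forms-based logins are outside the model, which caches only paths that were challenged with WWW-Authenticate.

```python
"""In-memory model of Caching Authenticated Data (CAD). Added example, not
SGOS code: an origin with HTTP Basic authentication and a caching proxy that
stores the first authorized 200 body but, for every later request, sends the
user's credentials to the OCS with If-Modified-Since and serves from cache only
on a 304. Users, passwords, paths, dates and the X-Cache header are made up."""

import base64


def basic_auth(user, password):
    """Build an Authorization header value for HTTP Basic."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class Origin:
    """Origin content server: Basic auth, per-user authorization, one
    Last-Modified per object, and 304 on a matching If-Modified-Since."""

    def __init__(self, passwords, authorized, objects):
        self.passwords = passwords      # user -> password
        self.authorized = authorized    # user -> set of paths the user may read
        self.objects = objects          # path -> (last_modified, body)
        self.full_responses = 0         # how many times a body was actually sent

    def handle(self, path, headers):
        challenge = {"WWW-Authenticate": 'Basic realm="cad"'}
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401, challenge, b""
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        if self.passwords.get(user) != password:
            return 401, challenge, b""             # bad credentials: challenge again
        if path not in self.authorized.get(user, set()):
            return 403, {}, b"forbidden"            # authenticated but not authorized
        last_modified, body = self.objects[path]
        if headers.get("If-Modified-Since") == last_modified:
            return 304, {"Last-Modified": last_modified}, b""
        self.full_responses += 1
        return 200, {"Last-Modified": last_modified}, body


class CadProxy:
    """Caching proxy in front of Origin. It never serves a cached authenticated
    object without first getting a 304 from the OCS for this user's credentials."""

    def __init__(self, origin):
        self.origin = origin
        self.cache = {}               # path -> (last_modified, body)
        self.http_auth_paths = set()  # paths that challenged with 401 + WWW-Authenticate

    def handle(self, path, headers):
        forwarded = dict(headers)     # the client's Authorization travels to the OCS
        cached = self.cache.get(path)
        if cached:
            forwarded["If-Modified-Since"] = cached[0]   # GET If-Modified-Since
        status, resp, body = self.origin.handle(path, forwarded)
        if status == 401 and "WWW-Authenticate" in resp:
            self.http_auth_paths.add(path)     # pure HTTP auth: CAD applies here
        elif status == 304 and cached:
            return 200, {"Last-Modified": cached[0], "X-Cache": "HIT"}, cached[1]
        elif status == 200 and "Authorization" in headers and path in self.http_auth_paths:
            self.cache[path] = (resp["Last-Modified"], body)   # store for later users
            return 200, {**resp, "X-Cache": "MISS"}, body
        # 401, 403, or a 200 for a path never challenged over HTTP (e.g. forms
        # login): relay unchanged and cache nothing
        return status, resp, body


def demo():
    """Walk through the figures: challenge, first user 200, second user 304 -> HIT,
    unauthorized user 403, bad credentials 401. Returns the observed statuses and
    how many full bodies the origin had to send."""
    origin = Origin({"alice": "pw1", "bob": "pw2", "eve": "pw3"},
                    {"alice": {"/report"}, "bob": {"/report"}},
                    {"/report": ("Tue, 14 Jan 2020 10:00:00 GMT", b"quarterly numbers")})
    proxy = CadProxy(origin)
    seen = [proxy.handle("/report", {})[0]]
    for user, pw in [("alice", "pw1"), ("bob", "pw2"), ("eve", "pw3"), ("mallory", "x")]:
        status, resp, _ = proxy.handle("/report", {"Authorization": basic_auth(user, pw)})
        seen.append((status, resp.get("X-Cache")))
    return seen, origin.full_responses


if __name__ == "__main__":
    print(demo())
```

The origin sends the body once; bob's request costs only a conditional round trip, while eve (authenticated, not authorized) and mallory (bad password) get the OCS's own 403 and 401 rather than the cached object. The CPAD variant differs only in who challenges: the upstream proxy answers 407 with Proxy-Authenticate and the downstream appliance forwards the same GET If-Modified-Since.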
About Caching Proxy Authenticated Data (CPAD)
The CPAD deployment uses two appliances — a local proxy and a gateway proxy. Figure
8–7 on page 209 below depicts the appliances in a CPAD deployment.
When the user requests a resource, appliance 1 forwards the request to appliance 2.
Appliance 2 issues the authentication challenge back to the user (a 407 response instead of
the 401 response that the OCS serves). Upon successful authentication, appliance 2
forwards the request to the OCS and the resource is served to the user.
Figure 8–7 CPAD: 200 response from appliance 2
In Figure 8–8, appliance 1 caches proxy authenticated data and appliance 2 performs
authentication (instead of the OCS).
Figure 8–8 CPAD: 407 and 304 responses in a CPAD deployment
For subsequent users who access the same URL (see Figure 8–8), appliance 1 forwards all
requests to appliance 2 as GET If-Modified-Since requests.
Appliance 2 issues the authentication challenge and provides one of the following
responses:
❐ HTTP 200 response status, the user is allowed access to the requested resource but the
content has changed.
❐ HTTP 304 response status, the user is authorized and the content can be served from
the cache.
❐ HTTP 403 response status, the user is not authorized to view the requested resource.
❐ HTTP 407 response status, the user provided invalid credentials.
Understanding HTTP Compression
Compression reduces a file size but does not lose any data. Whether you should use
compression depends upon three resources: server-side bandwidth, client-side bandwidth,
and ProxySG CPU. If server-side bandwidth is more expensive in your environment than
CPU, always request compressed content from the origin content server (OCS). However,
if CPU is comparatively expensive, the appliance should instead be configured to ask the
OCS for the same compressions that the client asked for and to forward whatever the
server returns.
The default configuration assumes that CPU is costlier than bandwidth. If this is not the
case, you can change the appliance behavior.
Note: Decompression, content transformation, and re-compression increases response
time by a small amount because of the CPU overhead. (The overhead is negligible in most
cases.) RAM usage also increases if compression is enabled.
Compression might also appear to adversely affect bandwidth gain. Because compression
results in a smaller file being served to the client than was retrieved by the appliance from
the origin content server, bandwidth gain statistics reflect such requests/responses as
negative bandwidth gain.
Compression is disabled by default. If compression is enabled, the HTTP proxy forwards
the supported compression algorithm from the client’s request (Accept-Encoding:
request header) to the server as is, and attempts to send compressed content to client
whenever possible. This allows the appliance to send the response as is when the server
sends compressed data, including non-cacheable responses. Any unsolicited encoded
response is forwarded to the client as is.
Note: If compression is not enabled, the appliance does not compress the content if the
server sends uncompressed content. However, the appliance continues to uncompress
content if necessary to apply transformations.
Compression is controlled by policy only.
You can view compression statistics by going to Statistics > Protocol Details > HTTP/FTP
History > Client Comp. Gain and Server Comp. Gain.
For information on these statistics, see "Viewing HTTP/FTP Statistics" on page 211.
Section H: Viewing HTTP/FTP Statistics
This section discusses the following topics:
❐ "HTTP/FTP History Statistics"
❐ "Viewing the Number of HTTP/HTTPS/FTP Objects Served"
❐ "Viewing the Number of HTTP/HTTPS/FTP Bytes Served" on page 213
❐ "Viewing Active Client Connections" on page 214
❐ "Viewing HTTP/HTTPS/FTP Client and Server Compression Gain Statistics" on page 215
❐ "Disabling the Proxy-Support Header" on page 217
HTTP/FTP History Statistics
The HTTP/FTP History tabs display bar graphs that illustrate the last 60 minutes, 24 hours,
and 30 days for the number of objects served, bytes served, active clients, and client and
server compression gain statistics associated with the HTTP, HTTPS, and FTP protocols.
The overall client and server compression-gain statistics are displayed under System
Usage.
Note: You can view current HTTP statistics through the CLI using the show http-stats
command.
Section 6 Viewing the Number of HTTP/HTTPS/FTP Objects Served
The HTTP/HTTPS/FTP Objects tab illustrates the device activity over the last 60 minutes, 24
hours, and 30 days. These charts illustrate the total number of objects served from either
the cache or from the Web.
The maximum number of objects that can be stored on an appliance depends on a number
of factors, including the SGOS version it is running and the hardware platform series.
To view the number of HTTP/HTTPS/FTP objects served:
1. From the Management Console, select Statistics > Protocol Details > HTTP/FTP History
> HTTP/HTTPS/FTP Objects.
2. Select the Duration: from the drop-down list.
3. (Optional) To set the graph scale to a different value, select a value from the Graph
scale should drop-down list.
Section 7 Viewing the Number of HTTP/HTTPS/FTP Bytes Served
The HTTP/HTTPS/FTP Bytes tab shows the sum total of the number of bytes served from
the device over the last 60 minutes, 24 hours, and 30 days. The chart shows the total
number of bytes for objects served by the device, including both cache hits and cache
misses.
To view the number of HTTP/HTTPS/FTP bytes served:
1. From the Management Console, select Statistics > Protocol Details > HTTP/FTP History
> HTTP/HTTPS/FTP Bytes.
2. Select the Duration: from the drop-down list.
3. (Optional) To set the graph scale to a different value, select a value from the Graph
scale should drop-down list.
Section 8 Viewing Active Client Connections
The HTTP/HTTPS/FTP Clients tab shows the maximum number of clients with requests
processed over the last 60 minutes, 24 hours, and 30 days. This does not include idle client
connections (connections that are open but that have not made a request). These charts
allow you to monitor the maximum number of active clients accessing the appliance at any
one time. In conjunction with the HTTP/HTTPS/FTP Objects and HTTP/HTTPS/FTP
Bytes tabs, you can determine the number of clients supported based on load, or load
requirements for your site based on a specific number of clients.
To view the number of active clients:
1. From the Management Console select Statistics > Protocol Details > HTTP/FTP History
> HTTP/HTTPS/FTP Clients.
2. Select the Duration: from the drop-down list.
3. (Optional) To set the graph scale to a different value, select a value from the Graph
scale should drop-down list.
Section 9 Viewing HTTP/HTTPS/FTP Client and Server Compression
Gain Statistics
Under HTTP/FTP History, you can view HTTP/FTP client and server compression-gain
statistics for the ProxySG appliance over the last 60 minutes, 24 hours, and 30 days in
the Client Comp. Gain and the Server Comp. Gain tabs. Overall client and server
compression-gain statistics are displayed under System Usage. These statistics are not
available through the CLI.
The green display on the bar graph represents uncompressed data; the blue display
represents compressed data. Hover your cursor over the graph to see the compressed gain
data.
See one of the following sections for more information:
❐ "Viewing HTTP/FTP Client Compressed Gain Statistics"
❐ "Viewing HTTP/FTP Server Compressed Gain Statistics" on page 216
Viewing HTTP/FTP Client Compressed Gain Statistics
To view HTTP/FTP client compressed gain statistics:
1. From the Management Console, select Statistics > Protocol Details > HTTP/FTP History
> Client Comp. Gain.
2. Select the Duration: from the drop-down list.
3. (Optional) To set the graph scale to a different value, select a value from the Graph
scale should drop-down list.
See Also
"Viewing HTTP/HTTPS/FTP Client and Server Compression Gain Statistics" on page 215
Viewing HTTP/FTP Server Compressed Gain Statistics
To view HTTP/FTP server compressed gain statistics:
1. From the Management Console, select Statistics > Protocol Details > HTTP/FTP History
> Server Comp. Gain.
2. Select the Duration: from the drop-down list.
3. (Optional) To set the graph scale to a different value, select a value from the Graph
scale should drop-down list.
See Also
"Viewing HTTP/HTTPS/FTP Client and Server Compression Gain Statistics" on page 215
Section I: Supporting IWA Authentication in an Explicit HTTP Proxy
Internet Explorer does not allow IWA authentication through an appliance when explicitly
proxied. To facilitate this authentication, Symantec added a Proxy-Support: Session-
based-authentication header. By default, when the appliance receives a 401
authentication challenge from upstream, it sends the Proxy-Support: Session-based-
authentication header in response.
The Proxy-Support header is not supported if:
❐ you are using an older browser (Refer to the SGOS Release Notes for supported
browser versions).
❐ both the appliance and the OCS perform IWA authentication.
In either case, Symantec recommends that you disable the header and enable Force IWA for
Server Authentication. The Force IWA for Server Authentication action converts the 401-
type server authentication challenge to a 407-type proxy authentication challenge that
Internet Explorer supports. The appliance also converts the resulting Proxy-
Authorization headers in client requests to standard Authorization headers, which
allows an IWA authentication challenge to pass through when Internet Explorer is
explicitly proxied through the appliance.
Disabling the Proxy-Support Header
The Proxy-Support header is sent by default when an explicitly configured appliance
receives a 401 authentication challenge from upstream.
The header modification policy allows you to suppress or modify the Proxy-Support
custom header, and prevents the appliance from sending this default header. Use either the
Visual Policy Manager (VPM) or CPL to disable the header through policy. For complete
information on using VPM, refer to Visual Policy Manager Reference.
Note: To suppress the Proxy-Support header globally, use the http force-ntlm
command to change the option. To suppress the header only in certain situations, continue
with the procedures below.
To suppress the proxy-support header through the VPM:
1. In a Web Access Layer, right click in the Action field and select Set. The Set Action
dialog displays.
2. Click New to see the drop-down list; select Control Response Header.
3. Fill in the fields as follows:
a. Name: Enter a meaningful name.
b. Show: Select Custom from the drop-down list.
c. Header Name: Enter Proxy-Support.
d. Verify Suppress is selected.
4. Click OK.
5. Click Apply.
To suppress the proxy-support header through CPL:
Use CPL to define the Proxy-Support custom header object and to specify what action to
take. The example below uses Proxy-Support as the action name, but you can choose any
name meaningful to you. The result of this action is to suppress the Proxy-Support header.
<Proxy>
action.Proxy-Support(yes)
define action Proxy-Support
delete(response.x_header.Proxy-Support)
end action Proxy-Support
Section J: Supporting Authentication on an Upstream Explicit Proxy
Proxy chaining may cause issues in HTTPS configurations. When an upstream proxy
requires Proxy-Authentication, a timeout may occur because by the time the proxy
authentication challenge occurs in the HTTP CONNECT request, the client has already
established a non-authorized connection to the downstream proxy (which might or might
not be a ProxySG appliance).
Deployment Scenarios
Use this configuration when the appliance is inserted between a client and an explicit
proxy configured to use authentication. It can also be helpful in transparent deployments.
• Explicit downstream: The appliance supports authentication to the client for SSL/
HTTPS traffic, with an upstream proxy performing the authentication. The
upstream proxy is not under your control.
• Transparent downstream: The appliance supports authentication to the client for
SSL/HTTPS traffic with an upstream proxy performing the authentication. For
example, in a chain where two proxies are configured transparently as
accelerators and a third further upstream functions explicitly, authentication
requests may not reach their destinations.
Section K: Detect and Handle WebSocket Traffic
The Internet Engineering Task Force (IETF) standardized the WebSocket protocol in
2011. WebSocket provides simultaneous two-way communications channels over a single
TCP connection by detecting the presence of a proxy server and tunneling
communications through the proxy.
To upgrade an HTTP connection to a newer HTTP version or use another protocol such as
WebSocket, a client sends a request with Upgrade, Connection, and other relevant
headers. Previous versions of SGOS did not allow WebSocket handshakes to complete,
but supported versions allow the handshake to complete successfully. This version also
detects WebSocket traffic and allows you to perform specific policy actions.
When the appliance detects a WebSocket request in the HTTP/S request, the Active
Sessions tab in the Management Console indicates that the traffic is WebSocket. Use the
filter Protocol > WebSocket.
To differentiate WebSocket traffic in the access-log, use the TCP_WEBSOCKET value in the
s-action field. You can determine if the traffic was plain WebSocket or secure
WebSocket by looking at the scheme (HTTP or HTTPS).
Section 10 How the ProxySG Appliance Handles an Upgrade Request
Refer to the following overviews of how the appliance handles a WebSocket upgrade
request in transparent proxy and in explicit proxy. For more information on the policy
condition mentioned in the following overviews, refer to the Content Policy Language
Reference and the Visual Policy Manager Reference.
Upgrade Request in Transparent Mode
a. The browser sends a protocol upgrade request to the proxy.
b. The HTTP proxy receives the upgrade request.
c. If the Upgrade header has a single value of websocket, the HTTP proxy
begins a WebSocket handshake by forwarding the Upgrade and Connection
headers upstream to upgrade the connection protocol.
In this case, the tunneled=yes and http.websocket=yes conditions evaluate to
true.
d. Policy runs and evaluates the request. If the request is allowed, the proxy
takes the next step depending on the response code:
• If the HTTP response code is 101 ("Switching Protocols"), the proxy tunnels
the request.
• If the HTTP response code is successful (2xx), the proxy returns a 400 Bad
Request exception to indicate that the origin content server (OCS) did not
understand the upgrade request.
• In all other cases, the proxy returns the standard HTTP response codes and
does not tunnel the request.
Note: The appliance evaluates all policy that applies to a transaction during the
initial upgrade request.
Upgrade Request in Explicit Mode
a. The browser sends an HTTP CONNECT request to the proxy.
b. The HTTP proxy receives the HTTP CONNECT request.
c. If Detect Protocol is enabled on the HTTP proxy, the request is forwarded to
the HTTP proxy.
If Detect Protocol is disabled on the HTTP proxy and policy does not allow HTTP
CONNECT requests, the appliance treats the request as
if force_protocol(http) were set in policy.
The request is thus forwarded to the HTTP proxy, allowing the appliance to
evaluate policy on (and possibly allow) tunneled HTTP traffic, such as
WebSocket requests, while blocking non-HTTP protocols sent over HTTP
CONNECT.
If Detect Protocol is disabled on the HTTP proxy and HTTP CONNECT is
allowed in policy, the request is TCP-tunneled.
d. (If the protocol is secure WebSocket) If Detect Protocol for SSL is disabled,
the request is TCP-tunneled. If Detect Protocol for SSL is enabled, the request
is forwarded to the SSL proxy.
(On the SSL proxy) If HTTPS interception is disabled, the request is SSL-
tunneled. If HTTPS interception is enabled, the request is forwarded to the
HTTPS proxy.
The proxy detects the Upgrade: websocket header and begins a WebSocket
handshake. The tunneled=yes and http.websocket=yes conditions evaluate to
true.
Note: The appliance evaluates all policy that applies to a transaction during the
initial upgrade request.
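The following is an added example, not code from SGOS or from this guide. It models the two pieces of WebSocket handling described above: the upgrade-request checks and response-code dispatch (the Upgrade header must carry the single value websocket and the Connection header the upgrade token, as RFC 6455 requires), and the access-log classification that keys on the TCP_WEBSOCKET s-action and the request scheme. The access-log field order used for the constructed sample lines is an assumption made for this example, not the appliance's default log format.

```python
# Added example (not SGOS code): a model of the WebSocket upgrade handling and
# access-log classification described above. Header names follow RFC 6455; the
# access-log field layout below is an assumption made for this example.
from typing import Dict, List, Tuple


def _tokens(value: str) -> List[str]:
    """Split a comma-separated header value into lowercase tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def is_websocket_upgrade(headers: Dict[str, str]) -> bool:
    """True when Upgrade names exactly one protocol, websocket, and the
    Connection header carries the 'upgrade' token (both required by RFC 6455)."""
    lower = {k.lower(): v for k, v in headers.items()}
    upgrade = _tokens(lower.get("upgrade", ""))
    connection = _tokens(lower.get("connection", ""))
    return upgrade == ["websocket"] and "upgrade" in connection


def policy_conditions(headers: Dict[str, str]) -> Dict[str, bool]:
    """The CPL conditions the guide says evaluate to true for a WebSocket handshake."""
    ws = is_websocket_upgrade(headers)
    return {"tunneled": ws, "http.websocket": ws}


def handshake_outcome(status: int) -> str:
    """Next step after policy allows the request, keyed on the OCS response code."""
    if status == 101:
        return "tunnel"            # Switching Protocols: the connection is tunneled
    if 200 <= status <= 299:
        return "400 Bad Request"   # OCS answered normally, so it ignored the upgrade
    return "pass-through"          # any other code is returned as-is, no tunnel


# Constructed access-log excerpt (not real appliance output). Assumed field order:
# date time c-ip s-action cs-method cs-uri-scheme cs-host cs-uri-port sc-status
SAMPLE_LOG = """\
2020-01-15 10:01:02 10.0.0.5 TCP_WEBSOCKET GET http chat.example.com 80 101
2020-01-15 10:01:07 10.0.0.5 TCP_WEBSOCKET GET https chat.example.com 443 101
2020-01-15 10:01:09 10.0.0.8 TCP_NC_MISS GET http www.example.com 80 200
2020-01-15 10:01:12 10.0.0.9 TCP_WEBSOCKET GET https api.example.com 443 101
"""


def websocket_sessions(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client-ip, host, 'ws'|'wss') for each line whose s-action is
    TCP_WEBSOCKET; the scheme (http vs https) tells plain from secure WebSocket."""
    found = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 9:
            continue                              # skip malformed lines rather than crash
        c_ip, s_action, scheme, host = fields[2], fields[3], fields[5], fields[6]
        if s_action != "TCP_WEBSOCKET":
            continue
        found.append((c_ip, host, "wss" if scheme.lower() == "https" else "ws"))
    return found


if __name__ == "__main__":
    req = {"Upgrade": "websocket", "Connection": "keep-alive, Upgrade"}
    print(policy_conditions(req), handshake_outcome(101))
    for entry in websocket_sessions(SAMPLE_LOG):
        print(entry)
```

Note that an Upgrade header listing more than one protocol (for example h2c, websocket) does not start a WebSocket handshake in this model, which matches the "single value of websocket" wording above.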
Section 11 Feature Limitations
❐ The appliance does not perform ICAP scanning (either REQMOD or RESPMOD) on
transactions using the WebSocket protocol.
❐ You must import the appliance’s signing certificate authority (CA) certificate into the
browser to prevent a trust error from occurring when the appliance intercepts HTTPS
and detects WebSocket over HTTPS.
Chapter 9: Managing the SSL Proxy
This chapter discusses the ProxySG SSL proxy.
Topics in this Chapter
This chapter includes information about the following topics:
❐ Section A: "Intercepting HTTPS Traffic" on page 229
❐ Section B: "Configuring SSL Rules through Policy" on page 239
❐ Section C: "Offloading SSL Traffic to an SSL Visibility Appliance" on page 244
❐ Section D: "Viewing SSL Statistics" on page 246
❐ Section E: "Using STunnel" on page 250
❐ Section F: "Tapping Decrypted Data with Encrypted Tap" on page 256
❐ Section G: "Working with an HSM Appliance" on page 259
❐ Section H: "Advanced Topics" on page 265
For information on Certificate Authority (CA) certificates, keyrings, and key pairs, see
Chapter 75: "Authenticating an Appliance" on page 1415.
About the SSL Proxy
HTTPS traffic poses a major security risk to enterprises. Because the SSL content is
encrypted, it cannot be monitored by normal means. This enables users to bring in viruses,
access forbidden sites, or leak confidential business information over the HTTPS
connection on port 443.
The SSL proxy intercepts, decrypts and re-encrypts HTTPS traffic (in explicit and
transparent modes) so that security measures such as authentication, virus scanning, and
URL filtering, and performance enhancements such as HTTP caching can be applied to
HTTPS content. Additionally, the SSL proxy validates server certificates presented by
various HTTPS sites at the gateway and offers information about the HTTPS traffic in the
access log.
The SSL proxy tunnels all HTTPS traffic by default unless there is an exception, such as a
certificate error or a policy denial. In such cases, the SSL proxy intercepts the SSL
connection and sends an error page to the user. The SSL proxy also enables interception of
HTTPS traffic for monitoring purposes.
The SSL proxy can perform the following operations while tunneling HTTPS traffic.
❐ Validate server certificates, including revocation checks using Certificate Revocation
Lists (CRLs).
❐ Check various SSL parameters such as cipher and version.
❐ Log useful information about the HTTPS connection.
When the SSL proxy is used to intercept HTTPS traffic, it can also:
❐ Cache HTTPS content.
❐ Apply HTTP-based authentication mechanisms.
❐ Send decrypted data to a configured ICAP Antivirus appliance for virus scanning and
URL filtering.
❐ Apply granular policy (such as validating mime type and filename extension).
IPv6 Support
The SSL proxy is able to communicate using either IPv4 or IPv6, either explicitly or
transparently.
In addition, for any service that uses the SSL proxy, you can create listeners that bypass or
intercept connections for IPv6 sources or destinations.
Validating the Server Certificate
The SSL proxy can perform the following checks on server certificates:
❐ Verification of issuer signature.
❐ Verification of certificate dates.
❐ Comparison of host name in the URL and certificate (intercepted connections only).
Host names in server certificates are important because the SSL proxy can identify a
Web site just by looking at the server certificate if the host name is in the certificate.
Most content-filtering HTTPS sites follow the guideline of putting the name of the site
as the common name in the server's certificate.
❐ Verification of revocation status.
To mimic the overrides supported by browsers, the SSL proxy can be configured to
ignore failures for the verification of issuer signatures and certificate dates and
comparison of the host name in the URL and the certificate.
The appliance trusts all root CA certificates that are trusted by Internet Explorer and
Firefox. This list is updated to be in sync with the latest versions of IE and Firefox.
Checking CRLs
An additional check on the server certificate is done through Certificate Revocation Lists
(CRLs). CRLs show which certificates are no longer valid; the CRLs are created and
maintained by the certificate authorities (CAs) that issued the original certificates.
Only CRLs that are issued by a trusted issuer can be used by the appliance. The CRL
issuer certificate must exist as a CA certificate on the appliance before the CRL can be
imported.
The appliance allows:
❐ One local CRL per certificate issuing authority.
❐ An import of a CRL that is expired; a warning is displayed in the log.
❐ An import of a CRL that is effective in the future; a warning is displayed in the log.
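The following is an added example, not code from SGOS or from this guide. It models the server-certificate checks listed under "Validating the Server Certificate" (issuer signature, dates, host name comparison on intercepted connections only, revocation) together with the browser-style overrides, and the CRL import rules from "Checking CRLs" (issuer must already be a trusted CA, expired or not-yet-effective CRLs import with a warning, one CRL per issuer). Certificates and CRLs are plain records and the cryptographic signature check is stood in for by a precomputed flag; those simplifications, the sample CA name and serial numbers, and the choice to make a revocation hit non-overridable are assumptions of the example.

```python
# Added example (not SGOS code): a model of the server-certificate checks and
# CRL import rules described above. Certificates and CRLs are plain records;
# the issuer-signature check is stood in for by a precomputed flag (assumption).
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Set


@dataclass
class Cert:
    subject_cn: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    signature_ok: bool = True   # result of verifying the issuer signature


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: Set[int]


def hostname_matches(cn: str, host: str) -> bool:
    """Exact match, or a single leading '*' label that matches exactly one label."""
    cn, host = cn.lower(), host.lower()
    if cn == host:
        return True
    if cn.startswith("*.") and "*" not in cn[2:]:
        return host.count(".") == cn.count(".") and host.endswith(cn[1:])
    return False


def import_crl(crl: CRL, trusted_cas: Set[str], now: datetime,
               store: Dict[str, CRL], log: List[str]) -> bool:
    """Apply the import rules: the issuer must already be a CA certificate on the
    appliance; expired or not-yet-effective CRLs import with a warning; only one
    CRL is kept per issuer, so a new import replaces the previous one."""
    if crl.issuer not in trusted_cas:
        log.append(f"ERROR: CRL issuer {crl.issuer!r} is not a trusted CA certificate")
        return False
    if crl.next_update < now:
        log.append(f"WARNING: CRL from {crl.issuer!r} expired {crl.next_update:%Y-%m-%d}")
    if crl.this_update > now:
        log.append(f"WARNING: CRL from {crl.issuer!r} not effective until {crl.this_update:%Y-%m-%d}")
    store[crl.issuer] = crl
    return True


def validate_server_cert(cert: Cert, host: str, trusted_cas: Set[str],
                         crls: Dict[str, CRL], now: datetime,
                         ignore: FrozenSet[str] = frozenset(),
                         intercepted: bool = True) -> List[str]:
    """Return the failures left after the configured browser-style overrides.
    'ignore' may hold 'issuer', 'dates' and 'hostname'; a revocation hit is never
    overridable here, and the host-name comparison only runs on intercepted
    connections, as the guide states."""
    failures = []
    if cert.issuer not in trusted_cas or not cert.signature_ok:
        failures.append("issuer")
    if not (cert.not_before <= now <= cert.not_after):
        failures.append("dates")
    if intercepted and not hostname_matches(cert.subject_cn, host):
        failures.append("hostname")
    crl = crls.get(cert.issuer)
    if crl is not None and cert.serial in crl.revoked_serials:
        failures.append("revoked")
    return [f for f in failures if f == "revoked" or f not in ignore]


# Constructed sample data for a stand-alone run (dates are UTC).
def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = _utc(2020, 6, 1)
CA = "Example Root CA"
TRUSTED = {CA}
GOOD = Cert("*.example.com", CA, 1001, _utc(2020, 1, 1), _utc(2021, 1, 1))
EXPIRED = Cert("www.example.com", CA, 1002, _utc(2018, 1, 1), _utc(2019, 1, 1))
REVOKED = Cert("www.example.com", CA, 1003, _utc(2020, 1, 1), _utc(2021, 1, 1))
CRL_OK = CRL(CA, _utc(2020, 5, 1), _utc(2020, 7, 1), {1003})
CRL_UNTRUSTED = CRL("Unknown CA", _utc(2020, 5, 1), _utc(2020, 7, 1), set())


def demo() -> Dict[str, object]:
    """Run the sample data through import and validation; returns the results."""
    store, log = {}, []
    imported = import_crl(CRL_OK, TRUSTED, NOW, store, log)
    rejected = not import_crl(CRL_UNTRUSTED, TRUSTED, NOW, store, log)
    host = "www.example.com"
    return {
        "crl_imported": imported,
        "untrusted_crl_rejected": rejected,
        "good": validate_server_cert(GOOD, host, TRUSTED, store, NOW),
        "expired": validate_server_cert(EXPIRED, host, TRUSTED, store, NOW),
        "expired_ignored": validate_server_cert(EXPIRED, host, TRUSTED, store, NOW, frozenset({"dates"})),
        "revoked": validate_server_cert(REVOKED, host, TRUSTED, store, NOW, frozenset({"issuer", "dates", "hostname"})),
        "log": log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```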
Working with SSL Traffic
The STunnel (SSL interception and tunnel) configuration intercepts all SSL traffic,
handing HTTPS traffic off to the HTTPS forward proxy for compression and acceleration.
STunnel decrypted traffic may be tapped and read by a third party application such as
Wireshark or Snort.
Recommendations for intercepting traffic include:
❐ Intercept non-HTTPS traffic for acceleration
❐ Intercept any SSL traffic for tap, when you don’t know the application protocol over
SSL
❐ The HTTPS information in the next section applies as well
Determining What HTTPS Traffic to Intercept
The SSL proxy tunnels HTTPS traffic by default; it does not intercept HTTPS traffic.
Many existing policy conditions, such as destination IP address and port number, can be
used to decide which HTTPS connections to intercept.
Additionally, the SSL proxy allows the host name in the server certificate to be used to
make the decision to intercept or tunnel the traffic. The server certificate host name can be
used as is to make intercept decisions for individual sites, or it can be categorized using
any of the various URL databases supported by Blue Coat.
Categorization of server certificate host names can help place the intercept decision for
various sites into a single policy rule.
Recommendations for intercepting traffic include:
❐ Intercept Intranet traffic.
❐ Intercept suspicious Internet sites, particularly those that are categorized as none in
the server certificate.
Traffic that is recommended not to intercept includes sites carrying sensitive
information, such as personal financial information.
Managing Decrypted Traffic
After the HTTPS connection is intercepted, you can perform:
❐ Anti-virus scanning over ICAP
❐ URL filtering
❐ Filtering based on the server certificate host name
❐ Caching
HTTPS applications that require browsers to present client certificates to secure Web
servers do not work if you are intercepting traffic. To address this, you can create a policy
rule to prevent the interception of such applications, or add client certificates to the
appliance, and write policy to present the correct certificate.
If you configure the appliance to intercept HTTPS traffic, be aware that local privacy laws
might require you to notify the user about interception or obtain consent prior to
interception. You can opt to use the HTML Notify User object to notify users after
interception or you can use consent certificates to obtain consent before interception. The
HTML Notify User is the easiest option; however, the appliance must decrypt the first
request from the user before it can issue an HTML notification page.
Using the SSL Proxy with ADN Optimization
The SSL proxy itself can be used as a split proxy, which requires two SSL proxies, one at
the branch and one at the core, working together. A split proxy can be configured (see
below) to implement functionality that is not possible in a standalone proxy.
In this configuration, the SSL proxy supports ADN optimization on WAN networks, and
SSL traffic performance can be increased through the byte caching capability offered. The
branch proxy, which makes the decisions, is configured with both ADN optimization and
SSL proxy functionality.
The Concentrator proxy (a ProxySG appliance that provides access to data center
resources) does not require any configuration related to the SSL proxy. It only requires the
necessary ADN configuration for applying byte caching capabilities to intercepted SSL
content.
No special configuration of the SSL proxy is required on the Concentrator.
[Figure: system configuration of the two proxies. Branch proxy: ADN Optimization,
Device Authentication and Authorization, SSL Proxy Configuration, ADN Secure Tunnel.
Concentrator proxy: ADN Optimization, Device Authentication and Authorization,
ADN Secure Tunnel.]
Section A: Intercepting HTTPS Traffic
Intercepting HTTPS traffic (by decrypting SSL connections at the appliance) allows you
to apply security measures like virus scanning and URL filtering. See “Configuring
STunnel” on page 251 to intercept HTTPS using STunnel.
Configuration to intercept HTTPS traffic requires the following tasks:
❐ An SSL license is required before you can make use of the SSL proxy for interception.
Verify this on the Maintenance > Licensing page.
❐ Determine whether you are using transparent or explicit mode. For information on
explicit versus transparent proxies, see Chapter 6: "Explicit and Transparent Proxy"
on page 113.
❐ Create an SSL service or HTTP/SOCKS services with protocol detection enabled,
depending on whether you are using transparent or explicit mode. The Detect Protocol
setting is disabled by default. For more information on creating an SSL service, skip
to "Configuring the SSL Proxy in Transparent Proxy Mode" on page 230.
❐ Create or import an issuer keyring, which is used to sign emulated server certificates
to clients on the fly, allowing the SSL proxy to examine SSL content. For more
information on creating an issuer keyring, see "Specifying an Issuer Keyring and CCL
Lists for SSL Interception" on page 232.
❐ (Optional) Use the Notify User object or client consent certificates to notify users that
their requests are being intercepted and monitored. Whether this is required depends
on local privacy laws. The appliance has to decrypt the first request from the user to
issue an HTML notification page. If this is not desirable, use client consent certificates
instead. For more information on configuring the Notify User policy, refer to the Visual
Policy Manager Reference. For information on managing client consent certificates,
see "Using Client Consent Certificates" on page 233.
❐ Download CA certificates to desktops to avoid a security warning from the client
browsers when the appliance is intercepting HTTPS traffic. For information, see
"Downloading an Issuer Certificate" on page 234.
❐ Using policy (VPM or CPL), create rules to intercept SSL traffic and to control
validation of server certificates. By default, such traffic is tunneled and not
intercepted. You must create suitable policy before intercepting SSL traffic. For more
information on using policy to intercept SSL traffic, see Section B: "Configuring SSL
Rules through Policy" on page 239.
❐ Enable Policy Services. See Chapter 23: "Using Policy Services" on page 489.
❐ Configure the WebFilter or a third-party URL-filtering vendor, if you have not already
done this. For more information on configuring BCWF, see Chapter 20: "Filtering
Web Content" on page 399.
❐ Configure Access Logging. For more information on configuring access logging, see
"Configuring Access Logging" on page 607.
❐ Customize Exception Pages: To customize exception pages (in case of server
certificate verification failure), refer to the Advanced Policy Tasks chapter, Section E, of
the Visual Policy Manager Reference.
Configuring the SSL Proxy in Transparent Proxy Mode
Proxy services are configured from the Management Console or the CLI. If using the SSL
proxy in transparent mode, continue with this section.
If you are using the SSL proxy in explicit mode, you might need an HTTP proxy or a
SOCKS proxy. For information on configuring an SSL proxy in explicit mode, see
"Configuring the SSL Proxy in Explicit Proxy Mode" on page 232.
You can use a TCP Tunnel service in transparent mode to get the same functionality. A
TCP tunnel service is useful when you have a combination of SSL and non-SSL traffic
going over port 443 and you do not want to break the non-SSL traffic. The SSL service
requires that all requests to its port be SSL.
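The following is an added example, not code from SGOS or from this guide, and not the appliance's actual detection algorithm. It shows, with a simplified first-bytes classifier, why a TCP Tunnel service with Detect Protocol can carry mixed traffic on port 443 while an SSL service cannot: the TLS ClientHello and HTTP/1.x request patterns are taken from those protocols' wire formats, and the dispatch outcomes (hand TLS to the SSL proxy, tunnel everything else, reject non-SSL on an SSL service) are this example's reading of the paragraph above.

```python
# Added example (not SGOS code): a simplified first-bytes protocol detector that
# illustrates why a TCP Tunnel service with Detect Protocol can carry mixed
# traffic on port 443 while an SSL service cannot. The byte patterns are from
# the TLS record and HTTP/1.x formats; the dispatch outcomes are an assumption.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")


def detect_protocol(first_bytes: bytes) -> str:
    """Classify the first bytes a client sends as 'tls', 'http' or 'unknown'.
    A TLS ClientHello starts with record type 0x16 (handshake), major version
    0x03, a two-byte record length, then handshake type 0x01."""
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def dispatch(service: str, first_bytes: bytes) -> str:
    """Where a connection goes on a port-443 listener of the given service type."""
    proto = detect_protocol(first_bytes)
    if service == "ssl":
        # An SSL service expects every request on its port to be SSL.
        return "ssl-proxy" if proto == "tls" else "error: non-SSL traffic on SSL service"
    if service == "tcp-tunnel":
        # With Detect Protocol, only TLS is handed to the SSL proxy; everything
        # else is passed through as an opaque TCP tunnel and is not broken.
        return "ssl-proxy" if proto == "tls" else "tcp-tunnel"
    raise ValueError(f"unknown service type {service!r}")


# Constructed samples: the start of a TLS 1.2 ClientHello record, a plain HTTP
# request, and an SSH banner standing in for arbitrary non-SSL traffic on 443.
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2A, 0x01, 0x00, 0x00, 0x26, 0x03, 0x03])
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_8.0\r\n"

if __name__ == "__main__":
    for name, sample in [("tls", TLS_CLIENT_HELLO), ("http", HTTP_REQUEST), ("ssh", SSH_BANNER)]:
        print(name, detect_protocol(sample), dispatch("ssl", sample), dispatch("tcp-tunnel", sample))
```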
To configure an SSL service in transparent proxy mode:
1. From the Management Console, select the Configuration > Services > Proxy Services
tab.
2. Click New. The Edit Service dialog displays.
3. In the Name field, enter a meaningful name for this SSL proxy service.
4. From the Service Group drop-down list, select to which service this configuration
applies. By default, Other is selected.
5. Select SSL from the Proxy settings drop-down list.
6. TCP/IP Settings option: The Early Intercept option cannot be changed for the SSL
proxy service.
7. Select ADN options:
• Enable ADN. Select this option to configure this service to use ADN. Enabling
ADN does not guarantee the connections are accelerated by ADN. The actual
enable decision is determined by ADN routing (for explicit deployment) or
network setup (for transparent deployment).
• The Optimize Bandwidth option is selected by default if you enabled WAN
optimization during initial configuration. Clear the option if you are not
configuring WAN optimization.
8. Create a new listener:
a. Click New; if you edit an existing listener, click Edit.
b. In the Source address area, the most common selection is All, which means
the service applies to requests from any client (IPv4 or IPv6). You can,
however, restrict this listener to a specific IPv4/IPv6 address or user subnet/
prefix length.
c. Select a Destination address from the options. The correct selection might
depend on network configuration. For overviews of the options, see "About
Proxy Services" on page 124.
d. In the Port Range field, enter a single port number or a port range used by
this application protocol. For a port range, enter a dash between the start
and end ports. For example: 8080-8085
e. In the Action area, select the default action for the service: Bypass tells the
service to ignore any traffic matching this listener. Intercept configures the
service to intercept and proxy the associated traffic.
f. Click OK to close the dialog. The new listener displays in the Listeners area.
9. Click OK to close the Edit Service dialog.
10. Click Apply.
Continue with "Specifying an Issuer Keyring and CCL Lists for SSL Interception" on
page 232.
Section 1 Configuring the SSL Proxy in Explicit Proxy Mode
The SSL proxy can be used in explicit mode in conjunction with the HTTP Proxy or
SOCKS Proxy. You must create an HTTP Proxy service or a SOCKS Proxy service and
use it as the explicit proxy from desktop browsers. You must also ensure that the detect-
protocol attribute is enabled for these services.
When requests for HTTPS content are sent to either a SOCKS proxy or an HTTP proxy,
the proxies can detect the use of the SSL protocol on such connections and enable SSL
proxy functionality.
Continue with "Specifying an Issuer Keyring and CCL Lists for SSL Interception" on
page 232.
Specifying an Issuer Keyring and CCL Lists for SSL Interception
The SSL proxy can emulate server certificates; that is, present a certificate that appears to
come from the origin content server. In actuality, Blue Coat has emulated the certificate
and signed it using the issuer keyring. By default only the subjectName and the expiration
date from the server certificate are copied to the new certificate sent to the client. The
appliance supports the following key sizes when it emulates server certificates:
❐ DSA and ECDSA certificates: Key size up to 2048 bits
❐ RSA certificates: Key size up to 4096 bits
Note: Only keyrings with both a certificate and a keypair can be used as issuer keyrings.
You can also change the CA Certificate Lists (CCLs) that contain the CAs to be trusted
during client and server certificate validation. The appliance can verify DSA, RSA, and
ECDSA signed client and server CA certificates. The defaults are adequate for the
majority of situations. For more information about CCLs, see Chapter 75:
"Authenticating an Appliance" on page 1415.
To specify the keyring and CCLs:
1. From the Management Console, select Configuration > Proxy Settings > SSL Proxy.
2. Issuer Keyring: From the drop-down menu, select the keyring to use as the issuer
keyring. Any keyring with both a certificate and a keypair in the drop-down menu can
be used.
3. CCL for Client Certificates: Choose which CAs are trusted when the SSL proxy
validates client certificates. The default is <All CA Certificates>.
4. CCL for Server Certificates: Choose which CAs are trusted when the SSL proxy
validates server certificates. The CCL for server certificates is relevant even when
SSL proxy is tunneling SSL traffic. The default is browser-trusted.
Note: It is possible to set the CCL to validate client or server certificates from within
policy on a per-request basis. For details, see the
client.certificate.validate.ccl() and server.certificate.validate.ccl()
properties in the Content Policy Language Reference.
5. Click Apply.
To configure policy, see "Configuring SSL Rules through Policy" on page 239.
Configuring OCSP Stapling and CRLs for Emulated Certificates
Online Certificate Status Protocol (OCSP) stapling (RFC 6066) and Certificate
Revocation Lists (CRLs) allow you to obtain the revocation status of an X.509 digital
certificate. The ProxySG appliance supports configuring these options for emulated
certificates that the SSL forward proxy delivers.
Note: You might want to configure both OCSP stapling and a CRL if some clients
only support one of the methods.
To enable or disable OCSP stapling, use the following command:
OCSP stapling is enabled by default.
To enable the appliance to provide a CRL for the emulated certificates:
1. From the Management Console, select Configuration > Proxy Settings > SSL Proxy.
2. Select Enable CRL on emulated certificates.
3. In the CRL distribution point host name field, enter the host name that is used to reach
the ProxySG appliance for CRL downloads.
4. Click Apply.
Using Client Consent Certificates
The SSL proxy, in forward proxy deployments, can specify whether a client (typically a
browser) certificate is required. These certificates are used for user consent, not for user
authentication. Whether they are needed depends upon local privacy laws.
With client consent certificates, each user is issued a pair of certificates with the
corresponding private keys. Both certificates have a meaningful user-readable string in the
common name field. One certificate has a string that indicates grant of consent something
like: “Yes, I agree to SSL interception”. The other certificate has a common name
indicating denial of consent, something like: “No, I do not agree to SSL interception”.
Policy is installed on the appliance to look for these common names and to allow or deny
actions. For example, when the string “Yes, I agree to SSL interception” is seen in the
client certificate common name, the connection is allowed; otherwise, it is denied.
To configure client consent certificates:
1. Install the issuer of the client consent certificates as a CA certificate.
2. In VPM, configure the Require Client Certificate object in the SSL Layer > Action
column.
3. Configure the Client Certificate object in the Source column to match common names.
Downloading an Issuer Certificate
When the SSL proxy intercepts an SSL connection, it presents an emulated server
certificate to the client browser. The client browser issues a security pop-up to the end-
user because the browser does not trust the issuer used by the appliance. This pop-up does
not occur if the issuer certificate used by SSL proxy is imported as a trusted root in the
client browser's certificate store.
The appliance makes all configured certificates available for download via its
management console. You can ask end users to download the issuer certificate through
Internet Explorer or Firefox and install it as a trusted CA in their browser of choice. This
eliminates the certificate popup for emulated certificates.
To download the certificate through Internet Explorer, see "To download a certificate
through Internet Explorer:" on page 234. To download a certificate through Firefox, see
"To download a certificate through Firefox:" on page 235.
To download a certificate through Internet Explorer:
Note: You can e-mail the console URL corresponding to the issuer certificate to end
users so that they can install the issuer certificate as a trusted CA.
1. Select the Statistics > Advanced tab.
2. Select SSL.
3. Click Download a Certificate as a CA Certificate; the list of certificates on the system
displays.
4. Click a certificate (it need not be associated with a keyring); the File Download
Security Warning displays asking what you want to do with the file.
5. Click Save. When the Save As dialog displays, click Save; the file downloads.
6. Click Open to view the Certificate properties; the Certificate window displays.
7. Click the Install Certificate button to launch the Certificate Import Wizard.
8. Ensure the Automatically select the certificate store based on the type of certificate
radio button is enabled before completing the wizard.
9. Click Finish. The wizard announces when the certificate is imported.
10. (Optional) To view the installed certificate, go to Internet Explorer, select Tools >
Internet Options > Contents > Certificates, and open either the Intermediate Certification
Authorities tab or the Trusted Root Certification Authorities tab, depending on the
certificate you downloaded.
To download a certificate through Firefox:
Note: You can e-mail the console URL corresponding to the issuer certificate to end
users so that the end-user can install the issuer certificate as a trusted CA.
1. Select the Statistics > Advanced tab.
2. Select SSL.
3. Click Download a ProxySG Certificate as a CA Certificate; the list of certificates on the
system displays.
4. Click a certificate (it need not be associated with a keyring); the Download Certificate
dialog displays.
5. Enable the options needed. View the certificate before trusting it for any purpose.
6. Click OK; close the Advanced Statistics dialog.
Section 2 Warn Users When Accessing Websites with Untrusted Certificates
Preserve Untrusted Certificate Issuer allows the appliance to present the browser with a
certificate that is signed by its untrusted issuer keyring. The browser displays certificate
information to the user, and lets the user accept the security risk of an untrusted certificate
and proceed to the website.
The default-untrusted keyring has been added to the appliance to use with the Preserve
Untrusted Certificate Issuer feature. The default-untrusted keyring should not be
added to any trusted CA lists.
Note: This only applies to SSL forward proxy transactions with HTTPS interception
enabled.
To display a warning to users about untrusted certificates on a website, you must complete
the following tasks.
Task # Reference
1 "Presenting Untrusted Certificates to a Browser" on page 237
2 "Set the Behavior when Encountering Untrusted Certificates" on page 237
Presenting Untrusted Certificates to a Browser
Configure the appliance to act as a certificate authority and present a certificate signed by
a specific keyring for all traffic. The default is the default-untrusted keyring.
1. From the Management Console, select Configuration > Proxy Settings > SSL Proxy.
2. To have the appliance act as a Certificate Authority (CA) and present the browser with
an untrusted certificate, select Preserve untrusted certificate issuer.
3. From the Untrusted Issuer Keyring drop-down, select the desired keyring from the list
of eligible keyrings which will be used to sign untrusted server certificates presented
by the appliance.
4. Click Apply.
Set the Behavior when Encountering Untrusted Certificates
In the VPM or CPL, define what the appliance should do for specific traffic if the user
tries to access a website with an untrusted certificate.
Define Behavior in the Visual Policy Manager (VPM)
Override the Management Console settings for specific traffic, to specify whether the
users should be prompted when a certificate that has not been signed by a trusted
Certificate Authority is encountered.
In the SSL Intercept Layer, add one of the following Actions:
❐ Do not Preserve Untrusted Issuer
If an OCS presents a certificate to the appliance that is not signed by a trusted
Certificate Authority (CA), the appliance either sends an error message to the browser,
or ignores the error and processes the request, based on the configuration of the Server
Certificate Validation object.
❐ Preserve Untrusted Issuer
If an OCS presents a certificate to the appliance that is not signed by a trusted
Certificate Authority (CA), the appliance acts as a CA and presents the browser with
an untrusted certificate. A warning message is displayed to the user, and they can
decide to ignore the warning and visit the website or cancel the request.
❐ Use Default Setting for Preserve Untrusted Issuer
The Preserve untrusted certificate issuer configuration setting in the Management
Console is used to determine whether or not untrusted certificate issuer should be
preserved for a connection. This is the default behavior.
Define Behavior in CPL
Include the following syntax in policy to specify the behavior of the appliance when users
encounter a website with an untrusted certificate:
ssl.forward_proxy.preserve_untrusted(auto|yes|no)
where:
• auto - Uses the Preserve untrusted certificate issuer configuration setting in the
Management Console to determine whether untrusted certificate issuer should be
preserved for a connection. This is the default.
• yes - Preserve untrusted certificate issuer is enabled for the connection.
• no - Preserve untrusted certificate issuer is disabled for the connection.
For example, to enable preservation of the untrusted certificate issuer, use the
following syntax:
<ssl-intercept>
ssl.forward_proxy.preserve_untrusted(yes)
238
Chapter 9: Managing the SSL Proxy
Section B: Configuring SSL Rules through Policy
SSL interception and access rules, including server certificate validation, are configured
through policy—either the VPM or CPL. Use the SSL Intercept Layer to configure SSL
interception; use the SSL Access Layer to control other aspects of SSL communication
such as server certificate validation and SSL versions. To configure SSL rules using CPL,
refer to the Content Policy Language Reference. This section covers the following topics:
❐ "Using the SSL Intercept Layer" on page 239.
❐ "Using the SSL Access Layer" on page 241
❐ "Using Client Consent Certificates" on page 233
The policy examples in this section are for in-path deployments of appliances.
Using the SSL Intercept Layer
The SSL intercept layer allows you to set intercept options:
❐ "To intercept HTTPS content through VPM:" on page 239
❐ "To intercept HTTPS requests to specific sites through the VPM:" on page 240
❐ "To customize server certificate validation through VPM:" on page 241
❐ “Configuring STunnel” on page 251
Note: For detailed instructions on using VPM, refer to the Visual Policy Manager
Reference.
To intercept HTTPS content through VPM:
1. Select the Configuration > Policy > Visual Policy Manager tab and launch the VPM.
2. From the Policy drop-down menu, select Add SSL Intercept Layer.
3. Right-click Set in the Action column; the Set Action object displays.
4. Click New and select Enable HTTPS Intercept object.
The options for Issuer Keyring, Hostname, Splash Text, and Splash URL all control
various aspects for certificate emulation. Fill in the fields as follows:
a. Issuer Keyring: If you selected an issuer keyring previously, that keyring
displays. If you did not select an issuer keyring previously, the default keyring
displays. To change the keyring that is used as the issuer keyring, choose a
different keyring from the drop-down menu.
b. Hostname: The host name you put here is the host name in the emulated
certificate.
c. Splash Text: You are limited to a maximum of 200 characters. The splash text
is added to the emulated certificate as a certificate extension.
d. Splash URL: The splash URL is added to the emulated certificate as a
certificate extension.
The STunnel options control various aspects of SSL interception.
a. Enable STunnel Interception: Establish a policy where configured STunnel
services (such as POP3S and SMTPS) are terminated and accelerated.
b. Enable SSL interception with automatic protocol detection: In addition to
STunnel interception as described above, discovered HTTPS is handed off to
the HTTPS proxy. Otherwise, SSL traffic continues in STunnel mode.
5. Click OK to save the changes.
You can use the Disable SSL Intercept object to disable HTTPS Intercept.
To intercept HTTPS requests to specific sites through the VPM:
1. Select the Configuration > Policy > Visual Policy Manager tab and launch the VPM.
2. From the Policy drop-down menu, select Add SSL Intercept Layer.
3. In the Destination column, right-click Set; the Set Destination Object displays.
4. Click New and select Server Certificate.
5. Fill in the fields as described below. You can only select one field:
a. Hostname: This is the host name of the server whose traffic you want to
intercept. After entering the host name, use the drop-down menu to specify
Exact Match, Contains, At Beginning, At End, Domain, or Regex.
b. Subject: This is the subject field in the server's certificate. After you enter the
subject, use the drop-down menu to specify Exact Match, Contains, At
Beginning, At End, Domain, or Regex.
6. Click Add, then Close; click OK to add the object to the rule.
To categorize host names in server certificates through VPM:
1. While still in the Destination column of the SSL Intercept layer, right-click Set; the Set
Destination object displays.
2. Click New and select the Server Certificate Category object. The Add Server Certificate
Category Object displays. You can change the name in the top field if needed.
3. Select the categories. The categories you selected display in the right-hand column.
4. Click OK.
Using the SSL Access Layer
For a list of the conditions, properties, and actions that can be used in the SSL Access
Layer, refer to the Content Policy Language Reference.
Note: For detailed instructions on using VPM, refer to the Visual Policy Manager
Reference.
To customize server certificate validation through VPM:
Note: The policy property server.certificate.validate, if set, overrides the ssl-
verify-server command for either HTTP or for forwarding hosts.
1. Select the Configuration > Policy > Visual Policy Manager tab and launch the VPM.
2. From the Policy drop-down menu, select Add SSL Access Layer.
3. In the Action column, right-click Set; the Set Action object displays.
4. Click New and select Set Server Certificate Validation object.
5. By default, server certificate validation is enabled; to disable it, select Disable server
certificate validation at the bottom of the dialog.
If server certificate validation is enabled, you can determine behavior by selecting the
Ignore hostname mismatch, Ignore expiration, or Ignore untrusted issuer options. These
options mimic the overrides supported by most browsers.
6. Select an option for revocation checks:
• Select an Online Certificate Status Protocol (OCSP) option. For more
information, see Section F: "Checking Certificate Revocation Status in Real Time
(OCSP)" on page 1271.
• Use only local certificate revocation check: Uses the CRL configured on the
appliance to perform the revocation check for a server certificate.
• Do not check certificate revocation: Does not check the revocation status of the
server certificate; however it still carries out the other certificate validation
checks.
7. Click OK; click OK again to add the object.
Notes
Note: Pipelining configuration for HTTP is ignored for HTTPS requests intercepted by
the SSL proxy. When the SSL proxy intercepts an HTTPS request, and the response is an
HTML page with embedded images, the embedded images are not pre-fetched by the
appliance.
❐ If the appliance and the origin content server cannot agree on a common cipher suite
for intercepted connections, the connection is aborted.
❐ Server-Gated Cryptography and step-up certificates are treated just as regular
certificates; special extensions present in these certificates are not copied into the
emulated certificate. Clients relying on SGC/step-up certificates continue using
weaker ciphers between the client and the appliance when the SSL proxy intercepts
the traffic.
Section C: Offloading SSL Traffic to an SSL Visibility Appliance
You can connect one or more ProxySG appliances to the SSL Visibility (SSLV) appliance
to offload SSL/TLS traffic processing.
To use SSLV offload, you require the following:
❐ SSLV 4.0.1
❐ SSLV serial number(s)
❐ ProxySG appliance serial number(s)
❐ If using the ProxySG command line interface (CLI), the enable password
For SSLV configuration details refer to the SSL Visibility Appliance Administration &
Deployment Guide.
Configuring SSLV offload requires that you identify the ProxySG and SSLV appliances to
each other using their respective serial numbers. In addition to completing the
following steps on the ProxySG appliance, you must add the ProxySG appliance’s serial
number to the SSLV appliance(s). Refer to the SSL Visibility Appliance Administration &
Deployment Guide for instructions.
Configure SSLV offload:
1. In the ProxySG Management Console, select Configuration > SSL > SSLV Offload. The
console displays the SSLV Offload tab.
2. Enable SSL offload. Select Enable SSLV Offload and click Apply.
3. (Optional) Select an SSL device profile for authentication. From the SSL Device
Profile menu, select an existing SSL device profile. By default, bluecoat-appliance-
certificate is selected.
4. Add SSLV appliances:
a. Click Add. The console opens an Add SSLV Device dialog.
b. Enter device IDs (serial numbers) of the SSLV appliances to allow.
You can enter IDs manually or copy and paste from an existing list. Make sure
that each ID is on a separate line. Click OK when you are done.
If you entered incorrectly formatted IDs, the console displays a warning message.
If this occurs, correct the errors and click OK again.
If you entered duplicate IDs, the system will keep one entry in the list.
c. Click Apply to save your changes.
Manage the list of approved SSLV appliances:
1. In the ProxySG Management Console, select Configuration > SSL > SSLV Offload. The
console displays the SSLV Offload tab with the list of approved appliances.
2. Manage the list of SSLV appliances:
• Sort the list of IDs: Beside the Device ID header, click the arrow to change the
order.
• Remove specific IDs: Select one or more IDs and click Remove. Click OK on the
dialog to confirm you want to remove the specified appliance(s).
• Clear the entire list of IDs: Click Remove All. Click Yes on the dialog to confirm
you want to remove all appliances.
3. Click Apply to save your changes.
Section D: Viewing SSL Statistics
The following sections discuss how to analyze various statistics generated by SSL
transactions.
Section 3 Viewing SSL History Statistics
The Statistics > Protocol details > SSL History tabs (SSL Data, SSL Clients, SSL Bytes)
provide various useful statistics for unintercepted SSL traffic.
Note: Some SSL statistics (SSL client connections and total bytes sent and received over
a period of time) can only be viewed through the Management Console (see
"Unintercepted SSL Data" on page 247 and "Unintercepted SSL Clients" on page 247).
Unintercepted SSL Data
The SSL Data tab on the Management Console displays SSL statistics.
The following table details the statistics provided through the SSL Data tab for the
Unintercepted SSL protocol.
Table 9–1 Unintercepted SSL Data Statistics
Status Description
Current unintercepted SSL The current number of unintercepted SSL client
connections connections.
Total unintercepted SSL connections The cumulative number of unintercepted SSL client
connections since the appliance was last rebooted.
Total bytes sent The total number of unintercepted bytes sent.
Total bytes received The total number of unintercepted bytes received.
To view unintercepted SSL data statistics:
From the Management Console, select the Statistics > Protocol Details > SSL History > SSL
Data tab; make sure Unintercepted SSL is selected for the Protocol.
The default view shows all unintercepted SSL data.
Unintercepted SSL Clients
The SSL Clients tab displays dynamic graphical statistics for connections received in the
last 60-minute, 24-hour, or 30-day period.
To view SSL client unintercepted statistics:
1. From the Management Console, select the Statistics > Protocol Details > SSL History >
SSL Clients tab.
2. Make sure Unintercepted SSL is selected for the Protocol.
3. Select a time period for the graph from the Duration: drop-down list. The default is
Last Hour.
4. (Optional) To set the graph scale to a different value, select a value from the Graph
scale should drop-down list.
Unintercepted SSL Bytes
The SSL Bytes tab displays dynamic graphical statistics for bytes received in the last
60-minute, 24-hour, or 30-day period.
To view unintercepted SSL byte statistics:
1. From the Management Console, select the Statistics > Protocol Details > SSL History >
SSL Bytes tab.
2. Make sure Unintercepted SSL is selected for the Protocol.
3. Select the Duration: for the graph from the drop-down list. The default is Last Hour.
4. (Optional) To set the graph scale to a different value, select a value from the Graph
scale should drop-down list.
Section E: Using STunnel
STunnel intercepts SSL traffic regardless of the application protocol carried over it.
HTTPS traffic may be identified and handed off to the HTTPS proxy, and you may create
services to inspect and accelerate other SSL protocols, such as SMTPS. The decrypted data
may be tapped; see "Tapping Decrypted Data with Encrypted Tap" on page 256.
STunnel integrates with secure ADN. When secure ADN is enabled, SSL traffic is
accelerated using byte caching and/or compression. An STunnel service intercepts
traffic based on the configuration and policy. For intercepted SSL sessions, the STunnel
proxy acts as a man-in-the-middle.
The STunnel sub-proxy can perform the following actions:
❐ Intercept SSL traffic and hand off HTTPS content to the HTTPS proxy when it is
detected.
❐ Intercept non-HTTPS traffic.
❐ With ADN, accelerate intercepted SSL traffic.
If you are familiar with configuring an inline or explicit HTTPS proxy, STunnel works the
same way. STunnel is configured with the following policy rule:
ssl.forward_proxy(yes)
or
ssl.forward_proxy(stunnel)
Traffic is handled by STunnel, and tunneled through or processed as appropriate.
STunnel supports SSLv2, SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2.
Section 4 Configuring STunnel
You can configure STunnel using the Visual Policy Manager (VPM) or the Management
Console.
Configure STunnel Policy using VPM
STunnel, which lets you intercept SSL traffic regardless of the application protocol over it,
is configured on the interception layer. To configure STunnel policy using the VPM,
follow these steps.
1. On the Configuration tab, select Policy > Visual Policy Manager, then click Launch.
2. Select Policy > Add SSL Intercept Layer.
3. Right-click in the Action column.
4. Choose Set > New > Enable SSL Interception.
5. On the Add SSL Interception Object window, choose one of the following:
• Enable STunnel Interception: Establish a policy where configured STunnel
services (such as POP3S and SMTPS) are terminated and accelerated. Make sure
to configure the related services if you choose this option.
• Enable SSL interception with automatic protocol detection: In addition to STunnel
interception as described above, discovered HTTPS is handed off to the HTTPS
proxy. Otherwise, SSL traffic continues in STunnel mode.
6. Click OK. The window closes.
7. Click OK on the Set Action Object Window; it closes.
8. To examine the policy, press View.
9. Click Install policy on the VPM window.
Configure STunnel via the Management Console
Accelerate SSL Traffic
To provide acceleration to SSL using byte caching, enable a secure ADN. See "Using the
SSL Proxy with ADN Optimization" for details.
Intercept the traffic as described in "Intercept SSL Based Traffic" .
For an inline or explicit forward proxy, use the policy rule ssl.forward_proxy(stunnel)
or ssl.forward_proxy(yes).
Note: If an unsuccessful SSL interception occurs (the SSL handshake fails), the traffic is
tunneled.
Intercept SSL Based Traffic
Use STunnel to intercept SSL traffic, such as POP3S, SMTPS, and HTTPS.
Configure a Forward Proxy with an STunnel Service
1. Set up a Secure ADN between the concentrator and branch peer. See "Verify Secure
ADN" on page 298.
2. On the branch peer, edit or create POP3S or SMTPS services (create a new service at
Configuration > Services > Proxy Services > New Service).
3. Click Apply on the Configuration tab.
Example POP3S setup (POP3S is located in the Bypass-Recommended group by default):
Name: POP3S
Service Group: Standard
Proxy Settings/Proxy: SSL
Detect Protocol: checked; identified HTTPS traffic is handed to the HTTPS forward
proxy for processing
TCP/IP: N/A
Application Delivery Network Settings: click Enable ADN; Retention priority is set to
normal.
Listeners: set Action to Intercept.
For an SMTPS setup, follow the same configuration, except choose the appropriate
port and enter SMTPS as the Name.
Make sure your SSL policy is configured correctly for STunnel. See the next section.
Section 5 Viewing STunnel Results
Traffic and Service results are available for STunnel. See Chapter 35: "Statistics" on
page 741 for additional details on understanding the presentation of statistics.
• STunnel is part of the SSL proxy, but is broken out under STunnel in the Proxy
statistics, so you may easily find the results.
• The SSL proxy controls the tunneled (unintercepted) SSL traffic—there is no
need to look at the Bandwidth Savings report for the SSL proxy since this traffic is
not accelerated.
• For a typical setup, where you have HTTPS traffic identified and handed off to its
proxy, make sure to look at the HTTPS proxy statistics and bandwidth savings as
well as STunnel reports in order to get the best understanding of STunnel results.
Viewing Traffic Statistics
To see traffic statistics, go to Statistics > Traffic Details. View the Traffic Mix and Traffic
History tab statistics. STunnel sessions are listed under Active and Errored sessions, as
well.
Traffic Mix
On the Traffic Mix > Service tab, view traffic distribution and bandwidth statistics for SSL
service traffic running through the appliance.
Traffic History
STunnel sessions are listed under Traffic Mix and Traffic History:
1. Select Statistics > Traffic Details > Traffic Mix or Traffic History.
2. On the Traffic Mix tab, select Proxy.
• The BW Usage and BW Gain tabs are available.
• The pie chart visually represents the bandwidth percentage for each proxy,
including STunnel.
• Scroll down in the table to view the STunnel (and HTTPS) information.
3. On the Traffic History tab, select Proxy.
• View STunnel on the BW Usage, BW Gain, Client Bytes and Server Bytes tabs.
Application Mix
The appliance can classify SSL-tunneled traffic without full HTTPS interception. The
Statistics > Application Details > Application Mix and Statistics > Application Details >
Application History reports display the applications detected in SSL-tunneled traffic. In the
Proxy Type column of the Application Mix report, look for STunnel.
Viewing Session Statistics
To see STunnel accelerated session statistics such as duration, bandwidth savings using
ADN functionality, and caching for current active and historical errored sessions, view
the Sessions statistics on the Statistics tab.
1. On the Concentrator peer, log in to the Management Console.
2. Select the Statistics > Sessions > Active Sessions/Errored Sessions > Proxied Sessions
tab.
3. From the Filter drop-down list, select Protocol.
4. Select STunnel from the corresponding drop down list.
5. Press Show.
See "Active Sessions—Viewing Per-Connection Statistics" on page 767 for details on
using these windows.
Viewing Protocol Details
Go to Protocol Details > SSL Data tab to view client connection and data transfer bytes
information for STunnel.
At Protocol, select STunnel.
Access Logging
View the SSL log to see the STunnel sessions; the cs-protocol value is set to stunnel.
Section F: Tapping Decrypted Data with Encrypted Tap
Encrypted tap streams decrypted data from intercepted HTTPS or STunnel SSL
transactions on client connections. The tap is performed simultaneously and on the same
appliance which is performing the Secure Web Gateway function. The data is presented in
a format that can be understood by common network traffic analysis tools like Wireshark,
common network intrusion detection systems such as Snort, and so on.
• Encrypted Tap does not support VLAN.
• MTU is fixed at 1500 bytes.
• SSL protocol headers/records/details are not preserved.
• Encrypted Tap is supported for forward proxy for STunnel and HTTPS, and for
reverse proxy for HTTPS.
• Encrypted tap also taps WebSocket.
Before you start
• Ensure your SGOS license is up to date and includes a valid Encrypted Tap
component
• Configure HTTPS (see “Intercepting HTTPS Traffic” on page 229) or STunnel
(see “Using STunnel” on page 250) interception on the appliance.
• Ensure the appliance has at least one open Ethernet port.
• Have a computer with a spare Ethernet interface (unused or not otherwise assigned)
and a third-party analysis application installed, available to receive the tapped data.
Follow these steps
On the appliance:
1. Enable Proxy Services for HTTPS/HTTP:
a. From the Management Console, select Configuration tab > Services > Proxy Services.
b. On the Proxy Services tab, select Predefined Service Group >Standard >
HTTPS, and press Edit Service.
c. On the Edit Service pop up, under Listeners, set Action=Intercept.
d. Press OK. The Edit Service pop up closes.
2. On the Configuration tab > Proxy Settings > General > General tab, check Reflect
Client IP to reflect the client IP.
3. From the Management Console, select Configuration tab > Policy > Policy Options >
Default Proxy Policy: Allow to set the Default Policy to Allow.
4. Create the Encrypted Tap policy.
a. From the Management Console, on the Configuration tab, select Policy >
Visual Policy Manager > Launch. The Visual Policy Manager window pops up.
b. On the VPM, from Policy, select Add SSL Access Layer, and provide a name as
required.
c. Highlight the added row, right click on Action, and choose Set.
d. On the Set Action Object window, click New..., and choose Enable encrypted
tap.
e. On the Add Encrypted Tap Object window, set the name, verify Enable
encrypted tap is selected, and choose the tap Interface to use from the drop
down.
f. Click Ok. The window closes.
g. Click Ok. The Set Action Object window closes.
5. Install the Encrypted Tap policy.
a. Click Install Policy. You will see a confirmation when the new policy has been
installed.
Note: Make sure the tapped interface is not the same as any client, server, or
management interface in use, in order to avoid dumping tapped or decrypted traffic
onto real servers. Furthermore, to avoid dropping traffic at the L2 device (a consequence
of how L2 forwarding works), ensure there are no Layer 2 bridging devices between the
appliance and the sniffer tools used on the tapped interface.
On another computer:
1. Connect the PC to the selected Ethernet interface.
2. Open the third-party application (such as Wireshark), and configure it to monitor the
network traffic on the selected Ethernet interface. The intercepted HTTPS traffic
should now be viewable by this application.
Viewing Encrypted Tap Results
❐ Tapping the Traffic
Traffic is accessed at the specified interface. It has a TCP-like format which
network monitoring tools such as Wireshark and Snort can easily interpret. Here
are the output details:
• TCP-SYN/ACK for connection setup
• TCP-FIN/ACK or TCP-RST for connection tear downs.
• Original source and destination IP and ports of the connection
• TCP sequence numbers, acknowledgements, and checksums, updated accordingly
for data output
• TTL set to 1
• MAC addresses selected to avoid any potential conflicts. The Source MAC is the
original source MAC address. If the Destination MAC address belongs to the
original appliance, it may be translated, but will otherwise be preserved.
❐ View the SSL log to see HTTPS or STunnel sessions; tapped transactions have the
x-cs-connection-encrypted-tap value set to TAPPED.
Troubleshooting
This section describes troubleshooting tips and solutions for Encrypted Tap.
❐ View access logs for Encrypted Tap. See ‘Viewing Access-Log Statistics.’
❐ View the Encrypted Tap debug log and statistics.
❐ Perform a packet capture at the hardware interface on the appliance. Go to
Maintenance > Service Information > Packet Captures to access packet captures. The
capture provides details on the data transmitted by the appliance; compare this to the
received tap data.
❐ Perform policy tracing; refer to MySymantec for articles on how to perform an SSL
policy trace.
Section G: Working with an HSM Appliance
A Hardware Security Module (HSM) provides additional security for storing
cryptographic keys and certificates, which is required in some highly regulated industries.
The appliance is able to use a network-attached HSM appliance to store resigning CA
keys, and to perform digital signature operations. The appliance exchanges signing
requests and responses with the attached HSM appliance, over mutually authenticated
HTTPS requests. The appliance sends certificate data to the HSM.
The appliance can work with multiple HSM appliances, and multiple appliances can work
with the same HSM. If a policy rule that uses an HSM to sign cannot complete because the
HSM does not respond, the attempt is logged and the appliance responds with an
exception. In addition to the resigning certificates, the mutually authenticated connection
(communication pipeline) itself must be established using verified certificates.
Section 6 Working with the SafeNet Java HSM
The SafeNet Java HSM must be configured separately. Additionally, Symantec provides
an agent to install on the SafeNet Java HSM, which will be used to interact with Symantec
appliances. A certificate to authorize the agent is included. The Symantec HSM Agent
operates on top of a secure session. It communicates to the external Symantec entity
(ProxySG appliance), and is used remotely.
Before You Begin
In order for the appliance to trust the HSM, you must import the server certificate for the
HSM and add it to a CA Certificate List. Go to Configuration > SSL > CA Certificates,
and import the certificate. Name the certificate and paste the .PEM data into the
appropriate field. For further information, see “Importing CA Certificates” on page 1260.
An HSM requires a linked Device Profile (go to SSL > Device Profiles). Click New, and
create a FIPS-compliant or non-compliant profile as required, then enter the HSM
credentials into the Create SSL Device Profile window. For more information, see
"Specifying an Issuer Keyring and CCL Lists for SSL Interception".
Add an HSM
To add an HSM:
1. Select Configuration > SSL > HSM and click Create. The Create HSM window pops up.
2. Enter the HSM credentials. For the Device Profile, select the HSM profile created
earlier. Click OK to save the information and close the window.
3. Click Apply on the HSM window. The new HSM appears in the list. Referenced will
show “No” until you use the new HSM in policy.
Add an HSM Keyring
Adding an HSM keyring follows the same steps as adding any SSL keyring. HSM
keyrings are now also available in Proxy Settings > SSL Proxy > General Settings > Issuer
Keyring.
1. On the Configuration > SSL > HSM Keyrings tab, select Create. The Create HSM Keyring
window pops up.
2. Enter the HSM credentials. Use the Paste From Clipboard button to enter the
Certificate PEM file; the Key Label is the name associated with the private key created
on the SafeNet Java HSM. Click OK to save the information and close the window.
3. Click Apply on the HSM Keyrings window. The new HSM keyring appears in the list.
Referenced will show “No” until you use the new keyring in policy.
Note: A keyring which is referenced by policy can’t be deleted.
Once a keyring has been created, you can click View Certificate to see the certificate details
and PEM file data. Click Preview to see a list of actions which will occur when the keyring
is implemented.
Note: HSM keyrings also appear in the Proxy Settings > SSL Proxy list of Issuer
Keyrings.
Add an HSM Keygroup
Keygroups may be referenced in policy, instead of an individual keyring. When a
keygroup is used, the SSL connections are load balanced, either within one HSM or across
an HSM group.
Adding an HSM keygroup follows the same steps as adding any SSL keylist.
1. On the Configuration > SSL > HSM Keygroups tab, select Create. The Create HSM
Keygroup window pops up. Existing HSM keyrings appear in the Available HSM
Keyrings field.
2. Create the new group. Move keyrings from the Available HSM Keyrings list to the
Included HSM Keyrings list with the Add>> and Remove>> buttons, to have them
included in the new group.
3. Click OK. The window closes.
4. Click Apply on the HSM Keygroups window.
Section 7 Write HSM Policy
Use policy to direct the SSL proxy to use an HSM keyring or keygroup to sign an
emulated certificate from an intercepted authenticated SSL connection. See the following
graphic.
1. Launch the VPM (Policy > Visual Policy Manager > Launch).
2. On the Visual Policy Manager window, select Policy > Add SSL Intercept Layer.
3. Rename the layer on the Add New Layer window if required, then click OK (not shown
in the graphic).
4. Highlight the new layer, and right click at Action; select Set. The Set Action Object
window displays.
5. On the Set Action Object window, select New > Enable SSL Interception.
6. On the Add SSL Interception Object window, select the Issuer Keyring to use for HSM
signatures. Configured HSM keyrings and keygroups appear on the drop down list.
7. Click OK. The window closes.
8. Click Install Policy. You will see a “Policy installation was successful” message on
completion.
9. Close the VPM and click Apply.
Section H: Advanced Topics
If you use OpenSSL or Active Directory, you can follow the procedures below to manage
your certificates.
For OpenSSL, see "Creating an Intermediate CA using OpenSSL" on page 265; if using
Active Directory, see "Creating an Intermediate CA using Microsoft Server 2012 (Active
Directory)" on page 267.
Creating an Intermediate CA using OpenSSL
This section describes certificate management when creating an intermediate CA using
OpenSSL.
The overall steps are:
❐ "Installing OpenSSL" on page 265
❐ "Creating a Root Certificate" on page 265
❐ "Modifying the OpenSSL.cnf File" on page 266
❐ "Signing the ProxySG CSR" on page 266
❐ "Importing the Certificate into the Appliance" on page 267
❐ "Testing the Configuration" on page 267
Various OpenSSL distributions can be found at http://www.openssl.org.
Installing OpenSSL
After OpenSSL is installed, you must edit the openssl.cnf file and ensure the path
names are correct. By default, root certificates are located under ./PEM/DemoCA; generated
certificates are located under /certs.
Creating a Root Certificate
In order to create a root Certificate Authority (CA) certificate, complete the following
steps.
Note: The key and certificate in this example are located at ./bin/PEM/demoCA/private/.
1. In a command prompt, enter the following on one line:
openssl req -new -x509 -keyout c:\resources\ssl\openssl\bin\PEM\demoCA\private\cakey.pem -out c:\resources\ssl\openssl\bin\PEM\demoCA\private\CAcert.pem
where the root directory for OpenSSL is \resources\ssl\openssl. The command and its
output look like the following:
openssl req -new -x509 -keyout
c:\resources\ssl\openssl\bin\PEM\demoCA\private\cakey.pem -out
c:\resources\ssl\openssl\bin\PEM\demoCA\private\CAcert.pem
Using configuration from C:\Resources\SSL\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.....................................+++++
................................................+++++
writing new private key to
'c:\resources\ssl\openssl\bin\PEM\demoCA\private\cakey.pem'
Enter PEM pass phrase:
2. Type any string of more than four characters for the PEM pass phrase.
3. Enter the certificate parameters, such as country name and common name, that are
required for a Certificate Signing Request (CSR).
The private key and root CA are now located under the directory ./PEM/DemoCA/private.
4. Create a keyring.
a. From the Management Console, select Configuration > SSL > Keyrings.
b. Click Create; fill in the fields as appropriate.
c. Click OK.
5. Create a CSR on the appliance.
a. From the Management Console, select Configuration > SSL > Keyrings.
b. Highlight the keyring you just created; click Edit/View.
c. In the Certificate Signing Request pane, click Create and fill in the fields as
appropriate.
Note: Detailed instructions on creating a keyring and a CSR are in Chapter 75:
"Authenticating an Appliance" on page 1415.
6. Paste the contents of the CSR into a text file called new.pem located in the ./bin
directory.
Modifying the OpenSSL.cnf File
Modify the openssl.cnf file so that the certificate signed for the appliance is itself a CA
certificate; you can then import only the OpenSSL root CA into your browser. If you do not
do this step, you must import the appliance certificate into the browser instead.
1. In the openssl.cnf file, look for the string basicConstraints=CA, and set it to TRUE.
basicConstraints=CA:TRUE
2. Save the openssl.cnf file.
Signing the ProxySG CSR
Open a Windows command prompt window and enter:
openssl ca -policy policy_anything -out newcert.pem -in new.pem
The output is:
Using configuration from C:\Resources\SSL\OpenSSL\bin\openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'FR'
stateOrProvinceName :PRINTABLE:'Paris'
localityName :PRINTABLE:'Paris'
organizationName :PRINTABLE:'BlueCoat'
organizationalUnitName:PRINTABLE:'Security Team'
commonName :PRINTABLE:'Proxy.bluecoat.com'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Sep 27 13:29:09 2006 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
This signs the certificate; it can then be imported into the appliance.
Importing the Certificate into the Appliance
1. Open the file newcert.pem in a text editor.
2. Select Management Console > Configuration > SSL > SSL Keyrings.
3. Select the keyring used for SSL interception; click Edit/View.
4. Paste in the contents of the newcert.pem file.
5. Import the contents of the newcert.pem file into the CA Certificates list.
a. From the Management Console, select Configuration > SSL > CA Certificates.
b. Click Import; enter the certificate name in the CA Cert Name field.
c. Paste the certificate, being sure to include the -----BEGIN CERTIFICATE-----
and the -----END CERTIFICATE----- statements in the ./bin/PEM/demoCA/
private/CAcert file.
d. Click OK.
Testing the Configuration
Import the root CA into your browser and construct an SSL interception policy.
Note: Detailed instructions on constructing an SSL interception policy are in
"Configuring SSL Rules through Policy" on page 239.
You should not be prompted for any certificate warning.
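The procedure above, from "Creating a Root Certificate" through "Testing the Configuration", repeated as a scripted lab (an added example, not part of the guide or of OpenSSL's own tooling): it builds a root CA, signs a stand-in appliance CSR with openssl ca, and checks what a browser will see with and without the basicConstraints=CA:TRUE edit. All paths, subject names and extension section names are assumptions; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the SGOS guide: a throwaway OpenSSL lab that repeats the
# procedure above and shows why the basicConstraints=CA:TRUE edit matters. All paths,
# subjects and section names are constructed. Keys are 2048-bit RSA; the 1024-bit
# default shown in the guide's output is too weak for a CA key today.
set -eu

# Minimal openssl.cnf for "openssl ca". Two extension sections stand for the two
# states of the edit: sub_ca_bad (edit skipped) and sub_ca_good (CA:TRUE set).
write_ca_config() {  # $1 = working directory
    {
        printf '[ ca ]\ndefault_ca = CA_default\n\n[ CA_default ]\ndir = %s\n' "$1"
        cat <<'EOF'
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
certificate    = $dir/cacert.pem
private_key    = $dir/cakey.pem
default_md     = sha256
default_days   = 365
unique_subject = no

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ sub_ca_bad ]
basicConstraints = CA:FALSE

[ sub_ca_good ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    } > "$1/openssl.cnf"
}

# Root CA plus a CSR standing in for the ProxySG keyring CSR (new.pem). Keys are
# left unencrypted (-nodes) so the lab runs unattended; the guide's own procedure
# protects cakey.pem with a PEM pass phrase instead.
make_ca_lab() {  # $1 = working directory
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    write_ca_config "$1"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$1/openssl.cnf" -extensions v3_ca -subj "/CN=Lab Root CA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "/CN=proxy.example.test" -keyout "$1/proxykey.pem" \
        -out "$1/new.pem" 2>/dev/null
}

# The guide's signing command, with the extension section chosen per call.
# -notext keeps the output to the BEGIN/END CERTIFICATE block that gets pasted.
sign_csr() {  # $1 = working directory, $2 = extension section, $3 = output file
    openssl ca -batch -notext -config "$1/openssl.cnf" -policy policy_anything \
        -extensions "$2" -in "$1/new.pem" -out "$3" 2>/dev/null
}

# What the appliance does during interception: emulate a server certificate
# signed with the keyring key, issued under the subordinate CA certificate.
issue_emulated_cert() {  # $1 = working directory, $2 = issuer cert, $3 = output file
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "/CN=www.example.test" -keyout "$3.key" -out "$3.csr" 2>/dev/null
    openssl x509 -req -in "$3.csr" -CA "$2" -CAkey "$1/proxykey.pem" \
        -set_serial 4242 -days 30 -out "$3" 2>/dev/null
}

# Checks to run before importing newcert.pem: is it really a CA certificate, and
# does a browser-style chain validation (root trusted, subordinate untrusted) pass?
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
chain_ok() {  # $1 = root cert, $2 = subordinate cert, $3 = emulated server cert
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Usage: sh ca_lab.sh demo
if [ "${1:-}" = demo ]; then
    lab=$(mktemp -d)
    make_ca_lab "$lab"
    sign_csr "$lab" sub_ca_good "$lab/newcert.pem"
    issue_emulated_cert "$lab" "$lab/newcert.pem" "$lab/emulated.pem"
    chain_ok "$lab/cacert.pem" "$lab/newcert.pem" "$lab/emulated.pem" && echo "chain OK: $lab"
fi
```

A CSR copied from the appliance keyring can replace the generated new.pem; the is_ca and chain_ok checks then apply to the real newcert.pem before it is imported.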
Creating an Intermediate CA using Microsoft Server 2012 (Active Directory)
This section describes certificate management when creating an intermediate CA using
Active Directory.
Before you begin:
❐ Verify the Windows 2012 system is an Active Directory server.
❐ Make sure IIS is installed on the server.
❐ Install the "Certificate Services" through the Server Manager. Enable Active Directory
Certificate Services and select the Certificate Authority mode as Enterprise root CA on
the AD CS (Active Directory Certificate Services).
All certificate management is done through the browser using the following URL:
http://@ip_server/CertSrv
For information on the following tasks, see:
❐ "Install the root CA onto the browser:" on page 268
❐ "Create an appliance keyring and certificate signing request:" on page 268
❐ "Sign the appliance CSR:" on page 268
❐ "Import the subordinate CA certificate onto the appliance:" on page 269
❐ "Test the configuration:" on page 269
Install the root CA onto the browser:
1. Connect to http://@ip_server/certsrv.
2. Click Download a CA Certificate, certificate chain, or CRL.
3. Click Install this CA Certificate.
This installs the root CA onto the browser.
Create an appliance keyring and certificate signing request:
1. From the Management Console, select the Configuration > SSL > Keyrings tab.
2. Create a new keyring. For detailed instructions on creating a new keyring, see
"Creating a Keyring" on page 1235.
3. Create a Certificate Signing Request (CSR). For detailed instructions on creating a
CSR, see "Creating a Keyring" on page 1235.
4. To capture the CSR information, edit the keyring containing the CSR, and copy the
Certificate Signing Request field content.
5. Click Close.
Sign the appliance CSR:
1. Connect to http://@ip_server/certsrv.
2. Select Request a certificate.
3. Select submit an advanced certificate request.
4. On the next screen (Submit a Certificate Request or Renewal Request) paste the
contents of the CSR into the Base-64-encoded certificate request field.
5. Select the Certificate Template Subordinate Certification Authority.
If this template does not exist, connect to the certificate manager tool on the Active
Directory server and add the template.
6. Click Submit.
7. Download the certificate (not the chain) as Base 64 encoded.
8. Save this file on the workstation as newcert.pem.
Import the subordinate CA certificate onto the appliance:
1. Open the file newcert.pem in a text editor and copy the contents, from the BEGIN
CERTIFICATE through END CERTIFICATE; don’t include any spaces after the dashes.
2. In the Management Console, select the Configuration > SSL > SSL Keyrings tab.
3. Select the keyring that has the CSR created; click Edit.
Note: Ensure this keyring is used as the issuer keyring for emulated certificates. Use
policy or the SSL intercept setting in the Management Console or the CLI.
4. Click Import to paste the contents of the newcert.pem file. This imports the
appliance’s subordinate CA certificate into the keyring.
5. To ensure the appliance trusts the newly added certificate, import the contents of the
newcert.pem file into the CA Certificates list.
a. From the Management Console, select Configuration > SSL > CA Certificates.
b. Click Import; enter the certificate name in the CA Cert Name field.
c. Paste the certificate, being sure to include the -----BEGIN CERTIFICATE-----
and the -----END CERTIFICATE----- statements in the ./bin/PEM/demoCA/
private/CAcert file.
d. Click OK.
e. Click Apply.
Test the configuration:
Import the root CA into your browser and construct an SSL interception policy. You
should not be prompted for any certificate warning.
Note: Detailed instructions on constructing an SSL interception policy are in
"Configuring SSL Rules through Policy" on page 239.
Chapter 10: Managing the WebEx Proxy
This chapter describes how to use the ProxySG appliance WebEx proxy to control
WebEx sessions.
Topics in this Chapter
This chapter includes information about the following topics:
❐ "About Controlling the WebEx Application and File Uploads" on page 272
❐ "Enable HTTP Handoff" on page 273
❐ "Control Access to a WebEx Site with Policy" on page 274
❐ "Control File Uploads with Policy" on page 276
❐ "Control Desktop Sharing with Policy" on page 279
❐ "WebEx Proxy Access Logging" on page 282
❐ "Review WebEx Proxy Sessions" on page 284
WebEx is a popular file and desktop sharing software application. Meeting participants
can join from all over the world. In the presenter role, a user can share his desktop, files,
or a specific application window. The WebEx proxy on the appliance provides for the
inspection of WebEx traffic, which allows fine control over desktop sharing and file
upload operations.
This solution is designed for both explicit and transparent forward proxy deployments.
It requires that WebEx HTTP handoff be enabled. If HTTP handoff is not enabled,
the WebEx proxy policy is not applied, though other policy pertaining to HTTP traffic
is still applied.
IPv6 Support
The WebEx proxy is able to communicate using either IPv4 or IPv6, either explicitly or
transparently.
Section 1 About Controlling the WebEx Application and File Uploads
The WebEx Proxy can control WebEx desktop sharing and file uploads using a deny
(block)/allow option. The proxy can be configured to allow a user to attend a meeting, but
restrict the user from sharing a file, hosting a meeting, or sharing the desktop.
This solution requires an active, licensed content filtering service database. You can use
the Symantec WebFilter service, but some WebEx operations will be unavailable. To use
all WebEx operations, you require a Symantec Intelligence Services license and database.
When enabled, the content filtering service detects WebEx HTTPS connections. When
HTTP handoff is enabled, WebEx connections are handed to the WebEx Proxy, where they
can be inspected and subjected to policy actions. If desktop sharing or file uploads are
configured to be blocked when detected by the WebEx proxy, the HTTP connection does not
continue to the server.
For details on these content filtering services, see "Filtering Web Content" on page 399.
Before You Begin
❐ Make sure the Symantec content filtering service is licensed and active.
❐ Select Intelligence Services for the content filtering data source. Select Configuration >
Content Filtering > Blue Coat, and select Intelligence Services from the Data Source
menu.
❐ Enable Application Classification. Select Configuration > Application Classification >
General, and click Enable Blue Coat Application Classification on this device.
❐ Make sure WebEx HTTP Handoff is enabled before enacting policy. See "Enable
HTTP Handoff" on page 273.
Section 2 Enable HTTP Handoff
Enable HTTP handoff so that WebEx connections are handed to the WebEx Proxy, where
they can be inspected and subjected to policy actions.
1. Go to Configuration > Proxy Settings > WebEx Proxy.
2. Verify Enable HTTP handoff has been checked; it is checked by default.
Section 3 Control Access to a WebEx Site with Policy
This procedure applies to connections to a specific WebEx server. You will likely want to
write policy that contains both a reference to a specific site (whether to deny or allow
access to that site) and an action such as deny file uploads.
1. Launch the VPM (Configuration > Policy > Visual Policy Manager).
2. Select Policy > Add Web Access Layer.
3. Name the layer appropriately, such as “WebEx Layer,” and click OK.
4. In the new layer, right-click the Destination field, and click Set. The system displays
the Set Destination Object window.
5. Click New, and select the WebEx Site from the list. The system displays the Add WebEx
Site Object window.
6. Name the WebEx Site Object, then enter the site name using the match type you select
from the drop-down list. For example, enter “company1” for an Exact Match, then click OK.
The Add WebEx Site Object window closes. The Site Name may only contain alphanumeric
characters.
7. Choose an Action of Allow or Deny, as required.
8. Alternatively, you can add a WebEx site and another object to a Combined Destination
Object, to allow or deny a specific action for a particular site. For example, add a
ShareApplication object to deny application sharing for a specific site.
See "Control File Uploads with Policy" next for more details on creating Combined
Destination Objects.
9. Install the policy.
Section 4 Control File Uploads with Policy
Use a combined object to deny file uploading through WebEx.
Note: Before proceeding, make sure that you meet the requirements described in
"Before You Begin" on page 272.
To control file uploads:
1. Launch the VPM (Configuration > Policy > Visual Policy Manager).
2. Select Policy > Add Web Access Layer.
3. Name the layer; for example, “WebEx Layer,” and click OK.
4. In the new layer, right-click the Destination field, and click Set. The system displays
the Set Destination Object window.
5. Click New, and select the Combined Destination Object.
6. Name the object on the Add Combined Destination Object window, then click New, and
select the Request URL Application. The system displays the Add Request Web
Application Control window.
7. Name the object (for example, “WebExApplication”), select WebEx from the left side
list, and click OK.
• If the appliance is unable to connect to Intelligence Services, you will see a
“Problem connecting” message.
8. Click New on the Add Combined Destination Object window, and select the Request
URL Operation. The system displays the Add Request Web Operation Control window.
a. Name the object (for example, “WebExOperation-UploadFiles”).
b. Select Upload Files from the list, and click OK.
Note: Other WebEx operations include Host Meeting, Join Meeting, and Login.
9. To set up policy where both objects are required for the action to occur, set up an AND
operation.
a. Highlight the first new object (“WebExApplication”), and click Add to move
it to the top right object field.
b. Highlight the second new object (“WebExOperation-UploadFiles”), and click
Add to move it to the lower object field.
c. Click OK. The window closes.
d. Click OK on the Set Destination Object window.
10. On the VPM window, right-click Action on the current layer, and choose Allow or Deny.
11. Install the policy.
Section 5 Control Desktop Sharing with Policy
Use a combined object to deny local desktop sharing through WebEx. Desktop sharing is
controlled by the Share Application function; the process is otherwise the same as
"Control File Uploads with Policy".
Note: Before proceeding, make sure that you meet the requirements described in
"Before You Begin" on page 272.
To control desktop sharing:
1. Launch the VPM (Configuration > Policy > Visual Policy Manager).
2. Select Policy > Add Web Access Layer.
3. Name the layer; for example, “WebEx Layer,” and click OK.
4. In the new layer, right-click the Destination field, and click Set. The system displays
the Set Destination Object window.
5. Click New, and select the Combined Destination Object.
6. Name the object on the Add Combined Destination Object window, then click New, and
select the Request URL Application. The system displays the Add Request Web
Application Control window.
7. Name the object (for example, “WebExApplication”), select WebEx from the list, and
click OK.
• If the appliance is unable to connect to Intelligence Services, you will see a
“Problem connecting” message.
8. Click New on the Add Combined Destination Object window, and select the Request
URL Operation. The system displays the Add Request Web Operation Control window.
a. Name the object (for example, “WebExOperation-ShareApplication”).
b. Select Share Application from the left side list, and click OK.
9. To set up policy where both objects are required for the action to occur, set up an AND
operation.
a. Highlight the first new object (“WebExApplication”), and click Add to move
it to the top right object field.
b. Highlight the second new object (“WebExOperation-ShareApplication”), and
click Add to move it to the lower object field.
c. Click OK. The window closes.
d. Click OK on the Set Destination Object window.
10. On the VPM window, right-click Action on the current layer, and choose Deny or Allow.
11. Install the policy.
Section 6 WebEx Proxy Access Logging
WebEx actions are reported in the Collaboration proxy access log by default. Actions
include:
• a user joining a meeting
• a user leaving a meeting
• a user connection dropping abruptly
• a file or application sharing session starting
• a file or application sharing session finishing
• a file or application sharing session being blocked
To verify Access Logging is enabled, go to Configuration > Access Logging > General, and
click Enable Access Logging on the Default Logging tab. Verify the Collaboration log
appears on the Configuration > Access Logging > Logs tab.
For information about access log customization, refer to "Creating Custom Access Log
Formats". To view the Collaboration log, go to Statistics > Access Logging, and select
collaboration in the Log field.
Each individual WebEx meeting has a designated nine-digit Meeting ID. This Meeting ID
is recorded in the access logs. Follow the Show Log Collaboration link.
The following table describes log fields and possible field values.
Field Name                  Field description                        Possible values
date                        Date of event                            Specific to event
time                        Time of event                            Specific to event
c-ip                        Client IP                                Specific to event
r-dns                       Remote hostname                          Specific to event
duration                    Duration of the session in seconds       Applicable only to STOP_FILE_UPLOAD, STOP_APPLICATION_SHARING, and LEAVE_MEETING
x-collaboration-method      Description of method                    JOIN_MEETING, LEAVE_MEETING, HOST_MEETING, DISCONNECT, START_FILE_UPLOAD, STOP_FILE_UPLOAD, START_APPLICATION_SHARING, STOP_APPLICATION_SHARING
s-action                    Whether a sharing session was allowed    ALLOWED, DENIED, FAILED, SUCCESS
                            or blocked (if applicable)
x-collaboration-user-id     WebEx user ID                            Specific to event
x-collaboration-meeting-id  WebEx nine-digit meeting number          Specific to event
x-webex-site                WebEx site name on which this meeting    Specific to event
                            is hosted (for example, "symantec" for
                            symantec.webex.com)
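An added example (not from the guide) that reads Collaboration log lines carrying the fields above and reports what a defender looks for: policy denials per user and meeting, sharing time per user, and joins to meetings on an unsanctioned WebEx site. The space-separated layout and the sample lines are assumptions constructed for the example; adjust the field positions to your configured log format.

```shell
#!/bin/sh
# Added example, not from the SGOS guide: summarise WebEx events from the
# Collaboration access log. The log layout is assumed (space-separated, fields in
# the order of the table above, "-" for a field that does not apply); the lines
# below are constructed, not captured from an appliance.
set -eu

SAMPLE_LOG='#Fields: date time c-ip r-dns duration x-collaboration-method s-action x-collaboration-user-id x-collaboration-meeting-id x-webex-site
2020-01-15 09:00:01 10.1.2.3 host-a.corp.example - JOIN_MEETING SUCCESS alice 123456789 company1
2020-01-15 09:05:10 10.1.2.3 host-a.corp.example - START_FILE_UPLOAD DENIED alice 123456789 company1
2020-01-15 09:06:00 10.1.2.4 host-b.corp.example - JOIN_MEETING SUCCESS bob 123456789 company1
2020-01-15 09:07:00 10.1.2.4 host-b.corp.example - START_APPLICATION_SHARING ALLOWED bob 123456789 company1
2020-01-15 09:37:00 10.1.2.4 host-b.corp.example 1800 STOP_APPLICATION_SHARING SUCCESS bob 123456789 company1
2020-01-15 09:40:00 10.1.2.3 host-a.corp.example - START_FILE_UPLOAD DENIED alice 123456789 company1
2020-01-15 09:45:00 10.1.2.9 host-c.corp.example - JOIN_MEETING SUCCESS carol 987654321 partnerco
2020-01-15 10:00:00 10.1.2.3 host-a.corp.example 3599 LEAVE_MEETING SUCCESS alice 123456789 company1
2020-01-15 10:01:00 10.1.2.4 host-b.corp.example 3300 DISCONNECT - bob 123456789 company1'

# Field positions, matching the assumed #Fields header above.
AWK_FIELDS='BEGIN { DUR = 5; METHOD = 6; ACTION = 7; USER = 8; MEETING = 9; SITE = 10 }'

# Policy denials per user, meeting and operation: what the VPM rules above blocked.
denied_events() {  # reads the log on stdin; prints "user meeting method count"
    awk "$AWK_FIELDS"' /^#/ { next }
        $ACTION == "DENIED" { n[$USER " " $MEETING " " $METHOD]++ }
        END { for (k in n) print k, n[k] }' | sort
}

# Seconds spent sharing per user, from the duration carried only by STOP_* events.
sharing_seconds() {  # reads the log on stdin; prints "user seconds"
    awk "$AWK_FIELDS"' /^#/ { next }
        $METHOD ~ /^STOP_(APPLICATION_SHARING|FILE_UPLOAD)$/ && $DUR != "-" { s[$USER] += $DUR }
        END { for (u in s) print u, s[u] }' | sort
}

# Users who joined meetings hosted on a WebEx site other than the sanctioned one.
offsite_joins() {  # $1 = sanctioned x-webex-site; prints "user meeting site"
    awk -v ok="$1" "$AWK_FIELDS"' /^#/ { next }
        $METHOD == "JOIN_MEETING" && $SITE != ok { print $USER, $MEETING, $SITE }' | sort
}

# Usage: sh collab_log.sh demo   (point the functions at a real log with: cat log | denied_events)
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_LOG" | denied_events
    printf '%s\n' "$SAMPLE_LOG" | sharing_seconds
    printf '%s\n' "$SAMPLE_LOG" | offsite_joins company1
fi
```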
Section 7 Review WebEx Proxy Sessions
After WebEx traffic begins to flow through the appliance, you can review the statistics
page and monitor results in various WebEx categories. The presented statistics are
representative of the client perspective.
To review WebEx statistics:
1. From the Management Console, select Statistics > Sessions > Active Sessions.
2. On the Proxied Sessions tab, set the following:
a. At Filter, select Protocol.
b. Select WebEx from the drop down menu.
c. Click Show.
Chapter 11: Managing Outlook Applications
This chapter discusses the Endpoint Mapper service and MAPI proxy, which function
together to intercept traffic generated by Microsoft Outlook clients and accelerate
traffic over the WAN. It also discusses intercepting Office 365 Exchange Online traffic
using the MAPI over HTTP protocol.
Topics in this Chapter
This chapter includes information about the following topics:
❐ Section A: "The Outlook Proxies" on page 285
❐ Section B: "Endpoint Mapper and MAPI Configuration" on page 292
❐ Section C: "Intercept Skype for Business" on page 304
Section A: The Outlook Proxies
This section discusses the Endpoint Mapper and MAPI proxies and how they work
together to accelerate Outlook email traffic.
❐ "About the Endpoint Mapper Proxy Service" on page 285
❐ "About the MAPI Proxy" on page 286
❐ "About MAPI Over HTTP" on page 289
❐ "Configuring the Endpoint Mapper Service" on page 292
❐ "Using the MAPI Proxy" on page 293
About the Endpoint Mapper Proxy Service
The Endpoint Mapper service is a key component of Symantec’s solution for
accelerating Outlook email traffic. Endpoint Mapper is a Remote Procedure Call (RPC)
service that allows communication between Outlook clients and Exchange servers. As
an RPC client, Outlook sends a message to Endpoint Mapper, asking what port
Exchange is listening on; then Outlook uses the supplied port to communicate with the
server.
Challenges arise when these communications take place between Outlook clients at
branch offices and Exchange servers located in core locations. The user experience is
poor because of low available bandwidth or high-latency lines. This is where the
Endpoint Mapper proxy can help.
This proxy intercepts the RPC client request for a particular RPC service. When the
RPC client connects to the service, the Endpoint Mapper proxy secondary service
intercepts the request and tunnels it. A substantial performance increase occurs because:
❐ The ProxySG appliance caches server information, negating the requirement to
connect to an upstream server for repeated requests.
❐ The ProxySG appliance at the branch office (the branch peer) compresses RPC traffic
and sends it over the TCP connection to the ProxySG appliance at the core (the
concentrator peer), which decompresses the data before sending it to the RPC server.
The Endpoint Mapper proxy can be deployed in both transparent and explicit modes.
Intercepting RPC traffic is part of the complete solution that includes the MAPI proxy.
Note: Only Microsoft RPC version 5.0 is supported. If the RPC version is not 5.0, the
connection is terminated.
About the MAPI Proxy
The Microsoft Outlook client uses the MAPI protocol to communicate with Microsoft
Exchange Server, most commonly for e-mail applications. MAPI is based on the
Microsoft Remote Procedure Call (RPC).
Because MAPI is based on RPC, it suffers from the performance limitations inherent in
RPC communications. As enterprises continue to trend toward consolidating servers,
which requires more WAN deployments (branch and remote locations), e-mail application
users experience debilitating response times for not only sending and receiving mail, but
accessing message folders or changing calendar elements.
With the release of Exchange Server 2003 and subsequent versions of Outlook, Microsoft
introduced data encoding to enhance the efficiency and security of file transfers. However,
file encoding prevents data sent with the MAPI protocol from matching with data sent
using other protocols (HTTP, CIFS, FTP, etc.), thereby limiting byte cache effectiveness.
About the Symantec MAPI Solution
The MAPI proxy is similar to and actually works in conjunction with the Endpoint
Mapper proxy to intercept and accelerate RPCs; however, MAPI is always deployed
transparently and does not listen on a specific port or port range. Instead, when configured
to do so, the Endpoint Mapper proxy hands off Outlook/Exchange traffic to the MAPI
proxy (but the Endpoint Mapper proxy functionality is still required to make an RPC
connection).
The MAPI proxy itself is a split proxy, which is only viable in a deployment that consists
of a ProxySG appliance at the branch office and a concentrator ProxySG appliance at the
core. A split proxy employs co-operative processing at the branch and the core to
implement functionality that is not possible in a standalone proxy. In the case of the MAPI
proxy, cooperation exists between the ProxySG appliances at the branch and the core to
reduce the number of RPCs sent across the WAN. The TCP connection between the
branch and concentrator peers makes use of byte caching for acceleration.
MAPI compression includes all files and supported protocols sent from Microsoft
Outlook. It also improves general performance, bandwidth and, in certain cases,
application-level latency.
The appliance supports Office 365 (MAPI over HTTP) compression. To configure Office
365 traffic over ADN, see "Configuring Office 365 (MAPI over HTTP) in an ADN" on
page 296.
In summary, the Symantec MAPI solution supports the following acceleration techniques:
❐ Protocol optimizations
❐ Byte caching
❐ Compression
❐ Upload/download optimizations
The following diagram illustrates a typical MAPI communication flow:
LEGEND:
A: A ProxySG appliance at a branch office (branch peer); Endpoint Mapper proxy is configured
on port 135; MAPI proxy: MAPI handoff, batching, and keep-alive are enabled.
B: A ProxySG appliance (concentrator peer) at a corporate location.
C: The ProxySG peers communicate through a TCP tunnel.
D: Microsoft Exchange server at the core.
PROCESS FLOW:
1: During business hours, two branch Microsoft Outlook clients send e-mails with
attachments.
2: The branch peer batches RPC messages into larger chunks. If there is relevant data, such
as attachments, the branch peer will also decode the files compressed by Outlook.
3: With the default Endpoint Mapper proxy configuration, Symantec ADN compresses the data
over the TCP connection. The data is byte cached with all compatible protocols.
4: The concentrator performs decompression and connects to the Exchange server for
processing to destination client. The concentrator will also compress data decoded by the
branch peer for processing by the Microsoft Exchange server.
5: Another user logs out of Microsoft Outlook at the end of the day. With keep-alive configured,
the ProxySG appliance maintains a connection to the Exchange server and continues to
queue sent mail, creating a ‘warm’ byte cache. A warm byte cache holds data that will be
fetched at a later time.
6: When the user logs in the next morning, the ProxySG appliance delivers the cached mail,
eliminating excessive WAN traffic increase.
Figure 11–1 MAPI Proxy Deployment and Flow Diagram
Reducing RPC Messages Across the WAN
The MAPI proxy batching feature reduces the number of RPC messages traversing the
WAN during attachment download and upload.
❐ Attachment download optimization: If the protocol and Exchange version permit,
the concentrator peer will either batch attachments that have multiple simultaneous
RPC requests or request larger data chunks than the Outlook client requested. The
concentrator peer does attachment data read ahead and forwards it to the branch, so
that once Outlook requests the next data chunk, the branch peer already has it
available.
❐ Attachment upload optimization: The branch peer simulates the Exchange server
by generating the attachment data acceptance response locally; this allows Outlook to
send the next data fragment, thereby reducing the response round-trip time over the
WAN, which saves time and bandwidth.
Maximizing Cross Protocol Byte-Cache Hits
The Symantec MAPI compression handling feature allows data encoded (or compressed)
by Microsoft Outlook and Exchange to be byte cached and thereby accelerated. This
feature improves bandwidth, especially when sending and receiving large attachments
using Microsoft Outlook.
For example, when a user sends an e-mail with an attachment, Outlook encodes the data to
the Exchange server. As the e-mail is sent across the line, the branch peer intercepts and
decodes the attachment data. Because the branch peer sends the data across the WAN in a
plain format, it can be byte-cached with all other supported protocols (CIFS, HTTP, FTP,
etc.), thereby increasing cross-protocol hits. After the data reaches the concentrator
ProxySG appliance, it is encoded back to the Outlook standard and processed by the
Exchange server.
When a user makes a receive request, the concentrator ProxySG appliance decodes the
data from the Exchange server. After the data reaches the branch peer, it is once again
encoded to the original format and processed by the Outlook client.
Currently, MAPI compression handling supports improved byte caching for MAPI 2000/
2003. Both the branch and concentrator peers must run the same version of SGOS for
MAPI compression functionality.
Note: Attachments sent using MAPI compression are transferred in plain text over the WAN
when secure ADN is not used. Branch-to-Outlook and concentrator-to-Exchange data is
obfuscated using the native Microsoft encoding format.
Maintaining Exchange Connections
The MAPI proxy Keep-Alive feature allows the ProxySG appliance to maintain the
connection to the Exchange server after the user has logged off from Outlook. Determined
by the configurable interval, the MAPI proxy checks the Exchange server for new mail.
ADN Optimization allows the connection to remain warm so that when the user logs on
again to Outlook, the number of retrieved bytes is lower, which provides better
performance.
The MAPI proxy remembers each user that is logged on or off. If the duration exceeds the
specified limit, or when the user logs back into the mail application, the Keep-Alive
connection is dropped.
Supported Microsoft Outlook Clients and Exchange Servers
Refer to the following table to determine which MAPI protocol is supported if you are
using a specific Exchange and Outlook combination.
Table 11–1 Supported ProxySG Exchange/Outlook Servers
               Exchange 2003  Exchange 2007  Exchange 2010*  Exchange 2013*  Exchange 2016*
Outlook 2003   MAPI 2003      MAPI 2003      MAPI 2003       MAPI 2003       MAPI 2003
Outlook 2007*  MAPI 2003      MAPI 2007      MAPI 2007       MAPI 2007       MAPI 2007
Outlook 2010*  MAPI 2003      MAPI 2007      MAPI 2010       MAPI 2010       MAPI 2010
Outlook 2013*  MAPI 2003      MAPI 2007      MAPI 2010       MAPI 2013       MAPI 2013
Outlook 2016*  MAPI 2003      MAPI 2007      MAPI 2010       MAPI 2013       MAPI 2016
*MAPI encryption enabled by default
MAPI Backward Compatibility
SGOS allows MAPI backward compatibility, allowing functionality during upgrade/
downgrade cycles and other instances when the appliances at the branch office and core
are running different versions. As a result, any ongoing changes to the ProxySG
appliances will not break application usability.
When the branch and concentrator peers encounter a MAPI version mismatch, they
negotiate down to the lowest common version. Depending on which version of MAPI has
been negotiated to, certain features found in later versions will not function.
For example, if the branch peer runs SGOS 5.3 and the concentrator peer runs SGOS 5.4,
they will negotiate to SGOS 5.3. Because SGOS 5.3 does not support MAPI compression,
users will not benefit from cross protocol byte-cache hits with CIFS or other compatible
protocols.
Note: A warning appears in the Active Sessions at the branch office when connections
are affected by a version downgrade.
About MAPI Over HTTP
MAPI over HTTP tunnels traffic over an HTTPS connection and accepts connections
from the HTTP proxy instead of from the Endpoint Mapper Proxy. This protocol was
introduced in Microsoft Outlook 2013 SP1 and it replaces RPC over HTTP.
When using this protocol with a ProxySG appliance, the appliance removes MAPI’s
compression from traffic sent over an ADN and applies its own compression instead.
Clients running Microsoft Outlook 2013 and later support optimizing Microsoft Office
365 MAPI over HTTP traffic.
About Encrypted MAPI
This feature provides the ability to transparently accelerate encrypted MAPI traffic
between the Outlook client and the Exchange server. The decryption and re-encryption of
MAPI is transparent to the user and requires no knowledge of the user's password.
This feature assumes your ADN network is set up as follows.
The encrypted MAPI acceleration feature expects the Outlook client to use the Simple and
Protected Negotiation (SPNEGO) security protocol, and as a result the proxy will
negotiate NTLM protocol on the client side and Kerberos on the server side. SPNEGO is
used when a client application wants to authenticate to a remote server, but neither end is
sure what authentication protocols the other supports.
For configuration details, see "Optimizing Encrypted MAPI Traffic" on page 297.
Encrypted MAPI Requirements
The ProxySG encrypted MAPI feature has the following requirements:
❐ ADN must be configured with at least one branch and one concentrator peer. The
peers must be running SGOS 6.2 or later and configured to use an SSL device profile
and secure ADN.
❐ An SSL license is required for secure ADN on the branch and the concentrator peers.
❐ The Outlook clients must be configured to use Kerberos/NTLM Password
Authentication (Outlook 2003) or Negotiate Authentication (Outlook 2007, Outlook
2010) logon network security. The Exchange server must be enabled to support
Kerberos security protocol and the Domain Controller must be enabled to support
both Kerberos and NTLM LAN authentication protocols.
❐ The clocks on the branch and concentrator peers must be synchronized with the
Domain Controller clock.
❐ The branch peer must be joined to each Windows domain to which your Exchange
server(s) and Outlook users belong. For example, if users are created in domain A and
the Exchange server resides in domain B (which has a trust relationship with domain
A), the ProxySG appliance must be joined to both domains.
❐ The branch peer must be configured to be trusted for delegation for exchangeMDB
services and must act as an Active Directory member host.
Encrypted MAPI Limitations
The encrypted MAPI feature has the following limitations on the ProxySG appliance:
❐ The encrypted MAPI solution on the ProxySG appliance does not support batching.
❐ Encrypted MAPI 2000 is not supported on the ProxySG appliance.
❐ Non-secure ADN can be reported in the Active Sessions at the branch even though
secure ADN is enabled on the branch and concentrator peers. This can happen when
Outlook establishes a plain connection with the Exchange server and then switches to
the secure authentication level in the middle of a MAPI conversation. When this
happens, the encrypted MAPI session goes through a plain ADN tunnel, without
acceleration benefits.
To prevent this, enable the Secure all ADN routing and tunnel connections option.
❐ Encrypted MAPI is not supported if the branch peer fails to authenticate the user by
using NTLM and Kerberos authentication protocols within the Exchange domain.
Section B: Endpoint Mapper and MAPI Configuration
This section discusses the following configuration topics:
❐ "Configuring the Endpoint Mapper Service"
❐ "Using the MAPI Proxy" on page 293
❐ "Optimizing Encrypted MAPI Traffic" on page 297
Configuring the Endpoint Mapper Service
By default (upon upgrade and on new systems), the ProxySG appliance has an Endpoint
Mapper service configured on port 135. The service is configured to listen to all IP
addresses, but might be set in Bypass mode (depending on the initial configuration
performed by a network administrator).
In order to manage Outlook traffic, the Endpoint Mapper service must be intercepted.
To set the Endpoint Mapper service to intercept:
1. From the Management Console, select Configuration > Services > Proxy Services.
2. Change the Endpoint Mapper service to intercept:
a. Scroll the list of service groups, click Standard, and select Endpoint Mapper.
b. If the Action for the default service (port 135) is set to Bypass, select Intercept
from the drop-down list.
3. Click Apply.
Adding a New Endpoint Mapper Service
The ProxySG appliance allows you to add new Endpoint Mapper services. Consider the
following scenario: you want the ProxySG appliance to exclude (bypass) an IP address/
subnet from MAPI acceleration because that network segment is undergoing routine
maintenance. To learn more about adding custom services, see "Creating Custom Proxy
Services" on page 134.
Bypassing Endpoint Mapper Traffic
Certain scenarios might require you to change the Endpoint Mapper service from Intercept
to Bypass. For example, you need to take an Endpoint Mapper service offline for
maintenance. When an Endpoint Mapper changes from Intercept to Bypass, the ProxySG
appliance closes not only the primary connections (such as connections to a Microsoft
Exchange server on port 135), but also the secondary connections, which are used to
intercept further RPC requests on mapped ports. The result is fully bypassed Endpoint
Mapper traffic.
Reviewing Endpoint Mapper Proxy Statistics
After RPC traffic begins to flow through the ProxySG appliance, you can review the
statistics page and monitor results in various categories. The presented statistics are
representative of the client perspective.
Management Console Statistics Pages
Endpoint Mapper statistics display across multiple pages:
❐ Statistics > Traffic Mix tab—Service and proxy data; bandwidth use and gain; client,
server, and bypassed bytes. Includes all traffic types, but you can limit the scope to
Endpoint Mapper data.
❐ Statistics > Traffic History tab—Service and proxy data; bandwidth use and gain;
client, server, and bypassed bytes. Select the Endpoint Mapper service or proxy (related
to MAPI, as described in "Configuring the MAPI Proxy" on page 294).
❐ Statistics > Active Sessions—The Proxied Sessions and Bypassed Connections tabs
display statistics filtered by various criteria, such as port or service type (select
Endpoint Mapper).
Statistic URL Pages
Endpoint Mapper proxy statistics pages are viewable from Management Console URLs.
This page displays various, more granular connection and byte statistics.
https://SG_IP_address:8082/epmapper/statistics
Using the MAPI Proxy
This section discusses the following topics:
❐ "Configuring the MAPI Proxy" on page 294
❐ "Reviewing MAPI Statistics" on page 295
Configuring the MAPI Proxy
This section discusses how to configure the MAPI proxy acceleration features.
For more information, see the following sections:
❐ "About the MAPI Proxy" on page 286
❐ "Reviewing MAPI Statistics" on page 295
To view/change the MAPI Proxy configuration options:
1. In the Management Console, select Configuration > Proxy Settings > MAPI Proxy.
2. Configure the MAPI proxy configuration options:
a. Enable MAPI handoff: Hand off MAPI and MAPI over HTTP traffic to allow
scanning of email attachments and embedded objects. SSL interception must
be enabled for MAPI over HTTP (Office 365) traffic scanning.
b. Enable acceleration for encrypted MAPI: Select this option if you want to
accelerate encrypted MAPI traffic. To use this option you must join the
appliance to each Windows domain to which your Exchange server belongs
and Outlook users are created. You must then select the Domain alias that is
associated with that domain to enable encrypted MAPI acceleration. If you do
not select a Domain alias, the appliance will bypass encrypted MAPI traffic
(and the associated traffic will show the Domain alias not set message in
Active Sessions). If you have not yet joined the appliance to a Windows
domain, see "Integrate the Appliance into the Windows Domain" on page
1114 for instructions.
Note: Before enabling acceleration for encrypted MAPI, make sure you have
performed the required setup tasks on the Domain Controller, and on the branch
and concentrator peers. See "Optimizing Encrypted MAPI Traffic" on page 297
for details.
c. Enable batching of attachment uploads/downloads: If enabled, this option
reduces the MAPI message count sent over the ADN tunnel during
attachment upload and download. This reduction in message roundtrips saves
time.
Note: For the batching option to produce additional time gains, the Cached
Exchange Mode option on the Outlook client must be disabled.
d. Enable keep-alive for disconnected clients: After a user closes Outlook, the
MAPI RPC connection remains and the ProxySG appliance continues to
receive incoming messages to this account. If disabled (the default), no
attempts to contact the server occur until the next time the user logs into his/
her Outlook account. This might create a noticeable decrease in performance,
as the queue of unreceived mail is processed.
• Interval: How often the MAPI proxy contacts the Exchange server to check for
new messages.
• Duration: How long the MAPI proxy maintains the connection to the
Exchange server. The connection is dropped if the duration exceeds this value
or once a user logs back in to the mail application.
• Maximum Sessions: Limits the number of concurrently active keep-alive
sessions. If a new keep-alive session would start when the limit has already
been reached, it is not created; the oldest existing keep-alive session is not
dropped to make room for it.
3. Click OK.
4. Click Apply.
Reviewing MAPI Statistics
After MAPI traffic begins to flow through the ProxySG appliance, you can review the
statistics page and monitor results in various MAPI categories. The presented statistics are
representative of the client perspective.
To review MAPI History:
1. From the Management Console, select Statistics > MAPI History.
2. View statistics:
a. Select a statistic category tab:
• MAPI Clients Bytes Read: The total number of bytes read by MAPI clients.
• MAPI Clients Bytes Written: The total number of bytes written by MAPI
clients.
• MAPI Clients: The total number of MAPI connections.
b. The graphs display three time metrics: the previous 60 minutes, the previous
24 hours, and the previous month. Roll the mouse over any colored bar to
view the exact metric.
3. (Optional) You can change the scale of the graph to display the percentage of bar
peaks to display.
To review MAPI Active Sessions:
1. From the Management Console, select the Statistics > Active Sessions > Proxied
Sessions tab.
2. From the first Filter drop-down list, select Proxy; from the second drop-down list,
select MAPI.
3. Click Show. The Proxied Sessions area displays MAPI statistics.
Configuring Office 365 (MAPI over HTTP) in an ADN
In an ADN deployment, the branch peer intercepts and compresses Office 365 traffic
before sending it to the concentrator peer. The concentrator then decompresses the traffic
before forwarding it.
To configure MAPI over HTTP in an ADN:
❐ SGOS 6.7.4 or later must be installed on the branch and concentrator peers.
If only the concentrator peer is upgraded, ADN does not take advantage of MAPI
decompression. If only the branch peer is upgraded, connections are terminated
abnormally.
❐ Enable MAPI handoff must be selected in the MAPI proxy service on the branch and
concentrator peers. See "Configuring the MAPI Proxy" on page 294.
On the branch peer, SSL interception and MAPI handoff must be enabled.
Note: E-mail attachment scanning is configured separately from ADN
acceleration of MAPI over HTTP traffic. To configure ICAP scanning, see
"Malicious Content Scanning Services" on page 517.
❐ Ensure that Enable ADN is selected in the HTTPS proxy service on the branch and
concentrator peers. See Chapter 7: "Managing Proxy Services" on page 123.
❐ On each proxy in the ADN configuration, select the passive-attack-protection-only-key
keyring in the SSL device profile. See Chapter 36: "Configuring an Application
Delivery Network" on page 787.
Disable Office 365 Acceleration after a Downgrade
If you downgrade either the branch or the concentrator peer to a version previous to 6.7.4,
disable the configuration settings as appropriate:
❐ Clear Enable MAPI handoff on all peers
❐ Disable HTTPS interception of outlook.office365.com on the branch peer
❐ Clear Enable ADN in the HTTPS service
❐ Disable interception of the HTTPS service entirely
Optimizing Encrypted MAPI Traffic
Enabling optimization of the encrypted MAPI protocol requires the following tasks. If
these tasks are not performed, the ProxySG appliance tunnels MAPI traffic without
optimization. Some of these tasks are performed on the Domain Controller, some on the
branch peer, and others on the concentrator peer.
1. Prepare the Domain Controller to support the Trust Delegation feature. See "Prepare
the Domain Controller to Support Trust Delegation" on page 297.
2. Ensure that the clocks on the ProxySG appliances at the branch office and core are
synchronized with the Domain Controller. See "Synchronize the ProxySG Appliances and
DC Clocks" on page 298.
3. Configure secure ADN between the branch and concentrator peers. See "Verify Secure
ADN" on page 298.
4. Join the ProxySG appliance at the branch to the primary domain (the same domain
where the Exchange server is installed). See "Join the Branch Peer to the Primary
Domain" on page 299.
5. On the Domain Controller, configure Trust Delegation for the host name of the
ProxySG appliance at the branch office. See "Configure the Domain Controller to Trust
the ProxySG Host" on page 300.
6. Enable MAPI encryption on the ProxySG appliance at the branch office. See "Enable
MAPI Encryption Support" on page 300.
Prepare the Domain Controller to Support Trust Delegation
Note: Only the Primary Domain Controller requires the new configuration; the
configuration automatically replicates to the Backup Domain Controller.
The trust delegation feature (configured in a later task) requires that the domain functional
level be at Windows Server 2003 (or newer).
If you need to raise the functional level:
1. On the Domain Controller, select Administrative Tools, and open Active Directory
Domains and Trusts.
2. Right-click the domain and select Raise Domain Functional Level.
3. From Select an available domain functional level, select Windows Server 2003 (or
newer) and click Raise.
Note: After raising the domain functional level to Windows Server 2003 from
Windows 2000, you cannot add additional Windows 2000 servers to this domain.
Synchronize the ProxySG Appliances and DC Clocks
The clocks on the ProxySG appliances at the branch office and core must be synchronized
with the clock on the Domain Controller. Note that a branch peer cannot join an AD
domain unless its internal clock is in sync with the Domain Controller. In addition, if the
concentrator is out of sync with the other clocks, it will not be able to establish an
encrypted MAPI session.
To ensure that the ProxySG clocks are synchronized with the Domain Controller clock,
use either of the following techniques:
❐ Specify the same NTP servers for the ProxySG appliances and the Domain Controller.
❐ Configure the ProxySG appliances to use the Domain Controller as the NTP source
server.
ProxySG NTP configuration options are located on the Configuration > General > Clock
tab.
Verify Secure ADN
The branch and concentrator peers must have SSL licenses and be configured to use the
same SSL device profile and secure ADN.
Chapter 11: Managing Outlook Applications
Configuring the ProxySG appliances for Secure ADN
1. On the branch peer, select the Configuration > ADN > General > Device Security tab.
2. Verify that an SSL Device Profile is selected; if not, select one (if you need to
create one, refer to the Help System).
3. Click Apply to commit any changes.
4. Select the Configuration > ADN > General > Connection Security tab.
5. In the Secure-Outbound Mode area, verify a secure option is selected.
6. Click Apply to commit any changes.
Join the Branch Peer to the Primary Domain
One of the requirements for accelerating encrypted MAPI traffic is that the ProxySG
appliance at the branch office must be joined to each Windows domain to which your
Exchange server(s) and Outlook users belong. For example, if users are created in domain
A and the Exchange server resides in domain B (which has a trust relationship with
domain A), the ProxySG appliance must be joined to both domains.
For details on how to join the domain, see "Join the Appliance to the Windows Domain"
on page 1115.
Configure the Domain Controller to Trust the ProxySG Host
For the ProxySG appliance to be able to authenticate Exchange users, the Domain
Controller must trust the ProxySG host for delegation. Note that the ProxySG host can be
trusted to delegate for multiple Exchange servers.
Trusting the ProxySG Appliance as a Host
1. On the Domain Controller, select Administrative Tools, and open Active Directory
Users and Computers.
2. Under DomainName/Computers, double-click the ProxySG host to display the
Properties dialog.
a. On the Delegation tab, click Trust this computer for delegation to specified
services only.
If you don’t see the Delegation tab, the domain functional level has not been raised
to Windows Server 2003 or newer. See "Prepare the Domain Controller to Support
Trust Delegation" on page 297.
b. Click Use any authentication protocol.
c. Click Add; in Add Services, click Users and Computers.
d. In the Enter the object names to select (examples) field, enter the name of the
Exchange server for which the system will be trusted to delegate and click OK.
e. In Add Services, click the Exchange MDB that will be trusted for delegation
and click OK.
f. Repeat steps d and e for any other endpoint Exchange servers that accept
MAPI connections.
g. Click OK to close the Properties dialog.
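The same Domain Controller preparation (tasks 1, 2 and 5 above) can be scripted with the ActiveDirectory PowerShell module instead of the Users and Computers GUI. The following is an added example and not part of the SGOS guide; the domain name, the ProxySG computer account name (proxysg-branch) and the Exchange host names (exch01, exch02) are assumptions you must replace, and it must run as an account permitted to modify the domain mode and the computer objects involved.

```powershell
# Added example, not from the SGOS guide: the Domain Controller side of tasks 1, 2
# and 5 done with the ActiveDirectory module (RSAT) instead of the GUI.
# Domain and host names are assumptions; run as an account allowed to modify the
# domain and the computer objects involved.
Import-Module ActiveDirectory

$Domain        = 'corp.example.com'     # assumed AD domain
$ProxyHost     = 'proxysg-branch'       # assumed computer account of the branch peer
$ExchangeHosts = @('exch01', 'exch02')  # assumed Exchange servers that accept MAPI

# Task 1: the Delegation tab (and msDS-AllowedToDelegateTo) requires domain
# functional level Windows Server 2003 or newer. Raising it is one-way.
$dc = Get-ADDomain -Identity $Domain
if ($dc.DomainMode -eq 'Windows2000Domain') {
    Set-ADDomainMode -Identity $Domain -DomainMode Windows2003Domain -Confirm:$false
}

# Task 5, steps d and e: the services the proxy may delegate to are the exchangeMDB
# SPNs registered on each Exchange computer account.
$spns = foreach ($h in $ExchangeHosts) {
    (Get-ADComputer -Identity $h -Properties ServicePrincipalName).ServicePrincipalName |
        Where-Object { $_ -like 'exchangeMDB/*' }
}
if (-not $spns) { throw 'No exchangeMDB SPNs found on the Exchange computer accounts.' }

# "Trust this computer for delegation to specified services only" is constrained
# delegation: the allowed targets live in msDS-AllowedToDelegateTo on the proxy account.
Set-ADComputer -Identity $ProxyHost -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]]$spns }

# "Use any authentication protocol" is protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION):
# the branch peer authenticates the client with NTLM and then obtains a Kerberos service
# ticket for exchangeMDB on the user's behalf without knowing the user's password.
Get-ADComputer -Identity $ProxyHost | Set-ADAccountControl -TrustedToAuthForDelegation $true

# Verify before selecting "Enable acceleration for encrypted MAPI" on the branch peer.
Get-ADComputer -Identity $ProxyHost -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }

# Task 2: Kerberos tolerates 5 minutes of clock skew by default. Confirm the PDC
# emulator is itself synchronized before pointing the ProxySG appliances at it as
# their NTP source.
$pdc = $dc.PDCEmulator
w32tm /query /status "/computer:$pdc"
```

Protocol transition is the sensitive part of this setup: once TrustedToAuthForDelegation is set, the ProxySG computer account can obtain service tickets to the listed SPNs for any user without that user's credentials, so keep msDS-AllowedToDelegateTo limited to the exchangeMDB SPNs, never select "Trust this computer for delegation to any service", and protect the appliance's computer account accordingly. Accounts marked "Account is sensitive and cannot be delegated" (or placed in Protected Users) cannot be impersonated this way, so their sessions fall outside this optimization.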
Enable MAPI Encryption Support
After completing the previous preparatory tasks, you are now ready to configure the
branch peer to intercept and optimize encrypted MAPI traffic. This setting is enabled by
default on fresh installations; it is disabled on upgraded systems.
Enabling MAPI Encryption Support
1. In the Management Console of the branch peer, select the Configuration > Proxy
Settings > MAPI Proxy tab.
2. Select the Enable acceleration for encrypted MAPI option; the Domain alias list
automatically populates with the alias created in "Join the Branch Peer to the Primary
Domain" on page 299.
3. Click Apply.
Verify Encrypted MAPI Connections are Optimized
To verify that encrypted MAPI connections are being optimized:
❐ Initiate Outlook client-to-Exchange server actions, including emails with attachments.
In the ProxySG Management Console, monitor the Active Sessions (Statistics >
Sessions > Active Sessions). The Encrypted label appends to connections intercepted
and optimized by the ProxySG appliance; for example: MAPI 2007 (Encrypted) shows
in the Details column. In addition, the P (Protocol Optimization) column in Active
Sessions should show a color (active) icon.
If you misconfigure the deployment—for example, configure NTLM without
Kerberos on the Exchange server—the ProxySG appliance passes the connection
through without optimization. If this occurs, the icon in the P column in Active
Sessions is shown as inactive (gray). You should check the Details column for clues
on why the connection wasn’t optimized. For example, if the Domain Controller is
offline or is unreachable by the branch peer, the Details column displays “Unable to contact
domain controller.”
The following list gives the possible Active Session Detail messages and the reason
for each:
❐ Encrypted: The encrypted MAPI connection is intercepted and optimized successfully.
❐ Unable to contact domain controller: The Domain Controller is offline or is
unreachable by the branch peer.
❐ Logon network security not set to negotiate on the client: The Outlook account is not
configured to use Negotiate Authentication (Outlook 2007 or newer) or Kerberos/NTLM
Password Authentication (Outlook 2003 or older).
❐ Client security negotiation failed: General error message.
❐ Server security negotiation failed: General error message.
❐ Secure ADN not available: The MAPI proxy failed to establish a secure ADN connection
with the core ProxySG appliance, or Outlook switched to a secure connection in the
middle of the conversation while the ADN tunnel was not secure.
❐ ADN tunnel is not encrypted: Outlook switched to a secure connection in the middle of
the conversation while the ADN tunnel was not encrypted.
❐ Encrypted MAPI not supported by peer SG: The core ProxySG appliance does not support
encrypted MAPI protocol optimization.
❐ NTLM-only client authentication type is unsupported: The Outlook client authenticated
the connection with NTLM only. Protocol optimization is not supported.
❐ Kerberos-only client authentication type is unsupported: The Outlook client
authenticated the connection with Kerberos only. Protocol optimization is not
supported.
❐ Unexpected authentication type: The Outlook client authenticated the connection with
an unexpected security protocol. Protocol optimization is not supported.
❐ Unable to extract service principal name from SPNEGO connection: The branch peer
failed to extract the exchangeMDB service principal name from the SPNEGO packet,
which is required to negotiate the Kerberos security context.
❐ Not intercepted by ADN concentrator: The branch peer is in standalone mode or failed
to establish an ADN connection with the concentrator peer, so the session downgrades
to passthru mode.
❐ Display Errored Sessions (Statistics > Sessions > Errored Sessions) to investigate
various MAPI issues related to client/server socket failures.
Section C: Intercept Skype for Business
For the ProxySG appliance to proxy Skype for Business and Microsoft Lync application
connections between clients after SSL interception is enabled, complete all of the steps in
this section. See the Office 365 Best Practices guide for additional information.
Skype for Business uses the following protocols (in addition to HTTPS):
❐ The Session Initiation Protocol (SIP) is commonly used for voice and video calls and
instant messages. Because this protocol defines the messages and traffic between
client endpoints, the ProxySG appliance interception of this traffic can cause dropped
connections.
❐ The (Microsoft) Traversal Using Relay NAT (TURN) protocol is used to allocate a
public IP address and port on a globally reachable server and relay media from one
endpoint to another endpoint.
Configure the Appliance for Skype and Lync Interception
Follow the instructions detailed in the Office 365 Integration and Best Practices
Webguide, “Skype for Business/Lync Fix” section, to safely intercept Skype for Business
and Microsoft Lync. Log in to Symantec Product Documentation to download the
webguide.
Chapter 12: Managing the FTP and FTPS Proxies
This chapter discusses File Transfer Protocol (FTP) support on the ProxySG
appliance, including implicit and explicit FTP over SSL (FTPS). Where applicable,
this chapter discusses configuring FTPS interception on the proxy.
Topics in this Chapter
This chapter includes information about the following topics:
❐ "About FTP" on page 305
❐ "About FTPS" on page 308
❐ "Configuring Native FTP Proxy and FTPS Proxy" on page 310
❐ "Configuring Welcome Banners for FTP/FTPS Connections" on page 312
❐ "Viewing FTP/FTPS Statistics" on page 313
About FTP
The ProxySG appliance supports two FTP modes:
❐ Web FTP, where the client uses an explicit HTTP connection. Web FTP is used
when a client connects in explicit mode using HTTP and accesses an ftp:// URL.
The appliance translates the HTTP request into an FTP request for the origin
content server (OCS), if the content is not already cached, and then translates the
FTP response with the file contents into an HTTP response for the client.
❐ Native FTP, where the client connects through the FTP proxy, either explicitly or
transparently; the appliance then connects upstream through FTP (if necessary).
Native FTP uses two parallel TCP connections to transfer a file, a control connection
and a data connection.
❐ Control connections: Used for sending commands and control information, such as
user identification and password, between two hosts.
❐ Data connections: Used to send the file contents between two hosts. By default, the
appliance allows both active and passive data connections.
• Active mode data connections: Data connections initiated by an FTP server to
an FTP client at the port and IP address requested by the FTP client. This type
of connection method is useful when the FTP server can connect directly to the
FTP client. The FTP command for active mode is PORT (for IPv4) or EPRT
(for IPv6). When an IPv4 FTP client is communicating with an IPv6 FTP
server, the appliance will perform the required conversion (PORT to EPRT);
the clients and servers will be unaware that this conversion has taken place.
• Passive mode data connections: Data connections initiated by an FTP client to an
FTP server at the port and IP address requested by the FTP server. This type of
connection is useful in situations where an FTP server is unable to make a direct
connection to an FTP client because the client is located behind a firewall or other
similar device where outbound connections from the client are allowed, but
inbound connections to the client are blocked. The FTP command for passive
mode is PASV (for IPv4) or EPSV (for IPv6). When an IPv4 FTP client is
communicating with an IPv6 FTP server, the appliance will perform the required
conversion (PASV to EPSV); the clients and servers will be unaware that this
conversion has taken place.
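The PORT to EPRT and EPSV to PASV conversions described above are easier to follow as concrete message rewrites. The following PowerShell functions are an added example and not the appliance's code: they apply the RFC 959 (PORT/PASV) and RFC 2428 (EPRT/EPSV) formats to sample commands, using assumed proxy addresses (2001:db8::a towards the IPv6 server, 192.0.2.1 towards the IPv4 client). The port number is carried through unchanged for illustration; a real proxy may allocate its own listening port.

```powershell
# Added example, not from the SGOS guide: the PORT -> EPRT and EPSV -> PASV
# rewrites an IPv4-client / IPv6-server FTP proxy performs. Addresses are
# assumptions; the port is kept unchanged for illustration.

function Convert-PortToEprt {
    # Client (IPv4) sent an active-mode PORT command; produce the EPRT the proxy
    # sends upstream so the IPv6 server connects back to the proxy, not the client.
    param(
        [Parameter(Mandatory)][string]$PortCommand,  # e.g. 'PORT 192,0,2,10,4,5'
        [Parameter(Mandatory)][string]$ProxyIPv6     # proxy address facing the server
    )
    $m = [regex]::Match($PortCommand,
        '^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$')
    if (-not $m.Success) { throw "Not a valid PORT command: $PortCommand" }
    $fields = 1..6 | ForEach-Object { [int]$m.Groups[$_].Value }
    if ($fields | Where-Object { $_ -gt 255 }) { throw "Field out of range in: $PortCommand" }
    # RFC 959: port = p1 * 256 + p2 (the client's address fields 1..4 are discarded,
    # because the server must connect to the proxy instead)
    $port = $fields[4] * 256 + $fields[5]
    # RFC 2428: EPRT |<protocol>|<address>|<port>|  where protocol 2 means IPv6
    return "EPRT |2|$ProxyIPv6|$port|"
}

function Convert-EpsvToPasv {
    # Server (IPv6) answered the proxy's EPSV with a 229 reply; produce the 227 PASV
    # reply the proxy returns to the IPv4 client, pointing at the proxy's address.
    param(
        [Parameter(Mandatory)][string]$EpsvReply,  # e.g. '229 Entering Extended Passive Mode (|||51234|)'
        [Parameter(Mandatory)][string]$ProxyIPv4   # proxy address facing the client
    )
    $m = [regex]::Match($EpsvReply, '^229\b.*\(\|\|\|(\d{1,5})\|\)')
    if (-not $m.Success) { throw "Not a valid EPSV reply: $EpsvReply" }
    $port = [int]$m.Groups[1].Value
    if ($port -lt 1 -or $port -gt 65535) { throw "Port out of range in: $EpsvReply" }
    $p1 = [int][math]::Floor($port / 256)
    $p2 = $port % 256
    $h  = $ProxyIPv4 -split '\.'
    if ($h.Count -ne 4) { throw "Not an IPv4 address: $ProxyIPv4" }
    # RFC 959: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
    return "227 Entering Passive Mode ($($h[0]),$($h[1]),$($h[2]),$($h[3]),$p1,$p2)"
}

# Active mode: rewrite the client's PORT into the EPRT sent to the IPv6 server.
Convert-PortToEprt -PortCommand 'PORT 192,0,2,10,4,5' -ProxyIPv6 '2001:db8::a'
# Passive mode: rewrite the server's EPSV reply into the PASV reply sent to the client.
Convert-EpsvToPasv -EpsvReply '229 Entering Extended Passive Mode (|||51234|)' -ProxyIPv4 '192.0.2.1'
```

The two directions matter for firewall rules: in active mode the data connection is opened by the server towards the proxy's IPv6 address, in passive mode by the client towards the proxy's IPv4 address, so the proxy must be reachable on the advertised address and port in each case.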
When using the FTP in active mode, the FTP data connection is formed from the server
(OCS) to the client, which is opposite from the direction of the FTP control connection. As
a result, when the FTP connections are enabled for ADN, the roles of the Branch and
Concentrator for the data connection are in reverse of those used for the control
connection. The type of ADN tunnel (Explicit, Translucent or Transparent) set up for the
data connection is therefore dictated by the tunnel mode configuration, which can be used
for any connection from the server to the client that needs to go over ADN. For more
information, see "Configuring the Tunnel Mode" on page 806.
For example, if the control connection for an Active mode FTP uses explicit ADN tunnels,
it is possible that the data connection that goes from the server to the client is transparent.
To use explicit connections for the FTP data connection as well, it might be necessary to
advertise the FTP client’s subnet address on the ProxySG appliance intercepting the FTP
connection.
Configuring IP Addresses for FTP Control and Data Connections
The FTP client determines whether the client-side data connection (between the client
and the appliance) is active or passive; the appliance determines the mode of the
server-side connections. By default, the appliance allows both active and passive data
mode connections. FTP connections are divided into client-side control and data
connections and server-side control and data connections.
❐ Client-side control connection: The proxy always uses the client’s IP address to
respond to the client. No configuration is necessary here.
❐ Client-side data connection: The proxy's behavior depends on the
ftp.match_client_data_ip(yes | no) property that is set via policy using CPL. If
this property is enabled (the default), the proxy uses the same IP address for the data
connection as it uses for the client-side control connection. If the property is disabled,
the proxy uses its own IP address, choosing the address associated with the interface
used to connect back to the client.
When an FTP client uses different protocols for control and data connections (for
example, IPv4 for control and IPv6 for data), set the ftp.match_client_data_ip
property to no so that the appliance's own address is used for the data connection.
Because each ProxySG interface is configured with both an IPv4 and an IPv6 address
in a mixed Internet protocol environment, the appliance uses the address type that
matches the FTP server. For example, when transferring data to an IPv6 FTP server,
the appliance sets up the data connection using its IPv6 address.
When the client-side data and control connections are over IPv4 and the server-side
control and data connections are over IPv6, the ftp.match_client_data_ip property
can be set to yes.
❐ Server-side control connection: The proxy uses the IP address selected by the
reflect_ip(auto | no | client | vip | ip_address) property. By default, this is
the local proxy IP address associated with the interface used to connect to the server.
Client IP reflection is set globally from the Configuration > Proxy Settings > General
tab. By default, the CPL reflect_ip( ) setting is auto, which uses this global
configuration value.
Client IP reflection will automatically be disabled when the client is IPv4 and the
server is IPv6.
Note: Setting client IP address reflection for FTP affects the source address th